Policy on Networked Server Management
The purpose of this policy is to describe controls that should be in place
to protect data and equipment. Private data is most important to protect, and
servers storing private data should comply with this policy. For servers storing
public information that is easy to recover, these controls may be viewed as
guidelines rather than requirements.
For more information on what constitutes private data, and for information
about how to secure desktop computers that access private data, see the University
of Minnesota Standard on Securing Private Data. For more details on configuring
networked servers, see the University of Minnesota Server Security Guideline.
Accounts and Passwords
- Accounts on a system should match the business need. Only those who have
a business need should have access.
- Accounts should be closed as soon as access is no longer required, such
as when an employee changes jobs or leaves the University.
- Accounts should be reviewed yearly to ensure that only those who have a
business need for access have accounts.
- Systems should require that each account have a password. Systems should
require strong passwords whenever possible.
- Systems should be configured to deny access to an account after multiple
unsuccessful login attempts.
- Passwords should be changed annually at a minimum.
Server Registration and Scanning
- UMD critical servers must be registered with ITSS and with OIT. Other servers
may be registered as well if desired.
- Registered servers will be scanned regularly for security vulnerabilities.
- Servers must have a system administrator who can be contacted
in the event of a problem.
- Server logs should be maintained and reviewed regularly to look for, and
respond to, inappropriate intrusion attempts.
Server Configuration
- Server operating systems should be kept fully patched and up-to-date.
- Servers should have appropriate virus detection software installed and
up-to-date.
- Security alerts should be monitored, and relevant alerts should result
in appropriate action by the system administrator.
Special Protection for Critical Private Data
- Servers storing protected health information associated with HIPAA
must have very tight security. System administrators for such servers must
be familiar with the University's Privacy and Security Project and must
comply with related server security requirements.
- Servers storing financial data, especially credit card information, must
have very tight security. Credit card processing must comply with the VISA
(PCI DSS) security guidelines. ITSS will provide assistance to units who
need to accept credit card data and will require the University's vendor
for credit card processing.
- Student records, personnel records, and all other private information stored
on servers must be kept very secure. Social Security Numbers require exceptional
security, and it is preferable that they not be stored on local servers at
all. For additional resources, see Understanding & Identifying
Private and Public Information.
Physical Security
- Servers should be located in data centers that are kept locked at all times.
- Data centers should have walls that extend through dropped ceilings and/or
below raised floors.
- Access to data centers should be limited to those individuals with a business
need to access the data center equipment.
- Data centers should be equipped with automated fire detection and fire
suppression devices.
- Data centers should be equipped with uninterruptible power supplies that
trigger system shut-down before power runs out. Critical systems should be
tied to back-up power provided by generators.
Backups and Disaster Recovery
- Servers must be covered by a disaster recovery plan, which is tested and
updated regularly.
- Data stored on servers should be backed up regularly. The backup schedule
can depend upon the degree to which data stored on the server changes.
Backup files should be stored far enough from the server itself that they
will not be destroyed in the event the server is destroyed.
- Data should be retained and archived as needed for system audit trails.
- System administrators should schedule a regular process for demonstrating
that a system can be rebuilt, and data recovered, in the event of a failure.
Data owners should be involved in the testing of the recovery process.
This should be done annually at a minimum.
Change Control Procedures
- Critical servers and applications should be modified using change control
procedures that ensure only authorized and tested program changes are moved
into production.
- Critical servers and applications should have separate development, test,
and production environments.
Software Escrow
- Business-critical software should be protected in the event of a vendor going
out of business with a software escrow agreement. Such an agreement would provide
the University with access to the source code in case of a business failure
on the part of the vendor.
- Software purchased through the University Purchasing Office will include
the Software License Agreement.
Section 24 of this agreement is about software escrow.
- Departments purchasing without using the Software
License Agreement should consider requesting an escrow agreement for
business-critical software or be prepared to assume the risk should the
vendor have a business failure.
©2003 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on 06/30/08