Server Management Policy UPPS No. 04.01.09 (NEW)
Issue No. 1
Effective Date: 11/06/2007
Review: November 1 E2Y
01. POLICY STATEMENT
01.01 This UPPS is intended to promote the appropriate management of university servers, and
in doing so, achieve consistency, increase availability and security,
facilitate disaster recovery, coordinate technical operations and apply sound
Information Technology management practices consistently throughout the
institution.
02. RELATED DOCUMENTS
UPPS No. 04.01.01, Security of Texas State Information Resources
UPPS No. 04.01.01 Attachment I, Information Resources Security Manual
UPPS No. 04.01.05, Network Use Policy
03. DEFINITIONS
03.01 Server – A networked resource that is used to distribute data to other networked
resources.
03.02 Server Management – Functions associated with the oversight of server operations.
These include controlling user access, establishing and maintaining security
measures, monitoring server configuration and performance, and risk assessment
and mitigation.
03.03 Server Owner – The department head charged with overall responsibility for the
server asset in the University’s inventory records. The server owner must
designate an individual to serve as the primary system administrator and may
designate a backup system administrator.
03.04 Device Registry – A database of university network devices maintained by IT
Security to assist with incident response and alerts. This registry includes
information about the device such as device name, function, operating system,
and primary and secondary contact information.
03.05 Server Administrator – The individual designated by the server owner as
responsible for performing server management functions.
03.06 Vulnerability Patch – An update provided by a vendor to correct a flaw or weakness in a
system's design, implementation, or operation and management that could be
exploited to violate the system's security policy. All software and hardware
are subject to vulnerability and firmware patches.
04. GENERAL REQUIREMENTS
04.01 Before connecting to the Texas State network, servers must comply with the General
Requirements outlined in this policy and the Technical and Security Standards &
Procedures. Before purchasing any equipment for use as a server, departments should contact the
Information Technology Assistance Center (ITAC, formerly the Help Desk) to
determine what alternatives may exist to satisfy the need. If adequate
resources do not already exist, Technology Resources will assist the department
in configuring a server adequate to address the requirements.
04.02 The server owner is responsible for the management, operation and security of the
server. At a minimum, the owner must assure the server is physically secured,
that electronic access to the server is properly controlled, and server
configuration is maintained within specified security and operational
parameters. The owner may delegate some or all of these responsibilities to a
system administrator.
04.03 IT Security maintains a device registry (http://webapps.tr.txstate.edu/security/wsr/wsrform.asp)
that facilitates compliance with the
mandated security efforts and assists in diagnosing, locating and mitigating
security incidents on the campus network. All server owners must supply
required information (e.g., location, contact information for the responsible
individual, etc.) about their servers for inclusion in the registry.
04.04 System administrators must subscribe to vendor notification and automated update
services appropriate to the software hosted on their servers. System
administrators will be required to subscribe to university-provided
notification/update services (or equivalent) as those services become available
(e.g., Texas State Server Administrators Listserv).
04.05 While this policy is meant to be a definitive policy and guide to effective server
management at Texas State, it is recognized that not all specific situations or
problems can be addressed by a policy. Nonetheless, server owners are
encouraged to seek guidance from Technology Resources as necessary to meet
these responsibilities.
04.06 Exceptions to this policy require collaboration with Technology Resources and may be
granted only by the Assistant Vice President for Technology Resources or a
designee.
05. PROCEDURES FOR RESPONSE TO THREATS AND POLICY VIOLATIONS
05.01 IT Security routinely scans the network to monitor compliance with this policy. IT
Security will notify the server owner, the server administrator, and the
Assistant Vice President for Technology Resources of deficiencies, including
lack of inclusion in the device registry. If a server is out of compliance for
more than 10 working days after notification, IT Security may, with the concurrence
of the Assistant Vice President for Technology Resources, remove the server
from the campus network.
05.02 Emergency circumstances: IT Security will attempt to notify the server administrator
when it determines that a server presents an unacceptable risk to university
information resources (e.g., when a server has been compromised, when it is a
threat to other network users, or when its defenses against compromise are
inadequate for the purpose it serves). If the server administrator cannot be contacted
or will not act immediately, Technology Resources may remove the offending
server from the network and work with the server owner to remedy the threat and
recertify the server.
06. REVIEWERS OF THIS UPPS
06.01 Reviewers of this UPPS include the following:
Position                                                          Date
Assistant Vice President for Technology Resources                 November 1 E2Y
Information Security Officer                                      November 1 E2Y
Director of Infrastructure Services                               November 1 E2Y
Special Asst. to the Vice President for Information Technology    November 1 E2Y
07. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their official
capacities and represents Texas State policy and procedure from the date of
this document until superseded.
Assistant Vice President for Technology Resources; senior review of this UPPS
Vice President for Information Technology
President