Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Size: px

Start display at page:

Download "Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating"

Lee Dixon
8 years ago
Views:

1 Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating to all users of UNH IT resources, and improve the availability of UNH IT resources Specifically, compliance will help to protect UNH s computers and Network, and safeguard the data which they contain and transport from attack and compromise Finally, UNH is compelled by law 1, USNH policy 2, and UNH CIO directive to assure appropriate protection of all Restricted UNH information. UNH also must protect certain Sensitive information and has a need to protect certain Public information as well. See the USNH Data Classification model for definitions. 2. Scope 2.1. This Policy applies to every Server connected to any UNH Network. See definition of Server below. 3. Policy 3.1. Every Server connected to any UNH Network must be registered (as a Server) with the operator of that Network In order to comply with UNH and USNH policies, every Server must be properly maintained to prevent: Compromise of UNH information Harm to the UNH Network Harm to other equipment connected to the UNH Network or the Internet 4. Authority and Responsibility 4.1. This policy pertains to all Servers connected to any UNH Network and has been endorsed by the CIS CIO The managers/operators of the Network are responsible for monitoring and enforcement of compliance with this policy on their Network. 5. Policy Clarification 5.1. Departments will assign appropriate Server administrator(s) for the Servers owned and/or operated by the department Server administrator will Be the primary contact for CIS IT Security Maintain appropriate skills to properly administer the Servers Ensure that current software patches are applied in a timely manner 1 This policy was endorsed by the UNH Steering Committee for Information Technology (SCIT) April 29, 2009

1.2. Specifically, compliance will help to protect UNH s computers and Network, and safeguard the data which they contain and transport from attack and compromise. 1.3.

2 Maintain and regularly review logs for intrusion attempts Limit physical access to the Server to appropriate personnel Keep the Server in a physical location that provides protection against damage, theft and/or compromise in a way that is consistent with university policies, applicable federal laws, and reasonable expectations of service availability Use strong passwords and not share passwords Harden the OS and applications to limit services to only those required for the Server use Registration will include providing the following information about each Server: Server administrator (including phone number, office location, and address) Secondary technical contact information Networked services being offered by the Server Whether the following Security Protection measures were applied to the device Anti-virus Firewall Automated OS patching or patching schedule plan Physical security room access policy Type of hardware platform Operating System Ethernet MAC address Requested DNS name Assigned or requested IP address Device physical location Responsible dean or vice president Departments/owners of the Servers will be responsible to inform CIS if there are changes in information in section above All computers on the UNH Network operated by CIS are regularly scanned for currently acute vulnerabilities. Servers will be scanned more deeply. This will be done in cooperation with the Server administrator to coordinate appropriate scheduling of scans, and to establish a response protocol regarding found vulnerabilities Registration renewal will be required annually and accomplished through an efficient selfservice mechanism Unregistered Servers will be protected by blocking of network access from the Internet How-To Register Servers on the core UNH Network operated by CIS:

expectations of service availability. 5.2.7. Use strong passwords and not share passwords. 5.2.8. Harden the OS and applications to limit services to only those required for the Server use. 5.2.9.

3 Properly maintain a Server Refer to UNH CIS Network and Server Security best practices web pages Physical security Server must be in a locked, limited access space, with appropriate power and cooling. Additional protection may be appropriate, including but not limited to fire suppression, alarms (intrusion, water, temperature, power, etc.) Strong, secret, and non-shared passwords or stronger authentication method, unique to each system administrator. Automated or frequently scheduled updates of Operating System Security patches, Anti-Virus, Anti-spyware, and other software Frequent review of Server health logs, alarms, performance CIS IT Security Management of Server Registrations CIS IT Security will maintain a database of Servers registered with CIS and all information provided by the registering party Automated systems will periodically scan registered Servers for vulnerabilities. This is to assist with securing data, avoiding Server compromise, and maintaining network availability. However, it is not intended to provide total system protection. System administrators must still properly maintain their Servers. The lack of notification by CIS IT Security is not to be construed as an endorsement of the Server's current configuration and is not a guarantee that the Server is impervious to possible exploits. Full responsibility for the maintenance of the Server is retained by the department operating the Server. Similarly, any undetected vulnerabilities are the sole responsibility of the department operating the Server. See Authority and Responsibility on page UNH Internet firewalls will be modified to allow unsolicited external access to registered Servers according to existing classes of service (e.g. wide open or web only) Definitions Server Any computing device connected to the Network which provides a service in response to unsolicited network traffic e.g. a web Server, application server, print/file sharing server, , etc. Also includes devices containing financial, student, or employee records, as well as other information accessed from other devices over a network connection (ie. Through a mechanism other than from the console of the device storing the information). Exceptions from this definition for any short-lived equipment must be approved by the UNH CIO.

2.3. Strong, secret, and non-shared passwords or stronger authentication method, unique to each system administrator.

4 Restricted and UNH information is: See the USNH Data Classification Model for definitions and proper classification of the following examples All information protected under the USNH Online Policy manual Protected intellectual property as defined in the USNH Online Policy Manual Financial information Any other confidential and/or proprietary UNH personnel, business, academic or research information Compromise Compromise of UNH information includes any unauthorized viewing, recording, release, copying, destruction, modification, or creation thereof Compromise of a Server is any unauthorized access to that Server, be it from a person physically interacting with the Server or over the Network, modem or any remote method. Theft of the Server would be considered a compromise. Compromise also includes the unauthorized installation of any software or file including but not limited to viruses, worms, Trojan horse programs, illegal programs or files of any type, web or service, game Servers, etc Compromise of a Server on the UNH Network that does not contain restricted or sensitive UNH information can still result in the Compromise of restricted or sensitive UNH information on other computers, which is why every Server on the UNH Network must be registered and secured Servers are often compromised to convert them into a resource for the ongoing or future use of the compromising entity. Compromised Servers are used to perform tasks, without the administrators knowledge, such as: launching attacks on other computers and network equipment, relaying mail, sending spam, creating illicit or anonymous websites, spreading viruses, acquiring passwords and other confidential information, etc Additional Footnotes Federal Laws governing protection of UNH Restricted information include but are not limited to the following: Family Educational Rights and Privacy Act (FERPA) Public Law Health Insurance Portability And Accountability Act (HIPAA) - Public Law

3.5. Compromise 5.3.5.1. Compromise of UNH information includes any unauthorized viewing, recording, release, copying, destruction, modification, or creation thereof. 5.3.5.2.

5 Gramm-Leach Bliley Act (GLB) - Public Law UNH and USNH policies: Acceptable Use Policy for Information Technology Resources at the University of New Hampshire USNH Policy on Use of Technological Resources USNH Online Policy Manual Policy on Use of Technological Resources USNH Online Policy manual USNH Information System Access Policy to be added May, 2009

USNH Online Policy Manual Policy on Use of Technological Resources 5.

How are we keeping Hackers away from our UCD networks and computer systems?

How are we keeping Hackers away from our UCD networks and computer systems? Cybercrime Sony's Hacking Scandal Could Cost The Company $100 Million - http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-company-100-million-2014-12