The Security Procedures for Servers storing Personal Information are used to ensure an adequate level of protection for these
servers against information-security threats such as hacker attacks, worms, viruses, and other malicious activity. These
procedures apply to all SMU servers which store Personal Information.
SMU servers which store Personal Information will be configured, maintained, and tested by authorized SMU faculty / staff
members or approved third parties. Business unit operating procedures define individual access rights to configure, maintain, and
test SMU servers. SMU servers which store Personal Information must be registered with the SMU Information Security Officer,
per the process outlined in section C Registration Process for Servers which store Personal Information. SMU servers which store
Personal Information must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).
A. DEFINITIONS
- Critical Patch – a released fix for a specific problem that addresses a critical vulnerability.
- Personal Information – defined in University Policy 12.x Use and Protection of Personal Information.
- Server – defined in University Policy 12.x Use and Protection of Personal Information.
B. PROCESS
SMU Servers which store Personal Information will be protected by complying with all requirements below:
1. Servers will meet minimum established baseline security standards.
SMU uses a variety of resources to determine the
baseline minimum criteria for securing server operating systems. The current minimum standards are as follows:
- Microsoft Windows
  - Windows Server 2003 Security Guide, maintained by Microsoft
  - Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, maintained by Microsoft
- UNIX
  - UNIX Security Checklist v2.0, maintained by the CERT Coordination Center (CERT/CC)
In addition, servers are required to remediate all applicable vulnerabilities found in the current SANS “Twenty Most Critical
Internet Security Vulnerabilities”, available at http://www.sans.org/top20.
2. Servers will be placed in a safe environment.
Servers which store Personal Information must be placed in a safe location which ensures adequate environmental protection
for the server. These protections include:
- Dedicated space – not located in an office, cubicle, or common space
- Controlled access – the location must have mechanisms which restrict entry 24 hours a day
- Adequate air cooling and circulation to protect from overheating
- Protection from dirt and moisture
- Power protection, including backup batteries and surge protection
3. Physical access to servers will be restricted.
Only authorized SMU staff members and approved third parties will be allowed physical access to servers. Business unit
operating procedures define individual access rights to configure, maintain, and test SMU servers.
Third-party access must be approved by a Department Head / Director from the Information Technology department
responsible for the server. The department responsible for the server must maintain a list of approved third parties which is
reviewed and updated annually, at minimum. A list of all third parties who access the server will be provided during the registration
process.
4. Network access to servers will be restricted.
SMU servers will have their access to the network and Internet restricted to the minimum amount necessary for the server to
offer the services for which the server is intended. The intended use of the server will be documented during the registration
process.
Servers will only be permitted to communicate with other designated servers and clients. Servers will be assigned to groups, by
which access to the Internet and other networks will be restricted.
5. Operating systems and other software will be patched.
Vendor-supplied operating system patches, software patches, and service packs will be applied to the system when they are
available, after being tested to ensure that they do not compromise functionality or security.
Critical patches will be tested and installed within one week, taking into account critical University operations and business
activities. Exceptions must be documented by the Information Technology department responsible for the server. This log must be
available for review upon the request of the SMU Information Security Officer.
6. Extraneous services will be removed from servers.
All unnecessary services, protocols, and applications will be disabled and/or removed from servers. Servers will be configured
with the minimum required components necessary to offer the services for which the server is intended. The intended use of the
server will be documented during the registration process.
7. Accounts will be configured appropriately.
Accounts will be established for each individual user, and the appropriate level of access necessary for the user to perform their
job will be granted. All unnecessary accounts will be removed from servers.
When separate accounts are not an option, SMU faculty/staff members must receive approval to share a single account and
password from the IT Department Head / Director responsible for the server. A list of all users who share an account will be
documented during the registration process.
Accounts will be set to become locked after 10 (or fewer) invalid login attempts.
8. Passwords will be configured appropriately.
In order to comply with SMU password requirements in University Policy 12.6 Password Management:
- Server accounts will be configured to use strong passwords
- Vendor-supplied and default passwords will be changed
9. Anti-virus software and/or host-based intrusion detection software will be used on servers.
Anti-virus and host-based intrusion detection software will be configured to receive or obtain updated definitions on a regular
basis, and servers will be scanned regularly for viruses, worms, Trojans, or other unauthorized activity by the IT department responsible
for the server.
10. Firewalls will be used to protect servers which store Personal Information.
Servers are required to be protected by a properly configured hardware-based firewall administered by authorized IT staff.
Firewalls must block unnecessary traffic to and from the server.
The SMU Information Security Officer must have access to all logs, or copies of all logs, and firewall configurations for
firewalls which protect servers storing Personal Information.
11. Server logs will be stored and maintained.
Servers are required to store their system logs. These logs will be stored on a separate server, and will be maintained in
accordance with University Record Retention procedures (in development). The server on which the logs are stored must meet the
security requirements for servers which store Personal Information. Logs will be kept for a minimum of three months online and one
year offline, unless otherwise required by law.
At minimum, the following logs will be stored:
- User access
- Administrative actions
- Security event
The SMU Information Security Officer must have access to all logs, or copies of all logs, for servers which store Personal
Information.
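The user-access log required by item 11 is what makes the lockout rule in item 7 checkable, and a log audit (one of the assessment types in section D) is where the two meet. The following is an added example for this page, not part of the SMU procedures: it walks a constructed, syslog-like authentication log (the line format, host name, user names and addresses are all assumptions for illustration) and reports accounts that passed 10 invalid attempts without a lockout, successful logins on accounts the log shows as locked, and lines the parser could not classify, since gaps in the user-access log are themselves an item 11 problem.

```python
"""Audit an authentication log against two requirements of section B:
accounts must lock after at most 10 invalid login attempts (item 7), and
user-access events must be logged so that this can be checked (item 11).
Added example for this page; it is not part of the SMU procedures, and the
syslog-like line format below is an assumption made for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10  # item 7: lock after 10 (or fewer) invalid attempts

# Assumed line shape: "<timestamp> <host> auth: <event> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth:\s+"
    r"(?P<event>FAILED login|OK login|LOCKED)\s+user=(?P<user>\S+)"
)


@dataclass
class AccountState:
    failures: int = 0      # invalid attempts since the last successful login
    locked: bool = False


def audit_lockout(log_text, threshold=LOCKOUT_THRESHOLD):
    """Walk the log once and return (states, findings, unparsed).

    states   -- {user: AccountState} after the last line
    findings -- policy violations, each tagged with the offending line number
    unparsed -- lines that did not match LINE_RE (gaps in the user-access
                log are worth a look on their own)
    """
    states = defaultdict(AccountState)
    findings = []
    unparsed = 0
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        user, event = m["user"], m["event"]
        st = states[user]
        if event == "FAILED login":
            st.failures += 1
            # Report once, on the first attempt past the threshold, if the
            # server has not locked the account by then.
            if not st.locked and st.failures == threshold + 1:
                findings.append(
                    f"line {lineno}: {user} exceeded {threshold} invalid "
                    f"attempts without lockout")
        elif event == "LOCKED":
            st.locked = True
        elif event == "OK login":
            if st.locked:
                findings.append(
                    f"line {lineno}: successful login for locked account {user}")
            st.failures = 0
    return dict(states), findings, unparsed


def build_sample_log():
    """Constructed sample log; not captured from any real server."""
    lines = []

    def add(event, user, src):
        n = len(lines) + 1
        lines.append(f"2006-03-01T08:{n // 60:02d}:{n % 60:02d} srv-hr01 "
                     f"auth: {event} user={user} src={src}")

    for _ in range(3):                       # lines 1-3: a few typos, then success
        add("FAILED login", "jsmith", "10.1.2.3")
    add("OK login", "jsmith", "10.1.2.3")    # line 4: counter resets
    for _ in range(10):                      # lines 5-14: brute force on admin
        add("FAILED login", "admin", "192.0.2.7")
    add("LOCKED", "admin", "-")              # line 15: locked on the 10th, compliant
    add("OK login", "admin", "192.0.2.7")    # line 16: should be impossible
    for _ in range(12):                      # lines 17-28: no lockout ever fires
        add("FAILED login", "svc_backup", "10.1.9.9")
    lines.append("2006-03-01T08:00:29 srv-hr01 cron: nightly job started")  # line 29
    return "\n".join(lines)


if __name__ == "__main__":
    states, findings, unparsed = audit_lockout(build_sample_log())
    for finding in findings:
        print(finding)
    print(f"{unparsed} line(s) not recognised as auth events")
```

Run against the constructed log it reports two findings: the successful login on the locked `admin` account and the `svc_backup` account reaching an 11th failure with no lockout. Pointing `audit_lockout` at a real user-access log only requires adapting `LINE_RE` to that server's format; the threshold stays at the policy's 10.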
12. Servers will be registered.
The Department Head / Director responsible for the server must complete the required registration process for servers which
store Personal Information.
C. REGISTRATION PROCESS FOR SERVERS WHICH STORE PERSONAL INFORMATION
All servers which store Personal Information must be registered annually with the SMU Information Security Officer by the business unit responsible for the Personal Information, and receive approval from the Vice President for Business and Finance. Under no circumstances may Personal Information be stored on any server without the written approval of the Vice President for Business and Finance. Registration forms are available at http://www.smu.edu/infosec/xxxxxxx.
To register a server that stores Personal Information:
1. A registration form must be completed by the Department Head / Director responsible for the server, and submitted to the SMU Information Security Officer. The registration form includes a section which specifies that all security procedures must be adhered to. The registration form must be signed by the Department Head / Director responsible for the server, indicating that they will comply with these requirements.
Required registration information for each server includes, but is not limited to:
- Server name, IP address, MAC address, operating system, and asset tag number
- Physical location, including building and room number
- Intended use or purpose of the server and applications
- List of networks / groups with which the server needs to communicate
- Individual responsible for the server, position, and department / business unit
- What type of Personal Information is stored on the server
- List of any third parties who access or administer the server
- Location where log files are available for the SMU Information Security Office
2. Upon receipt of the registration form, the SMU Information Security Officer will review the information, make note of any concerns, and return the registration form to the Department Head / Director who submitted it.
3. The registration form (with the SMU Information Security Officer’s comments) must then be submitted by the Department Head / Director responsible for the server storing Personal Information to the Vice President for Business and Finance.
4. The Vice President for Business and Finance will review the information on the registration form, review any concerns provided by the SMU Information Security Officer, and approve or reject the request to store Personal Information.
a. If approved, the Vice President for Business and Finance will sign off on the registration form. The registration form will be sent to the SMU Information Security Officer, who will perform security assessments on the server to ensure that all security requirements have been met. Assessments may be performed both before and after the Personal Information is stored on the server, at the discretion of the SMU Information Security Officer.
- If all security requirements have been met, the SMU Information Security Officer will sign off on the registration form, keep a copy of the signed form, and return the original form to the Department Head / Director responsible for the server. The Department Head / Director must produce the original, signed registration form for review upon request by the Vice President for Business and Finance or the SMU Information Security Officer.
- If all security requirements have not been met, the SMU Information Security Officer will provide a list of items which do not meet SMU security standards. These items must be remedied before the server can store any Personal Information. If these items are not addressed in a timely manner, the SMU Information Security Officer will notify the Vice President for Business and Finance, who may revoke permission for the Personal Information to be stored.
b. If rejected, the Vice President for Business and Finance will return the registration form, along with reasons for the rejection, to the Department Head / Director responsible for the server, who may:
- Remediate any issues and begin the registration process again;
- Decide not to store Personal Information at all; or
- Attempt to find an alternative solution which complies with security requirements.
Under no circumstances may Personal Information be stored, collected, or contained on any server that has not received the approval of the Vice President for Business and Finance, met all security requirements, and successfully undergone security assessments.
5. The department / business unit responsible for the server bears responsibility for tracking any updates or changes regarding the server, and for registering servers annually.
D. SECURITY ASSESSMENTS
1. All servers will undergo security assessments, including vulnerability testing, when:
- they initially enter production
- there has been any significant change to the network (new system component installations, changes in network topology, firewall rule modifications, product upgrades)
- there has been a major software revision or upgrade
- there has been a breach or compromise on the network on which the server is located
- there has been a breach or compromise involving that server
2. Servers which store Personal Information will undergo security assessments on an annual basis, at minimum. All security assessments must be performed by an agent or entity approved by the SMU Information Security Officer. These assessments may include, but are not limited to: physical security inspections, environmental examinations, vulnerability tests, and log audits. The Department Head / Director of the Information Technology department responsible for the server is responsible for ensuring that security assessments are performed. Results of these assessments must be made available to the SMU Information Security Officer, upon request.
3. The SMU Information Security Officer may elect to conduct security assessments on servers which store Personal
Information, or firewalls which protect these servers, at any time.
4. The Information Technology department responsible for servers which store Personal Information, or for firewalls which protect these servers, is responsible for remedying any vulnerability or other issue identified by security assessments within 5 business days. Any exception must be provided, in writing, to the Vice President for Business and Finance and the SMU Information Security Officer before the 5 business days have passed. The Vice President for Business and Finance will review the exception notification and determine what course of action to take.