Standard 19: Server and Device Configuration and Management
Revision Number: 1
Effective Date: 2/24/2020
Revised Date: 5/14/2020
Review Date: 5/14/2020
Responsible Division/Department: Office of the CIO / Information Technology Services
- Network infrastructure configuration. Responsibility for the University network infrastructure lies with the ITS Network Engineering team. As part of their duties, they will:
- Configure and manage the resource in accordance with University information security policies, standards, and procedures by:
- Segmenting the network infrastructure either physically or logically to reduce the scope of exposure of information resources commensurate with the risk and value of the information resource and data
- Separating internet-facing applications from internal applications
- Maintain appropriate access to the network infrastructure in accordance with University information security policies, standards, and procedures
- Manage, test, and install updates to operating systems and applications for network equipment under their responsibility
- Computing devices. To protect against malicious attack, all computing devices on University networks will be security hardened based on risk and must be administered according to policies, standards, and procedures prescribed by the University. This includes both managed and unmanaged devices attached to the network.
- Mission critical computing devices or computing devices containing University data must be identified and assigned to appropriately trained system administrators
- All computing devices (e.g., desktops, laptops, tablets, and mobile devices) must be installed and maintained in accordance with the Minimum Security Standards for Applications and the General Hardening Standards to minimize service disruptions and prevent unauthorized access or use
- Device management. The University Chief Information Security Officer (CISO) shall ensure that devices are administered by professionally trained staff in accordance with policies, standards, and procedures prescribed by the University.
- Access to information security information and devices. All owners and custodians of University-owned, leased, or controlled information resources must provide the IT Security team with direct access to detailed security status information, including but not restricted to firewall rules, IPS/IDS rules, security configurations, and patch status, and with sufficient access rights to servers and devices to independently and effectively execute their monitoring duties.
- All systems providing commodity services to University affiliates (e.g., web servers, mail servers, file servers, database servers, directory servers) must either be physically located within the University data centers, be virtualized within the ITS virtualization service, or be hosted at an approved cloud data center.
- The IT Security team will work with all units to maintain an inventory of all such qualifying systems.
- All approved external data centers must be approved in the University data governance system.
- Exceptions must be filed with the IT Security team in cases where business, technical, or research needs require the system to be locally hosted. All exceptions must identify the business need for the exception and the compensating controls that will be implemented to offset the risks associated with locally hosting the system.
- All units are required to participate in the inventory, standards verification, and configuration of all IT procurements. This includes but is not limited to all University-owned devices that have the ability to store or process University data or use the University wired or wireless networks. Examples of these types of computing devices include but are not limited to laptops, desktop computers, tablet devices, and servers.
- For units where external IT support contracts exist, the contracting entity will be required to provide the IT Security team with a complete inventory of computing devices for the contracted unit.
- All units creating purchase orders or p-card transactions for IT procurements (e.g., devices or software) will ensure the appropriate IT team is aware of the transaction.
- The local IT C-Tech will ensure the device is properly tagged for University inventory and accounted for.
- The local IT C-Tech will enter the computing device into the University's inventory tool and will configure it per policy requirements. All University and specific unit procedures for configuration will be applied including but not limited to encryption, system management tools, and strong user account passwords.