OFFICIAL
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources, and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or its affiliates.
Server Computing Devices
July 23, 2007
The University maintains enterprise class secured data centers for the housing of university servers. All servers used to store, process or transmit sensitive information must be registered with the Information Security Office. All university servers must:
· be maintained in an environment and manner designed to physically and logically restrict access to authorized users;
· be used in a manner designed to maintain data, system and network integrity; and
· have operating systems and other software maintained in the most up-to-date and secure manner reasonably possible.
Note: These standards apply to servers fully managed by IT as well as to those partially or fully managed by other university entities or constituents.
The Dean of each school or administrative Division Head is responsible for server device administration within their area and for ensuring the implementation of the Server Computing Device security policies, standards, and procedures, including implementing methods to:
Educate the school or division server administrators on Server Computing Device security practices.
Configure and maintain the school or division servers to meet the Server Computing Device policy and other applicable standards.
Procedures for complying with these policies and standards, as well as any additional school or administrative division policies and standards, must be developed and maintained by the Dean or Division Head's designee for each school, administrative division or other subsidiary unit.
All school or division policies, standards and procedures for servers must be well documented, up-to-date and meet or exceed the minimum requirements established in this policy.
After review and approval by the Dean or Division Head's designee, documentation of procedures for the school or division is to be forwarded, in electronic format, to the Information Security Office for review and university records. All major updates to the documentation and their effective dates should be forwarded to the Information Security Office.
Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.
The Information Security Officer may work with Audit Services, IT and others to schedule periodic audits of servers to further ensure compliance with the policies and standards.
Use of Computing Devices
Technical and Physical Standards
All server operating systems and other software should be kept up to date by reviewing and installing applicable security updates, patches and tools on a regular schedule, at least every thirty days.
All critical server operating systems must have change and maintenance logs to record all approvals and activity to the system.
Physical System Access
All servers must be kept in a secured access controlled environment. Reasonable efforts should be made to limit and/or monitor physical access to servers to authorized personnel. See IS PS009 Data Facility Security.
In addition to physical security requirements above, for systems used to store, transmit or access electronic Protected Health Information (ePHI), each responsible area must also:
Implement and maintain physical safeguards to restrict access to only authorized users for all server devices that store, transmit or access ePHI,
Define the functions allowed on a server device that stores, transmits or accesses ePHI.
Server class operating systems and software must be used for university servers.
Before software is installed on or integrated into the university's environment, it must go through an evaluation process: assess its impact on the current environment and remediate any noted risks; disable unnecessary services and permissions; document the resulting configuration; and ensure that testing and approvals are complete.
Non-University IT Managed (Division) servers must:
be approved for the specified use by the school or division's Dean or Vice President and by technology management,
be currently supported with security updates, and
be in full compliance with all applicable information security policies.
Logical System Access and Security
All servers must require entry of a user ID and complex password. See IS PS008 Passwords.
All server logons, and all server software accessed by end users, must be configured to lock after a short period of inactivity (10 minutes is the recommended time unless documented system requirements necessitate a longer period) and to require a user ID and password or other authentication mechanism to unlock or reactivate. Automated programs and services should also be configured with an authentication time-out unless this prevents the program or service from functioning properly.
Security and Integrity of Data
All servers used to store, process or transmit sensitive information must maintain this information in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure this data. If this data is transmitted over any networks other than the university's internal network, the data or the transmission protocol should be encrypted. (See backup standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of equipment loss or hardware failure).
Systems used for electronic Protected Health Information (ePHI):
Server devices in this category must use encryption as described above unless the device is physically maintained, used and accessed only in a highly secure, access controlled environment that meets the security requirements of the HIPAA regulations.
Systems used to store, transmit or access other personally identifiable sensitive information:
This information includes personally identifiable grades and other enrollment information, salary and other financial information, social security number, addresses, phone numbers as well as other information of a personal nature. Server devices in this category must use encryption as described above unless the device is maintained, used and accessed only in a highly secure, access controlled environment.
All servers and devices within the university's and departments' networks that are accessible from public networks, including internet commerce servers, payment servers, database servers and web servers, must be placed on dedicated server subnets and must use a hardwired network connection.
Wireless Network Access
All servers must use a hardwired network connection.
Protection from Malicious Software
All servers must -
Run real-time virus protection if such software is available for the computing device;
Utilize a hardware (preferred) and/or software firewall either for the server or for a dedicated network server subnet;
Use spyware protection and detection programs, if available;
Disable, or set to manually start if occasionally used, all operating system and software services not required for the proper functioning of the server.
See IS PS014 Protection from Malicious Software.
Data Backup and Recovery
Files containing valuable information must be backed up (note that the university's network drives may be suitable for this process).
Backups must be performed on a regular basis.
Users are responsible for ensuring that backups or synchronization of sensitive and/or critical information on mobile devices are performed regularly to prevent loss of data.
Backups must be maintained in a secure environment removed from the physical location of the server.
Backups should be encrypted and password protected and must be encrypted if custody of the backups is entrusted to either a third party (non-UofL personnel) or to personnel outside the university's hybrid covered entity in the case of ePHI.
Ability to successfully recover backup files must be tested periodically (at least every 180 days) and at the time of any significant hardware or software updates or changes to the system.
See IS PS015 Backup and Retention of Data, IS PS002 Business Continuity and Disaster Recovery.
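The measurable requirements scattered across the Technical and Physical Standards (patching at least every thirty days), Logical System Access (10-minute inactivity lock), Security and Integrity of Data (encryption for ePHI and other personally identifiable sensitive information, with the secure-facility exception), Wireless Network Access (hardwired connection), Protection from Malicious Software (firewall, real-time antivirus) and Data Backup and Recovery (off-site, encrypted backups with restore tests at least every 180 days) sections can be expressed as a single machine-checkable rule set run against a server inventory. The checker below is an added example and is not part of the policy or of any university tool; the inventory record layout, its field names, the "must"/"should" severity split and the two sample servers are all assumptions constructed for illustration.

```python
"""Compliance check for server inventory records against the Server Computing
Devices standards. Added example; record format and field names are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

MAX_PATCH_AGE = timedelta(days=30)           # patches at least every thirty days
MAX_RESTORE_TEST_AGE = timedelta(days=180)   # restore test at least every 180 days
RECOMMENDED_IDLE_LOCK_MINUTES = 10           # recommended inactivity lock
SENSITIVE_CLASSES = frozenset({"ephi", "pii"})  # both categories require encryption

Finding = Tuple[str, str]  # (level, message); level is "must" or "should"


@dataclass
class ServerRecord:
    """One inventory row (assumed layout, not a university format)."""
    hostname: str
    data_classes: Set[str] = field(default_factory=set)
    last_patched: Optional[date] = None
    idle_lock_minutes: Optional[int] = None   # None: no inactivity lock configured
    idle_lock_justified: bool = False         # documented system requirement for a longer timeout
    encrypted_at_rest: bool = False
    highly_secure_facility: bool = False      # the policy's exception to at-rest encryption
    wired_network: bool = True
    firewall: bool = False
    realtime_av: Optional[bool] = None        # None: no AV product exists for this platform
    backup_offsite: bool = False
    backup_encrypted: bool = False
    backup_custody: str = "unit"              # "unit", "outside_covered_entity" or "third_party"
    last_restore_test: Optional[date] = None


def check_server(rec: ServerRecord, today: date) -> List[Finding]:
    """Return every deviation from the standards for one server."""
    findings: List[Finding] = []

    def must(msg: str) -> None:
        findings.append(("must", msg))

    def should(msg: str) -> None:
        findings.append(("should", msg))

    # Patching cadence (Technical and Physical Standards)
    if rec.last_patched is None or today - rec.last_patched > MAX_PATCH_AGE:
        must("security updates older than 30 days")

    # Inactivity lock (Logical System Access and Security)
    if rec.idle_lock_minutes is None:
        must("no inactivity lock configured")
    elif rec.idle_lock_minutes > RECOMMENDED_IDLE_LOCK_MINUTES and not rec.idle_lock_justified:
        should(f"inactivity lock of {rec.idle_lock_minutes} min exceeds the 10 min "
               "recommendation without a documented system requirement")

    # Encryption of ePHI / PII at rest, honouring the secure-facility exception
    if (rec.data_classes & SENSITIVE_CLASSES and not rec.encrypted_at_rest
            and not rec.highly_secure_facility):
        must("sensitive data stored unencrypted outside a highly secure facility")

    # Network and malware protections
    if not rec.wired_network:
        must("server is not on a hardwired network connection")
    if not rec.firewall:
        must("no hardware or software firewall for the server or its subnet")
    if rec.realtime_av is False:          # None means no product exists, which the policy allows
        must("real-time virus protection is available but not running")

    # Backups (Data Backup and Recovery)
    if not rec.backup_offsite:
        must("backups not kept away from the server's physical location")
    if not rec.backup_encrypted:
        external = (rec.backup_custody == "third_party" or
                    (rec.backup_custody == "outside_covered_entity" and "ephi" in rec.data_classes))
        if external:
            must("unencrypted backups entrusted to custody outside the unit")
        else:
            should("backups are not encrypted")
    if rec.last_restore_test is None or today - rec.last_restore_test > MAX_RESTORE_TEST_AGE:
        must("no successful restore test within 180 days")

    return findings


def audit(records: List[ServerRecord], today: date) -> Dict[str, List[Finding]]:
    return {r.hostname: check_server(r, today) for r in records}


def must_count(findings: List[Finding]) -> int:
    return sum(1 for level, _ in findings if level == "must")


# Constructed sample inventory; hostnames and dates are invented for the example.
TODAY = date(2016, 3, 8)
GOOD = ServerRecord("ehr-db-01", {"ephi"}, last_patched=date(2016, 2, 20), idle_lock_minutes=10,
                    encrypted_at_rest=True, firewall=True, realtime_av=True, backup_offsite=True,
                    backup_encrypted=True, last_restore_test=date(2015, 12, 1))
BAD = ServerRecord("dept-web-02", {"pii"}, last_patched=date(2015, 12, 15), idle_lock_minutes=30,
                   wired_network=False, firewall=True, realtime_av=False, backup_offsite=True,
                   backup_custody="third_party")

if __name__ == "__main__":
    for host, found in audit([GOOD, BAD], TODAY).items():
        print(host, "compliant" if not found else f"{must_count(found)} must / {len(found)} total")
        for level, msg in found:
            print(f"  [{level}] {msg}")
```

Treat "must" findings as blocking and "should" findings as items for the unit's documented procedures; a server whose only deviation is a longer idle lock backed by a documented system requirement comes back clean, which is the exception the policy itself allows.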
E-Mail, Calendar and Personnel/Group Scheduling Servers - Additional technical standards
Systems designed to perform email, calendaring or scheduling must automatically inter-operate with the university furnished enterprise solution for these tasks. This includes all university schools, divisions, and other affiliated entities.
E-mail must flow in a timely fashion between the systems and remain within the university's network while doing so.
Calendar and personnel/group scheduling functions must work in both directions so that personnel using the Enterprise system or personnel using a specific school, administrative division or other university entity solution are able to transparently review personnel availability, schedule meetings, and related expected functions.
Policy Authority/Enforcement: The university's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with university leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / July 23, 2007 / Original Publication
1.1 / January 29, 2013 / Content Review
1.2 / September 24, 2014 / Content Review
2.0 / March 8, 2016 / Content review and update to new template
Reviewed Date(s): September 24, 2014, March 8, 2016
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION: Vice President for Risk, Audit, and Compliance
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.