Server Security Policy - Institute of Education

Document Status
Security Classification: Level 4 - PUBLIC
Version: 1.0
Status: DRAFT
Approval:
Life: 3 Years
Review: By June 2013
Owner: Secure Research Database Analyst
Retention:
Change History
Contents
Server Security Policy
Document Status
1. Introduction
2. Scope
3. Physical Security
4. Environmental Controls
5. Logical Security
6. Controls against Malicious Code
7. Software
8. Monitoring
9. Clock Synchronisation
10. Backup
11. Hardware Warranties and Replacement
12. Disposal
1. Introduction
1.1 Servers purchased, installed and maintained by the Institute of Education provide the platform for all its IT systems and services. The physical and logical security of IOE servers is consequently a vital component in guaranteeing the confidentiality, integrity and availability of IOE’s data.
2. Scope
2.1 This policy applies to all authorised servers hosted within the Institute of Education.
2.2 This policy also applies to Storage Area Networks hosted within the IOE.
3. Physical Security
3.1 All servers will be hosted within dedicated server rooms.
3.2 All server rooms will have secure perimeters.
3.3 All server rooms will have access restricted by Access Control and additionally by barrel-lock keys. Access will be limited to members of IT Services engaged in server, network and telecommunications installation and maintenance work.
3.4 The IOE currently has 3 dedicated server rooms, situated at Level 3 in the 20 Bedford Way building, Level 6 in the 20 Bedford Way building and in the basement of 59 Gordon Square.
3.5 All servers will be marked with an individual system tag and the server name.
4. Environmental Controls
4.1 All servers will be protected from surges, spikes, sags or brownouts in the electricity supply by the use of Uninterruptible Power Supplies.
4.2 All servers will be protected from excessively high or low temperatures by temperature control.
4.3 All servers will be protected from excessively high or low humidity by humidity control.
4.4 All servers will be situated in racks, raising them above ground level and therefore reducing the likelihood of damage through flooding.
4.5 Server room air conditioning equipment will be fitted with dust filters.
4.6 All environmental control equipment will be regularly maintained.
5. Logical Security
5.1 Access to server operating systems shall only be granted to the Systems Support Group (SSG) and authorised third party suppliers.
5.2 Access to applications and storage spaces shall be tightly controlled by the use of Access Control Lists.
5.3 Remote access to server operating systems shall only be granted by default to SSG. Remote access may be granted to other authorised users on a case-by-case basis, where the request is made by the head of department/faculty and where the request is appropriate and necessary.
5.4 User access, where facilitated, will be provided on a basis of least privilege, tight Group Policy implementation, granular NTFS access controls and limited access to programs.
5.5 Use of utility programs is restricted to members of the Systems Support Group.
5.6 Servers will, where possible, sit on a restricted subnet, with access to other subnets only being granted via firewall.
5.7 Normally server operating systems will not be remotely accessed by external suppliers (see Remote Access Policy).
5.8 Desktop sessions on a server will automatically lock after being inactive for 10 minutes.
5.9 Desktop server sessions will only be available by encrypted Remote Desktop Protocol connections. As large processing jobs need to be undertaken within sessions, inactive sessions shall not shut down, nor will a restriction on connection times be imposed. The only way a session can be reconnected is by re-authentication of the appropriate user account.
5.10 Server software and firmware will be patched in a timely manner. Non-critical and test systems will be patched first to test system and application operability.
6. Controls against Malicious Code
6.1 Anti-virus software will be installed on every server and kept up-to-date.
6.2 All servers will sit behind firewalls.
6.3 User access to server desktop environments, where required for remote desktop purposes, will be tightly controlled by Group Policy in order to block access to system programs, tools, files and processes. User access will have no administrative rights, installation rights or elevated privileges.
6.4 Internet Explorer will only run in Enhanced Security Configuration mode.
6.5 The servers will run different anti-virus software to workstations.
7. Software
7.1 All software on servers must be authorised and requested by system owners.
7.2 Software on servers must only be installed by the Systems Support Group or, if granted permission in writing by the system owner, a third party.
7.3 All software installations, updates and removal will be subject to the IOE’s Change Management Policy.
7.4 Regular reviews of software and data content on servers classed as mission critical must be carried out. The responsibility to initiate reviews lies with the system owner.
7.5 Unauthorized software or data will be removed.
8. Monitoring
8.1 Server status and Operating System performance, including system resource usage and bandwidth usage, shall be monitored.
8.2 Server hardware status shall be monitored.
8.3 Audit logs shall record user activities, exceptions and information security events. System administrator and system operator activities shall also be logged.
8.4 Logs will be held for 30 days and then deleted on a rolling basis.
8.5 Audit log information is only accessible by domain administrators.
8.6 Domain Controller logs will be exported and held on a separate server.
9. Clock Synchronisation
9.1 IOE Domain controller servers will be synchronised with an authoritative external time source – the JANET NTP time servers.
9.2 Other servers will synchronise with the IOE domain controller servers.
10. Backup
10.1 All IOE servers are backed up nightly.
10.2 A differential backup is taken each night. A full backup is taken each weekend.
10.3 Nightly backups are stored for 1 week. Weekly backups are stored for 1 month. Monthly backups are stored for 1 year. Yearly backups are stored indefinitely.
10.4 Backups are to be considered a disaster recovery measure. They are not provided to restore user-deleted data.
11. Hardware Warranties and Replacement
11.1 All servers must be purchased by the relevant project, department or faculty for whom the server is required.
11.2 By default all IOE servers are provided with 3 years warranty.
11.3 Warranties may be extended for a further two years (up to a maximum of five years from the point of purchase).
11.4 Hardware failures on in-warranty servers will be subject to a 4 hour working day replacement service, after fault diagnosis and reporting has occurred.
11.5 At the point of warranty expiration, physical servers shall be replaced.
11.6 Full provision must be made by all projects, departments and faculties to fund the replacement of their servers, at the point of warranty expiration, through the server replacement budget.
11.7 All production servers must be in warranty.
12. Disposal
12.1 When servers are removed from service, their hard drives will be removed and degaussed before disposal.
12.2 Memory will also be removed from the chassis.