ITCS System Assessment

System Name:
Server Names:
Assessment Date:
Tech Excel Ticket:

Contact Information
Department requesting this system:
Contact name/phone/alternate:
Director name/phone:
Primary sysadmin (OS / Apps) name/phone:
Alternate sysadmin (OS / Apps) name/phone:
Vendor contact name/phone:

System Information
Purpose:
Incept date:
IP address:
OS-bits:
Function: File / Web / Application / Database / Print / Test
Type: Physical / Blade / Appliance / VM / Replicated VM
Status: New / Current / Replacement / Repurposed / Temp
Location: Cotanche / GE99/101 / Other:
Antimalware: Symantec / None
Web server: IIS / Apache / Tomcat / JBoss
Database: SQL / Oracle / MySQL / Access / Other:
Version:
Size:
Server:
E-Commerce/POS:
Other applications:
Remote admin access: VPN / Other:
System unit manufacturer/model:
Processor:
Memory:
Storage:

ITCS Internal Information
ITCS Internal Server
MOU Required: Yes / No
MOU Service Level: Platinum / Gold / Silver / None
Department DR documentation required: Disaster Recovery Plan / Business Continuity Plan
Communicates with Banner: Yes / No
AD container required:

System Support Providers

Areas of Responsibilities                 ITCS   Dept   Vendor   Comments   Review
Hardware (Data Center)
    Environmental Controls
    Physical Controls
    Repairs/Warranty Service
Operating System (Systems)
    Configuration/Provision
    Management/Patching
    Log Monitoring/Retention
Applications (Apps Team)
    Configuration
    Management
    Patching
Database (DBA Team)
Data Backup (SAN Team)

Note: ITCS support is provided for Departmental Servers on a “best effort” basis contingent on available ITCS resources from 8am to 5pm Monday through Friday, not including holidays. This support does not extend to operating systems or applications not routinely supported by ITCS. ITCS Weekend and On-Call Support is not available for Departmental Servers. Emergency notifications can be made to the Enterprise Operations Center (EOC) at 328-9160.

Page 1 of 6

Data Types Stored on Server(s)
    No data stored on this server.
    Personal identifiers (SSN, Banner ID, Driver License)
    Student information (grades, employment info, requires FERPA compliance)
    Personal health information (requires HIPAA compliance)
    Credit card (requires PCI compliance)
    Non-sensitive data

Client Authentication and Access to Server/Data
Authentication: No direct client access / Domain ID / Application ID
Access: From the ECU campus network / From the Internet via the ECU campus network / Dedicated ECU VLAN / Dedicated stand-alone network

ITCS Automated Data Backup
Frequency: None / Daily / Weekly / Monthly / Other / TBD
Backup size:
Backup Objects: Entire system / VMDK / OS / Client software
    Applications: location =
    Database: type and location =
    General data: location =

Networking Information (Mandatory)
Firewall: None / Hardware / Software (host-based)

Automated Vulnerability Scanning: Yes / No
Asset Group: Enterprise / Departmental / Other:
Group Manager:
Scanners:

Charges
The department requesting servers or ITCS data backup must provide a FOAP to purchase:
    virtual or blade servers
    Operating System
    storage and backup space
    backup software for physical or blade servers (including annual maintenance fee for backup software when due)
    automated vulnerability scanning required by ECU Internal Audit ($50 per server for 5 years)

Server Items                              Cost
Server: ____ proc, ____ GB RAM
Storage: ____ GB
Backup: ____ GB
Operating System                          N/C
Argent status monitoring                  400.00
Vulnerability Scanning                    50.00
Total Server Cost

Server Items                              Cost
Server: ____ proc, ____ GB RAM
Storage: ____ GB
Backup: ____ GB
Operating System                          N/C
Argent status monitoring                  400.00
Vulnerability Scanning                    50.00
Total Server Cost

Total FOAP Charge                         0.00

Departmental FOAP: ______________________________________

Approved by: ________________________________________   ___________________________________________
             Name (print)                               Signature

Notes
1.
Service Support Agreement and Approval

Certifications
Servers connected to the ECU campus data network must have a server assessment performed by ITCS to verify compliance with applicable University, state, and federal requirements. Requests for new servers must have an approved assessment before purchase or connection to the ECU data network.

Technical Support for Departmental Servers
Departments are responsible for providing a qualified full-time system administrator responsible for the operating system, applications, data, and security controls on their Departmental Servers. ITCS technical support is available to Departmental Server Administrators on a “best effort” basis contingent on available ITCS resources from 8am to 5pm Monday through Friday, not including holidays. This support does not substitute for a full-time qualified departmental system administrator or extend to operating systems and applications not routinely supported by ITCS. ITCS Weekend and On-Call Support is not available for Departmental Servers.

Requesting ITCS Assistance
Request ITCS assistance by contacting the IT Help Desk (328-9866) or by visiting the Help Desk website at http://www.ecu.edu/9866 . Emergency notifications can be made to the Enterprise Operations Center (EOC) at 328-9160.

Hardware Hosting
ITCS will provide servers physically housed in the ITCS Data Centers located in the Cotanche building and Brody GE99/GE101 with conditioned power, temperature, and humidity controls, fire suppression systems, and monitor the physical security of servers. EOC staff will provision all network, electrical, and environmental services to the Data Center and equipment racks where departmental servers are installed. EOC Staff will monitor the following within the Data Center 24x7, excluding Thanksgiving and Christmas Day: network connectivity, electrical supply, environmental services, blade chassis, and ESX servers hosting virtual servers.
Network Support
Standard network connections are provided for authorized installed equipment and monitored for traffic throughput. By default, all IP ports are closed until the department explicitly lists all ports required for proper operation of the server. Connectivity support is available 8am to 5pm Monday through Friday (holidays not included). After hours issues will be resolved next business day. Security breaches may result in disconnection of the server from the network by ITCS Network Administration.

Security Controls and System Administration
Connecting an unpatched or unsecured server to the ECU network is prohibited. The person or department deploying the server will be held responsible for the server’s contents and any detrimental effect the server causes on the ECU network or Internet. The following requirements are mandatory (exceptions must be granted in writing by the Director of IT Security and renewed annually):

1. All servers must be assessed by ITCS before purchase, implementation, or connection to the ECU network. Contact the IT Help Desk (328-9866) and open a Service Request for a server assessment.

2. Servers must be managed by a qualified system administrator (sysadmin) properly trained in the maintenance and security of the server, its operating system, its applications, and its data.

3. Servers must run operating systems and applications that are fully supported by their manufacturers with regularly issued security patches and upgrades. Servers running outdated unsupported operating systems or applications are prohibited from connecting to the ECU network.

4. All Windows or Macintosh servers connected to the ECU data network must run the latest version of Symantec antimalware software, installed and configured to automatically update at least daily (continuous updates are strongly recommended). If Symantec antimalware software cannot run due to conflicts with other applications, the Department must apply for and receive written authorization from the Director of IT Security before the server is connected to the ECU network.

5. Whenever applicable, servers, their contents, and their functions must adhere to all state and federal regulations (e.g., HIPAA, FERPA, GLBA), industry regulations (e.g., PCI), ECU Computer Use Policy, ECU Network Use Policy, and ISO 27000 series standards.

6. ITCS may scan any device (including servers) connected to the ECU data network for vulnerabilities and/or to verify compliance. If a networked device is non-compliant, it may be taken out of production or removed from the ECU network until compliance is verified.

7. Before connecting any server to the ECU network:
   a. The operating system administrator must request a static IP address and firewall rules for the server by opening a Service Request with the IT Help Desk. Firewall rule requests must contain an explicit listing of all IP ports needed for proper operation of the server and its applications. By default, all IP ports are closed.
   b. If possible, the operating system and all applications must be configured to automatically install all available security updates at least monthly. If automatic installation is not possible, all available security patches must be installed within 30 days of their release by the assigned sysadmin.
   c. Auditing must be enabled and properly configured in the operating system.
   d. Auditing should be enabled and properly configured in all applications, if available.

8. As soon as the server is connected to the ECU network and before it is put into testing or production:
   a. The operating system and all installed applications must be updated with all available security patches.
   b. On Windows and Macintosh computers, Symantec antimalware software must be installed, configured, enabled, and updated with the latest patches and virus signatures as required by the ECU Antivirus Policy.
   c. On Windows computers, the latest version of Microsoft Baseline Security Analyzer must be installed and run. All security issues noted in the MBSA report must be corrected immediately.
   d. All default passwords for software on the computer or accessed by the computer must be changed, adhering to complexity requirements defined by the ECU Password Strength Policy. These passwords must be changed every 90 days thereafter as required by the ECU Password Strength Policy.
   e. If the above steps cannot be completed immediately, the computer must be disconnected from the ECU network immediately until it can be patched and secured against unauthorized access as required by ECU Computer Use Policy, Network Use Policy, and Antivirus Policy.

9. After the server is in production:
   a. All passwords must be changed at least every 90 days adhering to complexity requirements defined by the ECU Password Strength Policy.
   b. On Windows computers, the Microsoft Baseline Security Analyzer should be run regularly and whenever the system configuration is patched/modified to ensure the changes have not introduced vulnerabilities.
   c. All patches available for the operating system or applications must be installed within 30 days of their availability.
   d. All files on the server should be scanned regularly by the Symantec antimalware software previously installed on Windows and Macintosh systems.

10. If the server is suspected of being compromised:
   a. It must be disconnected from the network immediately and remain disconnected until it has been authorized for reconnection by ITCS.
   b. The sysadmin must contact the IT Help Desk and open a service ticket to have the server evaluated for compromise.
System Lifecycles
Physical servers should be replaced or removed from service when their factory warranties expire. ITCS will not support servers with expired hardware warranties. Virtual servers have a 5-year lifecycle from the date of provisioning. When the lifecycle ends, the server must be re-funded by the original funding entity to subsidize the replacement of hardware hosting the virtual servers.

Departmental Responsibilities
1. Provide a qualified full-time system administrator responsible for the operating system, applications, data, and security controls on their Departmental Server.
2. Assist in the investigation of security incidents involving their servers.
3. Adhere to procedures and policies consistent with industry best practices (e.g., PCI, ISO 27000 series, system security), ECU Policies and Standards, and state and federal statutes (e.g., NC Identity Theft Protection Act, HIPAA, FERPA) that apply to their servers.
4. Notify IT Security if the server receives, stores, or transmits sensitive data (e.g., Social Security numbers, credit card numbers, student data, patient information) prior to server installation.
5. Ensure vendor applications meet minimum security requirements consistent with the protection of the type of data received, stored, or transmitted.
6. Provide an accurate list of files to be backed up, if ITCS is providing data backup services.
7. Provide funding for data backup software, including annual maintenance fees, if ITCS is providing data backup services.

All parties agree to maintain the specifications listed herein for the named server(s). Any change that can alter the security or compliance of the server(s) must be reviewed by all parties below before the modification is purchased or implemented. ITCS will review this assessment as needed or when the equipment is replaced. By signatures below, the purchase, installation and operation of the named server(s) is approved.
Departmental Representative (Chair/Dean or Manager/Supervisor of Department)

_________________________________________________   _________________________________________________   _________________________________________________   ______________________________
Name (print)                                        Signature                                           Title                                               Date

Director, IT Infrastructure or Designate

Thomas L. Lamb                                      _________________________________________________   Director, IT Infrastructure                         ______________________________
Name                                                Signature                                           Title                                               Date