IT Security Policy - Server Hardening Policy Template
Download Free IT Security Policy - Server Hardening Policy
Servers are depended upon to deliver data in a secure, reliable fashion. Data integrity, confidentiality and availability must be maintained. Servers must be installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service
The purpose of the Texas Tech Server Hardening Policy document is to describe the requirements for installation and operation of a server in a secure fashion, maintaining the security integrity of the server and application software.
The Texas Tech Server Hardening Policy applies to all individuals that are responsible for the installation of new Information Resources for research and business purposes, the operations of existing Information Resources, including but not limited to Custodians of IRs, and individuals charged with Information Resource Security.
Server Hardening Policy
A server must be registered and accepted by Texas Tech IT before it is connected to and operational on the Texas Tech network.
- At the time of registration and at periodic intervals thereafter, Owners and Custodians will be identified and registered with Texas Tech IT.
- At the time of registration, and at periodic intervals thereafter, all servers will be classified by the Owner or the Custodian on behalf of the Owner, as Mission Critical (MC) or Non-Mission Critical (NMC). If ANY information stored or processed by the server can be classified as MC, then the Server is MC.
- All servers, as Information Resources whether MC or NMC, are subject to the Texas Tech IT Acceptable Use and Network Access Policies.
- All servers, whether MC or NMC, are subject to the following rules:
- Only authorized software as defined in the Texas Tech Authorized Software Policy may be installed.
- Custodian(s) must implement a method of Identifying and Managing user accounts according to the Texas Tech Account Management and Special Access Policies.
- Custodian(s) will install and maintain current Anti-Virus software according to the Texas Tech Virus Detection Policy.
- All systems shall display a logon banner with warning statements
- Custodian(s) will take necessary steps to ensure that the Operating System (OS) is kept secure according to the current Standards for OS Platform Hardening maintained by the Texas Tech IT Division, including, but not limited to:
- Resetting of default passwords.
- Installation of security patches in a timely manner, or as required by the appropriate Texas Tech ISO.
- Deactivation and/or de-installation of unnecessary software or services.
- Activation of OS and application software security controls which establish protection of the server and data.
- Owners and/or Custodians must maintain a Business Continuity Plan commensurate with the impact of a failure or loss of the server, in accordance with the Texas Tech Backup-Business Continuity Policies.
- Servers classified as Mission Critical (MC) are subject to the following additional rules:
- Reside in a Physically Secure environment, according to the Physical Access security policies.
- Custodian(s) must implement appropriate Access controls and the corresponding documented approval procedures which assure the protection of data against unauthorized access.
- Custodian(s) must maintain auditing and security logs which record and archive security events necessary to fulfill the requirements of the Incident Response Policies.
- Custodian(s) will implement Change Control procedures which assure the integrity of data and applications, in accordance with the IT Change Control Policies.
- Custodian(s) will maintain any additional security controls such as Intrusion Detection software as specified by the ISO.
- Custodians of Mission Critical servers must:
- Have appropriate training and/or certification as specified by Texas Tech IT for the hardware and software.
- Have a Criminal Background Check performed and reviewed by the Owner before being given custodianship.
Texas Tech University Health Sciences Center Additions All servers are required to pass a vulnerability assessment performed by the TTUHSC ITS prior to use. Administrators are required to correct all network/operating system vulnerabilities identified as high or medium risk during the vulnerability assessment. Examples of medium or high risk issues would include:
a) Accounts with blank or weak passwords
b) Outdated version or patch levels of server software and services.
TTUHSC will monitor the release of security patches and routinely monitor to ensure systems are in compliance. Failure to comply with patch guidelines can result in server(s) being removed from the network.
TTUHSC IT will perform due diligence in testing security patches before release when practical.
Texas Tech University System Additions None.
Violation of this policy may result in disciplinary action as described by either institutional Operating Policies regarding Employee Conduct, Discipline and Separations, or the Student Affairs Handbook.