The purpose of this policy is to establish standards for base server configurations owned and/or operated by CCIT. As well as serve as an operating guide for CCIT System Administrators.
This policy applies to equipment owned or operated by CCIT, or entrusted to CCIT by any third party via appropriate SLA's, MOU's or other serviceable agreement. This policy does not apply to any test bed equipment that does not represent a privacy or security risk. Should other exclusions to this policy be necessary, internal exclusions to this policy will be documented and approved for reason while external exclusions of any related equipment that is housed by CCIT for a third party will be documented along with transfer of responsibility via the SLA, MOU or similar agreement.
1.0 All server equipment must be associated with a CSO operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and security requirements. Operational groups should monitor systems for configuration compliance and implement exception guidelines tailored to their environment. Each operational group must establish a process for changing the configuration guides, which will include review and approval by CSO management, and the Office of Information Security and Privacy. The following configuration guides will be recognized as attachments to this governing policy.
2.0 All server equipment must be registered in the Configuration Management Database (CMDB). The following information is required to properly identify the server.
2.1 Owning Operational group
2.2 Customer contact if it is a hosted system
2.3 Hardware model and Operating System version
2.4 Main functions and applications
2.5 Patch update schedule (normal, manual, other)
2.6 Regulatory compliance (if applicable - PCI, HIPPA, etc.)
2.7 Information in the CMDB must be kept up to date. Configuration changes must follow documented change management procedures.
3.0 Global Configuration Guidelines.
3.1 Services and applications that will not be used must be disabled where practical.
3.2 The most recent security patches must be installed on the system as soon as practical.
3.2.1 Documentation and justification of non-compliance to updated patches must be kept and made available when requested.
3.3 Privileged access using root or administrator accounts will only be used when the use of non-privileged accounts is not practical.
3.3.1 Root activity shall be documented
3.4 Servers will be installed in accordance with methods approved by CSO's HWA group.
3.5 All equipment to which this policy applies shall be housed in a controlled access CCIT data center.
3.6 No system to which this policy applies shall be accessed with elevated privileges from a public area or an unsecured network.
3.7 Where possible an approved system-warning banner should be used when users access systems.
4.0 Event Monitoring
4.1 Security related events on systems deemed critical or sensitive must be logged and audit trails saved as follows:
4.1.1 Security related logs will be kept for one year
18.104.22.168 Exceptions will be documented
4.1.2 Tape backups, daily incremental and full, will be kept for a minimum of 42 days. Because of automated processing cycles, some data may remain available for up to 62 days.
4.1.3 Logs will be sent to a SIEM for OISP monitoring of security events.
4.2 Security related events will be reported to OISP for evaluation before actions are taken to repair the system. Corrective measures will be a collaborative effort of the responsible operational group and OISP following an incident response plan. Security related events include, but are not limited to:
4.2.1 Denial of Service.
4.2.2 Evidence of unauthorized access.
4.2.3 Evidence of services or applications that are not related to the intended service of the system.
Communications (who needs to know, who does it affect or apply to)
This policy applies to equipment owned or operated by CCIT, or entrusted to CCIT by any third party via appropriate SLA's, MOU's or other serviceable agreement and therfore applies to any/all University staff, faculty, administrators, officers and students (collectively, "users"), including those in partnership with Clemson University through affiliations, recognized vendors and/or those operating under contractual obligations with CCIT who CCIT maintains a relationship with for the purposes of maintaining servers under the control or possession of CCIT.
Violations of this policy, and its attachments, will be reported to the manager and director of the responsible operational group. The university will impose disciplinary sanctions on employees who violate the above policy. The severity of the imposed sanctions will be appropriate to the violation and/or any prior discipline issued to that employee.
Audit trail - A chronological sequence of records containing system activity and usage.
CSO -- Computer Systems and Operations
CCIT Data Center -- climate-controlled, physically secured room(s) dedicated to the support of computer systems, network systems, or other related hardware. The CCIT Data Centers are located in the ITC and P&A buildings.
OISP - Office of Information Security and Privacy
RFC - Request For Change
Server equipment - Any computer system or IO device involved in monitoring, processing, or serving applications or data, exclusive of network equipment, such as switches and routers.
SIEM - Security Information and Event Management
System Administrator -- the person or persons responsible for technical and software support for the system in question.
References and Related Documents
Next Revision: May, 2011
Administrative Update: Feb 2, 2011
Approved, CCIT Executive Staff May 2010