Purpose

The purpose of this policy is to define standards, procedures, and restrictions for new servers being installed on [ITT Tech High School]'s internal network(s) or related technology resources by any means. This includes, but is not limited to, the following:

• Internet servers (FTP servers, Web servers, Mail servers, Proxy servers, etc.).
• Application servers.
• Database servers.
• File servers.
• Print servers.
• Third-party appliances that manage network resources.

This policy also covers any server device outsourced, co-located, or hosted at external/third-party service providers, if that equipment resides in the "[ITT Tech High School].com" domain or appears to be owned by [ITT Tech High School].

The overriding goal of this policy is to reduce operating risk. The [ITT Tech High School] Server Configuration Security Policy will:

• Eliminate configuration errors and reduce server outages.
• Reduce undocumented server configuration changes, which tend to open up security vulnerabilities.
• Facilitate compliance with the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley, which require companies to institute IT controls and demonstrate that the controls are working.
• Protect corporate data, networks, and databases from unauthorized use and/or malicious attack.

Therefore, all new server equipment that is owned and/or operated by [ITT Tech High School] must be provisioned and operated in a manner that adheres to company-defined processes for doing so.

Scope

This policy applies to all [ITT Tech High School] company-owned, company-operated, or company-controlled server equipment. Addition of new servers within corporate facilities will be managed at the sole discretion of IT. Non-sanctioned server installations, or use of unauthorized equipment that manages networked resources within the organizational campus, are strictly forbidden.

Responsibilities

The VP Finance of [ITT Tech Corporate] has the overall responsibility for the confidentiality, integrity, and availability of corporate data. The VP Finance of [ITT Tech Corporate] has delegated the execution and maintenance of IT and Information Systems (IS) to the Director, Information Technology. Other IT and IS staff under the direction of the Director, Information Technology are responsible for following the procedures and policies within IT and IS. All [ITT Tech High School] employees have the responsibility to act in accordance with company policies and procedures.

Supported Technology

All servers will be centrally managed by [ITT Tech High School]'s IT department and will utilize approved server configuration standards. Approved server configuration standards will be established and maintained by [ITT Tech High School]'s IT. All established standards and guidelines for the [company name] Information Technology environment are documented in the Information Technology Standards and Guidelines. IT has established processes for documenting and changing the Information Technology Standards and Guidelines.

Notwithstanding the "Information Technology Standards and Guidelines", the following outlines [ITT Tech High School]'s minimum system requirements for server equipment supporting [ITT Tech High School]'s systems. OS configuration must be in accordance with the approved Information Technology Standards and Guidelines (reference: Computing Resources, Section 9 – Server Operating Systems).

• Services and applications that are unused must be disabled, except where approved by IT Security.
• Access to services must be logged or protected through appropriate access control methods.
• Security patches must be installed on the system as soon as possible through [ITT Tech High School]'s configuration management processes.
• Authorized users must always apply the standard security principle of Least Required Access (least privilege) to perform a function.
• System administration and other privileged access must be performed through IPSec or Secure Shell (SSH) connections.
• All [ITT Tech High School] servers are to be located in access-controlled environments.
• All employees are specifically prohibited from operating servers in environments with uncontrolled access (e.g. offices).

Server equipment that does not currently meet these minimum requirements will be removed from the network immediately and must be upgraded before its use can be sanctioned by IT. This policy is complementary to any previously implemented policies dealing specifically with security and network access to the enterprise network.

Policy

It is the responsibility of any employee of [ITT Tech High School] who is installing or operating server equipment to protect [ITT Tech High School]'s technology-based resources (such as corporate data, computer systems, networks, databases, etc.) from unauthorized use and/or malicious attack that could result in loss of information, damage to critical applications, loss of revenue, and damage to our public image. Based on this, the following rules must be observed:

1. Equipment must be documented in [ITT Tech High School]'s server management system. The following information must be maintained:
   a. Host contact information and location of server equipment.
   b. Server hardware and operating system/version.
   c. Server equipment purpose/function and applications.
   d. Password groups for privileged passwords.
2. Passwords on server equipment must be maintained in accordance with [ITT Tech High School]'s Password Policy.
3. Changes to existing server equipment must follow [ITT Tech High School]'s change management processes/procedures.
4. Deployment of new server hardware, operating systems, services, and applications must be reviewed by IT Security as part of [ITT Tech High School]'s change management processes/procedures.
5. Server equipment operating systems must only be installed from a [ITT Tech High School]-approved source. Server equipment must operate with only licensed versions of the operating system and software.
6. All patches/hot-fixes released by vendor(s) must be installed. This applies to all services installed on the server equipment, even where those services are temporarily or permanently disabled.
7. IT must have automated processes in place to ensure [ITT Tech High School]'s server equipment remains current with appropriate patches/hot-fixes.
8. All services and applications that are unused or not serving business requirements must be disabled, except where approved by IT Security.
9. Remote system administration (through privileged access) must be conducted using SSH or IPSec connections, or direct console access independent from DMZ networks.
10. All system, application, and security-related events on server equipment must be logged, with log files archived. Archival of server event logs will meet the following minimum practice (or better where compliance with specific legislation is required):
   a. All server event logs will be kept online for a minimum of one week.
   b. Daily backups of event logs will be retained for at least one month.
   c. Weekly backups of event logs will be retained for at least one month.
   d. Monthly backups of event logs will be retained for a minimum of two years.
11. Security-related events will be reported to [ITT Tech High School]'s IT manager, who will review logs and initiate security incident processes as appropriate.
12. [ITT Tech High School] will perform audits of server equipment on a regular basis using either internal or external auditing resources. Audits will be managed by [VP, Finance] in support of [ITT Corporate]'s Audit Policy.
13. IT will ensure that the configuration of server equipment outsourced, co-located, or hosted by external/third-party service providers is defined in the contract with the service provider. At a minimum the definition must document:
   a. Host contact information and location of server equipment.
   b. Server hardware and operating system/version.
   c. Server equipment purpose/function and applications.
   d. Configuration change management processes.
   e. Back-up requirements.
   f. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
   g. Escalation procedures.
14. Any questions relating to this policy should be directed to [Name(s)] in IT, at [phone number(s)] or [e-mail address(es)].
15. IT reserves the right to isolate or otherwise disable, without notice, any server equipment that has been compromised by an attacker or otherwise places the company's systems, data, users, and clients at risk, as documented in the IT Security Incident Policy.

Non-Compliance

The (i) Vice-President Finance, (ii) Chief Operating Officer, and (iii) immediate Manager or Director will be advised of breaches of this policy and will be responsible for appropriate remedial action, which may include disciplinary action, including suspension or termination of employment.
