Workstation/Server and Rogue Server Policies
The purpose of this policy is to define standards to be met by all equipment owned and/or operated by Faculty and Staff of the Kelley School of Business on the School’s network. These standards are designed to minimize the potential exposure to the Kelley School of Business from the loss of sensitive or confidential data, intellectual property, damage to public image, etc., which may follow from unauthorized use or misuse of Kelley School of Business resources.
All devices that are Internet facing and running on the Kelley School of Business network are subject to this policy.
The policy defines the following standards:
- Ownership responsibility
- Secure configuration requirements
- Operational requirements
- Change control requirement
All equipment or devices deployed on the Kelley School of Business network (including hosts, servers, switches, etc.) and/or registered in any DNS domain owned by the Kelley School of Business must follow this policy.
All new equipment which falls under the scope of this policy must be configured according to the referenced configuration documents, unless a waiver is obtained from Technology Operations & Services. All existing and future equipment deployed on the Kelley School of Business’ networks must comply with this policy.
3.1. Ownership and Responsibilities
Equipment and applications within the scope of this policy must be administered by support groups approved by Technology Operations & Services for system, application, and/or network management.
Support groups will be responsible for the following:
- All deployed equipment must be documented. At a minimum, the following information is required:
  - Host contacts phone numbers (office and home) and physical location of equipment.
  - Hardware and operating system/version.
  - IP Addresses and DNS Hostnames.
  - Main functions and applications deployed.
- Immediate access to equipment and system logs must be granted to members of Technology Operations & Services upon demand, per the Audit Policy.
- Changes to existing equipment and deployment of new equipment must be documented and approved by Technology Operations & Services.
To verify compliance with this policy, Technology Operations & Services will periodically audit equipment per the Audit Policy.
3.2. General Configuration Policy
All equipment must comply with the following configuration policy:
- Hardware, operating systems, services and applications must be approved by Technology Operations & Services as part of the pre-deployment review phase.
- Operating system configuration must be done according to the secure host installation and configuration standards set by the benchmarks published by The Center for Internet Security http://www.cisecurity.org/.
- All patches/hot-fixes recommended by the equipment and software vendors and Technology Operations & Services must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
- Services and applications not serving business requirements must be disabled.
- Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by Technology Operations & Services and be in compliance with any UITS policies regarding such relationships.
- Services and applications not for general access must be restricted by access control lists.
- Insecure services or protocols (as determined by Technology Operations & Services) must be replaced with more secure equivalents whenever such exist.
- Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the networks. Where a methodology for secure channel connections is not available, one-time passwords (DES/SofToken) must be used for all access levels.
- All host content updates must occur over secure channels.
- Security-related events must be logged and audit trails saved to Technology Operations & Services-approved logs. Security-related events include (but are not limited to) the following:
  - User login failures.
  - Failure to obtain privileged access.
  - Access policy violations.
- Technology Operations & Services will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.
3.3. New Installations and Change Management Procedures
All new installations and changes to the configuration of existing equipment and applications must adhere to the following policies/procedures:
- Technology Operations & Services must be invited to perform system/application audits prior to the deployment of new services.
- Technology Operations & Services must be engaged to approve all new deployments and configuration changes.
3.4. Physical Location of Servers and Equipment
All servers not maintained by Kelley School of Business Technology Operations & Services staff are required to be registered with Technology Operations & Services and housed in the Special Purpose Server Room (SPSR). Any waivers for housing servers in an alternate location must be obtained from Technology Operations & Services and will be granted on a case-by-case basis.
3.5. Special Purpose Server Room Policies
All equipment housed in the SPSR will adhere to the following guidelines:
- Anyone using the SPSR will not make use of any equipment for which they are not registered and responsible.
- All equipment in the SPSR will use only the data-jacks assigned to them by Technology Operations & Services.
- The key issued to individuals needing physical access to the SPSR will not be shared or transferred to any other party without the permission of Technology Operations & Services. Any person using such keys must be registered as a Support Group with Technology Operations & Services.
Any Faculty or Staff found to have violated this policy may be subject to financial penalties including, but not limited to, charges on personal or departmental RATS accounts for time and labor incurred by Technology Operations & Services in bringing such policies up-to-date.