IT SERVER SECURITY POLICY

Date first approved:

17 March 2005

Date of effect:

17 March 2005

Date last amended:
(refer to Version Control Table)

Date of Next Review:

December 2021

First Approved by:

University Council

Custodian title & e-mail address:

Cyber Security Manager

sah@uow.edu.au

Author:

Cyber Security Manager, Infrastructure, IMTS

Responsible Division & Unit:

Information Management & Technology Services (IMTS)

Supporting documents, procedures & forms of this policy:

Cyber Security Policy

Relevant Legislation & External Documents:

Audience:

Public

1 Purpose of Policy

    1. The purpose of this policy is to outline practices for administering servers that will ensure an acceptable risk posture against real-world threats. The aim is to defend servers against cyber security threats in a practical and pragmatic manner.

2 Definitions

Word/Term

Definition (with examples if required)

Cyber Security Team

Capability appointed by the Director, IMTS. Responsibilities of the Cyber Security Team are outlined in the Cyber Security Policy.

Director, IMTS

Director, Information Management & Technology Services

NTP

Network Time Protocol

Server

A computer or device which provides services over a network and is configured to allow access by multiple users. The following examples qualify as a server under this definition for the purpose of this policy:

  • A physical or virtual server running in a University data centre offering a web application component
  • A desktop computer with file sharing enabled that is accessed by a number of people
  • A building controller device that is accessed over the network by a management server
  • A virtual server instance running in a public cloud that is operated by or for the University

Service

A data storage, manipulation, presentation, communication or other capability which is implemented using a client-server or peer-to-peer architecture based on network protocols running at the application layer of a network. For example, any web-based application, which may be supported by several Servers providing front-end and back-end data processing and storage.

Service Owner

An individual role within the University who is nominated to assume responsibility for a Service and is authorised to make business decisions with regard to the service.

Server Administrator

An individual role or team who is nominated to administer particular servers. Must have sufficient technical skills and experience to ensure Servers are supported and administered properly. This may include third party support arrangements.

Server Registry

An information system maintained by Information Management & Technology Services in the style of a configuration management database that documents servers in scope of this policy.

University

University of Wollongong and controlled entities

University Network

The network infrastructure used by the University including all network services on main campus, satellite campuses, and controlled entities.

3 Application & Scope

    1. This Policy applies to:

      a. Servers that are connected to a University network; and

      b. Servers that are operated for or on behalf of the University regardless of which network they are connected to.

    2. This policy does not apply to Services procured under the “software as a service” model, but does apply to other cloud procurement models such as “infrastructure as a service” and “platform as a service”, where the University or its supplier administers the operating system.

4 Policy Principles

Server Registry

    1. An inventory of Servers (‘Server Registry’), in the style of a configuration management database, will be maintained to assist with applying this policy. The Server Registry documents each Server’s compliance status, operating system platform, the Services it supports, and the application software in use.

Ownership and Responsibility

    2. An individual role within the University is nominated and assumes responsibility for each Service (‘Service Owner’) and is authorised to make business decisions for the Service.

    3. The Service Owner must nominate an individual role or team to administer the Servers (‘Server Administrator’) that provide the Service. They must have sufficient technical skills and experience to ensure the Servers are supported and administered properly. This can include third party support arrangements.

Secure Operating System and Software

    4. The Server's operating system and other software must be configured to prevent security weaknesses, both at initial deployment and on an ongoing basis.

    5. Critical security patches must be applied within 30 days of release from the vendor.

    6. The requirements of clauses 4.4 and 4.5 can be achieved with the following practices (clause 4.4 through practice (a), clause 4.5 through practices (b) and (c)):

      a. using an industry-standard checklist to configure the operating system and software, for example the SANS Security Consensus Operational Readiness Evaluation (SCORE) checklists at http://www.sans.org/score/. This process is often referred to as hardening and involves such things as disabling unnecessary accounts, disabling unnecessary services, configuring non-executable stacks and heaps, enabling host-based firewalls and so forth;

      b. implementing automated patching tools and processes that ensure security patches are installed for both applications and for operating system software; or

      c. moving to the latest software versions when old versions are no longer supported with patches.

Data Recovery Capability

    7. At minimum, the data associated with the Service needs to be recoverable in the event of an incident or disaster. Processes and tools must be used to properly back up important data, and a methodology for timely recovery must be proven.

    8. This backup methodology must be tested by the Service Owner at least annually. If the same backup system is used for a number of applications at least one of these applications must be recovery tested by the Service Owner annually.

Malware Defences

    9. Tools and processes are used to detect, prevent and correct installation and execution of malicious software on servers.

    10. This can be achieved with one or more of the following practices:

      a. implementing relevant specialist anti-malware software that provides anti-virus, anti-spyware, and host-based intrusion prevention;

      b. configuring servers to not auto-run content from removable media such as USB tokens, drives and DVDs etc; or

      c. enabling anti-exploitation features such as data execution prevention, address space layout randomisation, virtualisation / containerisation, etc.

Continuous Vulnerability Assessment and Remediation

    11. The Cyber Security Team is responsible for regularly scanning to detect vulnerabilities on servers and for communicating vulnerability assessments with the Service Owner and Server Administrator.

Limit and Control Network Ports, Protocols and Services

    12. The Server only runs network services, protocols and ports that are necessary to achieve its business purpose.

    13. This can be achieved with one or more of the following practices:

      a. disabling any service that is not needed and uninstalling it after 30 days; or

      b. applying a host-based firewall with a default-deny rule that drops all traffic except the services and ports that are explicitly allowed. If a Server is not accessed over the internet, a network firewall should prevent it from being visible from the internet.
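An added example, not part of the policy, of how a Server Administrator might check clause 4.12 and produce the default-deny host firewall of clause 4.13(b): it parses a constructed `ss -tuln` listing, flags every network-exposed listener that a hypothetical allowlist does not justify (loopback-only sockets are reported as not exposed), and renders an nftables ruleset that opens only the allowed ports. The allowlist, the sample socket listing and the `inet filter` table name are assumptions chosen for the example.

```python
"""Audit listening sockets against an explicit allowlist and emit a default-deny
nftables ruleset for the allowed services (IT Server Security Policy 4.12-4.13)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `ss -tuln` output; it was not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    *:443               *:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:5900        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

# Hypothetical allowlist for a web server: the business purpose recorded in the
# Server Registry justifies exactly these network-facing (protocol, port) pairs.
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 123)}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to anything other than loopback."""
        return self.addr not in LOOPBACK


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tuln` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)  # copes with [::]:22 and *:443
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED) -> list[Listener]:
    """Network-exposed sockets that the allowlist does not justify."""
    return sorted(
        (s for s in listeners if s.exposed and (s.proto, s.port) not in allowed),
        key=lambda s: (s.proto, s.port, s.addr),
    )


def nft_ruleset(allowed=ALLOWED) -> str:
    """Default-deny inbound chain: loopback and established traffic pass, only the
    allowed (proto, port) pairs are opened, everything else is dropped."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for proto, port in sorted(allowed):
        lines.append(f"    {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for s in unexpected_listeners(found):
        print(f"UNEXPECTED {s.proto}/{s.port} bound to {s.addr}")
    print(nft_ruleset())
```

Run against the sample, the audit reports the VNC-style listener on tcp/5900 as unexpected and treats the MySQL socket on 127.0.0.1:3306 as not exposed; the generated ruleset can be reviewed and then loaded with `nft -f`. The allowlist is the control: every entry in it should trace back to the Server's recorded business purpose.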

Controlled Use of Administrative Privileges

    14. Administrative privileges must be minimised and only used when required. A high standard of security is applied to privileged accounts (for example, individually named rather than shared accounts, strong authentication, and no use of privileged accounts for routine non-administrative work). These privileges must be reviewed by the Server Administrator at least annually.

Maintenance, Monitoring and Analysis of Audit Logs

    15. Application and operating system audit and event logs are configured and maintained in a useful state. For important servers the logs are monitored either automatically or manually.

    16. All authentication, account management and group management events must be logged by the Server Administrator.

    17. These logs must be retained by the Server Administrator for a minimum of 2 years.

    18. Effective logging includes the following:

      a. server system clock is kept accurate and synchronised;

      b. log settings include date, time, source and destination addresses and other useful information;

      c. storage space is sufficient to meet retention requirements; and

      d. logs are rotated and retained as required.

Account Monitoring and Control

    19. System and application user accounts are tracked and controlled by the relevant faculty or division to ensure old and unnecessary accounts are removed and cannot be used for unauthorised access. When staff or contractors leave the University or change roles, their accounts are restricted and removed in accordance with the IT Acceptable Use Policy and the IT User Account Management Procedures.

    20. As a condition of use, users must agree to comply with the IT Acceptable Use Policy and other IT policies.

5 Exemptions

    1. The Director, IMTS may approve an exemption where it is impractical to satisfactorily comply with this policy in whole or in part and it is demonstrated that the residual risk is acceptable. These exemptions may be granted for an individual Server or for a class of Server or device.

    2. Individual server exemptions will be recorded in the Server Registry. Exemptions applying to a class of device will be published on the University Intranet.

    3. Examples of individual exemptions include, but are not limited to:

    3.1. A device exempted from the malware defence and audit log maintenance and monitoring principles because the device provides no means of implementing them.

    3.2. An instrument controller may be permitted to remain on a legacy operating system if it is impractical to upgrade and sufficient firewall controls are used to minimise risk of remote compromise.

    4. Examples of class exemptions include, but are not limited to:

    4.1. CCTV cameras exempted from being individually identified in the Server Registry and instead treated as a single server class, because their management and configuration are uniform.

    4.2. Desktops offering remote desktop service exempted because network controls minimise exposure of the service.

6 Compliant and Non-compliant Servers

    1. Individual Servers are deemed to be compliant with this policy when the following are confirmed:

      a. responsibilities have been assigned for Service Owner and Server Administrator;

      b. the business purpose of the server and key risk areas are recorded; and

      c. the Server Administrator and Service Owner have confirmed that the policy principles have been adequately met and that a compromise or other incident involving the server is unlikely to cause the University unreasonable damage.

    2. A server is deemed non-compliant when the above has not been met, or following an unsatisfactory audit or vulnerability scan. Non-compliant servers may result in one or more of the following:

      a. migration of the server into the central management model;

      b. access to server limited with network firewall technology; or

      c. decommissioning of the server or isolation from the network in extreme circumstances.

7 Responsibilities

Director, IMTS

    1. The Director IMTS has the following responsibilities:

      a. approving exemptions for individual Servers or a class of Server or device;

      b. approving complementary operational procedures and standards to support this policy; and

      c. approving the Service Owner role.

Cyber Security Team

    2. The Cyber Security Team has the following responsibilities:

      a. promoting this policy and ensuring stakeholders are aware of their responsibilities and of the support available;

      b. maintaining the Server Registry;

      c. conducting audits on servers from time to time involving the Service Owner and Server Administrator to ensure compliance with this policy; and

      d. undertaking routine network vulnerability scanning and reporting results to the Server Administrator. Every effort will be made to prevent vulnerability scans from interfering with the normal operation of Servers.

Service Owner

    3. The Service Owner has the following responsibilities:

      a. communicating with the Cyber Security Team the business purpose of the Server, any key risk areas and other information required for the Server Registry;

      b. appointing a Server Administrator with sufficient technical skills and experience to ensure Servers are supported and administered properly. This can include third party support arrangements; and

      c. ensuring the provisions of this policy have been adequately met and a compromise or other incident involving Servers is unlikely to cause the University unreasonable damage.

Server Administrator

    4. The Server Administrator has the following responsibilities:

      a. ensuring the provisions of this policy are adequately met for the Servers being maintained;

      b. maintaining sufficient records to indicate the application of this policy; and

      c. communicating with the Cyber Security Team to assist with the effective operation of this policy.

8 Version Control and Change History

Version | Date Effective   | Approved By                      | Amendment
1       | 17 March 2005    | Vice-Chancellor                  | First Version
2       | 6 May 2009       | Vice-Principal (Administration)  | Migrated to UOW Policy Template as per Policy Directory Refresh
3       | 9 March 2010     | Vice-Principal (Administration)  | Future review date identified in accordance with Standard on UOW Policy
4       | 1 March 2011     | NA                               | Updated links to Related Documents
5       | 30 Nov 2012      | Vice-Principal (Administration)  | Updated to reflect change from OHS to WHS
6       | 4 November 2013  | Chief Administrative Officer     | Updated to reflect title change from University Librarian to Director, Library Services.
7       | 30 January 2014  | Vice-Chancellor (VCAG)           | Updated University nomenclature
8       | 9 December 2016  | University Council               | Major review of IT Policy suite
