The University maintains enterprise class secured data centers for the housing of university servers. All servers used to store, process or transmit sensitive information must be registered with the Information Security Office.

All server computing devices must:

• Be maintained in an environment and manner designed to physically and logically restrict access to authorized users; 
• Be used in a manner designed to maintain data, system and network integrity; and
• Have operating systems and other software maintained in the most up-to-date and secure manner reasonably possible. 

Note: These standards apply for servers fully managed by IT as well as those partially or fully managed by other university entities or constituents.

Administrative Standards

Implementation

• The Dean of each school or administrative Division Head is responsible for server device administration within their area, for ensuring the implementation of the Server Computing Device security policies, standards, and procedures including implementing methods to: 
  • Educate the school or division server administrators on Server Computing Device security practices. 
  • Configure and maintain the school or division servers to meet the Server Computing Device policy and other applicable standards. 

Documentation

• Procedures for complying with these policies and standards, as well as any additional school or administrative division policies and standards must be developed and maintained by the Dean or Division Head's designee for each school, administrative division or other subsidiary unit.
• All school or division policies, standards and procedures for servers must be well documented, up-to-date and meet or exceed the minimum requirements established in this policy. 
• After review and approval by the Dean or Division Head's designee, documentation of procedures for the school or division is to be forwarded, in electronic format, to the Information Security Office for review and university records. All major updates to the documentation and their effective dates should be forwarded to the Information Security Office. 

Compliance

• Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures. 
• The Information Security Officer may work with Audit Services, IT and others to schedule periodic audits of servers to further ensure compliance with the policies and standards. 

Use of Computing Devices

• Computing devices and access to the network and internet are provided to perform university functions. 

Licensing

• Licensing documentation must be maintained for software loaded on any servers attached to the university's network or otherwise hosted by the University. 

Technical and Physical Standards

System Maintenance

• All server operating systems and other software should be kept up-to-date by reviewing and installing appropriate security updates, patches and tools on a regular schedule but not less than every thirty days. 
• All critical server operating systems must have change and maintenance logs to record all approvals and activity to the system.

Physical System Access

• All servers must be kept in a secured access controlled environment. Reasonable efforts should be made to limit and/or monitor physical access to servers to authorized personnel. See IS PS009 Data Facility Security. 
• In addition to physical security requirements above, for systems used to store, transmit or access electronic Protected Health Information (ePHI), each responsible area must also: 
  • Implement and maintain physical safeguards to restrict access to only authorized users for all server devices that store, transmit or access ePHI.
  • Define the functions allowed on a server device that stores, transmits or accesses ePHI.

Software

• Server class operating systems and software must be used for university servers. 
• A process to evaluate software should be followed assessing the impact on the current environment and remediating any noted risks prior to installation and integration into the university's environment; unnecessary services and permissions must be disabled; configurations documented and testing and approvals ensured.

Non-University IT Managed (Division) servers must

• Be approved for the specified use by the school or division's Dean or Vice President and technology management; 
• Be currently supported for security updates; and 
• Be in full compliance with all applicable information security policies.

Logical System Access and Security

• Passwords

All servers must require entry of a user ID and complex password. See IS PS008 Passwords. 

• Administrator Account, other Privileged Accounts and User Accounts
  • Administrator and Privileged Accounts 
    • Individuals with server administrative rights must be familiar with and abide by IS PS007 User Accounts and Acceptable Use as well as all technology standards, policies and procedures in using these rights. The default administrator and all other default privileged accounts should be renamed and passwords changed where technically possible. 
    • The Administrator or other equivalent accounts must not be used as active user accounts. All accounts with administrative rights should be restricted on a least privileged basis, only be used when necessary and must have a complex password. 
    • All accounts with the ability to issue privileged commands must be unique and traceable to a specific individual.
  • User Accounts
     Any operating system or enterprise/back office software requiring accounts to be set-up for users must use the least required access approach for configuring user access to these accounts. 
• Activity and Transaction Auditing, Logging and Monitoring
  • User activity within the system should be monitored. Audit and/or transaction logs should be maintained, monitored and/or audited as appropriate for the system. Appropriate auditing, logging and monitoring activity must be defined in the context of applicable laws and regulations as well as reasonable practice to ensure the integrity and security of the system. 
  • All servers processing sensitive information should log any transactions or other events that cause the creation, updating/modification or deletion of this type of information as required by regulation or University standards. 
  • Logging should be done at the server operating system, database and/or application levels, as appropriate, to ensure that these activities are captured and reviewed. 
  • Logs should be retained according to the university's records retention schedule.
  • Logs are to be secured to ensure that only authorized persons can access them, unauthorized changes are detected and prevented, and logging cannot be deactivated, modified or deleted.
  • Logs should be monitored for capacity and size to ensure they are not overwritten before the information can be reviewed.
  • Critical systems and applications connected to the internet must store audit logs on media that cannot be modified and that is moved at least daily to other locations not directly accessible from the internet.
  • A procedure must exist to grant temporary access to individuals with a justified business need to review.
  • Logs should include as much of the following information as is technically and reasonably possible: date, time, user ID, transaction/activity type, event type (write, update/modify, delete, read), data changed (data before and after change or data after change) and other information necessary to analyze and/or reconstruct transactions, activity or events. 
  • All critical systems should have change and maintenance logs to record approvals and activity and should use problem resolution logs to record all problem resolution activity and root cause analysis.
  • All configuration and maintenance changes should follow logging standards.
  • Systems used to store, transmit or access electronic Protected Health Information (ePHI): Server devices in this category must enable logging as described above for ePHI data. 
• System Time-Out
  • All server authentications or server software accessed by end-users must be configured to lock after a short period of inactivity (10 minutes is the recommended time unless system requirements necessitate a longer time) and require a user ID and password or other authentication mechanism to unlock or reactivate. Automated programs and services should also be configured with an authentication time-out unless this prevents proper functioning of the program or service.
• Security and Integrity of Data
  • All servers used to store, process or transmit sensitive information must maintain this information in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure this data. If this data is transmitted over any networks other than the university's internal network, the data or the transmission protocol should be encrypted. (See backup standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of equipment loss or hardware failure). 
    • Systems used for electronic Protected Health Information (ePHI):  Server devices in this category must use encryption as described above unless the device is physically maintained, used and accessed only in a highly secure access controlled environment and meeting security requirements per HIPAA regulation. 
    • Systems used to store, transmit or access other personally identifiable sensitive information:
       This information includes personally identifiable grades and other enrollment information, salary and other financial information, social security number, addresses, phone numbers as well as other information of a personal nature. Server devices in this category must use encryption as described above unless the device is maintained, used and accessed only in a highly secure, access controlled environment. 
• Network Connectivity
   All servers and devices within the university and department's network that are accessible via public networks, including internet commerce servers, payment servers, database servers and web servers are on subnets and must use a hardwired network connection. 
• Wireless Network Access
    All servers must use a hardwired network connection. 
• Protection from Malicious Software
• All servers must - 
  • Run real time virus protection if such software is available for the computing device; 
  • Utilize a hardware (preferred) and/or software firewall either for the server or for a dedicated network server subnet; 
  • Use spyware protection and detection programs, if available; 
  • Disable, or set to manually start if occasionally used, all operating system and software services not required for the proper functioning of the server. 

See IS PS014 Protection from Malicious Software.

• Data Backup and Recovery
  • Files containing valuable information must be backed up (note that the university's network drives may be suitable for this process). 
  • Backups must be performed on a regular basis. 
  • Users are responsible for ensuring that backups or synchronization of sensitive and/or critical information on mobile devices are performed regularly to prevent loss of data.
  • Backups must be maintained in a secure environment removed from the physical location of the server. 
  • Backups should be encrypted and password protected and must be encrypted if custody of the backups is entrusted to either a third party (non-UofL personnel) or to personnel outside the university's hybrid covered entity in the case of ePHI. 
  • Ability to successfully recover backup files must be tested periodically (at least every 180 days) and at the time of any significant hardware or software updates or changes to the system. 

See IS PS015 Backup and Retention of Data, IS PS002 Business Continuity and Disaster Recovery.

E-Mail, Calendar and Personnel/Group Scheduling Servers - Additional technical standards

• Interoperability
   Systems designed to perform email, calendaring or scheduling must automatically inter-operate with the university furnished enterprise solution for these tasks. This includes all university schools, divisions, and other affiliated entities. 
  • E-mail must flow in a timely fashion between the systems and remain within the university's network while doing so. 
  • Calendar and personnel/group scheduling functions must work in both directions so that personnel using the Enterprise system or personnel using a specific school, administrative division or other university entity solution are able to transparently review personnel availability, schedule meetings, and related expected functions.

Policy Authority/Enforcement: The university's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with university leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.