Penn State home
Engineering
About the College
CEDCC Home
 

Main Policy Page
Acceptable Use Policy
Password Policy
Anti-virus Policy
Remote Access Policy

Lab Anti-virus Policy
Account Audit Policy
Server Security Policy
Standard Firewall Rules Policy
Firewall Rules Exceptions Policy
Virtual Private Network Policy
Wireless Communications Policy
Remote Access Policy
Backup Policy
Incident and Disaster Tolerance/Response Policy
High Performance Cluster Policy and Procedures

 

 
College of Engineering --- Server Security Policy: COE–SSP–01  
 

1.0 Purpose
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by the College of Engineering, including servers operated at the departmental level. Effective implementation of this policy will minimize unauthorized access to College of Engineering proprietary information and technology.
           
2.0 Scope
This policy applies to server equipment owned and/or operated by all agents of the College of Engineering, and to servers registered under the College of Engineering-owned internal network domain.

This policy is specifically for equipment on the internal College of Engineering network including administrative systems as well as student and research labs.
             
3.0 Policy

3.1 Ownership and Responsibilities
All internal servers deployed at the College of Engineering must be owned by an academic, research or any other operational group that is responsible for system administration. Approved server configuration guidelines must be established and maintained by each group, based on business needs and approved by the Dean’s Office. Groups should monitor configuration compliance and implement a policy tailored to their environment. Each operational group must establish a process for changing the configuration guidelines, which includes review and approval by the College.  All internal policies must be reviewed and approved by the Dean’s Office or the Dean’s designated representative.

 3.2 General Configuration Guidelines

  • Operating System configurations should be in accordance with approved College guidelines to ensure a significant level of security against unauthorized access.
  • Services and applications that will not be used must be disabled, where practical.
  • Access to services should be logged and/or protected through access-control methods such as TCP Wrappers or other security mechanisms.
  • The most recent security patches must be installed on the system within 48 hours of release.  The only exception being when immediate application would interfere with business requirements.
  • Trust relationships between systems are a security risk; their use should be avoided. Do not use a trust relationship when some other method of communication will do.
  • Always use standard security principles of least required access to perform a function.
  • Do not use a privileged account when a non-privileged account will do.
  • If a methodology for secure channel connection is available and technically feasible, privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).
  • Servers should be physically located in an access-controlled environment.
  • Servers are specifically prohibited from operating in areas accessible to persons other than the intended system administrators.

3.3 Monitoring

  • All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
    • All security related logs will be kept online for a minimum of 1 week.
    • Archived logs will be retained for a minimum of six months.
  • Security-related events will be reported to the College, who may review logs and report incidents to the University Security Office. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
    • Dictionary attacks
    • Unauthorized network scanning
    • Denial of service attacks
    • Evidence of unauthorized access to privileged accounts
    • Anomalous occurrences that are not related to specific applications on the host.

3.4 Compliance

  • Audits will be performed on a regular basis by authorized organizations within the College of Engineering.
  • Audits will be managed by the University Security Office or College, in accordance with the Audit Policy. The College will present pertinent findings to the appropriate support staff for remediation or justification.
  • Every effort will be made to prevent audits from causing operational failures or disruptions.

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action by their Administrative unit, the College, or the University.  Systems involved with severe security breaches may be confiscated for forensic analysis.
             
5.0 Definitions

Term

Definition

Server

For purposes of this policy, this is defined as a server internal to the College of Engineering providing services approved by ECS or the department.  Desktop machines and Lab equipment are not germane to the scope of this policy.

Denial of service attack

An attack designed to prevent a system from providing services to its users.

Dictionary attack

The automated use of a ‘dictionary’ of potential passwords used to attempt the compromise an account or a series of accounts.

             
6.0 Revision History
                 
Last Updated:  11/3/2006

 
 

Communications & Computing | Electronic Design | ECS Home Page | COE Home Page

© All Rights Reserved by The Pennsylvania State University, College of Engineering | Text Only Version
E-mail problems or comments to Webmaster