Loyola University Chicago

Information Technology Services

Server Security Standard

Scope:

This standard applies to servers procured through, operated or contracted by Loyola University Chicago that house or interact with Loyola Protected data per the Data Classification Policy.

Purpose: 

The purpose of this document is to establish standards for the base configuration of servers. Effective implementation of this standard will minimize security incidents involving University resources.

Standard:

Ownership and Responsibilities

All servers deployed at the University must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by the Information Security Officer.  Each operational group must establish a process for changing the configuration guides, which includes review and approval by the Information Security Team.

Server Location

Servers that store, process or transmit Loyola Protected data are classified as high security servers.  Additionally, administrators may request that a server which does not store, process, or transmit Loyola Protected data be classified as a high security server. All high security servers must physically reside within secured ITS data centers.

If the high security server stores Protected data it must be segmented into the High Security (Internal) network security zone, per the ITS Network Firewall Policy.

If the high security server interacts with other high security servers, and is required to publish content outside of the High Security network security zones, per the ITS Network Firewall Policy, then it must be segmented into the High Security DMZ network security zone.

General Configuration Guidelines

Backup

Monitoring

Compliance

Exceptions:

Exceptions to this standard will be handled in accordance with the ITS Security Policy.

Review:

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook.  These actions may include rendering systems inaccessible.

Appendix

Documents Referenced

Data Classification Policy

Change Management System Procedures

ITS Access Control Policy

ITS Incident Response Handbook

ITS Log Management Standard

Privileged Access Policy

ITS Vulnerability Assessment Policy

ITS Security Policy

References

RFC 1918

CIS_Win2003_MS_Benchmark_v2.0.pdf

CIS_Win2K_Srv_Benchmark_v2.2.1.pdf

CIS_AIX_Benchmark_v1.0.1.pdf

CIS_SQL2005_Benchmark_v1.0.pdf

CIS_VM_Benchmark_v1.0.pdf

CIS_VMware_ESX_Server_Benchmark_v1.0.pdf

CIS_SUSE_Linux_Benchmark_V2.0.pdf

CIS_RHEL5_Benchmark_v1.0.5.pdf

CIS_RHLinux_Benchmark_v1.0.5.pdf

CIS_FreeRADIUS_Benchmark_v1.0.pdf

CIS_BIND_Benchmark_v1.0.pdf

CIS_eDirectory8.7_Benchmark_v2.0.pdf

CIS_OESNetWare_Benchmark_v1.0.pdf

History

January 24, 2011: Initial Policy

October 19, 2012: Annual review for PCI Compliance

October 22, 2012: Corrected links, Removed vendor specific references

July 12, 2013: Annual review for PCI Compliance, Corrected Links

June 5, 2014: Annual review for PCI Compliance

August 7, 2014: Added section to comply with PCI-DSS v3.0 Req. 2.1

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu