ITCS System Assessment

Category: Security. Posted 17 Nov 2013.
System Assessment, Page 1 of 6
System Name:

Server Name(s):

Assessment Date:

Tech Excel Ticket:

Contact Information

Department requesting this system:

Contact name/phone/alternate:

Director name/phone:

Primary sysadmin  [ ] OS  [ ] Apps   Name/phone:

Alternate sysadmin  [ ] OS  [ ] Apps   Name/phone:

Vendor contact name/phone:


System Information

Purpose:

Incept date:

IP address:

OS - bits:

Function:  [ ] File  [ ] Web  [ ] Application  [ ] Database  [ ] Print  [ ] Test

Type:  [ ] Physical  [ ] Blade  [ ] Appliance  [ ] VM  [ ] Replicated VM

Status:  [ ] New  [ ] Current  [ ] Replacement  [ ] Repurposed  [ ] Temp

Location:  [ ] Cotanche  [ ] GE 99/101  [ ] Other:

Antimalware:  [ ] Symantec  [ ] None

Web server:  [ ] IIS  [ ] Apache  [ ] Tomcat  [ ] JBoss

Database:  [ ] SQL  [ ] Oracle  [ ] MySQL  [ ] Access  [ ] Other:
    Version:
    Size:
    Server:

E-Commerce/POS:

Other applications:

Remote admin access:  [ ] VPN  [ ] Other:

System unit manufacturer/model:

Processor:

Memory:

Storage:

ITCS Internal Information

MOU Required:  [ ] MOU  [ ] ITCS Internal Server

Service Level:  [ ] Department  [ ] Platinum  [ ] Gold  [ ] Silver

DR documentation required:  [ ] Disaster Recovery Plan  [ ] Business Continuity Plan  [ ] None

Communicates with Banner:  [ ] Yes  [ ] No

AD container required:  [ ] Yes  [ ] No



System Support Providers

Areas of Responsibilities          ITCS   Dept   Vendor   Comments   Review
Hardware (Data Center)
    Environmental Controls
    Physical Controls
    Repairs/Warranty Service
Operating System (Systems)
    Configuration/Provision
    Management/Patching
    Log Monitoring/Retention
Applications (Apps Team)
    Configuration
    Management
    Patching
Database (DBA Team)
Data Backup (SAN Team)
Note: ITCS support is provided for Departmental Servers on a “best effort” basis contingent on available ITCS resources from 8am to 5pm Monday through Friday, not including holidays. This support does not extend to operating systems or applications not routinely supported by ITCS. ITCS Weekend and On-Call Support is not available for Departmental Servers. Emergency notifications can be made to the Enterprise Operations Center (EOC) at 328-9160.


Data Types Stored on Server(s)

[ ] No data stored on this server.
[ ] Personal identifiers (SSN, Banner ID, Driver License)
[ ] Student information (grades, employment info, requires FERPA compliance)
[ ] Personal health information (requires HIPAA compliance)
[ ] Credit card (requires PCI compliance)
[ ] Non-sensitive data



Client Authentication and Access to Server/Data

[ ] No direct client access

[ ] Domain ID  [ ] Application ID  [ ] Client software  [ ] None

[ ] From the ECU campus network  [ ] From the Internet via the ECU campus network  [ ] Dedicated ECU VLAN  [ ] Dedicated stand-alone network


ITCS Automated Data Backup

Frequency:  [ ] None  [ ] Daily  [ ] Weekly  [ ] Monthly  [ ] Other  [ ] TBD

Backup size:

Backup Objects:  [ ] Entire system  [ ] VMDK  [ ] OS
    [ ] Applications: location =
    [ ] Database: type and location =
    [ ] General data: location =


Networking Information

Mandatory Firewall:  [ ] None  [ ] Hardware  [ ] Software (host-based)





Automated Vulnerability Scanning:  [ ] Yes  [ ] No

Asset Group:  [ ] Enterprise  [ ] Departmental  [ ] Other:

Group Manager:

Scanners:


Charges

The department requesting servers or ITCS data backup must provide a FOAP to purchase:

- virtual or blade servers
- Operating System
- storage and backup space
- backup software for physical or blade servers (including annual maintenance fee for backup software when due)
- automated vulnerability scanning required by ECU Internal Audit ($50 per server for 5 years)


Server Items                          Cost      N/C
Server: ___ proc, ___ GB RAM
Storage: ___ GB
Backup: ___ GB
Operating System
Argent status monitoring              400.00
Vulnerability Scanning                 50.00
Total Server Cost

Server Items                          Cost      N/C
Server: ___ proc, ___ GB RAM
Storage: ___ GB
Backup: ___ GB
Operating System
Argent status monitoring              400.00
Vulnerability Scanning                 50.00
Total Server Cost

Total FOAP Charge                     Cost
                                        0.00

Departmental FOAP: ______________________________________

Approved by:

________________________________________    ___________________________________________
Name (print)                                Signature

Notes

1.


Service Support Agreement and Approval Certifications

Servers connected to the ECU campus data network must have a server assessment performed by ITCS to verify compliance with applicable University, state, and federal requirements. Requests for new servers must have an approved assessment before purchase or connection to the ECU data network.

Technical Support for Departmental Servers: Departments are responsible for providing a qualified full-time system administrator responsible for the operating system, applications, data, and security controls on their Departmental Servers. ITCS technical support is available to Departmental Server Administrators on a “best effort” basis contingent on available ITCS resources from 8am to 5pm Monday through Friday, not including holidays. This support does not substitute for a full-time qualified departmental system administrator or extend to operating systems and applications not routinely supported by ITCS. ITCS Weekend and On-Call Support is not available for Departmental Servers.


Requesting ITCS Assistance: Request ITCS assistance by contacting the IT Help Desk (328-9866) or by visiting the Help Desk website at http://www.ecu.edu/9866. Emergency notifications can be made to the Enterprise Operations Center (EOC) at 328-9160.


Hardware Hosting: ITCS will provide servers physically housed in the ITCS Data Centers located in the Cotanche building and Brody GE99/GE101 with conditioned power, temperature, and humidity controls, fire suppression systems, and monitor the physical security of servers. EOC staff will provision all network, electrical, and environmental services to the Data Center and equipment racks where departmental servers are installed. EOC Staff will monitor the following within the Data Center 24x7, excluding Thanksgiving and Christmas Day: network connectivity, electrical supply, environmental services, blade chassis, and ESX servers hosting virtual servers.



Network Support: Standard network connections are provided for authorized installed equipment and monitored for traffic throughput. By default, all IP ports are closed until the department explicitly lists all ports required for proper operation of the server. Connectivity support is available 8am to 5pm Monday through Friday (holidays not included). After hours issues will be resolved next business day. Security breaches may result in disconnection of the server from the network by ITCS Network Administration.


Security Controls and System Administration

Connecting an unpatched or unsecured server to the ECU network is prohibited. The person or department deploying the server will be held responsible for the server’s contents and any detrimental effect the server causes on the ECU network or Internet. The following requirements are mandatory (exceptions must be granted in writing by the Director of IT Security and renewed annually):

1. All servers must be assessed by ITCS before purchase, implementation, or connection to the ECU network. Contact the IT Help Desk (328-9866) and open a Service Request for a server assessment.

2. Servers must be managed by a qualified system administrator (sysadmin) properly trained in the maintenance and security of the server, its operating system, its applications, and its data.

3. Servers must run operating systems and applications that are fully supported by their manufacturers with regularly issued security patches and upgrades. Servers running outdated unsupported operating systems or applications are prohibited from connecting to the ECU network.

4. All Windows or Macintosh servers connected to the ECU data network must run the latest version of Symantec antimalware software, installed and configured to automatically update at least daily (continuous updates are strongly recommended). If Symantec antimalware software cannot run due to conflicts with other applications, the Department must apply for and receive written authorization from the Director of IT Security before the server is connected to the ECU network.

5. Whenever applicable, servers, their contents, and their functions must adhere to all state and federal regulations (e.g., HIPAA, FERPA, GLBA), industry regulations (e.g., PCI), ECU Computer Use Policy, ECU Network Use Policy, and ISO 27000 series standards.


6. ITCS may scan any device (including servers) connected to the ECU data network for vulnerabilities and/or to verify compliance. If a networked device is non-compliant, it may be taken out of production or removed from the ECU network until compliance is verified.

7. Before connecting any server to the ECU network:

   a. The operating system administrator must request a static IP address and firewall rules for the server by opening a Service Request with the IT Help Desk. Firewall rule requests must contain an explicit listing of all IP ports needed for proper operation of the server and its applications. By default, all IP ports are closed.

   b. If possible, the operating system and all applications must be configured to automatically install all available security updates at least monthly. If automatic installation is not possible, all available security patches must be installed within 30 days of their release by the assigned sysadmin.

   c. Auditing must be enabled and properly configured in the operating system.

   d. Auditing should be enabled and properly configured in all applications, if available.

8. As soon as the server is connected to the ECU network and before it is put into testing or production:

   a. The operating system and all installed applications must be updated with all available security patches.

   b. On Windows and Macintosh computers, Symantec antimalware software must be installed, configured, enabled, and updated with the latest patches and virus signatures as required by the ECU Antivirus Policy.

   c. On Windows computers, the latest version of Microsoft Baseline Security Analyzer must be installed and run. All security issues noted in the MBSA report must be corrected immediately.

   d. All default passwords for software on the computer or accessed by the computer must be changed, adhering to complexity requirements defined by the ECU Password Strength Policy. These passwords must be changed every 90 days thereafter as required by the ECU Password Strength Policy.

   e. If the above steps cannot be completed immediately, the computer must be disconnected from the ECU network immediately until it can be patched and secured against unauthorized access as required by ECU Computer Use Policy, Network Use Policy, and Antivirus Policy.

9. After the server is in production:

   a. All passwords must be changed at least every 90 days adhering to complexity requirements defined by the ECU Password Strength Policy.

   b. On Windows computers, the Microsoft Baseline Security Analyzer should be run regularly and whenever the system configuration is patched/modified to ensure the changes have not introduced vulnerabilities.

   c. All patches available for the operating system or applications must be installed within 30 days of their availability.

   d. All files on the server should be scanned regularly by the Symantec antimalware software previously installed on Windows and Macintosh systems.

10. If the server is suspected of being compromised:

   a. It must be disconnected from the network immediately and remain disconnected until it has been authorized for reconnection by ITCS.

   b. The sysadmin must contact the IT Help Desk and open a service ticket to have the server evaluated for compromise.
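Item 7a above requires that every port on a new server stay closed until the department submits an explicit list of the ports it needs. The script below is an added example, not part of the ITCS form or of any ECU tooling: it turns such a port list into a default-deny host-based firewall ruleset in nftables syntax (the "Software (host-based)" option on page 2), validating each entry first so a malformed request is rejected before anything is emitted. The nftables syntax, the management network range (10.0.0.0/8) used to restrict SSH, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the ITCS form): build a default-deny host firewall
# from an explicit allow list, as item 7a requires.
# Assumptions: nftables is the host firewall; 22/tcp is the remote-admin path
# and is limited to a hypothetical management VPN range (2nd argument).

# validate_entry PORT/PROTO -> 0 if PORT is 1-65535 and PROTO is tcp or udp
validate_entry() {
    port=${1%/*}
    proto=${1#*/}
    [ "$port" != "$1" ] || return 1                 # entry has no "/"
    case $port in ''|*[!0-9]*) return 1 ;; esac     # port must be digits only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac
}

# gen_ruleset "80/tcp 443/tcp 53/udp" [ADMIN_CIDR]
# Prints an nftables ruleset to stdout. Returns 1 and prints nothing on a
# malformed entry, so a bad request never yields a half-open policy.
gen_ruleset() {
    ports=$1
    admin_net=${2:-10.0.0.0/8}          # assumed management VPN range
    for e in $ports; do
        validate_entry "$e" || { echo "rejected entry: $e" >&2; return 1; }
    done
    printf 'flush ruleset\n'
    printf 'table inet filter {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'  # closed by default
    printf '    iif "lo" accept\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    printf '    meta l4proto { icmp, ipv6-icmp } accept\n'
    printf '    ip saddr %s tcp dport 22 accept comment "remote admin via VPN only"\n' "$admin_net"
    for e in $ports; do                  # the department's explicit list
        printf '    %s dport %s accept\n' "${e#*/}" "${e%/*}"
    done
    printf '    log prefix "input-drop: " counter\n'   # record what policy drop discards
    printf '  }\n'
    printf '  chain forward { type filter hook forward priority 0; policy drop; }\n'
    printf '  chain output  { type filter hook output priority 0; policy accept; }\n'
    printf '}\n'
}

# Constructed request for a web server: only the web ports are listed.
# To apply on the host:  gen_ruleset "80/tcp 443/tcp" 10.0.0.0/8 | nft -f -
gen_ruleset "80/tcp 443/tcp"
```

Validation runs before a single line is printed, so a typo in the request (a service name instead of a number, a port above 65535, a missing protocol) produces an error rather than a partial ruleset. The trailing log rule sits just above the drop policy and records every connection attempt the policy rejects; that log is what the sysadmin needs when a vendor application turns out to require a port that was not on the submitted list.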


System Lifecycles: Physical servers should be replaced or removed from service when their factory warranties expire. ITCS will not support servers with expired hardware warranties.

Virtual servers have a 5-year lifecycle from the date of provisioning. When the lifecycle ends, the server must be re-funded by the original funding entity to subsidize the replacement of hardware hosting the virtual servers.




Departmental Responsibilities

1. Provide a qualified full-time system administrator responsible for the operating system, applications, data, and security controls on their Departmental Server.

2. Assist in the investigation of security incidents involving their servers.

3. Adhere to procedures and policies consistent with industry best practices (e.g., PCI, ISO 27000 series, system security), ECU Policies and Standards, and state and federal statutes (e.g., NC Identity Theft Protection Act, HIPAA, FERPA) that apply to their servers.

4. Notify IT Security prior to server installation if the server receives, stores, or transmits sensitive data (e.g., Social Security numbers, credit card numbers, student data, patient information).

5. Ensure vendor applications meet minimum security requirements consistent with the protection of the type of data received, stored, or transmitted.

6. Provide an accurate list of files to be backed up, if ITCS is providing data backup services.

7. Provide funding for data backup software, including annual maintenance fees, if ITCS is providing data backup services.




All parties agree to maintain the specifications listed herein for the named server(s). Any change that can alter the security or compliance of the server(s) must be reviewed by all parties below before the modification is purchased or implemented. ITCS will review this assessment as needed or when the equipment is replaced.


By signatures below, the purchase, installation and operation of the named server(s) is approved.



Departmental Representative (Chair/Dean or Manager/Supervisor of Department)

_________________________________________________    _________________________________________________
Name (print)                                         Title

_________________________________________________    ______________________________
Signature                                            Date


Director, IT Infrastructure or Designate

Thomas L. Lamb                                       Director, IT Infrastructure
Name                                                 Title

_________________________________________________    ______________________________
Signature                                            Date