Server Security Procedure

Transcription

1 Server Security Procedure Reference No. xx Revision No. 1 Relevant ISO Control No Issue Date: January 23, 2012 Revision Date: January 23, 2012 Approved by: Title: Ted Harvey Director, Technology Services Version History Version # Version Date Author Summary of Changes 1.0 Jan Ted Harvey Approvals Name Title Date of Approval Version # Ray Hoppins Distribution Name Title Date of Issue Version No. Server Security Procedure Document Control Document Title Document Location Server Security Procedure Server Security Procedure Page 1

2 Server Security Procedure Page 2

3 Table of Contents 1.0 Overview Purpose Scope Risks...6 The risks associated with the Procedure subject... Error! Bookmark not defined. 5.0 Procedure Detail...7 Detailed Procedure statements... Error! Bookmark not defined. More Content... Error! Bookmark not defined. Procedure Detail Sub Heading... Error! Bookmark not defined. More Content... Error! Bookmark not defined. 6.0 Enforcement...10 If any member of IT staff is found to have breached this Procedure, they may be subject to disciplinary action.... Error! Bookmark not defined. If any user is found to have breached this security Procedure, they may be subject to disciplinary action.... Error! Bookmark not defined. Any violation of the Procedure by a temporary worker, contractor or supplier may result in the termination of their contract or assignment Procedure Governance Definitions...13 Detail any necessary definitions... Error! Bookmark not defined. More Content... Error! Bookmark not defined. 9.0 References...14 List any reference material used... Error! Bookmark not defined. More Content... Error! Bookmark not defined. Server Security Procedure Page 3

4 1.0 Overview Access to operating systems should be controlled by a secure logon procedure. 2.0 Purpose The purpose of this Procedure is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Chinook s Edge. Effective implementation of this Procedure will minimize unauthorized access to Chinook s Edge proprietary information and technology. Server Security Procedure Page 4

5 3.0 Scope This Procedure applies to server equipment owned and/or operated by Chinook s Edge, and to servers registered under any Chinook s Edge-owned internal network domain. This Procedure is specifically for equipment on the internal Chinook s Edge network. For secure configuration of equipment external to Chinook s Edge on the DMZ, refer to the Internet DMZ Equipment Procedure. Server Security Procedure Page 5

6 4.0 Risks Server Security Procedure Page 6

7 5.0 Procedure Detail Ownership and Responsibilities 5.1 All servers deployed at Chinook s Edge shall be owned by Core Services, (an operational group that is responsible for system administration). Approved server configuration guides must be established and maintained by each member of Core Services, based on business needs and approved by Director Technology Services. All members of the Technology Services Department should monitor configuration compliance and document any exceptions that were tailored to their environment. There shall be a process for changing the configuration guides, which will include review and approval by the Director of Technology Services. Servers must be registered within the corporate enterprise management system (SCCM). At a minimum, the following information is required to positively identify the point of contact: o Server contact(s) and location, and a backup contact o Hardware and Operating System/Version o Main functions and applications, if applicable Information in the enterprise management sharepoint system must be kept up-to-date. Configuration changes for production servers must follow the appropriate change management procedures. 5.2 General Configuration Guidelines Operating System configuration should be in accordance with approved Tech Services guidelines. Services and applications that will not be used must be disabled where practical. Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible. If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec). Server Security Procedure Page 7

8 Where possible remote access protocols should use nonstandard documented ports. The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements. At minimum there should be a documented monthly update check. Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do. Always use standard security principles of least required access to perform a function. Do not allow root or Administrator accounts to directly access systems remotely. Do not use root or Administrator when a non-privileged account will do. Servers should be physically located in an access-controlled environment. Servers are specifically prohibited from operating in insecure areas in a school. 5.3 Monitoring All security-related events on critical or sensitive systems must be logged and audit trails saved as follows: o All security related logs will be kept online for a minimum of 1 week. o Daily incremental tape backups will be retained for at least 1 month. o Weekly full tape backups of logs will be retained for at least 1 month. o Monthly full backups will be retained for a minimum of 2 years. Security-related events will be reported to Technology, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to: Server Security Procedure Page 8

9 o Port-scan attacks o Evidence of unauthorized access to privileged accounts o Anomalous occurrences that are not related to specific applications on the host. 5.4 Compliance Authorized personnel within Chinook s Edge will perform audits on a regular basis. The Director of Technology Services, in accordance with the Audit Procedure, will manage audits. Technology Services will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions. Server Security Procedure Page 9

10 6.0 Enforcement Compliance Authorized personnel within Chinook s Edge will perform audits on a regular basis. The Director of Technology Services, in accordance with the Audit Procedure, will manage audits. Technology Services will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions. The responsibility for implementing this Procedure belongs to Core Services. Responsibility for ensuring that new and existing systems remain in compliance with this Procedure resides with the Chinook s Edge Technology Director. If any technician is found to have breached this security Procedure, they may be subject to disciplinary action. Any violation of the Procedure by a temporary worker, contractor or supplier may result in the termination of their contract or assignment. Server Security Procedure Page 10

11 7.0 Procedure Governance The following table identifies who within CESD is Accountable, Responsible, Informed or Consulted with regards to this Procedure. The following definitions apply: Responsible the person(s) responsible for developing and implementing the Procedure. Accountable the person who has ultimate accountability and authority for the Procedure. Consulted the person(s) or groups to be consulted prior to final Procedure implementation or amendment. Informed the person(s) or groups to be informed after Procedure implementation or amendment. Responsible Core Team - Technology Services Accountable Director Technology Services Consulted Associate Superintendent System Services Informed All Technology Department Employees, All Contractors, All temporary workers. Server Security Procedure Page 11

12 Server Security Procedure Page 12

13 8.0 Definitions TERM DEFINITION DMZ De-militarized Zone. A network segment external to the corporate production network. Server For purposes of this Procedure, a Server is defined as an internal Chinook s Edge Server. Desktop machines and Lab equipment are not relevant to the scope of this Procedure. Server Security Procedure Page 13

14 9.0 References Server Security Procedure Page 14