Server: A physical or virtual asset that provides university information or services to multiple users or devices not physically interacting with the asset. Examples include web servers, database servers, and file servers.
Server Administrator: A university employee or contractor with responsibility for maintaining the functionality and security of a server.
University Server Registry: A system approved by the Information Security Officer designed to keep an accurate inventory of university servers.
This policy applies to servers that are owned, leased, or contracted by the university or are connected to a university network. This policy does not apply to workstations, printers, digital signage, or network equipment covered by the Networks and Telecommunication policy.
Each server subject to this policy will have a named Server Administrator, and the Server Administrator will:
- Maintain information about the server in the University Server Registry.
- Configure the server’s operating system and other software to prevent security weaknesses, both upon initial deployment and on an ongoing basis.
- Install security updates to the server’s operating system and other software on a timely basis.
- Address issues identified in periodic vulnerability and configuration assessments conducted by the Information Security Office.
- Ensure that the server is installed in physically secure location with appropriate environmental controls.
- Complete an annual risk assessment in a form approved by the Information Security Officer.
- Provide the Information Security Office with a Disaster Recovery Plan that addresses timely service restoration in the event of a disaster or incident.
Exceptions to these requirements must be approved by the Information Security Officer and documented in the University Server Registry.