BOISE STATE UNIVERSITY
Effective Date: November 1997
BSU 6462-C
Rev: draft 12-04-03
DRAFT
SERVER ADMINISTRATION POLICY
PURPOSE:
The purpose of this policy is to protect the data of Boise State
University, provide a reliable network, and reduce the risk of data loss or
loss of service due to absence or departure of personnel, disasters, etc.
|
I. Preface
This policy applies to all colleges, departments and offices of Boise State
University. This policy applies to all computing devices located at Boise
State University that offer services to other computing devices as defined
by Section IV.A.1. Examples of these devices include, but are not limited
to, Novell servers, Microsoft servers, Macintosh servers, and Unix servers.
II. Modification of Policy
- A. The Executive Director of Information Technology (IT) is responsible
for this policy, including its maintenance and compliance with the policy.
- B. A subcommittee of the Network Administrators Group (the Server
Administration Policy Subcommittee) will review this policy periodically
and make recommendations regarding additions, deletions and/or
modifications to this policy to the Executive Director of IT. Others
wishing to make recommendations may make them directly to the Executive
Director of IT.
III. Exceptions to Policy
- A. Any college, department or office that wishes an exception to this
policy must present its written request to the Server Administration Policy
Subcommittee.
- B. The Server Administration Policy Subcommittee will forward requests
for exception, with the subcommittee’s recommendation, to the Executive
Director of IT. The Executive Director of IT will then either approve or
deny the exception. The subcommittee’s recommendation and the Executive
Director of IT’s decision will be forwarded to the requester within 30 days.
- C. Only the Executive Director of IT may
authorize an exception to this policy.
IV. Policy
- A. Servers
- 1. Definition: Servers are computers explicitly purchased to
provide services to other computers on the network. These services
include, but are not limited to, file sharing, printing, database access,
email, web services, authentication, and any other applications that are
accessible via the network. When a server is needed to provide services or
hold data, then it is important enough to devote the resources to ensure
the server will be available and reliable. This should be done through the
use of redundant equipment, a consistent backup scheme, and a detailed plan
for a timely recovery of the services provided to university users.
- B. Requirements
- 1. Virus Protection – Server antivirus software is required. It must be
installed and running, and its virus definitions must be kept up to date.
- 2. Documentation – Server IP address(es),
licenses, services provided, and contact information (primary and
alternate) must be documented and readily available.
- 3. Secure System Configuration – Servers must be
secured to the greatest extent possible, including the disabling of all
unnecessary services, configuration of file sharing services to provide
reasonable and appropriate security, and changing of all
default passwords.
- 4. Patches – Security and operating system (OS)
patches or hot fixes must be applied in a timely fashion that is
appropriately balanced between the type of OS installed and severity of
risk to the Boise State University Network.
- 5. Backups – Appropriate backups of the server’s
OS, applications, data, and configuration documentation must be
maintained, with type and frequency of the backups dependent upon the
criticality of service(s) hosted.
- 6. Compliance with Server Standards and Procedures –
Servers must follow the standards and procedures detailed in the Server
Standards and Procedures, developed and maintained by the Server
Administration Policy Subcommittee.
- C. Non-Compliance with this Policy
- 1. First offence – non-compliance with this Policy will result in a
warning notice of non-compliance being sent from the Server
Administration Policy Subcommittee to the responsible System
Administrator. The warning notice shall include a description of the
violation referencing specific policy and recommending the necessary
corrective action and acceptable time frame for such action. A copy of
this notice will be maintained by the subcommittee in the event another
incident occurs.
- 2. Second offence – a second offence or non-compliance with this
Policy will result in a warning notice of non-compliance from the Server
Administration Policy Subcommittee to the responsible System
Administrator with copies to the appropriate manager, Dean or Director
and the Executive Director of IT. The warning notice shall include a
description of the violation referencing specific policy and recommending
the necessary corrective action and acceptable time frame for such action.
- 3. Continued offences – continued non-compliance or a third
violation of this Policy will result in the termination of network
services to the offending department or college. The Executive Director
of IT will direct that such services be terminated with notice to the appropriate
Dean or Director with a copy to the IT Governance Council. Such services
will not be reestablished until the Server Administration Policy
Subcommittee notifies the Executive Director of IT that the violation has
been resolved in accordance with established policy.