THIS IS A SAMPLE! Feel free to use or modify it for your own use! Want a Policies and Procedures Wiki like this? Sign up for a Staff.Wiki trial by clicking here.

Server Security

Definitions 

File Transfer Protocol (FTP): Is a standard Internet protocol for transmitting files between computers on the Internet. 

Overview 

The servers at (^Company^) provide a wide variety of services to internal and external users, and many servers also store or process sensitive information for (^Company^). These hardware devices are vulnerable to attacks from outside sources which require due diligence by the IT Department to secure the hardware against such attacks. 

Purpose 

The purpose of this policy is to define standards and restrictions for the base configuration of internal server equipment owned and/or operated by or on (^Company^)’s internal network(s) or related technology resources via any means. This can include, but is not limited to, the following: 

  1. Internet servers (FTP servers, Web servers, Mail servers, Proxy servers, etc.) 
  2. Application servers 
  3. Database servers 
  4. File servers 
  5. Print servers 
  6. Third-party appliances that manage network resources 

This policy also covers any server device outsourced, co-located, or hosted at external/third-party service providers, if that equipment resides in the official (^Company^) domain or appears to be owned by (^Company^).

The overriding goal of this policy is to reduce operating risk. Adherence to the (^Company^) Server Security Policy will: 

  1. Eliminate configuration errors and reduce server outages 
  2. Reduce undocumented server configuration changes that tend to open up security vulnerabilities 
  3. Facilitate compliance and demonstrate that the controls are working 
  4. Protect (^Company^) data, networks, and databases from unauthorized use and/or malicious attack 

Therefore, all server equipment that is owned and/or operated by (^Company^) must be provisioned and operated in a manner that adheres to company defined processes for doing so.

This policy applies to all (^Company^) company-owned, company operated, or company controlled server equipment. Addition of new servers, within (^Company^) facilities, will be managed at the sole discretion of IT. Non-sanctioned server installations, or use of unauthorized equipment that manage networked resources on (^Company^) property, is strictly forbidden. 

Policy Detail 

Responsibilities

(^Company^)’s VP of IT has the overall responsibility for the confidentiality, integrity, and availability of (^Company^) data. 

Other IT staff members, under the direction of the Director of IT, are responsible for following the procedures and policies within IT. 

Supported Technology

All servers will be centrally managed by (^Company^)’s IT Department and will utilize approved server configuration standards. Approved server configuration standards will be established and maintained by (^Company^)’s IT Department.

All established standards and guidelines for the (^Company^) IT environment are documented in an IT storage location.

The following outlines (^Company^)’s minimum system requirements for server equipment supporting (^Company^)’s systems. 

  1. Operating System (OS) configuration must be in accordance with approved procedures. 
  2. Unused services and applications must be disabled, except where approved by the Director of IT or the VP of IT. 
  3. Access to services must be logged or protected though appropriate access control methods. 
  4. Security patches must be installed on the system as soon as possible through (^Company^)’s configuration management processes. 
  5. Trust relationships allow users and computers to be authenticated (to have their identity verified) by an authentication authority. Trust relationships should be evaluated for their inherent security risk before implementation. 
  6. Authorized users must always use the standard security principle of “Least Required Access” to perform a function. 
  7. System administration and other privileged access must be performed through a secure connection. Root is a user account that has administrative privileges which allows access to any file or folder on the system. Do not use the root account when a non-privileged account will do. 
  8. All (^Company^) servers are to be in access-controlled environments. 
  9. All employees are specifically prohibited from operating servers in environments with uncontrolled access (i.e. offices). 

This policy is complementary to any previously implemented policies dealing specifically with security and network access to (^Company^)’s network.

It is the responsibility of any employee of (^Company^) who is installing or operating server equipment to protect (^Company^)’s technology based resources (such as (^Company^) data, computer systems, networks, databases, etc.) from unauthorized use and/or malicious attack that could result in the loss of member information, damage to critical applications, loss of revenue, and damage to (^Company^)’s public image. 

Steps will be taken to ensure resources are protected.

Want a Policies & Procedures Wiki like this? Sign up and try Staff.Wiki by clicking here.

Next Topic:
© Copyright 2024 WorkflowFirst Software LLC
v6.0.0.14094
Up Since 5/7/2024 10:53:17 PM