Information Security Office

Minimum Security Standards for Servers and Workstations

Purpose

These minimum standards are intended to meet the requirements in Texas Administrative Code 202 (TAC 202) and UT System UTS-165 (UTS 165). Adherence to the standards will increase the security of servers and workstations, and help safeguard university information and data. These minimum standards exist in addition to all other university policies and federal and state regulations governing the protection of the university's data.

Compliance with these requirements does not imply a completely secure system. Instead, owners of UT Arlington information resources should integrate these requirements into a comprehensive system security plan that meets or exceeds these requirements.

Scope

These standards apply to all UT Arlington owned or controlled systems, which include servers (centralized or decentralized physical, virtual or cloud based) and workstations (tablets, laptops or desktops) that store, transmit or process UT Arlington data classified as Confidential, Controlled, or Published following UT Arlington's established Data Classification Standard.


Audience

All Information Resource Owners and all Information Resource Custodians of systems as identified in the above scope.


Definitions

The definitions found in this section are to be interpreted consistently with other definitions in Texas Administrative Code 202, University of Texas System 165, and other policies found in the Handbook of Operating Procedures covering Information Technology and Security. Where definitions do not exist in this policy, the definitions shall be derived from those policies or regulations. Some definitions are copied verbatim from TAC 202 or UTS 165.

High Impact Information Resources - Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.  Such an event could:

  • cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
  • result in major damage to organizational assets;      
  • result in major financial loss; or
  • result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

High Risk Computing Device - a computing device meeting any of the following criteria:

  • is located in a public or high-traffic area and is used by a person who has access to Confidential Data;
  • is used to create, store, or process Confidential Data or is used within a functional area that handles such data;
  • is used by any executive officers or their support staff; or
  • contains data that if accessed, changed, or deleted by an unauthorized party could have highly adverse impact on the University or U. T. System.

Information Resources Custodian (Custodian) - an individual, department, Institution, or third-party service provider responsible for supporting and implementing Information Resources Owner defined controls to Information Resources.  Custodians include Information Security Administrators, institutional information technology/systems departments, vendors, and any third-party acting as an agent of or otherwise on behalf of an Institution.

Information Resources Owner (Owner) - the manager or agent responsible for the business function that is supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program that uses the resources.  The Owner is responsible for establishing the controls that provide the security and authorizing access to the Information Resource.  The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information.  Where appropriate, ownership may be shared.  Note: In the context of this Information Security Policy and Standards, Owner is a role that has security responsibilities assigned to it by Texas Administrative Code (TAC) 202.72.   It does not imply legal ownership of an Information Resource.   All University Information Resources are legally owned by the University of Texas System or the member Institution. 


Minimum Standards

This section lists the minimum standards that should be applied and enabled in Category I, II, and III data systems that are connected to the university network. Standards for Category I are generally required.

If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available. In such cases a security exception must be requested.

IT Owners and IT Custodians, lead researchers, and/or systems administrators are expected to use their professional judgment in managing risks to the information and systems they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed by the system.

Backups

Practice | Category I | Category II & III
System administrators should establish and follow a procedure to carry out regular system backups. | Required | Recommended
Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. | Required | Recommended
Systems administrators must maintain documented restoration procedures for systems and the data on those systems. | Required | Recommended

Change Management

Practice | Category I | Category II & III
There must be a change control process for systems configuration. This process must be documented. | Required | Recommended
System changes should be evaluated prior to being applied in a production environment. • Patches must be tested prior to installation in the production environment if a test environment is available. • If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch. | Required | Recommended

Computer Virus Prevention

Practice | Category I | Category II & III
Anti-virus software must be installed and enabled. | Required | Required
Anti-spyware software must be installed and enabled if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software. | Recommended | Recommended
Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily. | Required | Recommended
Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software. | Required | Recommended

Physical Access

Practice | Category I | Category II & III
Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended. | Required | Recommended
All laptops and desktops must have full disk or full volume encryption. | Required | Required
All systems (servers, desktops and laptops) must be configured to lock the screen or log off after 15 minutes of idle time. Employees must lock their systems when unattended. | Required | Required
Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access. | Required | Recommended

System Hardening

Practice | Category I | Category II & III
Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. | Required | Recommended
Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. | Required | Required
If automatic notification of new patches is available, that option should be enabled. | Required | Required
Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | Required | Recommended
Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. | Required | Recommended
Services or applications running on systems manipulating Category-I data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs. | Required | Recommended
Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate. | Required | Recommended
If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | Required | Recommended
Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | Required | Recommended
The required university login banner should be displayed. | Required | Recommended
Whenever possible, all non-removable or (re-) writable media must be configured with file systems that support access control. | Required | Recommended
Access to non-public file system areas must require authentication. | Required | Recommended
Strong password requirements will be enabled, as technology permits, based on the category of data the account is allowed to access. | Required | Required
Apply the principle of least privilege to user, administrator, and system accounts. | Required | Recommended

System Hardening

Practice | Category I | Category II & III
If the operating system comes with a means to log activity, enabling and testing of those controls is required. | Required | Recommended
Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. | Required | Recommended
The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). | Required | Recommended
All administrator or root access must be logged. | Required | Recommended

Security Review for New Software and Systems

Departments evaluating the implementation of new software and/or systems, involving all categories of data, should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products. Security reviews tend to be informal and can often be performed quickly, while ensuring that best practices are being considered.

Non-Compliance and Exceptions

For all system administrators — if any of the minimum standards contained within this document cannot be met on systems manipulating Category-I or -II data that you support, an exception must be requested that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Compliance.

UT Arlington employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, UT Arlington employees are required to comply with state laws and regulations.