ISO Home

About
Advisories
Forms
Report an Incident
ISO Bridge

Security Awareness

• Newsletters
• Security Brochures
• Spyware
• Phishing
• Ransomware
• Spam Email
• Social Engineering
• USB Security

Policies and Guidelines

• Policy, Procedure
• SSN Use 
• Telecommuting
• Vendor Remote Access
• Password Security
• Mobile Device Security
• Secure Data Transfer
• Cloud/3rd Party Use Guidance
  ↳ Cloud Procurement
• UTA Box Accounts
  ↳ Non-UTA account sharing with UTA Box
• Minimum Standards
• Configuration Guidelines
• Two Factor Authentication
• Approved Data Storage

Encryption

• About Encryption
• Full Disk Encryption
  ↳ Maintaining Compliance
• Encryption Compliance Calculation
• Personal Full Disk Encryption

Data Classification

• Classification of Data
• Classification Standard
  

Security Resources

• LOK-IT Encrypted USB Drive
• Blazeware Protection
• Security Operations Center
• Patch Your Computer
• Securing Your Email
• VPN
• Data Loss
• Identity Theft
• Antipiracy, Copyright
• Digital Certificates
• Security Tools, Links

Configuration Guidelines

Servers

Linux     Windows

NOTE: All servers must be registered with the ISO in order to comply with the Data Classification Standard. Click HERE to register your server.

Objective

This document provides ISO-approved baseline configuration standards for University owned servers. The CIS Security Benchmarks for each operating system can be found at the links above.

 All servers must be compliant with Section ADM 5-602 of the HOP which states "All servers must be located in a location that is approved by the Office of Information Technology". 

The process for creating a secure server can be summarized as follows:

1. Use the first checklist (Server Creation) to aggregate the necessary information for creating a server.
2. Use the second checklist (Minimum Standards) to insure basic security.
3. Use the OS specific checklists (links above) to secure the server and insure compliance with University Standards.

Server Creation Checklist

Item	Explanation
Server Location	ARDC or a campus location
-Approved?	OIT approval for location
Virtual or Physical
-Asset Tag # (if physical)
-Serial # (if Physical)
Server Name
Server Owner	Usually the head of the department or entity requesting the server (“application owner” in the HOP).
Server Administrator	OIT administrator or departmental administrator
Server Purpose
-Firewall Considerations	What firewall changes will be made to allow this server to be utilized?
-Data Sensitivity	MANDATORY: register with the ISO HERE.
Creation Date
Vulnerability Assessment	All servers must be scanned by the ISO before go-live.

 

Minimum Standards

This section lists the minimum standards that should be applied and enabled in Category I, II, and III data systems that are connected to the university network. Standards for Category I are generally required.
If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available. In such cases a security exception must be requested.
IT Owners and IT Custodians, lead researchers, and/or systems administrators are expected to use their professional judgment in managing risks to the information and systems they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed by the system.

Backups

Practice	Category I	Category II & III
System administrators should establish and follow a procedure to carry out regular system backups.	Required	Recommended
Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.	Required	Recommended
Systems administrators must maintain documented restoration procedures for systems and the data on those systems.	Required	Recommended

 

Change Management

Practice	Category I	Category II & III
There must be a change control process for systems configuration. This process must be documented.	Required	Recommended
System changes should be evaluated prior to being applied in a production environment. Patches must be tested prior to installation in the production environment if a test environment is available. If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch.	Required	Recommended

 

Computer Virus Prevention

Practice	Category I	Category II & III
Anti-virus software must be installed and enabled.	Required	Required
Anti-spyware software must be installed and enabled if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software.	Recommended	Recommended
Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily.	Required	Recommended
Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software.	Required	Recommended

 

Physical Access

Practice	Category I	Category II & III
Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended.	Required	Recommended
Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access.	Required	Recommended

 

System Hardening

Practice	Category I	Category II & III
Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured.	Required	Recommended
Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures.	Required	Required
If automatic notification of new patches is available, that option should be enabled.	Required	Required
Services, applications, and user accounts that are not being utilized should be disabled or uninstalled.	Required	Recommended
Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed.	Required	Recommended
Services or applications running on systems manipulating Category-I data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs.	Required	Recommended
Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate.	Required	Recommended
If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this.	Required	Recommended
Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.	Required	Recommended
The required university login banner should be displayed.	Required	Recommended
Whenever possible, all non-removable or (re-) writable media must be configured with file systems that support access control.	Required	Recommended
Access to non-public file system areas must require authentication.	Required	Recommended
Strong password requirements will be enabled, as technology permits, based on the category of data the account is allowed to access.	Required	Required
Apply the principle of least privilege to user, administrator, and system accounts.	Required	Recommended

 

System Hardening

Practice	Category I	Category II & III
If the operating system comes with a means to log activity, enabling and testing of those controls is required.	Required	Recommended
Operating system and service log monitoring and analysis should be performed routinely. This process should be documented.	Required	Recommended
The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.).	Required	Recommended
All administrator or root access must be logged.	Required	Recommended

Security Review for New Software and Systems

Departments evaluating the implementation of new software and/or systems, involving all categories of data, should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products. Security reviews tend to be informal and can often be performed quickly, while ensuring that best practices are being considered.

Non-Compliance and Exceptions

For all system administrators — if any of the minimum standards contained within this document cannot be met on systems manipulating Category-I or -II data that you support, an exception must be requested that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Compliance.

UT Arlington employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, UT Arlington employees are required to comply with state laws and regulations.