IT Server Security Policy

Section 1 - Purpose of Policy

(1) The purpose of this Policy is to outline practices for administering servers that will ensure an acceptable risk posture against real-world threats. The aim is to defend servers against cyber security threats in a practical and pragmatic manner.

Section 2 - Application and Scope

(2) This Policy applies to:

(3) This Policy does not apply to services that are procured as “software as a service”.

Section 3 - Policy Principles

Server Registry

(4) An inventory of servers (‘Server Registry’), in the style of a configuration management database, will be maintained to assist with applying this Policy. The Server Registry documents each server’s compliance status, operating system platform, the services it supports, and the application software in use. The following examples qualify as a server under this definition for the purpose of this Policy:

Secure Operating System and Software

(5) The server’s operating system and other software must be configured to prevent security weaknesses both upon initial deployment and on an ongoing basis.

(6) Operating system and application security patches must be applied in line with the requirements of the ACSC's Essential Eight strategies to mitigate cyber security incidents.

(7) These requirements can be achieved with the following practices:

Data Recovery Capability

(8) At minimum, the data associated with the service needs to be recoverable in the event of an incident or disaster. Processes and tools must be used to properly back up important data, and a methodology for timely recovery must be proven.

(9) This backup methodology must be tested by the service owner at least annually. If the same backup system is used for a number of applications, at least one of these applications must be recovery tested by the service owner annually.

Malware Defences

(10) Tools and processes are used to detect, prevent, and correct installation and execution of malicious software on servers.

(11) This can be achieved with the following practices:

Continuous Vulnerability Assessment and Remediation

(12) The Cyber Security Team is responsible for regularly scanning to detect vulnerabilities on Servers and for communicating vulnerability assessments to the service owner and server administrator.

Limit and Control Network Ports, Protocols and Services

(13) The server only runs network services, protocols and ports that are necessary to achieve its business purpose.

(14) This can be achieved with the following practices:

Controlled Use of Administrative Privileges

(15) Administrative privileges must be minimised and only used when required. A high standard of security is applied to privileged accounts. These privileges must be reviewed by the Cyber Security Team at least annually.

(16) Ensure Secrets relating to administrative access are changed when deemed appropriate, e.g. when administrative staff have left or if the Secrets have not been changed for more than 2 years.

Maintenance, Monitoring and Analysis of Audit Logs

(17) Application and operating system audit and event logs are configured and maintained in a useful state. For important servers the logs are monitored either automatically or manually.

(18) All authentication and account and group management events must be logged.

(19) These logs must be retained for a minimum of 2 years.

(20) Where possible, servers should be configured to automatically forward logs to an IMTS central log server.

(21) Effective logging includes:

Account Monitoring and Control

(22) System and application user accounts are tracked and controlled by the relevant faculty or division to ensure old and unnecessary accounts are removed and cannot be used for unauthorised access. When staff or contractors leave the University or change roles, their accounts are restricted and removed in accordance with the IT Acceptable Use Policy and IT User Account Management Procedures.

(23) As a condition of use, users must agree to comply with the IT Acceptable Use Policy and other IT policies.

(24) Any external service or system requiring outbound email to be sent on behalf of the University must use an appropriate subdomain with email security applied (such as DMARC).

(25) Business and technical system owners who own or manage systems and applications that send email must engage IMTS to assess and implement.

Compliant and Non-compliant Servers

(26) Individual servers are deemed to be compliant with this Policy when the following are confirmed:

(27) A server is deemed non-compliant when the above has not been met, or following an unsatisfactory audit or vulnerability scan. The identification of non-compliant servers may result in either:

Section 4 - Exemptions

(28) The Chief Information Digital Officer, or delegated authority, may approve an exemption where it is impractical to satisfactorily comply with this Policy in whole or in part and it is demonstrated that the risk is acceptable. These exemptions may be granted for an individual server or a class of server or device.

(29) Individual server exemptions will be recorded in the Server Registry. Exemptions applying to a class of device will be recorded.

(30) Examples of individual exemptions include, but are not limited to:

(31) Examples of class exemptions include, but are not limited to:

Section 5 - Roles and Responsibilities

(32) The Chief Information Digital Officer has the following responsibilities:

(33) The Cyber Security Team has the following responsibilities:

(34) The service owner has the following responsibilities:

(35) The business owner has the following responsibilities:

(36) The server administrator has the following responsibilities:

Section 6 - Definitions
Word/Term: Definition (with examples if required)

ACSC: Australian Cyber Security Centre

NTP: Network Time Protocol

Secrets: Key phrase or information used to form passwords for UOW Systems.

Server: A computer or device which provides services over a network and is configured to allow access by multiple users. The following examples qualify as a server under this definition for the purpose of this policy:
  - A physical or virtual server running in a University data centre offering a web application component
  - A desktop computer with file sharing enabled that is accessed by a number of people
  - A building controller device that is accessed over the network by a management server
  - A virtual server instance running in a public cloud that is operated by or for the University

Service: A data storage, manipulation, presentation, communication, or other capability which is implemented using a client-server or peer-to-peer architecture based on network protocols running at the application layer of a network. For example, any web based application which may be supported by several Servers offering front and backend data processing and storage.

Business Owner: An individual within the University who is nominated to assume responsibility for a Service and is authorised to make business decisions with regard to the Service.

Server Administrator: An individual role or team who is nominated to administer particular servers. Must have sufficient technical skills and experience to ensure Servers are supported and administered properly. This may include third party support arrangements.

Service Owner: An individual role or team within the University who is nominated to assume responsibility for a Service and is authorised to make technical decisions with regard to the Service.

Server Registry: An information system maintained by Information Management & Technology Services in the style of a configuration management database that documents servers in scope of this policy.

University: University of Wollongong and controlled entities.

University Network: The network infrastructure used by the University including all network services on main campus, satellite campuses, and controlled entities.

User: A person assigned a User Account by the University or a person who is otherwise authorised to use University IT Facilities and Services.

User Account: An identity assigned to a User, with an associated username, for the purpose of accessing IT Facilities and Services that require authentication by the User.