D103: Server Security Policy

Issued by: Office of the Chief Information Officer
Approved Date: February 22, 2021
Effective Date: May 1, 2021

Background Information

Servers play a valuable and important role in achieving the University’s mission, but they can also expose the University and constituents to undue risk and expense. Servers must be adequately managed, maintained, supported, protected and used selectively. This policy serves to outline conditions and responsibilities associated with installing and maintaining a server at Stony Brook University.

Policy

Servers are authorized only for those activities that directly support the education, research, public service or health care missions of the University.

  • Access: Local and remote access to University servers must be granted in accordance with University policy and procedure. Service owner(s) must ensure that only authorized users have access to the server, that this access is enforced using technical controls, and that the effectiveness of those controls is adequately monitored.
  • Authorization: All servers must be approved by management in the functional and technical service owner’s hierarchy and installed in accordance with the conditions outlined in this policy.
  • Server Inventory: Before a new server may be connected to any network, certain information must be identified and documented including, but not limited to: functional and technical service owner(s), authorizing manager, server technical details and location, primary service(s) and purpose, sensitive information classification, and attestation of compliance.
  • Security Standards and Regulatory Requirements: Each service owner must ensure that compliance with applicable laws and regulations, such as FERPA, HIPAA/HITECH, and the Gramm-Leach-Bliley Act, is maintained. Servers must also comply with or exceed published Stony Brook cybersecurity minimum standards. Evidence of compliance must be provided upon request.
  • Updates: Technical service owners will subscribe to and monitor for vendor announcements and other resources to determine the need to apply patches to software or hardware, and will apply patches to operating systems and applications as soon as possible.
  • Vulnerability Checking: Authorized DoIT employees may scan or test any server for known or suspected vulnerabilities at any time, without notice. Service owners must cooperate with and facilitate these checks.
  • Technical Service Owner Qualifications: Servers must always have at least one identified technical service owner, who must be professionally obligated (e.g. performance program, job description) to fulfill technical support responsibilities in accordance with published policy and standards.

Enforcement

Servers not in compliance with this policy are subject to removal from the University network or to a shutdown order according to published vulnerability remediation timelines. A fully executed risk acceptance form may allow an extension of these timelines if this option is presented by the CIO or designee. If the University CIO or designee determines that the urgency of outstanding risk exceeds published timelines, a server may need to be disconnected or shut down immediately.

Any substantiated act(s) by an employee that violates this policy may result in sanctions or other disciplinary action as covered by Labor Management processes, collective bargaining agreements, and/or applicable University policies.

Scope

This Policy applies to all individuals who manage, are responsible for, or have access to Stony Brook University (SBU) information resources.

Definitions

Service Owner: Any individual who is a primary contact and responsible for a particular application, server, network or associated business function or process. These owners may be broken down into areas of responsibility, such as Server, Application, Network, etc.

Server: A computer or virtually published service designed to share resources (applications, files, etc.) with other computing devices or software (i.e., clients). Servers may be on the University network or hosted on a remote network, and may be servicing clients on the University network or via the internet.

Management: Individuals within the organization who have supervisory responsibilities.

Additional definitions are listed in P300: Information Security Program Administration Policy.

Inquiries

Specific questions concerning this policy should be referred to:

Office of the Chief Information Officer

Room 231, Educational Communications Center

(631) 632-9085

Relevant Standards, Codes, Rules, Regulations, Statutes, and Policies

P300: Information Security Program Administration Policy

P301: Cyber Incident Response Policy

P302: Sensitive Information Classification Policy

Stony Brook Cybersecurity Minimum Standards

Vulnerability Remediation Timelines

SUNY Information Security Policy

Server Registration Form