Server Management Standard

Purpose

  • Instruct system, application and service administrators, owners and users on the appropriate use of the Server Management Standard controls required as a condition for access to University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy (IV.06.02).
  • The requirements identified herein reduce risks to the confidentiality, integrity and availability of University data and systems ("information assets") and protect the privacy of members of the University community.

Applies To

This Standard applies to all University of Oregon-owned or vendor-owned servers connected to University networks, and to any other server connected to University networks, including virtual machines and servers located in a cloud environment.

Definitions

See ISO Standards - Glossary and Iconography for details.

Standard

  • University owned servers SHALL be inventoried and managed by the IT unit or individual providing support, using processes and systems approved by the Information Security Office.
  • University owned servers SHALL apply the controls associated with the appropriate risk level for the data the server will process, store or access, as specified in Table 1.

Associated Controls

Table 1: Endpoint Standard - Classification Designations

Information System Classification

Legend: M - Mandatory; R - Recommended; NR - Not Required

UO Control                                                                         High Risk (Red)   Moderate Risk (Amber)   Low Risk (Green)
UO.1  CMS: Registration                                                            M                 M                       M
UO.2  CMS: Management (OS)                                                         M                 M                       M
UO.3  CMS: Management (Apps)                                                       M                 M                       R
UO.4  Vulnerability Scanning                                                       M                 M                       M
UO.5  Penetration Testing                                                          M                 R                       NR
UO.6  Organizational communication and data flows are mapped                       M                 R                       NR
UO.8  Resources are prioritized based on their classification                      M                 M                       M
UO.15 Physical Security                                                            M                 M                       R
UO.17 System Hardening                                                             M                 M                       R
UO.19 Security Updates                                                             M                 M                       M
UO.20 Application Block Listing                                                    M                 M                       R
UO.21 Anti-Malware                                                                 M                 M                       M
UO.22 Auto-Lock Screen or Consoles                                                 M                 M                       R
UO.23 Firewall (Host-based)                                                        R                 R                       R
UO.25 Encryption: Data-at-Rest                                                     M                 R                       NR
UO.26 Encryption: Data-in-Transit                                                  M                 R                       NR
UO.27 Encryption: Full Disk                                                        M                 M                       R
UO.28 User Access Control: Unique Access Account                                   M                 M                       R
UO.29 User Access Control: Least Privilege Access                                  M                 M                       M
UO.33 User Access Control: Inactive Session Time                                   M                 M                       R
UO.34 User Access Control: Two Factor Authentication                               M                 M                       R
UO.41 Data is Destroyed According to Policy                                        M                 M                       M
UO.45 Logging and Retention                                                        M                 M                       M
UO.46 Log Monitoring                                                               M                 M                       M
UO.48 Incident Recovery: Backup & Recovery                                         M                 R                       R
UO.49 Incident Recovery: Restoration Testing                                       M                 M                       R
UO.50 Determine criticality of information system components                       M                 M                       M
UO.51 Resiliency requirements will be established based on data classification     M                 M                       M

Requesting Exceptions

In the event the standard cannot be achieved by reasonable means, you can request an exception by completing the Information Security Standard Exception Request form. Be ready to provide details on why the standard cannot be followed, the requested duration of the exception, and the mitigating controls being put in place to meet the requirement.

Reporting Violations

Any user who suspects a violation of the standard should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website.

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu.

Additional information can also be found by visiting the following resources:

Revision History

Version   Published     Author                               Description
1.0       05/10/2024    Information Security Office (ISO)    Original publication
1.1       09/09/2024    Information Security Office (ISO)    Added UO.29 and UO.34

Publication

Status:          Standard
Published:       05/10/2024
Last Reviewed:   09/09/2024
Last Updated:    09/09/2024

Approvals

Body                                                                        Date Discussed   Date Approved
Information Security and Privacy - Governance Sub-Committee (ISP-GC)
Chief Information Security Officer