NDSU Policy 710 Computer and Electronic Communication Facilities Standards and Procedures
The following standards and procedures are required for all computers (servers and desktops).
Failure to follow established security standards can result in sanctions. (NDUS Policy and Procedure 1901.2, Section 6)
Data Security Standards
- Colleges and departments must determine and classify the types of data stored on servers and desktops. (NDUS 1901.2, Sections 3.1.1, 5.7, 5.11, and NDUS 1901.2 Data Classification and Information Security Standard)
- All servers and desktops containing sensitive or confidential data must have methods installed and enabled to protect that data. (NDUS 1901.2, Sections 2.1-2, 3.3, 3.1.1-2, 3.5.1, 4.1, and 4.3)
- Access should be given only to those who require access to such data, and that access should be limited to what is necessary (e.g., read, write, modify). (NDUS 1901.2, Section 3.5)
- It is recommended that confidentiality agreements be signed and kept on file for users accessing data that must be protected from unauthorized access. An example of a confidentiality agreement can be found on the NDSU attorney's Web site.
Physical Security Standards
- College and department servers must be located in a secure area with up-to-date documentation of who has access. (NDUS 1901.2, Section 5.1.1 and the "NDUS Physical Information Technology Security Standards")
- The area should not be public and should be accessible only to those who require access. Doors and windows must be locked when the area is not in use. A log of who holds keys to the area must be maintained, and keys must be collected from those who no longer need access.
- Servers should be located in a climate controlled environment.
- Use of a UPS (Uninterruptible Power Supply) is recommended; it should provide line conditioning for electrical and network cabling.
- It is recommended that servers be cabled and locked to an immovable surface or stored in a locked cage.
- If desktops are located in a public area, they must be cabled and locked to an immovable surface.
- Fire suppression services must be available (fire extinguishers).
Electronic Security Standards
Anti-virus software must be installed and kept current with all recent signatures. (NDUS 1901.2, Section 3.4)
Install and enable a firewall. (NDUS 1901.2, Section 3.4)
- Configure and allow only necessary/required traffic
- Review logs regularly for inappropriate or unneeded access
- Logs must be kept a minimum of thirty (30) days
Review the purpose of each server/desktop and allow only the services, applications, and access that pertain to that purpose. For example, a machine used as a Web server should not also hold data or databases. (NDUS 1901.2, Section 3.4, and the "NDUS Server Information Technology Security Standard")
Run only the services needed on the server. (NDUS 1901.2, sections 3.4, 5.1.2, and the "NDUS Server Information Technology Standard")
- The services must be related to the role the machine serves
- Install only software and applications that are needed for the purpose of the machine
- Use SFTP (SSH File Transfer Protocol) or SSH (Secure Shell) for remote file transfer and administration
- Disable Telnet and FTP (File Transfer Protocol); both transmit credentials in cleartext
- Disable all services that will not be used and/or needed
Configure all services to log all connections and authentication information. (NDUS 1901.2, Sections 3.4 and 5.1.2, and the "NDUS Server Information Technology Security Standard")
- Assign an appropriate technical staff member to review logs and report any unusual activity
- Logs must be kept for a minimum period of thirty (30) days
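The three checks below (listening services against a role allowlist, log retention against the 30-day minimum, and a review of authentication logs for unusual activity) are an added shell example and are not NDSU or NDUS code. The function names, the Web-server port allowlist, and all sample data (an `ss -Hltn` listing, a logrotate stanza, and a few sshd auth.log lines) are constructed here for illustration so the script runs offline.

```shell
#!/bin/sh
# Added example for the Electronic Security Standards above. Not NDSU/NDUS
# code; function names, the allowlist and every sample are constructed.
# Assumption: the host's role is a Web server.

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*'

# Ports the Web-server role is expected to expose (assumption).
WEB_ROLE_PORTS="22 80 443"

# Constructed logrotate stanza for the firewall log: weekly x 2 = 14 days.
SAMPLE_LOGROTATE='/var/log/ufw.log {
    weekly
    rotate 2
    compress
    missingok
}'

# Constructed sshd lines in auth.log format (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG='Mar  3 02:11:07 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51822 ssh2
Mar  3 02:11:09 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51830 ssh2
Mar  3 02:11:12 web1 sshd[4124]: Failed password for root from 203.0.113.5 port 51841 ssh2
Mar  3 02:15:40 web1 sshd[4130]: Accepted publickey for webadmin from 192.0.2.10 port 40212 ssh2
Mar  3 02:20:01 web1 sshd[4135]: Failed password for webadmin from 192.0.2.10 port 40220 ssh2'

# unexpected_listeners TABLE ALLOWED_PORTS
# One line per listening port the role does not justify. Ports 21 and 23 are
# reported separately because the policy requires FTP and Telnet disabled.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            banned["21"] = "ftp"; banned["23"] = "telnet"
        }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # strip the address, keep the port
            if (port in banned)
                print port, banned[port], "DISABLE: cleartext, use SFTP/SSH"
            else if (!(port in ok))
                print port, "unlisted", "REVIEW: not required by role"
        }'
}

# retention_days STANZA
# Days of history a logrotate stanza keeps: rotate count x period length
# (daily=1, weekly=7, monthly=30). Enough to catch a setting under 30 days.
retention_days() {
    printf '%s\n' "$1" | awk '
        $1 == "daily"   { period = 1 }
        $1 == "weekly"  { period = 7 }
        $1 == "monthly" { period = 30 }
        $1 == "rotate"  { count = $2 }
        END { print (period ? period : 1) * count }'
}

# meets_log_retention STANZA: succeeds when the stanza keeps at least 30 days.
meets_log_retention() {
    [ "$(retention_days "$1")" -ge 30 ]
}

# failed_logins_over LOG THRESHOLD
# Prints "IP count" for each source with more than THRESHOLD failed SSH
# password attempts, the kind of unusual activity the log reviewer reports.
failed_logins_over() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] > t) print ip, n[ip] }'
}

# Report on the sample data: 23 and 21 must be disabled, 3306 needs a
# justification or removal, 14 days of firewall log is below the minimum,
# and 203.0.113.5 is guessing passwords.
echo "== listeners not justified by the Web-server role =="
unexpected_listeners "$SAMPLE_LISTENERS" "$WEB_ROLE_PORTS"
echo "== firewall log retention (policy minimum 30 days) =="
if meets_log_retention "$SAMPLE_LOGROTATE"; then
    echo "OK: $(retention_days "$SAMPLE_LOGROTATE") days"
else
    echo "FAIL: only $(retention_days "$SAMPLE_LOGROTATE") days retained"
fi
echo "== sources with more than 2 failed SSH logins =="
failed_logins_over "$SAMPLE_AUTH_LOG" 2
```

On a real Linux host the samples would be replaced by the output of `ss -Hltn`, the relevant stanza from `/etc/logrotate.d/`, and `/var/log/auth.log` (or `journalctl -u ssh`); the allowlist is whatever the documented role of the machine actually requires. The retention estimate ignores `maxage` and size-based rotation, so treat a passing result as a prompt to confirm the configuration rather than as proof of compliance.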
User Account Standards (NDUS 1901.2, Sections 3.4 and 3.5)
A unique login and password must be created for each user.
Password standards must conform to NDSU and NDUS policies and procedures. (See NDUS Policy and Procedure 1901.2, Section 3.4, Use of Personally Managed Systems)
The administrator/root account must be renamed and a strong password created. Only the individual managing the server should have access to the administrator account.
It is recommended that routine work on the server not be done with administrator privileges. The administrator account should be used only when necessary.
Force new users to change their password when they first log in.
The guest account must be deleted or renamed and a strong password set.
Disable or delete old accounts/logins that belong to those who no longer need access.
- For those who are terminated, whether they leave voluntarily or involuntarily, the accounts must be locked or deleted.
If the account is a shared account, the password must be changed each time someone is added to or leaves the group. Passwords for these accounts should also be changed on a regular basis.
Reassignment/Surplus of Electronic Equipment
(NDUS 1901.2, NDUS Server Information Technology Security Standard, and NDUS 1901.2 Data Classification and Information Security Standard)
Colleges and departments shall use a secure deletion program that conforms to the DoD (Department of Defense) standard to erase data from hard disks and media prior to reassignment, surplus, or disposal. Note that overwrite-based wiping designed for magnetic disks does not reliably sanitize SSDs and other flash media; for those, use the drive's built-in secure-erase function or physically destroy the media.
Colleges and departments shall maintain changes to inventory.
Operating system and any application software that was initially shipped with the computer must be included with the computer.
For more information, please contact: