• About Us
• Services
• Labs & Facilities
• Help & Instruction
• Policies, Procedures & Standards
• Search
  CCC site only
  All WPI IT sites
  
• CCC Home
• Quick Links
  • Helpdesk
  • Software Instruction
  • Network Operations
  • Telecommunications
  • Web Information System

Computer Systems Standard

Purpose

The purpose of this standard is to secure and protect the information and applications that reside on WPI-owned workstations and serversions. This standard seeks to mitigate internal and external risks which include but are not limited to:

• Unauthorized access
• Interception of data during transmission
• Loss of information in a disaster
• Corruption of data or systems
• Unauthorized transfer of information to third parties

Scope

The scope covers systems in one or more of the following categories.

• Administrative and academic computers
• Computers in classrooms and general purpose computing labs
• Systems storing sensitive data:
• WPI confidential information
• Governmentally regulated information
• WPI intellectual property
• Information covered under any executed non-disclosure agreement

This standard excludes devices covered by the Mobile Device and Personally-Owned Device Management Standard.

Standard

Servers

Physical Requirements

Servers are:

• Located in a reasonable operating environment
• Connected to appropriate surge suppression and backup power
• Located in a locked, limited access room

General Requirements

Servers are:

• Configured to store sensitive data within a local RAID array configured for RAID levels 1, 1+0, 3 or 5 or store the data on a SAN configured in the same fashion.
• Comprehensively detailed in the Data Protection and System Recovery Plan.
• Listed in the Capacity and Replacement Plan
• Running a local software firewall to limit access from anywhere to sensitive services which might be running on the server.
• Running an anti-virus package which automatically updates whenever appropriate.
• Running a host-based Intrusion Detection System (IDS) on critical files for system operation.

System Operation Standard

All servers meet the following standards:

• Unnecessary services are disabled
• Unnecessary software is removed
• Separation of development and production, where technically and financially feasible
• Separate server for Internet Access, where technically and financially feasible
• All daemon processes run under unprivileged accounts and/or in chroot jails whenever possible
• System logs are logged locally and to a central logging server whenever possible and reviewed regularly
• Encrypt data when feasible
• Eliminate general user access from critical system infrastructure whenever possible

System Access Standard

All server accessibility meets the following standards:

• Passwords follow the WPI Password Standard, WPI Password Standard
• Whenever possible, passwords use a central Kerberos password database to both simplify the number of passwords and centralize management of users
• Users are given the minimal of privileges necessary to perform their function and these privileges are checked at least once a year
• Access methods into the servers use encrypted username/password verification mechanisms at minimum and use fully encrypted connections whenever possible
• Access to servers containing personal records or business data is limited to on-campus connections only. Off-campus access is enabled through the WPI VPN
• Use of authenticated privilege escalation only when necessary which allows for user tracking
• No remote super user access

Workstations

Physical Requirements

Workstations in computer labs are:

• Physically secured and/or cabled to the desk whenever possible.
• Physical access is monitored and limited to appropriate personnel.

Workstations in limited-access offices are:

• Physically secured when the user is not present.

General Requirements

Workstations in labs are:

• Recoverable by a pre-determined back-up and recovery solution.
• Devoid of any personal records and business data. Labs are re-imaged regularly to ensure clean, stable systems and no stored information is left on the system.
• Running a local software firewall to limit access to services which might be running on the computer.
• Running an anti-virus package which automatically updates.
• Part of a central management methodology.

Workstations in limited-access offices are:

• Recoverable by a pre-determined back-up and recovery solution.
• Devoid of excessive personal or business data. Business data is stored on managed network storage whenever possible to log access and limit data loss due to hardware failure.
• Listed in the Capacity and Replacement Plan.
• Running a local software firewall to limit access to services which might be running on the computer.
• Running an anti-virus package which automatically updates.
• Whenever possible, part of a central management methodology.

System Operation Standard

All workstations meet the following standards:

• Unnecessary services are disabled.
• Unnecessary software is uninstalled.

System Access Standard

Access to workstations in computer labs adheres to the following standards:

• Whenever possible, passwords use a central Kerberos password database to both simplify the number of passwords and centralize management of users.
• Users are given the minimal of privileges necessary to perform their function and these privileges should be checked at least once a year.
• Remote access services are secured and controlled.
• No local accounts exist besides those needed for system administrative staff.

Access to workstations in limited-access offices adheres to the following standards:

• Whenever possible, passwords use a central Kerberos password database to both simplify the number of passwords and centralize management of users.
• Users are given the minimal of privileges necessary to perform their function and these privileges should be checked at least once a year.
• The system is devoid of excessive accounts of any privilege level and no local administrative accounts should exist.
• No ‘Guest’ account access is enabled.
• Remote access into workstations is restricted to encrypted connections only.

Revision History

• The Information Technology Division endorsed this standard on January 25, 2007.
• After a minor revision, the faculty Committee on IT Policy endorsed this standard on April 15, 2008.

Please visit the Data Security site for references and information on other Data Security standards.

Maintained by itweb
Last modified: Oct 02, 2008, 19:46 UTC

Computing and Communications Center - Worcester Polytechnic Institute
100 Institute Road, Worcester, MA 01609-2280
Phone: +1-508-831-5136 - Fax: +1-508-831-5483 - itweb