7.5.6 Platform Hardening
A. Purpose
To describe the requirements for installing a new server or other platform device in a secure fashion and maintaining the security integrity of the device and application software. Servers and other platform devices are depended upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers and other platform devices are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.
B. Persons Affected
All individuals responsible for the installation of new Information Resources, the operations of existing Information Resources and individuals charged with Information Resource Security at The University of Texas at Tyler (the "University").
C. Definitions
- Information Technology (IT): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
- Information Resources Manager (IRM): Responsible to the State of Texas for management of the University's information resources. The designation of the information resources manager is intended to establish clear accountability for setting policy for information resources management activities, provide for greater coordination of the University's information activities, and ensure greater visibility of such activities within and between state agencies. The IRM has been given the authority and the accountability by the State of Texas to implement Security Policies, Procedures, Practice Standards, and Guidelines to protect the Information Resources of the University.
- Vendor: Someone who exchanges goods or services for money.
- Information Technology (IT): The University department responsible for computers, networking and data management.
- Server: A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
- Information Security Officer (ISO): Responsible to the University's executive management for administering the information security functions within the University. The ISO is the University's internal and external point of contact for all information security matters.
D. Policy
- A server must not be connected to the University network until it is in an IT-accredited secure state and the network connection is approved by IT.
- The Platform Hardening Procedure provides the detailed information required to harden a server or other device and must be implemented for IT accreditation. Some of the general steps included in the Platform Hardening Procedure include:
  - Installing the operating system from an IT approved source
  - Applying vendor supplied patches
  - Removing unnecessary software, system services, and drivers
  - Setting security parameters, file protections and enabling audit logging
  - Disabling or changing the password of default accounts
- IT and the ISO will monitor security issues, both internal to the University and externally, and IT will manage the release of security patches on behalf of the University.
- IT will test security patches against IT core resources before release where practical.
- IT may make hardware resources available for testing security patches in the case of special applications.
- Security patches must be implemented within the specified time frame of notification from IT.
- Disciplinary Actions: Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University Information Resources access privileges and to civil and criminal prosecution.
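As an added illustration (not the University's Platform Hardening Procedure and not code from this policy), the following Python checker evaluates a host snapshot against the five general hardening steps listed above and reports the findings that would block IT accreditation. The approved-source, required-service and default-account lists are hypothetical stand-ins for what the Procedure would specify, and the snapshot is constructed.

```python
"""Baseline checker for the five general hardening steps (added illustration)."""
from dataclasses import dataclass

# Hypothetical constants; the real Procedure would supply these lists.
APPROVED_OS_SOURCES = {"it-mirror.example.edu"}
REQUIRED_SERVICES = {"sshd", "auditd"}
DEFAULT_ACCOUNTS = {"admin", "guest", "root"}

@dataclass
class HostSnapshot:
    os_source: str                        # where the OS image/packages came from
    pending_patches: list[str]            # vendor patches not yet applied
    enabled_services: set[str]
    audit_logging: bool
    shadow: dict[str, tuple[str, int]]    # /etc/shadow-style: name -> (hash, last-change day)
    install_day: int                      # days since epoch when the OS was installed

def check_hardening(host: HostSnapshot) -> dict[str, list[str]]:
    """Return findings per policy step; an empty list means that step passes."""
    findings: dict[str, list[str]] = {}
    findings["approved_source"] = (
        [] if host.os_source in APPROVED_OS_SOURCES
        else [f"OS installed from unapproved source {host.os_source}"])
    findings["patches"] = [f"patch not applied: {p}" for p in host.pending_patches]
    findings["unnecessary_services"] = [
        f"service enabled but not required: {s}"
        for s in sorted(host.enabled_services - REQUIRED_SERVICES)]
    findings["audit_logging"] = [] if host.audit_logging else ["audit logging disabled"]
    # A default account is acceptable only if it is locked ('!' or '*' hash) or its
    # password was changed after installation; accounts absent from shadow are skipped.
    findings["default_accounts"] = [
        f"default account {name} still has its original password"
        for name in sorted(DEFAULT_ACCOUNTS)
        if name in host.shadow
        and not host.shadow[name][0].startswith(("!", "*"))
        and host.shadow[name][1] <= host.install_day]
    return findings

def is_accredited(host: HostSnapshot) -> bool:
    """True only when every policy step has no findings."""
    return all(not f for f in check_hardening(host).values())

# Constructed snapshot of a freshly built host, before hardening is complete
SAMPLE = HostSnapshot(
    os_source="it-mirror.example.edu",
    pending_patches=["vendor-patch-2023-001"],
    enabled_services={"sshd", "auditd", "telnet", "cups"},
    audit_logging=True,
    shadow={"root": ("$6$abc", 19500), "admin": ("$6$def", 19400), "guest": ("!", 19400)},
    install_day=19400,
)
```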
E. References
https://security.utexas.edu/admin/
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023