Purpose
The purpose of this standard is to secure and protect the information and applications that reside on WPI-owned workstations and servers.
This standard seeks to mitigate internal and external risks which include but are not limited to:
- Unauthorized access.
- Interception of data during transmission.
- Loss of information in a disaster.
- Corruption of data or systems.
- Unauthorized transfer of information to third parties.
Scope
The scope covers systems in one or more of the following categories:
- Administrative and academic computers
- Computers in classrooms and general purpose computing labs
- Systems storing sensitive data, including:
  - WPI confidential information
  - Governmentally regulated information
  - WPI intellectual property
  - Information covered under any executed non-disclosure agreement
Standard
Servers
Physical Requirements
Servers are:
- Located in a reasonable operating environment.
- Connected to appropriate surge suppression and backup power.
- Located in a locked, limited access room.
General Requirements
Servers are:
- Configured to store sensitive data on a local RAID array (RAID level 1, 1+0, 3, or 5) or on a SAN configured in the same fashion.
- Comprehensively detailed in the Data Protection and System Recovery Plan.
- Listed in the Capacity and Replacement Plan.
- Running a local software firewall to limit access, from any source, to sensitive services that might be running on the server.
- Running an anti-virus package which automatically updates whenever appropriate.
- Running a host-based Intrusion Detection System (IDS) on critical files for system operation.
System Operation Standard
All servers meet the following standards:
- Unnecessary services are disabled.
- Unnecessary software is removed.
- Separation of development and production, where technically and financially feasible.
- Separate server for Internet Access, where technically and financially feasible.
- All daemon processes run under unprivileged accounts and/or in chroot jails whenever possible.
- System logs are recorded locally and forwarded to a central logging server whenever possible, and are reviewed regularly.
- Encrypt data when feasible.
- Eliminate general user access from critical system infrastructure whenever possible.
System Access Standard
All server accessibility meets the following standards:
- Passwords follow the WPI Password Standard.
- Whenever possible, passwords use a central Kerberos password database, both to reduce the number of passwords users must manage and to centralize management of users.
- Users are given the minimum privileges necessary to perform their function, and these privileges are reviewed at least once a year.
- Access methods into the servers use encrypted username/password verification mechanisms at minimum, and fully encrypted connections whenever possible.
- Access to servers containing personal records or business data is limited to on-campus connections only. Off-campus access is enabled through the WPI VPN.
- Privilege escalation is authenticated and used only when necessary, so that privileged actions can be traced to individual users.
- No remote super user access.
Workstations
Physical Requirements
Workstations in computer labs are:
- Physically secured and/or cabled to the desk whenever possible.
- Subject to physical access that is monitored and limited to appropriate personnel.
Workstations in limited-access offices are:
- Physically secured when the user is not present.
General Requirements
Workstations in labs are:
- Recoverable by a pre-determined back-up and recovery solution.
- Devoid of any personal records and business data. Labs are re-imaged regularly to ensure clean, stable systems and to ensure no stored information is left on the system.
- Running a local software firewall to limit access to services which might be running on the computer.
- Running an anti-virus package which automatically updates.
- Part of a central management methodology.
Workstations in limited-access offices are:
- Recoverable by a pre-determined back-up and recovery solution.
- Devoid of excessive personal or business data. Business data is stored on managed network storage whenever possible to log access and limit data loss due to hardware failure.
- Listed in the Capacity and Replacement Plan.
- Running a local software firewall to limit access to services which might be running on the computer.
- Running an anti-virus package which automatically updates.
- Whenever possible, part of a central management methodology.
System Operation Standard
All workstations meet the following standards:
- Unnecessary services are disabled.
- Unnecessary software is uninstalled.
System Access Standard
Access to workstations in computer labs adheres to the following standards:
- Whenever possible, passwords use a central Kerberos password database, both to reduce the number of passwords users must manage and to centralize management of users.
- Users are given the minimum privileges necessary to perform their function, and these privileges should be reviewed at least once a year.
- Remote access services are secured and controlled.
- No local accounts exist besides those needed for system administrative staff.
Access to workstations in limited-access offices adheres to the following standards:
- Whenever possible, passwords use a central Kerberos password database, both to reduce the number of passwords users must manage and to centralize management of users.
- Users are given the minimum privileges necessary to perform their function, and these privileges should be reviewed at least once a year.
- The system is devoid of excessive accounts at any privilege level, and no local administrative accounts should exist.
- No Guest account access is enabled.
- Remote access into workstations is restricted to encrypted connections only.
Revision History
The Information Technology Division endorsed this standard on January 25, 2007.
After a minor revision, the faculty Committee on IT Policy endorsed this standard on April 15, 2008.