Purpose

The purpose of this standard is to secure and protect the information and applications that reside on WPI-owned workstations and servers.

This standard seeks to mitigate internal and external risks which include but are not limited to:

  • Unauthorized access.
  • Interception of data during transmission.
  • Loss of information in a disaster.
  • Corruption of data or systems.
  • Unauthorized transfer of information to third parties.

Scope

The scope covers systems in one or more of the following categories.

  • Administrative and academic computers
  • Computers in classrooms and general purpose computing labs
  • Systems storing sensitive data:
    • WPI confidential information
    • Governmentally regulated information
    • WPI intellectual property
    • Information covered under any executed non-disclosure agreement

Standard

Servers

Physical Requirements

Servers are:

  • Located in a reasonable operating environment.
  • Connected to appropriate surge suppression and backup power.
  • Located in a locked, limited access room.

General Requirements

Servers are:

  • Configured to store sensitive data within a local RAID array configured for RAID levels 1, 1+0, 3, or 5, or to store the data on a SAN configured in the same fashion.
  • Comprehensively detailed in the Data Protection and System Recovery Plan.
  • Listed in the Capacity and Replacement Plan.
  • Running a local software firewall to limit access from anywhere to sensitive services which might be running on the server.
  • Running an anti-virus package which automatically updates whenever appropriate.
  • Running a host-based Intrusion Detection System (IDS) on critical files for system operation.

System Operation Standard

All servers meet the following standards:

  • Unnecessary services are disabled.
  • Unnecessary software is removed.
  • Separation of development and production, where technically and financially feasible.
  • Separate server for Internet Access, where technically and financially feasible.
  • All daemon processes run under unprivileged accounts and/or in chroot jails whenever possible.
  • System logs are logged locally and to a central logging server whenever possible and reviewed regularly.
  • Encrypt data when feasible.
  • Eliminate general user access from critical system infrastructure whenever possible.

System Access Standard

All server accessibility meets the following standards:

  • Passwords follow the WPI Password Standard.
  • Whenever possible, passwords use a central Kerberos password database to both simplify the number of passwords and centralize management of users.
  • Users are given the minimum privileges necessary to perform their function and these privileges are checked at least once a year.
  • Access methods into the servers use encrypted username/password verification mechanisms at minimum and use fully encrypted connections whenever possible.
  • Access to servers containing personal records or business data is limited to on-campus connections only. Off-campus access is enabled through the WPI VPN.
  • Authenticated privilege escalation, which allows for user tracking, is used only when necessary.
  • No remote super user access.

Workstations

Physical Requirements

Workstations in computer labs are:

  • Physically secured and/or cabled to the desk whenever possible.
  • Physical access is monitored and limited to appropriate personnel.

Workstations in limited-access offices are:

  • Physically secured when the user is not present.

General Requirements

Workstations in labs are:

  • Recoverable by a pre-determined back-up and recovery solution.
  • Devoid of any personal records and business data. Labs are re-imaged regularly to ensure clean, stable systems and no stored information is left on the system.
  • Running a local software firewall to limit access to services which might be running on the computer.
  • Running an anti-virus package which automatically updates.
  • Part of a central management methodology.

Workstations in limited-access offices are:

  • Recoverable by a pre-determined back-up and recovery solution.
  • Devoid of excessive personal or business data. Business data is stored on managed network storage whenever possible to log access and limit data loss due to hardware failure.
  • Listed in the Capacity and Replacement Plan.
  • Running a local software firewall to limit access to services which might be running on the computer.
  • Running an anti-virus package which automatically updates.
  • Whenever possible, part of a central management methodology.

System Operation Standard

All workstations meet the following standards:

  • Unnecessary services are disabled.
  • Unnecessary software is uninstalled.

System Access Standard

Access to workstations in computer labs adheres to the following standards:

  • Whenever possible, passwords use a central Kerberos password database to both simplify the number of passwords and centralize management of users.
  • Users are given the minimum privileges necessary to perform their function and these privileges should be checked at least once a year.
  • Remote access services are secured and controlled.
  • No local accounts exist besides those needed for system administrative staff.

Access to workstations in limited-access offices adheres to the following standards:

  • Whenever possible, passwords use a central Kerberos password database to both simplify the number of passwords and centralize management of users.
  • Users are given the minimum privileges necessary to perform their function and these privileges should be checked at least once a year.
  • The system is devoid of excessive accounts of any privilege level and no local administrative accounts should exist.
  • No Guest account access is enabled.
  • Remote access into workstations is restricted to encrypted connections only.

Revision History

The Information Technology Division endorsed this standard on January 25, 2007.

After a minor revision, the faculty Committee on IT Policy endorsed this standard on April 15, 2008.