8.19 Server Administrator Policy

---

I. POLICY STATEMENT

---

The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. The UTSA Office of Information Security (OIS) and the Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure university computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the data, intellectual property, and Information Resources used to carry out UTSA business.

---

II. RATIONALE

---

A single computer server may contain a variety of information, including Data (publicly-available and protected data) and Computer Applications. The initial setup and continued maintenance of a Server is crucial. If the established procedures are not followed, there may be an increased risk of data loss or corruption and a possibility of the introduction of malware onto the Server and/or the UTSA computer network. The requirement for securing a server is defined in UT System Policy UTS165, Section 27.

---

III. SCOPE

---

Any individual responsible for the administration and installation of a Computer Server - physical or virtual - connected to the UTSA computer network must abide by this policy in order to ensure the Server has been properly set up in accordance with current procedures.  Servers used in support of teaching, classrooms, and labs may be exempted from this policy.  Exemptions will be handled on a case-by-case basis by the OIS.

---

IV. WEBSITE ADDRESS FOR THIS POLICY

---

http://www.utsa.edu/hop/chapter8/8-19.html

---

V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS

---

UTSA or UT System Policies or the Board of Regents' Rules & Regulations

1. HOP 4.1.1 Information Resources Acceptable Use and Security Policy
2. UT System Policy UTS165, UT System Information Resources Use and Security Policy
3. UT System Policy UTS178, Required Reporting of Significant Events 
4. UTSA Data Classification Standard

Other Policies & Standards

3. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C
4. Higher Education Opportunity Act of 2008
5. Texas Computer Crimes Act
   

---

VI. CONTACTS

---

If you have any questions about HOP policy 8.19, Server Administrator, please contact the following office: 

Office of Information Technology (OIT) or Office of Information Security (OIS)
(210) 458-4555

---

VII. DEFINITIONS

---

A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS 165, Information Resources Use and Security Policy.

Data: Information which is recorded - regardless of form or media – that is used to support the business of the university, whether in an administrative, academic, or research capacity.  Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other format.

Information Resources : Any and all computer printouts, online display devices, mass storage media (including external storage devices such as external hard drives and flash drives), and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDAs), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.

Owner: The manager or agent responsible for the business function supported by the Information Resource, or the individual upon whom responsibility rests for carrying out the program using the Information Resource.  (For example, Data Owner)

Server: A computer system that provides shared resources on the network (For example, Web server, print server, file server).

Server Administrator: Any individual responsible for the administration and installation of a computer server - physical or virtual.

User: An individual, automated application or process that is authorized by the Owner to access the resource, in accordance with the Owner's procedures and rules. The User is any person who has been authorized by the Information Owner to read, enter, or update that information. The User is the single most effective control for providing adequate security.

---

VIII. RESPONSIBILITIES

---

1. Server Administrator
   1. Submits a request to OIS to connect the server to access the UTSA computer network.
   2. Follows all procedures in Standard for Server Hardening.
   3. Reports any incidences of attacks, unauthorized data access/disclosure immediately to UTSA OIS.
   4. Ensures that each server under the Server Administrator’s control is housed in a location where only authorized personnel have access.
   5. Ensures the Server is protected by anti-malware software that is automatically updated.
   6. Ensures that the Server operating system and other software applications are up to date and that all vendor-supplied patches have been applied.
   7. Performs a risk assessment on the Server on a regular basis.
   8. For all log-in screens, uses the appropriate language specified in the Standard for Log-in Disclaimer Text.
   9. All Servers must be joined to the UTSA domain.
   10. Where possible, the log in must use the myUTSA ID and passphrase combination for user validation.
   11. The domain administrator group must not be removed from the Server settings.
   12. A Server Administrator cannot restrict OIT staff members from access to any system.  
2. OIT Staff Member
   1. Provides assistance and guidance to anyone tasked with setting up or maintaining a Server
   2. Provides a secure area where a Server can be housed - if space is available and the request is approved by OIT management.
   3. Continuously monitors the university computer network to prevent unauthorized access to Servers.
   4. Notifies the Server Owner and OIS of any unauthorized attempts to access the Server.
   5. Perform a risk assessment on the Server on a regular basis.
3. Data Center Staff Member
   1. Follows all established Data Center procedures.
   2. Continuously monitors the conditions in the Data Center.
   3. Notifies proper authorities (OIT, Facilities, Server Administrators, etc.) immediately of any change in the Data Center environment.
   4. Ensures that unauthorized personnel are prohibited from entering the Data Center.
   5. Performs a risk assessment on the Server on a regular basis.

---

IX. PROCEDURES

---

1. Server setup
   1. Follows the procedures in this policy and the accompanying Standard.
   2. Before installing the Server software, contact OIS for permission to add the Server to the UTSA computer network.
   3. Contact OITConnect to request a static IP address, if needed.
   4. Follow the documented steps from the appropriate checklist in the Standard for Server Hardening and retain the checklist document in a safe place.
   5. Produce the checklist document when required by Internal Audit and/or Institutional Compliance.
   6. Following initial setup, OIT will be responsible for the physical security and software/operating system updates for Servers under OIT control.
2. Policy Review
   1. In order to maintain currency of the Information Security Program, this policy is subject to review on a regular basis.

---

X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION

---

None

---

XI. FORMS AND TOOLS/ONLINE PROCESSES

---

None

XII. APPENDIX

---

None