SP 6-10v – Server and Workstation Configuration

Colorado Community College System / System Procedure


SP 6-10v

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCES:

Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10b, Access and Authentication
System Procedure (SP) 6-10c, Anti-Virus and Anti-Spyware Management

APPROVED:

/ Joe Garcia /
Joseph A. Garcia
Chancellor

BASIS

This procedure documents minimum requirements that Colorado Community College System and its Colleges’ (“CCCS”) Information Technology (“IT”) servers and workstations must meet before being deployed into a production environment.

APPLICATION

This procedure applies to Information Assets owned, leased, managed and maintained by the System IT Department (“System IT”) the College IT Department (“College IT”) or by third parties on behalf of CCCS.

DEFINITIONS

Server
Server is defined as a computer or device on a network that manages network resources. Examples include file servers (to store files), print servers (to manage one or more printers), network servers (to manage network traffic), and database servers (to process database queries).

Workstation
Workstation is defined as a computer used to perform tasks such as programming, engineering, and design.

PROCEDURE

The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

IT Servers and Workstations are often exploited to obtain Sensitive and Restricted information. Access obtained by unauthorized individuals could place the organization at risk. Securing System IT and College IT Servers and Workstations, regardless of how mission critical the systems are, must be completed in a manner that still allows the institution to operate efficiently.

IT Server and Computer Hardening

  • Default usernames and passwords must be changed and unique per device wherever applicable. Unnecessary accounts shall be disabled or removed/deleted.
  • Approved security fixes/patches must be installed prior to deployment.
  • A successful vulnerability scan shall be performed prior to server deployment.
  • CCCS IT System names must be consistent with established system naming conventions.
  • A business justification is required for each service, protocol and port allowed to make inbound connections into a server.
  • Unused or unnecessary services or software shall be removed or disabled.
  • Servers must reside behind a security perimeter and be protected by firewalls and anti-virus software.
  • Servers and Workstations shall be formally documented in an asset inventory.
  • Firewall software must be installed and used for Servers and Workstations.
  • Servers and Workstations will be set to lock with a screensaver after 15 minutes of inactivity.
  • Servers and Workstations must be updated/patched on a regular basis based on CCCS’s System and Device Patching Standard and industry best practices.
  • End of Life operating systems that are reaching end of support must be removed or retired prior to last day of support.

Security Configuration

  • Security configuration baselines that are based on vendor-specific and/or industry standard best practices shall be applied to System IT and College IT systems and Workstations. Exceptions will be documented and granted on an as needed basis.
  • Compliance to the security configuration baselines will be periodically measured and reported upon.
  • Deviations identified will be reviewed, prioritized for remediation, and corrected per CCCS’s remediation processes.

REVISING THIS PROCEDURE

CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.