Policy Number: COS-1003
Policy Subject: Purchasing, installing, and configuration of servers by the College of Science (COS)
Responsible Office: Associate Dean for Research, COS
Related Policies and Standards:
- University Policy 1114 Data Stewardship
- University Policy 1311 Information Technology Security Program
- Information Technology Security Standard
This Policy applies to all centers, institutes, and academic and operational departments and offices of the College of Science at George Mason University. The policies and procedures provided herein apply to all College of Science faculty, staff, students, visitors and contractors.
This policy provides general requirements for purchasing, installing and configuring server resources in a secure manner as well as maintaining the security integrity of the hardware and application software.
II. Policy Statement
All college employees, students, and contractors shall comply with the COS Server Policy and University Information Technology Security Program including the Information Technology Security Standard and are responsible for implementing controls commensurate with system risk.
Server: A server is a system (software and suitable computer hardware) that responds to requests across the Mason network or the Internet, if hosted off campus, to provide, or help to provide, a network service. All systems that are intentionally configured to be accessible via the Internet are considered to be servers. A system that is accessible only from the university network but provides a server service is also a server.
System Owner: The System Owner is the person responsible for operation and maintenance of a university IT system.
System Administrator: A System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner. Their responsibilities can include administration at the system infrastructure layer and/or system application layer. Any given system may have more than one System Administrator depending on the size and complexity of the system. The System Administrator assists with the day-to-day administration of the IT systems, and implements security controls and other requirements of the IT security program on IT systems for which the System Administrator has been assigned responsibility. System Administrators are responsible for documenting and enabling user access.
The College Director of Information Technology and Security must be consulted before systems are purchased. The Office of Research Computing also should be contacted prior to any storage, HPC, or cluster purchases to see if centralized resources are available or can be purchased that meet your needs. The college encourages the use of centralized shared resources whenever possible to maximize the return on investment and encourage long-term protected, supported and sustainable assets for research.
System owners and administrators must ensure servers are configured and maintained in accordance with all University Computing Policies and Standards. Whenever possible, servers should be located in Aquia (university supported data center) unless other adequate facilities are available. Cooling, power and physical security requirements should be addressed. Only non-critical servers should be housed outside of Aquia.
Appropriate measures must be taken when configuring and managing server-based resources to ensure the confidentiality and integrity of information in accordance with University Policy 1114, Data Stewardship.
In addition to university requirements, configuration, security settings, and change history must be documented and maintained for the life of the server.
After a server is fully configured, ITSO should be contacted to scan the server for vulnerabilities. Any identified known vulnerabilities will be remedied if applicable. The use of centrally administered vulnerability scanning is required. All servers will be placed in a COS Server Firewall Zone (public or private depending on needs) or other appropriate zone-based firewall as designated by ITS. Host-based firewall rules should be used to secure the server as required.
All pertinent information regarding the server should be reported to the Director of Information Technology and Security, including a brief description of purpose, location of the server (aisle, rack, U-number), IP address, hostnames, system owners and administrators, and emergency contact information.
V. Other Information
Documentation supporting checklist usage and configuration changes will be maintained until the server is retired and will be made available upon request for audit purposes.
Exceptions to this policy must be documented in writing and approved by the Associate Dean of Research Computing.
VI. Review and Update
This Policy will be reviewed annually in July.
VII. Effective Date
The policies herein are effective February 15, 2018.
Dean, College of Science
Date approved: February 15, 2018
Revised: September 28, 2020