Please refer to the University of Colorado’s Administrative Policy Statement (APS) 6005 IT Security Program and System-wide Baseline Security Standards which apply to all individuals who access or control CU Boulder information technology resources.
This Standard identifies the minimum requirements for all University servers to ensure the integrity and security of University Data and the shared information technology environment, including networks, services, and systems. A University server is any physical, virtual, or cloud-based device that manages network resources, hosts data owned by the University, or connects to a University-owned network.
All University servers used by faculty, staff, students, or other Authorized Individuals must meet this Standard, regardless of manufacturer, function of the system, or whether the server is primarily connected to the campus network. Non-University owned servers that connect to the University campus network must also meet these requirements. These requirements are necessary to ensure resource availability, reinforce the University's security and compliance posture, and protect the confidentiality of data assets.
The following IT capabilities must be met to ensure consistent application of protections and adherence to the CU baseline security standards, provide visibility into campus threats, and support incident response. At all times university servers must:
- Run current, supported software. Out-of-date operating systems or software that is no longer actively updated and is considered end of life are prohibited.
- Provide role-based access control for both operating system and service/application access.
- Log authentication and authorization events for the server and service(s) provided.
- Be enrolled in the campus anti-malware and detection and response application, or an approved equivalent, for real-time scanning to detect, prevent, and remove malware and malicious activity and to mitigate potential vulnerabilities.
- Be enrolled in the campus vulnerability scanning solution or an approved equivalent.
- Apply operating system and application security updates in compliance with the “Identification and Management of Security Flaws in IT Systems” Standard (https://www.colorado.edu/information-technology/sites/default/files/atta...).
- If hosting University-owned information, be backed up at least weekly to a physically separate medium. All backups must be encrypted, and any application or hardware device used to encrypt backups must use a cryptographic module that, at minimum, meets the current Federal Information Processing Standard 140 (FIPS 140). Systems classified as High Impact (in accordance with the definitions at https://www.cu.edu/security/about-adverse-impact) must ensure timely recovery. A minimum of 30 days of backups must be maintained on a rolling basis.
- Have an active stateful firewall operational at all times, with a ruleset that is audited and updated at least semi-annually.
- Maintain up-to-date system ownership and management contacts with OIT.
- Maintain any custom-developed applications and periodically assess them for vulnerabilities.
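The requirements above are stated as controls, not as a procedure, so the following is an added example of how a server owner might evaluate an inventory record against the measurable ones (supported OS, RBAC, logging, enrollment, weekly backups with 30-day rolling retention on FIPS 140 encrypted separate media, active firewall with a semi-annually audited ruleset). It is example code written for this page, not part of the CU Boulder standard or any OIT tool; the inventory field names, the two server records, and the backup dates are constructed for illustration.

```python
# Added compliance evaluator for the server requirements above (example code,
# not part of the CU Boulder standard or any OIT tool). Inventory records and
# field names are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

MAX_BACKUP_AGE_DAYS = 7      # backed up at least weekly
MIN_RETENTION_DAYS = 30      # 30 days of backups kept on a rolling basis
MAX_RULESET_AGE_DAYS = 183   # firewall ruleset audited semi-annually


@dataclass
class Backup:
    taken: date
    separate_medium: bool    # stored on a medium physically separate from the server
    encrypted: bool
    fips140_module: bool     # encryption performed by a FIPS 140 validated module


@dataclass
class ServerFacts:
    hostname: str
    os_end_of_life: date | None   # vendor end-of-life date; None means still supported
    rbac_os: bool
    rbac_app: bool
    auth_logging: bool
    edr_enrolled: bool
    vuln_scan_enrolled: bool
    hosts_university_data: bool
    backups: list[Backup]
    firewall_active: bool
    ruleset_last_audit: date | None


def check_backups(backups: list[Backup], today: date) -> list[str]:
    """Findings for the backup clause; an empty list means compliant."""
    if not backups:
        return ["no backups recorded"]
    findings = []
    ordered = sorted(backups, key=lambda b: b.taken)
    newest_age = (today - ordered[-1].taken).days
    if newest_age > MAX_BACKUP_AGE_DAYS:
        findings.append(f"newest backup is {newest_age} days old (limit {MAX_BACKUP_AGE_DAYS})")
    # Weekly cadence has to hold across the retained window, not only for the newest copy.
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur.taken - prev.taken).days
        if gap > MAX_BACKUP_AGE_DAYS:
            findings.append(f"{gap}-day gap between backups of {prev.taken} and {cur.taken}")
    retained = (today - ordered[0].taken).days
    if retained < MIN_RETENTION_DAYS:
        findings.append(f"only {retained} days of backups retained (minimum {MIN_RETENTION_DAYS})")
    offline = [b for b in ordered if not b.separate_medium]
    if offline:
        findings.append(f"{len(offline)} backup(s) not on a physically separate medium")
    weak = [b for b in ordered if not (b.encrypted and b.fips140_module)]
    if weak:
        findings.append(f"{len(weak)} backup(s) not encrypted with a FIPS 140 module")
    return findings


def check_server(s: ServerFacts, today: date) -> list[str]:
    """Findings for one server against the standard; an empty list means compliant."""
    findings = []
    if s.os_end_of_life is not None and s.os_end_of_life <= today:
        findings.append(f"operating system reached end of life on {s.os_end_of_life}")
    if not (s.rbac_os and s.rbac_app):
        findings.append("role-based access control missing for the OS or the application")
    if not s.auth_logging:
        findings.append("authentication/authorization events are not logged")
    if not s.edr_enrolled:
        findings.append("not enrolled in the campus anti-malware / detection and response application")
    if not s.vuln_scan_enrolled:
        findings.append("not enrolled in the campus vulnerability scanning solution")
    if s.hosts_university_data:   # backup clause applies only when University data is hosted
        findings.extend("backup: " + f for f in check_backups(s.backups, today))
    if not s.firewall_active:
        findings.append("no active stateful firewall")
    elif s.ruleset_last_audit is None or (today - s.ruleset_last_audit).days > MAX_RULESET_AGE_DAYS:
        findings.append("firewall ruleset not audited within the last six months")
    return findings


def weekly_backups(last: date, weeks: int, **flags) -> list[Backup]:
    """Constructed backup history: one copy every seven days ending on `last`."""
    return [Backup(last - timedelta(days=7 * i), **flags) for i in range(weeks)]


TODAY = date(2022, 7, 15)   # the standard's effective date, used as the reference day

# Constructed records: one server that meets every clause, one that misses several.
COMPLIANT = ServerFacts(
    "web-01", date(2025, 6, 30), True, True, True, True, True, True,
    weekly_backups(date(2022, 7, 13), 6, separate_medium=True, encrypted=True, fips140_module=True),
    True, date(2022, 3, 1))
NONCOMPLIANT = ServerFacts(
    "legacy-db", date(2020, 1, 14), True, False, True, False, True, True,
    [Backup(date(2022, 7, 1), True, True, False), Backup(date(2022, 6, 10), True, True, False)],
    True, date(2021, 12, 1))

if __name__ == "__main__":
    for server in (COMPLIANT, NONCOMPLIANT):
        print(server.hostname, check_server(server, TODAY) or ["compliant"])
```

Two points in the backup check are worth keeping when adapting this: the weekly cadence is tested across every retained pair of copies, not only the newest one, because a server that was backed up yesterday after a three-week gap still failed the clause during that gap; and the retention test measures how far back the oldest retained copy reaches, so a history that started last week fails even if every copy since is on schedule.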
More information about the OIT supported and approved applications associated with the server requirements listed above can be found on the OIT website.
University employees and authorized individuals who are unable to meet all components of the standard must apply to OIT for a server exception. If a compelling business reason exists, exceptions to the requirements outlined in this standard may be granted by the Provost and Chief Operating Officer in consultation with the VC/CIO. Inquiries regarding exceptions should be made to the VC/CIO.
University servers subject to specific data protections (e.g., federal regulations, data use agreements) that exceed the requirements identified within this Standard must meet whichever controls are most stringent.
Owners of University servers that cannot meet the requirements identified in this Standard must work with OIT Information Security to determine the appropriate compensating security controls for those servers. Should a server be identified as a high risk to the University network, it must be removed.
Administration and Enforcement
Servers that do not meet this Standard pose a risk to the CU Boulder campus and its data. Per the Acceptable Use Policy, the Chief Information Officer or Information Security Officer may suspend a server’s access to the campus network or any campus computing resources when it reasonably appears necessary to preserve the integrity, security, or functionality of campus computing resources or to protect the university from liability.
Authorized Individuals: This includes those in roles such as:
- Person of Interest (POI): an individual affiliated with the university but not paid as an employee who is granted an IdentiKey for official university needs.
- Sponsored Affiliate: an individual affiliated with the university who is granted an IdentiKey for official university needs when an HR appointment, including POI, is not a possibility.
- An individual who may be authenticated by external means, but authorized by a CU IT service provider to access CU-managed IT services or data (e.g., an external research collaborator authenticated via federated techniques)
End of life: A designation by the vendor when a product is unable to be supported and should be replaced. This generally occurs when the operating system is no longer supported, and the hardware cannot support a new operating system.
Non-University owned: Any end-user device that was not purchased with University funds.
Standard: Specifies the correct approach for solution implementation that must be followed to abide by the overarching policy.
University data: Official information of the institution, including but not limited to university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, electronic communications, student data, and patient data.
Sr. AVC for OIT and CIO
July 15, 2022