Campus Server Standards (ACIS Policy)

Statement of Policy

In the past decade, as technology has changed, there has been a strategic and technical move away from mainframe computing to both centralized and decentralized university server environments. Networked-connected servers now act as the digital engines which make the university enterprise function. Most, if not all, departmental servers require connections to the campus backbone for access to networked university information resources and the Internet. In order to protect the electronic information assets of Lehigh University, all servers currently connected and requesting connection to the campus network must conform to clearly defined technical and security specifications developed and published by Library and Technology Services (LTS) in consultation with appropriate departmental representatives [1]. These standards are not intended to be a barrier to limit campus connectivity, but are needed to maintain a secure and fault-tolerant network for the campus computing community.

Implementation of Policy

1. Implementation Philosophy

   The University recognizes that different needs of campus constituents may lead to conflicts in server standards, priorities and operations. LTS will work with representatives from the appropriate constituent groups to seek balanced solutions to problems identified under this policy. Effective implementation of this policy requires the close cooperation of all server stewards across the campus.

2. Mediation of Disputes

   In the event that a dispute arises in the administration of this policy:

   1. ACIS will provide clarification of this policy statement or its implementation activities.
   2. Further arbitration of disputes arising from this policy will be brought to the Provost for resolution.

3. Library and Technology Services will review all requests to attach the following to the campus network:

   • Computing resources,
   • Servers,
   • Communications devices, and
   • Network peripheral devices (e.g., printers)

   The goal of this policy is to ensure that network-attached devices will have no consequential impact on the reliability, stability, or maintainability of the campus-wide network and that they conform to specified technical, security, operational, and maintenance standards prior to their connection.

   It is also the objective of this policy to ensure that departmental representatives are provided guidance on the appropriate technical and security standards when connecting servers to the campus network.

4. Library and Technology Services has the responsibility to disconnect a network-connected device or computing resource from the network if it has been identified as being the source of any action which:

   • Violates applicable "conditions of use" policies, for either on-campus or off-campus service providers
   • Violates local, state, federal or international laws
   • Is determined to be a nuisance or potential nuisance
   • Is determined to be compromised or is likely to be compromised.

5. Library and Technology Services will develop, publish and maintain a set of standards which will ensure that network connected servers or computing resources can interact appropriately with the campus-wide network, that network and server security is maintained, and that server hardware and software are maintainable. Standards may include but are not limited to such issues as:

   • Appropriate security facilities in place
   • Currency of operating system release levels
   • Backup procedures are in place and adequate
   • Hardware maintenance and/or support is in place
   • Software maintenance and/or support is in place
   • Departmental contact is assigned and available on-call
   • Appropriate technical documentation is available
   • All applicable software has been appropriately licensed

6. Library and Technology Services will perform an annual review and certification that each network connected server or computing resource conforms to the specified standards. Servers failing to meet the review standards may be disconnected. The actual action taken will depend on the severity of the discrepancies and the associated vulnerability of the server or the network. To that end Library and Technology Services will take all reasonable steps, consistent with the risk posed, to help departments resolve the non-compliance issue.

7. Library and Technology Services reserves the right to scan network-connected hosts to understand what resources are connected to the network and the vulnerability of each. Library and Technology Services will provide advanced notification to departmental network/computing managers, where applicable, prior to initiating such activities.

8. The standards used to assess network servers and computing resources will be reviewed and updated as necessary or at least twice annually.

[1] Departmental representatives refers to those departmental staff that are responsible for the operation of the server and its applications. These staff are alternatively referred to as "server owners" or "server stewards".

Original effective date: March 1, 2001