Server Security Policy
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent Server installation policies, ownership and configuration management are all about doing the basics well.
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Tuxis. Effective implementation of this policy will minimize unauthorized access to Tuxis proprietary information and technology.
All employees, contractors, consultants, temporary and other workers at Tuxis and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Tuxis
- Servers must be registered within the corporate management system. At a minimum, the following information is required to positively identify the point of contact:
- Server contact(s) and location, and a backup contact
- Hardware and Operating System/Version
- Main functions and applications, if applicable
- Information in the corporate management system must be kept up-to-date.
- For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic.
- Services and applications that will not be used must be disabled where practical.
- Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
- The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.
- Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.
- If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).
- Servers should be physically located in an access-controlled environment.
- Servers are specifically prohibited from operating from uncontrolled cubicle areas.
All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
- All security related logs will be kept online for a minimum of 1 week.
- Daily full backups will be retained for at least 7 days.
- Monthly full backups of logs will be retained for at least 1 month.