The Georgetown University Information Security Office has begun a server registration program to identify and assess the risks associated with servers throughout the university. The primary goal of this program is to locate servers that are critical business systems, servers with electronic protected information (ePI), and servers that require inbound Internet connectivity.
- Critical business systems. Critical business systems are information systems that provide critical functionality to the University and would cause significant loss when unavailable or compromised.
- Servers with ePI. Servers that contain electronic protected information, which includes, but is not limited to, social security numbers, student records, employee records, credit card numbers, medical records, and financial records.
- Inbound Internet Connectivity. Inbound Internet connectivity indicates that a server is reachable from the Internet for server-based requests. This includes web, mail, DNS, and database servers that are accessible to some or all of the Internet.
The purpose of the server registration program is to understand where the university is exposed through critical systems, sensitive data, and servers that are open to attack from the Internet.
- Server Registration Form. To register your server, you must visit the server registration page and complete the online form identified on that page. You will be required to log in with NetID credentials, and the form asks for details about the server and about who is responsible for its security and administration.
- Server Baseline Review. Once you have submitted the registration form, you will be contacted by the University Information Security Office to complete a baseline security review. A baseline security review evaluates your server configuration and processes against the university's established acceptable standard. The current baseline is version 1.0, with a primary focus on appropriate protection for data and on access control. You will receive the results together with security recommendations ordered by priority. The University Information Security Office expects the responsible administrators identified in the server registration to plan and implement the security recommendations within a reasonable timeframe.
- On-going Follow-up. Internet attacks and hacking incidents will continue to increase, and the University Information Security Office will alter and adjust the university baseline standard accordingly and require follow-up reviews. Additionally, the University Information Security Office will follow up on security baseline reviews and on the progress of recommendations.
- Least Permissive. Georgetown University's current network access model is based on the most permissive model, or default allow. Default allow means that all traffic is allowed, with the exception of what is explicitly denied. This means that, by default, all incoming connections are allowed to each computer on our network. The migration to the least permissive model will change our network access model to default deny for incoming traffic. In other words, all traffic IN from the Internet is explicitly denied unless specifically allowed through the server registration program. Please note that this is a common network architecture for workstation networks, and applications such as instant messaging, iTunes, Internet browsers, and mail programs will continue to function without issue.
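The two access models described above, written as nftables rulesets for a border firewall. This is an added illustration, not Georgetown's actual configuration: the interface name, addresses and the list of registered servers and their approved services are constructed placeholders.

```nftables
# Added illustration (not the university's real ruleset). The two tables are
# alternatives showing "before" and "after"; load one or the other, not both.
# wan0, the 192.0.2.0/24 addresses and the registered sets are placeholders.

# --- Before: default allow (the most permissive model) ----------------------
# Only what is explicitly denied is blocked; every other inbound connection
# to every host on the campus network is forwarded.
table inet default_allow {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "wan0" tcp dport 23 counter drop   # one explicit deny (telnet)
        # ...everything not listed above is allowed in by default
    }
}

# --- After: default deny for incoming traffic (least permissive) -----------
table inet least_permissive {
    # Hypothetical registered servers and the inbound service each one was
    # approved for through the server registration program.
    set registered_web  { type ipv4_addr; elements = { 192.0.2.10, 192.0.2.11 } }
    set registered_mail { type ipv4_addr; elements = { 192.0.2.20 } }
    set registered_dns  { type ipv4_addr; elements = { 192.0.2.53 } }

    chain forward {
        type filter hook forward priority 0; policy drop;  # deny unless allowed

        # Traffic leaving campus is unaffected by this chain's inbound rules.
        iifname != "wan0" accept

        # Replies to connections that campus hosts initiated still flow, which
        # is why browsers, mail clients, instant messaging and iTunes keep working.
        ct state established,related accept
        ct state invalid counter drop

        # Explicit allows: only registered servers, only on approved services.
        ip daddr @registered_web  tcp dport { 80, 443 } ct state new accept
        ip daddr @registered_mail tcp dport 25 ct state new accept
        ip daddr @registered_dns  udp dport 53 accept
        ip daddr @registered_dns  tcp dport 53 ct state new accept

        # Everything else from the Internet is logged and denied by default.
        log prefix "inbound-denied: " counter drop
    }
}
```

Adding a newly registered server means appending its address to the matching set (or adding a new set and rule for a service not listed), so the default-deny policy stays in place and only the explicit allows grow.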
Would you like additional information? If so, please contact David C. Smith, University Information Security Officer to arrange a meeting or answer follow-up questions.
David C. Smith
3300 Whitehaven Street, #2000
Washington, DC 20007
Do you have a security emergency or incident to report? Please contact firstname.lastname@example.org.