Educause Security Discussion mailing list archives

Re: Secure Server Procedure


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Tue, 27 Feb 2007 11:55:29 -0700

Some ideas...

You can find standards for securing servers from Microsoft (online), from
CIS (Center for Internet Security) and from NIST that I think are
helpful.  Another way to approach it would be to design a solution that
assures passing the full PCI standard; that's a really good base for
secure operations.

What you need to do is match these to your objectives and services and
pick what's best aligned to your goals, objectives, and the tactics in
place - perhaps something like ISO 20002:2007 type standard (or
something from NIST) could inform the selection of controls and the
baseline that best fits your effort.  The CIS tools allow you to
productionalize the distribution of policy, so they may be as helpful as
anything in that they not only give you a standard (which you can alter)
but a method for enforcing and pushing it out.

I'm not an admin nor have I had to do this, I'm just repeating the line
from the whitepapers and the industry as I've read it on the above.  I
have used all these sources to some positive end on creating agreement
for security standards.  If nothing else there is a good basis for
commendable practice in them. It seems that the CIS stuff is all about
what you are trying to accomplish.

Best wishes,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 
-----Original Message-----
From: Charlie D. Kutil [mailto:kutil () TAMHSC EDU] 
Sent: Friday, February 23, 2007 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure Server Procedure

We are defining some new servers that we wish to classify as Secure
Servers.  We have a policy in place for server hardening, however we do
not have a step based procedure or checklist. Is anyone willing to share
their procedure for developing a Secure Server?

Thank you,
Charlie Kutil

Charlie Kutil, M.P.H., CISSP
Information Policy & Security Officer
Office of Information Technology (OIT)
Texas A&M Health Science Center
Coastal Bend Health Education Center
(O) 361-825-2805
(C) 361-876-3781

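As an added example (not code from either poster, nor CIS, NIST or PCI tooling), here is a small POSIX shell audit showing how two hardening controls become the kind of checkable, PASS/FAIL checklist the original question asks for. The controls chosen, the function names and the sample sshd_config and shadow files it writes are constructed for illustration; the checks are run against those samples so the script works offline on any host.

```shell
#!/bin/sh
# Added example: a checklist-style hardening audit in the spirit of the
# CIS benchmarks discussed above, but not CIS's own tooling. The controls,
# file names and the sample inputs below are constructed for illustration.

# sshd_value FILE KEYWORD
# Print the value sshd would actually use for KEYWORD: keywords are
# case-insensitive, the FIRST occurrence wins, and anything after a "Match"
# line is conditional, so the global section ends there. A hardening line
# appended at the bottom of a file that already sets the keyword earlier
# is therefore silently ignored, which is exactly what an audit must catch.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        NF == 0                { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# check_sshd FILE
# Compare a handful of sshd_config settings with the expected values and
# return 0 only if every one matches; print one PASS/FAIL line per control.
check_sshd() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no Protocol=2 X11Forwarding=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$want"
        else
            echo "FAIL $key expected '$want' got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# check_mode FILE EXPECTED
# Compare the permission string from ls -ld (e.g. '-rw-------') with
# EXPECTED. Only the first ten characters are used so an ACL or SELinux
# marker in column 11 does not break the comparison.
check_mode() {
    got=$(ls -ld "$1" | cut -c1-10)
    if [ "$got" = "$2" ]; then
        echo "PASS $1 is $got"
        return 0
    fi
    echo "FAIL $1 expected $2 got $got"
    return 1
}

# write_sample_configs DIR
# Constructed sample inputs. The "bad" config sets PermitRootLogin twice:
# the trailing "no" is the sort of fix an admin appends without noticing
# the earlier "yes", and sshd honours the first line, not the last.
write_sample_configs() {
    cat > "$1/sshd_config.good" <<'EOF'
# constructed sample: a compliant global section
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
# constructed sample: looks hardened at the bottom, is not
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
X11Forwarding no
EOF
    : > "$1/shadow.good"; chmod 600 "$1/shadow.good"
    : > "$1/shadow.bad";  chmod 644 "$1/shadow.bad"
}

# Demonstration run against the constructed samples.
demo=$(mktemp -d)
write_sample_configs "$demo"
for f in sshd_config.good sshd_config.bad; do
    echo "== $f"
    if check_sshd "$demo/$f"; then echo "-- compliant"; else echo "-- NOT compliant"; fi
done
check_mode "$demo/shadow.good" '-rw-------' || true
check_mode "$demo/shadow.bad"  '-rw-------' || true
rm -rf "$demo"
```

The point of the first-match logic is the caveat worth carrying into any real checklist: a control is only verified if the check reads the configuration the way the daemon does, so a grep for "PermitRootLogin no" anywhere in the file would pass the "bad" sample above while the server still accepts root logins. This is why the CIS benchmarks pair each recommendation with both an audit step and a remediation step; turning a policy into a procedure means writing down the exact check, not just the intended setting.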