Educause Security Discussion mailing list archives

Re: SLA for Non IT Managed Server?


From: "Semmens, Theresa" <theresa.semmens () NDSU EDU>
Date: Wed, 13 Apr 2011 08:23:40 -0700

NDSU requires that servers be approved and registered if they are not centrally managed. The URL provides more 
information, along with the policy and procedure that back this.

http://www.ndsu.edu/its/ndsu_server_registration/ 

Theresa Semmens, CISA
Chief IT Security Officer
North Dakota State University
IACC 210D
PO Box 6050
Fargo, ND 58108
Phone: 701-231-5870
Cell Phone: 701-212-2064
Fax: 701-231-8541
Theresa.Semmens () ndsu edu



Security is a process, privacy is a consequence
Security is action, privacy is a result of successful action
Security is the strategy, privacy is the outcome
Security is the sealed envelope, privacy is the successful delivery of the message inside the envelope  
                                                        ~ Kevin Beaver & Rebecca Herold



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
Sent: Wednesday, April 13, 2011 8:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SLA for Non IT Managed Server?

Kris,

We require all server systems to comply with our Connecting Servers to
the University Network standards
<https://wiki.albany.edu/display/public/askit/Standards+for+Connecting+Servers+to+the+University+Network>.

We scan on a monthly basis to identify servers and mandate that owners
sign off on the standards, certifying that they are in compliance and
verifying each of the services they are running.
Marty


On 4/12/2011 8:05 PM, Bates, Cathy C - (cbates) wrote:
Kris,

We do not have an SLA, but we are in the midst of working with our first college on this very issue.  Researchers who 
want to manage their own servers in the Engineering College will need to meet with the Dean and me (UISO) to make 
their case in terms of need and competency AND will have to have their server subject to periodic Qualys 
vulnerability scans to determine if they are maintaining a secure server.

Cathy

Cathy Bates
University Information Security Officer 
Information Security Office | CC207
University of Arizona
(520) 626-2399
cbates () email arizona edu
http://security.arizona.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kris Monroe
Sent: Tuesday, April 12, 2011 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SLA for Non IT Managed Server?

Anyone have something like an SLA that they require be signed by a non 
IT owner of a server?
For example, a Faculty member that wants to host a web server and a 
database server to support their research project. I could see the SLA 
outlining the faculty member is responsible for patching (OS, web 
server, database), hardening, limiting the database to the one they have 
discussed (that has no PII), is responsible for user accounts (including 
provisioning/deprovisioning), etc. And that changing of the agreed upon 
use requires a new or revised SLA.
Thanks in advance!
-Kris


-- 
Martin Manjak
Information Security Officer
University at Albany
CISSP, GSEC, GCWN

"What information consumes...is the attention of its recipients."
Herbert Simon, 1971

