  • Collaboration Services
  • Database Services (MySQL)
  • Directory Services
  • File Services (Storage)
  • Mail Services
  • Web Services

The University's Executive Compliance Committee (ECC) has made a policy change that requires all commodity servers to be physically or virtually located in the University Data Center. Such a change helps to address a number of risks that the committee has been monitoring over the years. Note: The policy change has been published, but it will not be made effective until September 01, 2014.

Commodity servers are defined as systems providing basic information technology services to university affiliates (e.g., web services, mail services, file services, database services, directory services, collaboration services).  

There were roughly 600 commodity servers identified as having high-volume activity that were located outside of the University Data Center. The ECC has asked the Information Security Office to work with each affected unit on the final disposition of each server.

Exception Process

https://security.utexas.edu/exception/

You should consider structuring your exceptions around the following (see http://security.utexas.edu/policies/irusp.html#section_5_19):

  • business case for exception
  • physical controls for exception
  • logical controls for exception

What is meant by logical controls?

5.18.5. Unattended computing devices must be secured from unauthorized access. Physical security options include barriers such as locked doors or security cables. Logical security options include screen saver passwords and automatic session time-outs.

This would apply both to systems (5.18.5) and to physical access to the room itself via an authentication mechanism (e.g. BACs). Whatever system is in place would probably have to comply with permissions and logging/auditing requirements.