
...


YALE-MSS-1: System Classification

YALE-MSS-1.1: Classify the IT System and Meet the Minimum Security Standards


The ITS Linux team offers managed support for IT systems classified as servers. Managed servers are built and operated so that they are suitable for all levels of risk classification (high, moderate, or low).



MSS Details / ITS Linux Implementation
1.1.1 Classify the IT System as high, moderate, or low risk based on data classification, availability requirements, and external obligations

The ITS Linux team works with the system owner to determine the risk classification, based on the importance and sensitivity of the data.

1.1.2 Determine your system type

The ITS Linux team is responsible for servers, which include web servers, file servers, database servers, and email servers.

1.1.3 Determine if your system is Internet Accessible

The ITS Linux team works with the system owner to determine whether the server is Internet accessible.

1.1.4 Define roles and responsibilities for meeting and maintaining the Minimum Security Standards and any external security requirements throughout the lifespan of the system

The ITS Linux team works with the system owner to define the roles and responsibilities.

1.1.5 Ensure roles and responsibilities for meeting and maintaining all security requirements throughout the life cycle of the system are accepted by all parties

The ITS Linux team works with the system owner to ensure that roles and responsibilities are accepted by all parties.

1.1.6 Provide appropriate level of staffing to manage your systems in accordance with their security requirements

The ITS Linux manager ensures that there is an appropriate level of staffing.
1.1.7 Budget for maintaining the ongoing support and maintenance of the system to meet its security requirements throughout the lifespan of the system

The ITS Linux team works with the system owner to provide the overall cost of maintaining the server.

It is the responsibility of the system owner to budget for these costs.

1.1.8 Ensure a valid policy exception request is filed when a Minimum Security Standard cannot be met

It is the responsibility of the system owner to ensure a valid policy exception request is filed.

YALE-MSS-1.2: Apply any additional security requirements required by external obligations 


The ITS Linux team supports managed servers that are required to comply with external requirements. External obligations (such as FERPA, HIPAA, and the like) inform decisions at build time, such as network placement, access limitations, and system architecture, and at run time, such as response SLAs and patching cadences.

It is the system owner's responsibility to understand their external obligations and make the ITS Linux team aware of the constraints the system must run under.


MSS Details / ITS Linux Implementation

1.2.1 Ensure you can meet any obligations in the event of a security incident or data breach

The system owner is responsible for identifying external obligations; the ITS Linux team will implement appropriate controls based on those obligations.

YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place


The ITS Linux team is not responsible for entering into contract negotiations with vendors, nor for maintaining those contracts. It is the responsibility of the system owner to ensure appropriate contracts are in place for their system and application software.


MSS Details / ITS Linux Implementation

1.3.1 Ensure the Data Addendum process is followed when storing data in a vendor's cloud

The system owner is responsible for ensuring cloud vendors sign appropriate contracts. The ITS Cloud team is responsible for broad data agreements with Amazon, Azure, and other cloud vendors with whom we contract.

1.3.2 A Business Associate Agreement (BAA) is in place

The system owner is responsible for all BAAs with vendors.

YALE-MSS-1.4: Designate and protect Critical IT Infrastructure 


Most or all Critical IT Infrastructure is managed by the ITS Linux team or its peer teams (the Network team, the Windows team, the Data Center Operations team, etc.). For the components managed by the Linux team, we attest that those systems adhere to the MSS.


MSS Details / ITS Linux Implementation
1.4.1 Maintain a tailored security plan that matches the security best practices for that specific system/technology

The ITS Linux team applies best security practices on all managed servers. This includes but is not limited to:

  • limiting access
  • only running necessary services
  • properly configuring running services
  • regular patching
1.4.2 Ensure the tailored security plan is periodically reviewed and advanced, at least on an every other year basis

The ITS Linux team participates in a yearly security audit by PricewaterhouseCoopers. We also amend our security plan as we learn of new best practices and as threats emerge.
1.4.3 Physically secure the Critical IT System in accordance with the Minimum Physical Security Standards for Critical IT Spaces

All systems managed by the ITS Linux team are located in one of the following:

  • a physically secured Yale data center
  • a locked rack in a colocated facility (CyrusOne; Equinix)
  • a cloud vendor's secure site (AWS; Azure)

YALE-MSS-1.5: Plan for data recovery requirements 


The ITS Linux team ensures data recovery for all managed servers. By default, systems are recoverable as full system images; file-level backups can be implemented if required by the system owner, potentially at additional cost. The system owner should understand the default backup schedule, since it determines how much data could be lost.


MSS Details / ITS Linux Implementation
1.5.1 Determine the maximum amount of data that can be lost during a disruption before incurring significant impact to operations

The system owner is responsible for understanding the maximum acceptable data loss on the platform, often described as the Recovery Point Objective (RPO).

  • The RPO for the VMware environment is guaranteed by the ITS Storage Team. VM image snapshots are taken nightly and volumes are replicated off-site, so up to one day of changes made since the last snapshot can be lost.
  • The RPO for cloud platforms (AWS; Azure) is guaranteed by the ITS Cloud Team.

YALE-MSS-1.6: Plan for meeting and maintaining the security requirements for the IT System 


The ITS Linux team understands its responsibility for the security of all managed servers. We work closely with system owners to ensure appropriate, timely response and attention for every managed server. Even so, the system owner cannot cede all security responsibilities to the Linux team; as noted below, a number of security requirements are the sole responsibility of the system owner.


YALE-MSS-1.7: Complete a Security Planning Assessment (SPA) 

The system owner is responsible for completing the SPA. The ITS Linux team will answer questions pertaining to the SPA, and this document lists what the ITS Linux team guarantees as part of our managed server offering.

...


YALE-MSS-11: Security Training


YALE-MSS-11.1: Require security training for all users of Yale Data and Yale IT Systems 

MSS Guidelines / ITS Linux Implementation
11.1.1: Ensure all staff are informed, understand their roles and responsibilities, and complete assigned security training requirements

The Linux Managed Servers team is informed, trained, and understands its roles and responsibilities through constant peer and managerial review.

The Linux Managed servers team completes all required training in Yale's Training Management System.

YALE-MSS-11.2: Ensure all third parties complete required training 


MSS Guidelines / ITS Linux Implementation
YALE-MSS-11.2.1: Require vendor(s) to ensure that anyone who performs work under their agreement receives annual instruction and/or training to comply with the provisions of their contract(s) with Yale

The Linux Managed Servers team defers to the Procurement team to ensure that third parties are compliant.

Ensuring third-party compliance is not the responsibility of the Linux Managed Servers team; however, we will liaise with the Procurement team and the third party to ensure the requirements are met.



...



YALE-MSS-12: Intrusion Detection

YALE-MSS-12.1: Capture inbound and outbound network flow data 

Inbound/Outbound traffic flow is captured by appliances managed by the security team.

YALE-MSS-12.2: Utilize a network firewall to allow the least amount of access possible

All managed systems are behind a firewall.

MSS Guidelines / ITS Linux Implementation

12.2.1: Control inbound and outbound traffic

Inbound traffic is controlled in layers: first by the firewalls managed by the Network team, then by the VPN, and finally by user accounts and the local firewall on each server.

VMs are also assigned to a subnet VLAN according to the access required by their applications and users.

There are no rules on the Linux servers themselves that restrict outbound access. Outbound traffic is logged on the Network-team-controlled firewall and inspected for threats.

12.2.2: Log and filter traffic to identify and protect against potential threats

Traffic is logged at the firewalls managed by the Network team. Direct access to a system is logged locally in /var/log/messages and /var/log/secure. CrowdStrike is installed on the servers to further identify threats.

12.2.3: Document your required firewall rules

All firewall rules are requested via ServiceNow, and those requests serve as the documentation. Additionally, the Network team is responsible for backing up firewall rules.

YALE-MSS-12.3: Implement an Intrusion Detection and Prevention System 

The ISO team manages the Intrusion Prevention System.


...



YALE-MSS-13: Logging

YALE-MSS-13.1: Ensure logging contains information required for incident response

Security incidents will be reported to the Information Security Team via a ServiceNow incident with all available information.

MSS Guidelines / ITS Linux Implementation

13.1.1: Use multiple time servers

The Linux Managed Servers team uses clock1.net.yale.edu, clock2.net.yale.edu, and clock3.net.yale.edu as time sources.
13.1.2: Ensure client IP addresses are not obscured by load balancers and reverse proxies

Client IP addresses are not obscured by load balancers and reverse proxies.

Direct access to Linux systems is recorded with the source address.

By default, all VIPs in the load balancer have X-Forwarded-For (XFF) enabled so that the original client IP address, rather than the load balancer's address, can be identified in application logs.

A project is ongoing to remediate all outstanding VIPs that do not have XFF enabled.
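Behind a VIP, the address a web server sees as its TCP peer is the load balancer's, which is why XFF is needed for source attribution. The header is client-influenced, though: a client can send its own X-Forwarded-For value and the load balancer appends the true source after it, so the only trustworthy entry is the rightmost one that does not belong to a known proxy. The added Python example below illustrates that rule; it is not code from this page or from the ITS Linux team, and the proxy range 10.0.0.0/24 and the sample requests are constructed assumptions.

```python
import ipaddress
from typing import List, Optional

# Assumed for illustration: the address range the load balancer VIPs connect from.
# Real values come from the Network team; nothing else may be trusted to append to XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address that should be logged as the client.

    The TCP peer is the only value that cannot be forged. If it is a trusted
    proxy, walk X-Forwarded-For from the right (the end the load balancer
    appended to) and stop at the first address that is not a trusted proxy.
    Everything left of that point was supplied by an untrusted party.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr          # direct connection: ignore any XFF the client sent
    if not xff_header:
        return peer_addr          # VIP without XFF enabled: all we can log is the LB
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr      # malformed entry where the client should be
        return hop
    return peer_addr              # header held only proxy addresses


# Constructed sample requests: (TCP peer address, X-Forwarded-For header value).
SAMPLES = [
    ("10.0.0.5", "203.0.113.7"),                 # normal request through the VIP
    ("10.0.0.5", "198.51.100.9, 203.0.113.7"),   # client prepended a fake hop
    ("10.0.0.5", None),                          # VIP with XFF not yet enabled
    ("192.0.2.44", "10.0.0.5"),                  # direct connection with forged XFF
    ("10.0.0.5", "not-an-ip, 203.0.113.7"),      # junk left of the real client
]


def resolve_samples() -> List[str]:
    return [client_ip(peer, xff) for peer, xff in SAMPLES]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:<12} xff={str(xff):<28} log as client={ip}")
```

The third sample is the case the remediation project above closes: with XFF disabled on a VIP, the only address available to log is the load balancer's, and the request cannot be attributed to a client during incident response.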

13.1.3: Ensure adequate space to log data. Logs should be kept for a minimum of 90 days.

Logging space is monitored and additional space is added when necessary, before space is exhausted.

Logs are currently kept for only 30 days in Graylog, which does not meet the 90-day minimum stated in this guideline.

YALE-MSS-13.2: Log all authentication events 

User logins to systems are tracked in the audit.log file.

MSS Guidelines / ITS Linux Implementation

13.2.1: Collect logs that include all authentication and privileged escalation events

User logins to systems are tracked in /var/log/secure.
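What 12.2.2 and 13.2.1 rely on is that /var/log/secure records sshd authentication results and sudo/su privilege escalation, each with the acting user and, for SSH, the source address. The added Python example below is not code from this page or the ITS Linux team; it parses a constructed sample of such lines, separates authentication successes, failures and privilege escalations, and flags source addresses that exceed a failed-login threshold, which is the kind of review 13.4.2 calls for. The message formats and the threshold of three failures are assumptions based on common sshd and sudo output.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Message shapes assumed here follow common sshd, sudo and su output as written to
# /var/log/secure; a site should confirm them against its own log samples.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SSH_OK = re.compile(r"^sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SSH_FAIL = re.compile(r"^sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO = re.compile(r"^sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU = re.compile(r"^su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user "
                r"(?P<target>[\w.-]+)(?:\(uid=\d+\))? by (?P<user>[\w.-]+)\(uid=\d+\)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one /var/log/secure line; None for lines that are not auth or escalation events."""
    m = LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ev = {"ts": m.group("ts"), "host": m.group("host")}
    s = SSH_OK.match(rest)
    if s:
        return {**ev, "kind": "auth_success", "user": s["user"], "src": s["src"], "detail": s["method"]}
    s = SSH_FAIL.match(rest)
    if s:
        return {**ev, "kind": "auth_failure", "user": s["user"], "src": s["src"], "detail": s["method"]}
    s = SUDO.match(rest)
    if s:
        return {**ev, "kind": "priv_escalation", "user": s["user"], "src": "local",
                "detail": f"sudo as {s['target']}: {s['cmd']}"}
    s = SU.match(rest)
    if s:
        return {**ev, "kind": "priv_escalation", "user": s["user"], "src": "local",
                "detail": f"su to {s['target']}"}
    return None


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def failed_auth_sources(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed authentications (threshold is an assumption)."""
    counts = Counter(e["src"] for e in events if e["kind"] == "auth_failure")
    return {src: n for src, n in counts.items() if n >= threshold}


def privilege_escalations(events: List[Dict[str, str]]) -> List[str]:
    return [f"{e['ts']} {e['host']} {e['user']}: {e['detail']}" for e in events if e["kind"] == "priv_escalation"]


# Constructed sample, not taken from any real server.
SAMPLE_LOG = """\
Mar 12 08:01:17 web01 sshd[2411]: Accepted publickey for deploy from 192.0.2.10 port 50214 ssh2: RSA SHA256:k1r9n4
Mar 12 08:02:03 web01 sshd[2419]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar 12 08:02:05 web01 sshd[2421]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Mar 12 08:02:08 web01 sshd[2423]: Failed password for root from 198.51.100.23 port 41044 ssh2
Mar 12 08:02:30 web01 sshd[2425]: Failed password for alice from 192.0.2.77 port 39002 ssh2
Mar 12 08:03:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar 12 08:03:40 web01 sudo: pam_unix(sudo:session): session opened for user root by deploy(uid=1000)
Mar 12 08:05:02 web01 su[2502]: pam_unix(su-l:session): session opened for user root by alice(uid=1001)
Mar 12 08:06:00 web01 systemd[1]: Started Session 12 of user deploy.
"""

if __name__ == "__main__":
    events = parse(SAMPLE_LOG.splitlines())
    print(f"{len(events)} auth/escalation events")
    for src, n in failed_auth_sources(events).items():
        print(f"ALERT {n} failed authentications from {src}")
    for line in privilege_escalations(events):
        print("ESCALATION", line)
```

The same parser applies to lines pulled back from Graylog, which matters because the local file is on the compromised host itself; a review of privilege escalation after an incident should be run against the forwarded copy.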

YALE-MSS-13.3: Ensure logs are forwarded to a log server in addition to the in-scope system 

All logs are forwarded to Graylog. Users are granted access to the logs they need through permissions managed in Grouper.

YALE-MSS-13.4: Collect and review all source system activity logs 

User logins to systems are tracked in the audit.log file.

MSS Guidelines / ITS Linux Implementation

13.4.1: Identify, track, and periodically audit source systems for compliance with all applicable laws, regulations, and University policies, standards, and procedures

The Linux Managed Servers team does not currently have a process to audit all Linux servers.

Specific servers (e.g. Banner) are audited by a third party annually.

13.4.2: Collect log data needed for Information System Activity Review

Data is collected in /var/log/secure and in a central logging system. It includes all necessary information for a Security Activity Review and is available on demand.



...



YALE-MSS-14: Security Incident Reporting


YALE-MSS-14.1: Report any suspected security incidents to the Information Security Team in a timely manner

Security incidents will be reported to the Information Security Team via a ServiceNow incident with all available information.

Depending on the severity of the security incident, the team may reach out directly to the security team via phone, Teams, etc.


MSS Guidelines / ITS Linux Implementation

14.1.1: Require vendors (third-party service providers) to notify Yale of a security incident within 72 hours of the discovery of a confirmed incident

It is not the responsibility of the Linux Managed Servers team to ensure that vendors notify Yale of a security incident within 72 hours.


YALE-MSS-14.2: Identify the system's primary security contact

The primary security contact for a virtual machine is identified from the tagging information on the respective node in VMware, and that contact is notified accordingly.

Information for physical systems is identified in the CMDB.