Introduction

All information resources (servers, workstations, laptops, etc.) are required to be assessed annually, per Texas Administrative Code 202 (TAC 202) and TAMU Rule 29.01.03.M0.01 Procedure 3.

This survey must be completed by individuals who manage one or more servers (physical, virtual, or both). Depending on their configurations, all of your servers may be included in one survey.

Section 1 is used to gather information about what is being assessed. The survey starts in Section 2 and consists of 25 questions.

Email address:

Use your university email address.

Section 1: General Information

This section is used to gather information about the server(s).

a. Server(s) owner first and last name:

b. Name(s) for the server(s):

All servers on the Texas A&M network have a name.

c. Server(s) identification number(s) used by the unit:

TAMU asset number used for/listed in FAMIS/Canopy, department level identification numbers, etc.
Most departments add a service tag label to information resources before distributing them to employees; the label helps track the resource for general inventory management. This tag is usually easily visible on the information resource.

d. Server(s) description:

Briefly tell us about the server and what it is used for. For example: "This physical server is used for research." or "This includes the research cluster used to support my teaching and research."

e. Type of server(s):

  • Physical server – you are responsible for maintaining the hardware and OS software
  • Virtual server – you are responsible for maintaining the virtual server software
  • Both – you maintain the hardware and OS software for your physical server(s) AND the virtual server software for your virtual server(s)

Answer Choices: Physical; Virtual; Both

f. If the server(s) is virtual, who manages the physical host/hypervisor?

  • If you do not manage the physical host/hypervisor, please provide the resource’s point of contact information (name, email address, university department or hosting vendor name).
  • If you do not have virtual servers, please enter N/A as your answer.

g. Operating System (OS) family:

Select all applicable operating system families for the server(s).

Answer Choices: Windows; Mac OS X/macOS; Linux/Unix/Solaris/FreeBSD; Other:

h. Quantity:

Provide the number of servers included in this survey. Enter that number (e.g. 1, 2, 3)

i. Number of people with authorized access to the server(s):

Enter a number (e.g. 1, 2, 3)

j. How is the server(s) funded?

Select all that apply.

Answer Choices: Grant; University; Research; Personal funds; Other:

k. Where is the server(s) located?

Select all that apply. For virtual servers, answer for the location of the physical host/hypervisor.

Answer Choices: Office; Lab; Shared workspace behind a lockable door; Unit IT server closet, server room, or data center; University managed data center (West Campus Data Center, Teague, Wehner); Other:

Section 2: Physical Access

This section is the start of the survey and deals with where the server(s) is maintained.

1. Is physical access to the room where the server(s) is kept controlled to prevent unauthorized access?

Answer Choices: Yes; No

Why is this important?

Unauthorized personnel should not have physical access to servers. Controlling who has physical access to a server helps minimize potential risks.

University control(s): Physical and Environmental Protection Policy and Procedures (PE-1)

2. Are measures in place to determine who has accessed the room where the server(s) is kept?

This may include AVST, card swipe, logs, biometrics, etc.

Answer Choices: Yes; No

Why is this important?

Knowing when someone has accessed a room is important for audit and investigative purposes, especially when something has gone wrong due to intentional or unintentional changes.

University control(s): Physical and Environmental Protection Policy and Procedures (PE-1)

Section 3: Resource Maintenance

This section focuses on how the server(s) is maintained.

3. Is a system use notification message or banner displayed before granting access to the server(s)?

Answer Choices: Yes; No

Why is this important?

The banner ensures users acknowledge and are reminded of the computer usage rules defined by the university.

University control(s): System Use Notification (AC-8)

4. Is anti-virus / anti-malware software installed and run (scans performed periodically) on the server(s)?

Answer Choices: Yes; No

Why is this important?

Malicious code such as viruses, malware, or trojans can:

  • Steal or destroy data such as personally identifiable information, university data, or research
  • Impact computer performance
  • Cause the computer to perform illegal activities

Anti-virus software can deny unwanted entry to the information resource and block attempts to install the malicious code listed above. Regular scanning is also important to ensure that anything which slips through gets detected and then removed. Most anti-virus software allows you to schedule scans.

University control(s): Malicious Code Protection (SI-3)

5. Are patches and/or updates installed within 90 days of vendor release for hardware and software?

Answer Choices: Yes; No; Unknown

Why is this important?

Malware compromises systems by exploiting vulnerabilities in unpatched software and hardware. By not applying patches and/or updates to your operating system, other applications, and hardware (including firmware), you leave the server open to malware attacks. Patching should become a habit, and the window between a patch being released and attackers exploiting the unpatched vulnerability keeps getting shorter.

University control(s): Configuration Management Policy and Procedures (CM-1), Malicious Code Protection (SI-3)

6. Are patches reviewed and/or tested prior to installation on the server(s)?

  • "Reviewed" means you read reviews from industry communities and/or review the patch notes/change log before applying.
  • "Tested" means patches are tested in a development environment prior to being installed in production, or your information resource(s) are tested immediately following the installation of patches.

Answer Choices: Patches are installed after both testing and reviewing take place; Patches are installed after being reviewed only; Patches are installed after testing only; Patches are installed, but no testing or review takes place; Patches are not installed; Unknown

Why is this important?

Patches are important to help fix security vulnerabilities, correct bugs from previous versions, and improve the usability or performance of the server. However, new patches could disrupt the functionality of your server. It is best practice to set up a test environment that mimics your production setup to test new patches.

University Control(s): Configuration Management Policy and Procedures (CM-1)

7. Is only authorized and appropriately licensed or open source (e.g. GNU) software installed on the server(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

Unauthorized software can contain embedded malicious code that will infect the information resource. Installing software without the proper license, or not following the licensing agreement, is a violation of federal copyright law.

University Control(s): User Installed Software (CM-11)

8. Do administrator account holders stay up-to-date on best practices for the server(s) type(s) and operating system(s) used?

Answer Choices: Yes; No; Unknown

Why is this important?

Staying up-to-date with server management best practices helps ensure server configurations are properly set, reducing unnecessary network traffic and limiting vulnerabilities that can compromise the servers and impact performance.

University Control(s): Configuration Management Policy and Procedures (CM-1)

Section 4: Data Classification

This section focuses on data classification and Social Security Number (SSN) scanning on the server(s).

9. Is confidential data (e.g. SSNs, Family Educational Rights and Privacy Act (FERPA), Protected Health Information (PHI), Personally Identifiable Information (PII), etc.) stored on the server(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

You should know what data is saved on the servers that you manage. Many units have policies against saving confidential data on certain information resources.

University Control(s): Security Categorization (RA-2)

10. Is data related to federally funded research stored on the server(s)?

Federal requirements for this type of data may include: Federal Information Security Management Act (FISMA), Federal Acquisition Regulation Supplement (FARS), Controlled Unclassified Information (CUI), Defense Federal Acquisition Regulation Supplement (DFARS), etc.

Answer Choices: Yes; No; Unknown

Why is this important?

There are additional federal requirements that must be followed for information resources used when dealing with data that falls under federal requirements.

Federal Requirements: NIST 800-171 for CUI

11. Is the server(s) scanned for SSNs by using a software tool (e.g. Identity Finder) and/or is whole disk encryption used to protect data stored on the server(s)?

Answer Choices: Scan; Whole Disk Encryption; Both – Scan and Whole Disk Encryption; None of the above

Why is this important?

It is important to know if SSNs are stored on servers because there are specific protection (e.g. encryption, access control) and reporting requirements when storing SSNs. If a server that contains SSNs is stolen, this is considered a data breach. Scanning helps determine whether files on a server contain SSNs or not. Whole disk encryption protects the data on a stolen or discarded disk, but it does not protect data on a running server from someone who has logged in, so access control and scanning are still needed.

University Control(s): Security Categorization (RA-2)
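The following is an added example, not part of the original survey and not the Identity Finder product mentioned above: a small scanner that finds candidate Social Security Numbers in text the way such tools do, discarding values the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) and masking all but the last four digits in its report so the report is not itself a leak. The sample roster lines are constructed for the example; the function and variable names are the example's own.

```python
"""Added example: find plausible U.S. Social Security Numbers in text.

Not part of the original survey. The issuance rules applied here are the
published SSA rules; the sample text below is constructed, not real data.
"""
import re

# Three digits, optional separator, two digits, the same separator, four digits.
# The lookarounds stop the pattern from matching inside longer digit runs.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Reject values SSA never issues; everything else is a candidate."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text):
    """Return a list of (line_number, masked_ssn) for plausible SSNs in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _SSN_RE.finditer(line):
            area, group, serial = m.group(1), m.group(3), m.group(4)
            if is_plausible_ssn(area, group, serial):
                # Mask all but the last four digits in the report itself.
                hits.append((lineno, f"***-**-{serial}"))
    return hits


def scan_file(path):
    """Scan one text file; binary junk is ignored rather than raising."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return find_ssns(f.read())


# Constructed sample: two real-looking SSNs, one phone number (area 979 is
# never issued), one impossible area 000, and a digit run that is not an SSN.
SAMPLE = """\
Roster export (constructed sample data, not real people)
J. Doe, 123-45-6789, grad student
Phone: 979-845-1234
Order 000-12-3456 rejected
Serial 98765 4321
Backup ID 219-09-9999
"""

if __name__ == "__main__":
    for lineno, masked in find_ssns(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Run against a directory by calling scan_file on each file; a hit list that is empty after a full scan is the evidence the question asks for, and a non-empty one tells you which files to move, encrypt, or delete.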

Section 5: User Access

This section focuses on user account access, passwords, authentication systems, etc.

12. Does access to the server(s) require a unique user ID and password for anyone trying to log in to the server(s)?

Answer Choices: Yes; No

Why is this important?

Unique user IDs and passwords help prevent unauthorized users from accessing information resources. Most unauthorized users try to gain access to information resources for illegal purposes, which may include theft or modification of confidential data.

University employees should never share their user account. If the account is assigned to you or created by you, you are accountable if you share it and it is used for inappropriate reasons. Any activity generated by the user account such as accessing files, changing passwords or deleting information, can be traced back to you.

University Control(s): Account Management (AC-2)

13. For standard user accounts, are the password requirements: at least eight characters in length and containing three of the following four groups of characters - lowercase letters, uppercase letters, symbols or numbers?

If your password is at least 16 characters long, you are not required to meet the complexity requirements above.

Answer Choices: Yes; No; N/A - 16 characters or more; Passwords are not used

Why is this important?

The length and complexity of a password make it harder for someone to crack. Having other security controls in place, such as account lock-out after a number of unsuccessful login attempts, makes it even harder for someone to guess a password online. Lock-out does nothing if the password hashes themselves are stolen and cracked offline; in that case only the length and unpredictability of the password protect the account.

University SAP: 29.01.03.M1.14 Information Resources – Password-based Authentication

14. For administrator accounts, are the password requirements: at least 16 characters in length and containing at least one lowercase letter, one uppercase letter, and one non-alphabetic symbol?

Answer Choices: Yes; No; Passwords are not used

Why is this important?

Administrator accounts require a longer password due to the nature of the account. An administrator account is a user account that allows you to: change security settings, install software and hardware, and access all files on the server.
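As an added example covering questions 13 and 14 (not part of the original survey, and not the university's own tooling), the following Python checks a candidate password against the rules stated above: standard accounts need at least 8 characters and three of the four character classes, or at least 16 characters with no complexity requirement; administrator accounts need at least 16 characters with a lowercase letter, an uppercase letter, and a non-alphabetic symbol. The reading of "non-alphabetic symbol" as any character that is not a letter is this example's assumption.

```python
"""Added example: check a candidate password against the rules stated in
questions 13 and 14. Not part of the original survey.

Assumption: the "non-alphabetic symbol" required for administrator
passwords is read as any character that is not a letter (digit or punctuation).
"""


def char_classes(pw):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation, space, anything else
    return classes


def standard_findings(pw):
    """Problems with a standard-account password; an empty list means it passes."""
    if len(pw) >= 16:
        return []  # 16 or more characters: no complexity requirement
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if len(char_classes(pw)) < 3:
        findings.append("fewer than 3 of 4 character classes (and shorter than 16)")
    return findings


def admin_findings(pw):
    """Problems with an administrator-account password; an empty list means it passes."""
    findings = []
    classes = char_classes(pw)
    if len(pw) < 16:
        findings.append("shorter than 16 characters")
    if "lower" not in classes:
        findings.append("no lowercase letter")
    if "upper" not in classes:
        findings.append("no uppercase letter")
    if not ({"digit", "symbol"} & classes):  # assumption: any non-letter counts
        findings.append("no non-alphabetic symbol")
    return findings


def meets_standard_policy(pw):
    return not standard_findings(pw)


def meets_admin_policy(pw):
    return not admin_findings(pw)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor!", "correct horse battery staple",
                      "Correct-Horse-Battery-Staple"]:
        print(f"{candidate!r}: standard={meets_standard_policy(candidate)}, "
              f"admin={meets_admin_policy(candidate)}, "
              f"admin findings={admin_findings(candidate)}")
```

Note that a passphrase such as "correct horse battery staple" passes the standard rule on length alone but fails the administrator rule for lack of an uppercase letter; a checker like this is only useful if it is wired into the place where passwords are set (PAM on Linux, the password filter or Group Policy on Windows), so that the rule is enforced rather than just described.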

15. How often are passwords required to be changed on the server(s) that you manage?

Answer Choices: Less than 1 year; 1 year; Between 1 and 4 years; 4 years; More than 4 years; Passwords are not required to be changed; Passwords are not used

Why is this important?

Changing passwords periodically helps limit how long someone who has managed to steal your password can use it to gain access to your account. Rotation on a schedule has limits: a stolen password is usually used long before the next change is due, so the more important part of this practice is the immediate change. If you have any reason to think your account has been compromised or someone has your password, change it immediately.

University SAP(s): 29.01.03.M1.14 Information Resources – Password-based Authentication

16. Are accounts (e.g. standard user, administrator) locked out of the server(s) after a defined number of unsuccessful login attempts in a defined time limit?

Answer Choices: Yes; No; Unknown

Why is this important?

Many attackers obtain someone's user ID and then try to gain access to a resource by repeatedly guessing that user's password. This is known as a brute-force attack. Locking an account after a set number of unsuccessful attempts within a set time slows down, and may prevent, an attacker from gaining access to a resource.

University SAP: 29.01.03.M1.14 Information Resources – Password-based Authentication

17. Is multi-factor authentication used for accessing the server(s)?

Does the server(s) require you to validate via Duo Two-Factor Authentication or a similar product?

Answer Choices: Yes; No

Why is this important?

Multi-factor authentication helps prevent unauthorized users from gaining access to information resources using stolen or compromised login credentials (i.e. user ID, password).

All units are required to use multi-factor authentication when accessing information resources that have access to confidential data. Some units in the university require multi-factor authentication (e.g. Duo) for certain roles, regardless of the type of data the person has access to.

University Control(s): Identification and Authentication (Organizational Users) (IA-2)

TAMUS Policy and Regulation: http://policies.tamus.edu/29-01-03.pdf

18. Have all default account passwords been changed (e.g. blank administrator passwords, user ID/passwords that the supplier provided for the server(s), or that came with the server(s) like admin/admin, root/root, or sudo/sudo)?

Answer Choices: Yes; No

Why is this important?

One of the first things an attacker checks is whether the default accounts and passwords are still enabled on an information resource. Default credentials for common products are published, and automated scanners try them first.

University Control(s): Configuration Management Policy and Procedures (CM-1)

19. Are user accounts (e.g. standard and administrator) disabled once a person no longer needs access?

Answer Choices: Yes; No; Unknown

Why is this important?

People who do not need access to an information resource should not have authorization to access it.

University Control(s): Account Management (AC-2), Configuration Management Policy and Procedures (CM-1)

20. Are administrator accounts shared (one account for multiple users)?

Answer Choices: Yes; No; Unknown

Why is this important?

Shared administrator accounts are sometimes required. When used, specific policies must document their use and when passwords need to be changed. Shared accounts also remove individual accountability, since log entries cannot be tied to a person; where possible, give each administrator a personal account with elevated rights instead.

University Control(s): Separation of Duties (AC-5)

21. Does the server(s) require vendor access (physical or remote) for ongoing support?

Answer Choices: Yes; No

Why is this important?

Some hardware and software requires continual vendor support. This support may be done on-site or remotely. It is important to keep track of what a vendor is doing and ensure they only have access to what is required to perform their job. It is best practice to not allow vendors unrestricted access to hardware or software.

Section 6: Logs and Backups

This section focuses on logs and backups for the server(s).

22. Are security-related system logs retained for the server(s)?

A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network.

Logs may include: Web services logs, local firewall logs, application logs, operating system logs, etc.

Answer Choices: Yes; No; Unknown

Why is this important?

When there is a problem, logs are used for investigative purposes and help administrators figure out what happened. Sometimes a problem is not fully identified until months after the fact, so it is important to keep logs for an extended period of time.

Logs are usually required for audit purposes. The type of logs and period of retention depends on university, state, and federal regulations related to what the server is used for and/or the data stored on the server.

University Control(s): Audit Events (AU-2), Information System Monitoring (SI-4)

23. If “Yes” to the previous question, are logs reviewed periodically for suspicious activity?

Answer Choices: Yes; No; N/A - Answered "No" or "Unknown" to previous question

Why is this important?

Reviewing logs, manually or with the use of a tool, is a proactive measure administrators can take to help detect possible security threats or issues that impact the performance or security of their servers.

University Control(s): Audit Events (AU-2), Information System Monitoring (SI-4)
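The following is an added example for questions 16 and 23 together; it is not part of the original survey and not a university tool. It parses OpenSSH-style "Failed password" and "Accepted password" log lines, applies the lock-out rule from question 16 (N failures for one account within W seconds) to flag brute-force bursts, and, as a log review would, flags a successful login that follows such a burst as a likely compromise. The log lines, host names, IP addresses and user names are constructed for the example.

```python
"""Added example: review authentication log lines for brute-force activity.

Not part of the original survey. The sample log mimics the OpenSSH sshd
message format; the hosts, users and addresses in it are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, success, user, ip) or None for lines that are not logins."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumption: 2024).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def find_bruteforce(lines, threshold=5, window=300):
    """Return alerts as (user, ip, kind, timestamp).

    kind is 'lockout' when one (user, ip) pair reaches `threshold` failures
    inside a sliding `window` of seconds, i.e. the point where a lock-out
    policy would fire, and 'success_after_burst' when a login succeeds for a
    pair that is in such a burst, which is the event worth investigating.
    """
    recent = defaultdict(list)  # (user, ip) -> timestamps of failures in the window
    burst = set()               # pairs currently over the threshold
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ok, user, ip = parsed
        key = (user, ip)
        if ok:
            if key in burst:
                alerts.append((user, ip, "success_after_burst", ts))
            recent[key].clear()
            burst.discard(key)
            continue
        cutoff = ts.timestamp() - window
        recent[key] = [t for t in recent[key] + [ts] if t.timestamp() >= cutoff]
        if len(recent[key]) >= threshold and key not in burst:
            burst.add(key)
            alerts.append((user, ip, "lockout", ts))
    return alerts


# Constructed sample: two guesses at a non-existent 'admin' account, five
# guesses at 'jdoe' followed by a success, and one innocent typo by 'asmith'.
SAMPLE_LOG = """\
Mar 12 02:14:01 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 02:14:03 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 12 02:14:05 srv1 sshd[1203]: Failed password for jdoe from 203.0.113.7 port 51240 ssh2
Mar 12 02:14:06 srv1 sshd[1204]: Failed password for jdoe from 203.0.113.7 port 51241 ssh2
Mar 12 02:14:08 srv1 sshd[1205]: Failed password for jdoe from 203.0.113.7 port 51242 ssh2
Mar 12 02:14:09 srv1 sshd[1206]: Failed password for jdoe from 203.0.113.7 port 51243 ssh2
Mar 12 02:14:11 srv1 sshd[1207]: Failed password for jdoe from 203.0.113.7 port 51244 ssh2
Mar 12 02:14:30 srv1 sshd[1208]: Accepted password for jdoe from 203.0.113.7 port 51250 ssh2
Mar 12 09:00:02 srv1 sshd[1400]: Failed password for asmith from 198.51.100.20 port 40000 ssh2
Mar 12 09:00:15 srv1 sshd[1401]: Accepted password for asmith from 198.51.100.20 port 40001 ssh2
"""

if __name__ == "__main__":
    for user, ip, kind, ts in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind}: {user} from {ip}")
```

On a real server the input would be /var/log/auth.log or journalctl output (Windows event IDs 4625 and 4624 carry the same failed/successful logon information), and tools such as fail2ban implement the lock-out half of this automatically; the point of the review in question 23 is the second alert kind, a success that follows a burst, which no lock-out setting will tell you about on its own.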

24. Are backups performed on the server(s)?

Answer Choices: Yes; No; Unknown

Why is this important?

Backing up important data is vital since data loss can happen unexpectedly for various reasons (e.g. malware, ransomware, hardware failure, etc.). Backups help minimize the amount of data lost; the interval between backups determines how much data may be lost. It is recommended that multiple backups are kept and that at least one copy is stored offsite. Keep at least one copy offline or otherwise unreachable from the server, since ransomware that can reach a network-mounted backup will encrypt it too.

25. If “Yes” to the previous question, has the restoration of a backup been performed in the last 24 months?

Answer Choices: Yes; No; N/A - Answered "No" or "Unknown" to previous question

Why is this important?

Testing your backups is just as important as performing them, and it is critical to be sure the process for restoring a backup works. Remember, data on the backups can become corrupted and/or the device storing the backup can fail or malfunction.

University Control(s): Contingency Plan Testing (CP-4)
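As an added example for question 25 (not part of the original survey, not a university tool), the following Python shows one way to make a restore test objective rather than a matter of "the files came back": record a manifest of SHA-256 hashes of the source data when the backup is taken, then compare the restored copy against that manifest so that a silently corrupted or missing file is reported. The demo builds a small directory tree in a temporary location; the function names and the tree's contents are the example's own.

```python
"""Added example: verify a restored backup against a manifest of file hashes.

Not part of the original survey. The sample tree is constructed in a
temporary directory and removed afterwards.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree to the manifest taken at backup time."""
    found = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in found),
        "changed": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "extra": sorted(p for p in found if p not in manifest),
    }


def demo():
    """Constructed restore test: back up, restore, corrupt the restore, re-verify."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "a.txt"), "w") as f:
            f.write("alpha\n")
        with open(os.path.join(src, "sub", "b.txt"), "w") as f:
            f.write("bravo\n")
        manifest = build_manifest(src)          # taken when the backup is made

        backup = os.path.join(work, "backup")   # stand-in for the backup medium
        shutil.copytree(src, backup)
        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)       # the restore under test
        clean = verify_restore(restored, manifest)

        # Simulate what a failing disk or bit rot does to a restore: one file
        # altered by a single byte, one file gone.
        with open(os.path.join(restored, "sub", "b.txt"), "w") as f:
            f.write("bravx\n")
        os.remove(os.path.join(restored, "a.txt"))
        corrupted = verify_restore(restored, manifest)
        return clean, corrupted
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    clean, corrupted = demo()
    print("clean restore:", clean)
    print("corrupted restore:", corrupted)
```

The manifest should be stored with the backup but also somewhere the backup cannot alter it; a restore that reports no missing or changed files, on a date you can point to, is the answer to this question.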