Server and Application ManagementTechnology Services

Purpose

This Server and Application Management Policy is established to ensure the security, reliability, and optimal performance of the servers and systems managed by Gustavus Adolphus College. Proper server, application, and patch management are critical components of maintaining a secure and efficient computing environment.

Scope

This policy applies to all members of Technology Services who are authorized to perform work related to server and application management, which covers all servers and applications under the purview of Technology Services, including those hosted off campus (remote, cloud-based, off-premise, co-located, etc.).

Server Deployment and Management

Server Procurement

Technology Services will follow an approved and consistent procurement process to acquire servers and related hardware. Servers must meet minimum hardware and compatibility requirements as determined by authorized personnel.

Server Installation

All servers will be installed, configured, and maintained by qualified and authorized personnel to ensure consistency, security, and reliability.

Server Documentation

Comprehensive documentation, including hardware and software configurations, will be maintained by Technology Services for all servers and related infrastructure. This documentation will be accessible to authorized personnel.

Access Control 

Access to servers will be strictly controlled through approved role-based access control mechanisms. Only authorized individuals will have access to server consoles and configuration settings.

Monitoring and Logging 

Servers will be monitored routinely to identify and address performance issues and security threats. Logs will be maintained and reviewed regularly on a schedule that conforms with staff availability. At a minimum, a weekly review will be conducted.

Patch Management

Patch Identification

Technology Services will actively monitor for software and firmware updates, patches, and security updates applicable to server operating systems and related software.

Patch Testing

Before deployment, patches will be confirmed, and when possible, tested to ensure compatibility and stability. Critical security patches may be expedited at the discretion of authorized personnel.

Patch Deployment

Regular patch deployment schedules will be established and followed. Non-disruptive patches will be deployed during regular maintenance windows.

Emergency Patching

Critical security vulnerabilities may necessitate immediate patch deployment. In such cases, authorized Technology Services personnel may follow an expedited patching procedure that is commensurate with the perceived urgency. 

Application Management

Application Procurement

All applications and software used by the College will be obtained through official procurement processes managed by Technology Services. Licensing compliance will be maintained by authorized personnel.

Application Deployment

Applications will be deployed and configured by qualified and authorized personnel to ensure stability, compatibility, and security.

Application Documentation

Technology Services will maintain comprehensive documentation, including installation procedures, configuration details, and licensing information for all applications deemed critical for business continuity.

Application Updates

All applications will be kept up to date with the latest patches and updates to address security vulnerabilities and improve functionality. 

Backup and Recovery

Server Backups

Regular backups of server data and configurations will be performed to ensure data integrity and facilitate disaster recovery. More information can be found in the Data Management Policy.

Recovery Testing

Periodic recovery testing will be conducted to verify the effectiveness of backup and restoration processes.

Security and Compliance

Security Measures

Servers will be configured and maintained with robust security measures, including the appropriate firewalls, intrusion detection systems, and access controls deemed necessary by authorized personnel.

Compliance

Technology Services will adhere to relevant laws, regulations, and industry standards related to server management and patching, including data protection and privacy laws. More information can be found in the Information Security Program.

Server Decommissioning

End-of-Life Servers

Servers reaching end-of-life or end-of-support will be retired, and all data will be securely removed or migrated to newer hardware.

Policy Implementation Assistance

Contact the Chief Technology Officer with questions or comments related to this policy.

Policy Authority

The XLT has responsibility for this policy and will obtain necessary approvals for changes.