Q. Why am I required to register and scan my servers?
A. As a result of the recent data breaches, the University of Hawaii is implementing a new, systemwide Information Security Program to better protect the university's sensitive information. Many servers are not regularly monitored, managed, patched or otherwise protected. This places the information stored on them at a high risk of being compromised. In addition, the users of servers may put information online without realizing that they are improperly making sensitive information available, in violation of UH policies. Registration of servers is common practice in universities today, including with highly distributed IT environments such as UH.
Q. What will happen if I don't register and/or scan my servers?
A. If you do not register a server after being requested to do so, your server may be blocked from being accessed over the University of Hawaii network and your Chancellor/VP (or designee) notified of the existence and risk of the unregistered and unscanned server. ITS will proactively seek out active servers throughout the UH network and provide warning before blocking unregistered active servers that are found.
Q. What is the deadline to comply with this new requirement?
A. All existing servers are required to be initially registered by July 30, 2011. All servers are required to be initially scanned and remediated for vulnerabilities and sensitive information by September 30, 2011. If sensitive information (as defined in UH Executive Policy E2.214) is stored on a server, the information on the server must be immediately protected in compliance with E2.214.
Any new servers that are brought up after July 30, 2011 are required to be registered immediately upon server implementation and deployment. If the server contains Social Security Numbers, Driver's License Numbers and/or credit card or bank account information, the repository of sensitive information must be reported in the UH Annual Personal Information Survey as required by Hawaii Revised Statutes 487N-7.
Q. Are all servers required to be scanned?
A. Yes. The most common file server types are: web servers, FTP servers, email servers and file servers.
Q. What types of scans do I need to do?
A. You need to scan for personally identifiable information. The University of Hawaii has licensed Identity Finder to scan Windows and Mac operating systems: http://www.hawaii.edu/askus/1297. You can use Find_SSN to scan linux/unix systems: http://www.hawaii.edu/askus/1323
You also need to scan the servers for vulnerabilities. To scan your computer for vulnerabilities, please use the OpenVAS web interface: http://openvas.hawaii.edu/cgi-bin/myopenvas
Q. Who can I contact if I have questions or need more information?
A. Please contact the UH Information Security Team by email: firstname.lastname@example.org or Jodi Ito by phone: (808) 956-2400.