About this policy
Policy contact:
Date of last update:
January 11, 2022
Policy statement
The Cyber Risk Mitigation Responsibilities Policy (IT-28) requires the use of central UITS facilities (e.g., the Intelligent Infrastructure, web hosting facilities like Webserve, UITS Research Technologies systems) "to the greatest extent practicable". To remain in compliance with this policy, the School of Informatics, Computing, and Engineering is committed to fully utilizing these facilities. Central Luddy servers that are serving a broad user base, are hosting any sensitive institutional data, are critical to the operations of the unit, or are hosting public-facing services will be hosted on central UITS servers, if possible.
In many cases, these UITS facilities are available at no cost to the users, so there are few impediments to adoption. In the case of virtual machines (VMs) hosted in the Intelligent Infrastructure (II), the cost is a significant factor. Funding for VMs providing school-wide services will come from the general Luddy IT budget. In many cases, the cost for research project VMs in II will be paid from the researcher's funding (e.g., grants and startup funds). However, the school recognizes the need to augment grant funds for research projects that may not have direct grant funding. To that end, the school has developed a Virtual Machine Policy that provides funding from the Luddy IT budget to cover the cost of II VMs for all Luddy faculty. For needs outside that funding, the Cyber Risk Mitigation Responsibilities Policy (IT-28) Policy Statement, Section 2b, allows for secondary means at the group level or unit level.
Exceptions to policy
Due to the unique computing requirements within the School of Informatics, Computing, and Engineering, there are a number of use cases where the Intelligent Infrastructure (II) or other central UITS services are not well suited. Examples of such cases include:
- Projects with specific hardware requirements (e.g., specific CPU instruction set support)
- Resource needs exceeding the capacity of II (large memory, high CPU core counts, large storage needs)
- Grants specifically requiring the purchase of physical hardware
In such cases, services may be hosted on physical servers, or Luddy-managed virtual machine services can be established, per the Cyber Risk Mitigation Responsibilities Policy (IT-28) Policy Statement, Section 2b, with the approval of the Luddy IT Director.
Procedures
- In cases where physical servers are required, these servers will be located either at the UITS Data Center or in the secure Luddy server room facility. The Luddy facility has restricted access, UPS power backup, and temperature monitoring. However, all servers hosting any sensitive institutional data will be housed either in II or the UITS Data Center and not in the secure Luddy facility or any insecure Luddy location.
- Physical servers will be purchased with a 5-year manufacturer warranty with a response time of either 4 hours for critical path systems or Next Business Day (NBD) for less critical research systems. At the end of the original 5-year warranty, the option to extend the warranty will be offered to the system owner. Systems that go out of warranty will be serviced either by Luddy staff or third-party vendors, with parts and service costs to be paid by the system owner.
- The setup and configuration of new VMs or physical servers will be tracked via the Server Setup Procedure and Checklists.
- Requests for access to the secure Luddy server rooms will be handled via a Service Now ticket and require approval of both the Luddy IT Director and the Chief Information Privacy and Security Officer.