Server Documentation Policy

1.0 Overview
This policy is an internal IT policy that defines the requirements for server documentation. It defines the level of server documentation required, such as configuration information and services that are running. It defines who will have access to read server documentation and who will have access to change it. It also defines who will be notified when changes are made to the servers.

2.0 Purpose
This policy is designed to provide for network stability by ensuring that network documentation is complete and current. This policy should complement disaster management and recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to any servers.

3.0 Documentation
For every server on a secure network, there is a list of items that must be documented and reviewed on a regular basis to keep a private network secure. This list of information about every server should be created as servers are added to the network and updated regularly.

  1. Server name.
  2. Server location.
  3. The function or purpose of the server.
  4. Hardware components of the system including the make and model of each part of the system.
  5. List of software running on the server including operating system, programs, and services running on the server.
  6. Information about how the server is configured, including:
    1. Event logging settings.
    2. A comprehensive list of services that are running.
    3. Configuration of any security lockdown tool or setting.
    4. Account settings.
    5. Configuration and settings of software running on the server.
  7. Types of data stored on the server.
  8. The owners of the data stored on the server.
  9. The sensitivity of data stored on the server.
  10. Data on the server that should be backed up along with its location.
  11. Users or groups with access to data stored on the server.
  12. Administrators on the server with a list of rights of each administrator.
  13. The authentication process and protocols used for authentication for users of data on the server.
  14. The authentication process and protocols used for authentication for administrators on the server.
  15. Data encryption requirements.
  16. Authentication encryption requirements.
  17. List of users accessing data from remote locations and type of media they access data through such as internet or private network.
  18. List of administrators administering the server from remote locations and type of media they access the server through such as internet or private network.
  19. Intrusion detection and prevention method used on the server.
  20. Latest patch to operating system and each service running.
  21. Groups or individuals with physical access to the area the server is in and the type of access, such as key or card access.
  22. Emergency recovery disk and date of last update.
  23. Disaster recovery plan and location of backup data.

Mail Server Documentation

  1. Account size limit where the person receives warnings about mailbox size.
  2. Account size limit where the person cannot send mail anymore.
  3. Account size limit where the person cannot receive mail anymore.

4.0 Access
The IT server administration staff and their management shall have full read and change access to server documentation for the server or servers they are tasked with administering. The IT networking staff, enterprise security staff, application development staff, and help desk staff shall have the ability to read all server documentation.

5.0 Change Notification
The help desk staff, network administration staff, application developer staff, and IT management shall be notified when changes are made to servers. Notification shall be through email to designated groups of people.

6.0 Documentation Review
The network or IT manager shall ensure that server documentation is kept current by performing a monthly review of documentation or designating a staff member to perform a review. The remedy or help desk requests within the last month should be reviewed to help determine whether any server changes were made. Also, any current or completed projects affecting server settings should be reviewed to determine whether any server changes were made to support the project.

7.0 Storage Locations
Server documentation shall be kept either in written form or electronic form in a minimum of two places. It should be kept in two facilities at least two miles apart so that if one facility is destroyed, information from the other facility may be used to help construct the IT infrastructure. Information in both facilities should be updated monthly at the time of the documentation review.