Server Setup and Configuration Policy

Version: 1.00Issue Date: 1/13/2015

This Server Setup and Configuration Policy is required to help ensure that servers are appropriately sized and configured to operate securely and support the business requirements.

1.0 Overview

This Server Setup and Configuration Policy will help ensure that servers can handle the current and projected demands of users and the business function.

2.0 Purpose

This Server Setup and Configuration Policy is intended to ensure servers are purchased that have the capacity to handle the demands placed on them and that their configuration properly supports the business processes in a secure manner.

3.0 Scope

This Server Setup and Configuration Policy applies to all servers operated by the organization or that are used to support any business functions for the organization. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Server Setup

The following items define:

  • Prior to server purchase, requirements for capacity of permanent storage, memory, and processing shall be determined. The initial and future capacity needs shall be determined and estimated based on available modeling tools. Future projections shall be based on baselines of current systems and shall consider:
    • Current needs and possible future need based on past trends of similar applications and associated growth rates.
    • Potential additional applications that may be placed on the server in the future.
    • Expected and potential rate of growth of the user community that will be using services provided by the server in question.
    • Past baselines and growth rates of other similar applications.
    • Past server performance relative to demand.
  • All server purchases should consider available and current cost of hardware and software and consider all technologies that may apply to the business need.
  • Server setup shall be in accordance with the Server Security Policy and include anti-virus, configuration for updates, and hardening.
  • When the server is setup and first put into operation, a baseline test shall be run to determine performance considerations of amount of memory used, hard drive space used, and amount of processing power used. Once the server is placed in service and all applications are operating, a baseline shall be taken at full load. The baseline test results shall be kept and additional tests shall be conducted every two months. These tests should help determine the growth rate of demand on the server and allow an accurate prediction of when the server may need an upgrade. The baseline test should be able to help predict server performance changes if a hardware component changes.
  • Information Technology (IT) management will help evaluate modeling tools that predict workload on the servers and inplement tools as required.
  • IT management wil ensure that technical staff have the skills required to setup and use modeling tools through both hiring practices and training.

5.0 Server Configuration

Server configuration shall support the business function by both optimizing the server to perform securely and efficiently under the business demands.

  • Thresholds of capacity, performance, reliability, and availability shall be established that when the threshold is crossed will require action to be taken. The thresholds will be established so there is enough time to take action to prevent loss of service to the business function.
  • Servers should be checked often enough to determine when capacity, performance, reliability, or availability thresholds are being crossed and management should be informed in a timely manner.

6.0 Enforcement

Since determining and forcasting server capacity and server configuration is important to the support of the business function in the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

7.0 Other Requirements

  • Determine the management that should be involved when it is determined that capacity, performance, reliability, or availability thresholds are being exceeded and action is required. This may be linked to the business owners.


Approved by:__________________________ Signature:_____________________ Date:_______________