As directed by the Executive Committee, all University servers are to be located in one of UT Health San Antonio’s data centers. Centralized servers have the benefit of a managed environment, including:
- Power management
  - Power filtering
  - Backup power generators
  - Uninterruptible power supplies (UPSs)
- Physical security
  - Card-restricted access
  - Video monitoring
- Environmental stability
  - Heating and cooling
  - Humidity monitoring
- Data backup
Some server owners like to manage their servers directly; others do so remotely. Some servers are physical and some are virtual, and some departments have both. Server maintenance agreements give server owners control over how much direct access they may have, backup schedules, maintenance schedules, and the amount of support provided by Information Management and Services.
If a situation arises where central management is not possible, an exemption request must be submitted and must be approved by the Chief Information Security Officer (CISO). Exemptions are granted based on a justifiable, verifiable business case, including appropriate documentation. Exemptions are granted for a maximum of one year, must be reviewed for changing circumstances, and must be renewed. Additionally, exemptions are considered on an individual basis, with one request per port; bulk exemption requests will not be considered.
The overall exemption process is as follows:
- Requester gathers and provides documentation justifying the exemption (see list below)
- Requester submits request for exemption using the online exemption request form
- The Chief Information Security Officer (CISO) makes the decision
- The CISO communicates the decision
  - Denial – notify the requester with an explanation for denial
  - Approval – notify requester, assign expiration date
Supporting documentation for the exemption request includes, but isn’t limited to:
- Individual identifier for the device
- Owning department, along with responsible personnel (dean/director/chair, requester, etc.)
- How the server is currently being used
- Descriptions of the server’s current operating environment (backup, power, security, etc.)
- The reason(s) the server cannot be maintained in an approved data center
- A business case based on the above reasons
- Any compensating controls put in place to mitigate risks associated with being outside an approved data center
- Any supplemental documentation supporting the request
  - Manufacturer’s documentation
  - Regulatory requirements
  - Peer-supplied/reviewed examples of similar situations
Note: If you are not able to access the online form, download the form to your computer by right-clicking on this link: Exemption Request Form
- Internet Explorer – “Save Target As …”
- Firefox – “Save Link As …”
- Chrome – “Save link as …”
1. Download the form to your computer (requires Microsoft Excel 2007 or later)
2. Read tab “1-Instructions Page”
3. Fill out tab “2-General Form”
4. Fill out tab “Centralized Server”
5. Begin collecting the necessary signatures
For more information regarding the exemption process, please contact Information Security at grc@uthscsa.edu or the Information Security Hotline at 210-567-0707.