About SUSI

Stanford University System Inventory (SUSI)

About SUSI

SUSI (Stanford University System Inventory) is being developed to report on information security compliance for your servers (and eventually applications). Currently the Dashboard is your home page for SUSI. From there, you can access information about the servers at Stanford known to be associated with your SUNet ID. SUSI automatically verifies many of the University's minimum security standards and highlights potential non-compliance issues. SUSI summarizes risk priority for the System Administator to resolve outstanding issues in a timely manner. In the future, we hope to add information about applications as well, making SUSI the one source for a complete system inventory compliance status.

To add a server to the database, visit the Server Inventory Form (link in sidebar to the right). You must provide the name of the system, the server's owner, any system administrators, the IP address, what type of data is on the system (High Risk, Moderate Risk, or Low Risk data), its current physical location, and other important details.

If you have not provided a Server Inventory Form for a server, SUSI may import a server from NetDB that is associated with your SUNet ID. That server will then show up as having an inventory issue because it is missing a Server Inventory Form.

If you have any problems using SUSI, please submit a ticket to the IRT Help Desk.

FAQs

How are servers entered into SUSI?

1) They are extracted from NetDB, for specific networks that are defined as Server Networks.
2) They are manually added to the SUSI inventory using the Server Inventory Form. 
3) They are identified and imported from BigFix for Servers.

Current Server Networks:

srcf-med*
med-dcs*
frcf-med*
med-forsythe*
Med-SoM-Server-Net
Med-srvr*
foa-bmir*

....................................

How do I know that SUSI has all of my servers?

The "My Servers" tab will list all the servers in SUSI for which you are listed as the administrator or business owner.

....................................

Why can't I see a list of servers?

You may not be able to see a list of servers because there are no servers in the system that are currently associated with your SUnet ID. Add a server in SUSI to begin your official server inventory. Or, if you know there are already server entries in SUSI but you just can’t see them, it could be a permissions issue. Only those listed as Business Owners, System Administrators, or Application Owners currently have access to see their servers in SUSI. System Administrator information is pulled from NetDB for servers with NetDB records.

....................................

How do I view my Department's servers?

Currently, SUSI is workgroup/permission-based and we have not automated department access. To gain access to a list of your department’s servers, submit a ticket to the IRT Help Desk.

....................................

How can I tell if my server is compliant?

You can tell if your server is compliant by looking at the Test Results tab for an individual server to see which checks have been passed.  Any potential issues will be flagged here.  You can get a better overview from the "My Servers"  tab which summarizes which of your servers may have Critical, Major, or Minor issues.

....................................

Why are some issues marked "minor" and some "major?"

If server security issues go unsolved, after a certain period of time the seriousness of the risk will escalate. For example, in the case of a need for physical protection, at first it qualifies as a Minor problem, but after six months it becomes classified as Major.

....................................

What if the information in SUSI seems to be wrong?

The network and system admininstrator comes from NetDB; to make those changes, update NetDB and SUSI will refresh its data within an hour. The other data about your server can be edited within SUSI by going to the Server Inventory (My Servers) and pressing the Edit button next to the server's name.

....................................

How does SUSI gather the information about minimum security standards?

With BigFix for Servers installed, SUSI can verify many of the Minimum Security Standards. If your server is not using BigFix for Servers, go to https://uit.stanford.edu/service/bigfixforservers. Additional sources for data in SUSI include Workgroups, NetDB, SISA, Qualys and Networking reports.

....................................

How do I make my server compliant with MinSec (minimum security standards)?

UIT ISO has cookbooks to help with meeting MinSec standards:  https://uit.stanford.edu/guide/securitystandards/cookbooks

....................................

What if a device is in SUSI, but it's not a server?

1) If the device is on a Server Network, you can mark it as "Not a Server."  (Feature coming soon)
2) You can delete the device from SUSI.  (Feature coming soon)

The Stanford University System Inventory (SUSI) can assist you to track your compliance with Stanford security policies. SUSI provides you with information on servers and other systems you are associated with as an owner or administrator.

To appropriately assess information security risk in the School of Medicine, it is critical to capture accurate information about all devices that store Stanford data. Therefore, please complete an inventory form for each individual server.

Future releases will provide increased functionality to help you manage your server compliance.

Functions Coming Soon:

SUSI is still under development. Functionality in the pipeline:

  • The ability to mark a device that is pulled into SUSI from a Server Network  as not a server
  • The ability to delete a device from SUSI if it's in NetDB and not on a Server Network.
  • CSV download of server data.