University of Baltimore
July 20, 2006
This document establishes the network security policy for the University of Baltimore.
The network security policy is intended to protect the integrity of the campus network and to mitigate the risks and losses associated with security threats to the campus network and network resources. The goals of this policy are to:
- Safeguard the integrity and availability of the campus voice and data network.
- Reduce threats to integrity and availability of computer systems connected to the network.
- Reduce the likelihood that computers on campus are used to attack other organizations.
This policy will be posted on the University’s web site. All revisions will be posted as they are approved.
The Chief Information Officer (CIO) will be responsible for actions pursuant to this policy.
I. General Policy
The following general policies apply to all computers connected to the campus network:
- Access to any network-connected computer must be through a logon process that identifies and authenticates the user, except where read-only access is given to certain systems (the library catalog, for example), or where unprivileged access is normal and appropriate safeguards are in place (such as Web browsers in kiosk mode, or access to a contained web site).
- No shared accounts will be created except where absolutely necessary, and then only on the condition that a list of the account’s users is kept and that those users are jointly responsible for any action taken using the account.
- Computers configured with the intent of accepting connections from other computers are considered to be servers, and must be physically secured in a location that meets the University’s standards and guidelines for servers.
- Only an authorized system administrator may alter a computer’s network settings and parameters, or its user access control lists.
- Personal equipment may not be connected to the University network without written authorization from the office of the Chief Information Officer.
- All software must be properly licensed. Licensing information must be readily available for audit. Licensing audits will be performed yearly and on an as-needed basis.
- Adequate backup procedures must be in place.
- Adequate virus protection software must be installed and frequently updated.
- Critical updates and patches must be routinely applied to computer operating systems and applications.
II. Office and Lab Computers
In addition to the General Policy, the following policy applies specifically to computers that are connected to the University Network and physically located in an office or computer lab environment, or designated for use as an office computer or workstation:
- Users of an office or lab computer are responsible for all activity that originates from that computer while they are logged into it.
- Users are responsible for all data they store on an office or lab computer. This includes the confidentiality of the data if it is sensitive, and the appropriate archival (backup) of the data if it has value.
- Users are responsible for completing the logout process when finished using an office or lab computer. The logout process is often required to ensure that some data is properly saved back to a central computer server.
- Users should never leave an office or lab computer unattended unless they have either logged out or locked the screen and keyboard using a password-protected locking mechanism.
- Office and lab computers may not be configured to accept connections from other computers, including, but not limited to, providing Internet services such as web and ftp servers, or providing remote control of the computer.
- Modems attached to an office or lab computer should either be disabled or configured to allow only outbound connections. In no case should a computer modem be configured to answer an incoming phone call.
- Office and lab computers must be connected directly to an OTS-managed and designated network jack via a suitable network cable. Each computer device must have its own dedicated network jack, which may not be used to switch among two or more computer devices; computer devices must be connected in a one-device-to-one-jack ratio.
- Network hubs and switches may not be connected to office and lab network jacks. When such a device is detected on a network jack, the jack will be deactivated remotely without warning.
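The one-device-to-one-jack rule gives OTS a simple detection signal: an access port that has learned more than one MAC address has something other than a single computer behind it. The following script is an added example and is not part of the University of Baltimore policy or any OTS tool. It parses a MAC address table in a Cisco-style `show mac address-table` layout (the sample lines, port names, addresses and the uplink port set are all constructed assumptions for illustration) and lists the access ports whose jacks are candidates for deactivation.

```python
"""Flag office/lab jacks with more than one MAC address learned behind them.

Added example, not part of the University of Baltimore policy or any OTS tool.
The MAC-table text, port names, addresses and uplink list below are constructed
assumptions that imitate a Cisco-style 'show mac address-table' output.
"""
import re
from collections import defaultdict

# Constructed sample: three stations learned on Gi1/0/5 indicate a hub or
# switch behind a single office jack. Gi1/0/24 is the known uplink.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/5
  10    0011.2233.4488    DYNAMIC     Gi1/0/5
  10    0011.2233.4499    DYNAMIC     Gi1/0/5
  20    0011.2233.aaaa    DYNAMIC     Gi1/0/24
  20    0011.2233.bbbb    DYNAMIC     Gi1/0/24
"""

# Assumption: trunk/uplink ports legitimately carry many MACs and are exempt.
UPLINK_PORTS = {"Gi1/0/24"}

MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set(mac)} from MAC-table text, skipping header lines."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            macs_by_port[m.group("port")].add(m.group("mac").lower())
    return dict(macs_by_port)


def find_suspect_ports(text, uplinks=UPLINK_PORTS, max_macs=1):
    """Return a sorted list of (port, mac_count) for non-uplink ports that have
    learned more than max_macs addresses. Under a one-device-one-jack rule
    that is the signature of a hub, switch or other multi-host device."""
    macs_by_port = parse_mac_table(text)
    return sorted(
        (port, len(macs))
        for port, macs in macs_by_port.items()
        if port not in uplinks and len(macs) > max_macs
    )


if __name__ == "__main__":
    for port, count in find_suspect_ports(SAMPLE_MAC_TABLE):
        print(f"{port}: {count} MAC addresses learned; possible hub/switch, "
              f"candidate for jack deactivation")
```

A hit is a reason to investigate, not proof by itself: a desk VoIP phone with a PC on its pass-through port, or a workstation running bridged virtual machines, also presents more than one address on a single jack, so known cases of that kind should be exempted the same way the uplink ports are, or `max_macs` raised for them. On switches that support it, the enforcement counterpart of this detection is a per-port MAC limit (port security) that shuts the port when a second address appears, which matches the policy's "deactivated remotely without warning".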
III. Computer Servers
A computer configured, in whole or in part, to accept connections from and exchange information with other computers is defined by this policy as a server. In addition to the General Policy, the following policies also apply to computer servers:
- Servers must be physically secure. Physical access must be restricted to authorized system administrators only. Anyone else who requires physical access to, or in the vicinity of, a network server must be escorted by an authorized system administrator.
- Servers must be located in an area that provides appropriate environmental controls, including air handling & conditioning, uninterruptible power protection (UPS) & conditioning, and fire suppression.
- Servers must be appropriately managed and monitored on a daily basis by an authorized system administrator.
- Reasonable attempts must be made to secure servers against published security vulnerabilities. This includes the timely application of patches, service packs, and hot fixes to vulnerable operating systems and applications, so long as the corrective action itself will not adversely affect the proper operation of the server.
IV. Campus Network Backbone and Associated Infrastructure
The Campus Network Backbone consists of the central network infrastructure, which connects and provides voice and data transport to all network-connected computers and devices. The Campus Network Backbone also interconnects the University’s independent network facilities, and provides Internet access and intra-campus connectivity. The term “network devices” used below includes network hubs, switches, routers, PBXs, and all cabling and termination hardware.
- Appropriate access control will be configured and in place on all network devices with remote login capability.
- Network devices will be located, wherever possible, within a suitable network or telecommunication closet, or in a designated server room.
- Physical access to network and telecommunications closets must be restricted to authorized network and telecommunications personnel.
- Network devices should be located in an area that provides appropriate environmental controls, including air handling & conditioning, uninterruptible power protection (UPS) & conditioning, and fire suppression.
V. University Independent Networks
Independent Networks are those networks connected to the campus network backbone that OTS does not manage on a daily basis (http://pvtlan). Such networks are generally special-purpose computing facilities for which OTS allocates network resources and supplies a connection to the campus network backbone, while allowing a university organization or entity to manage the network resources within that environment independently of OTS’s daily operations. In addition to the General Policy, the following policies also apply to Independent Networks.
- University organizations or entities hosting an independent network must designate a suitably qualified individual as the “Network Administrator” with responsibility for all network-connected devices within that network, and for compliance with the policies below as well as all other applicable State and University IT policies and standards.
- OTS will utilize firewalls and router Access Control Lists (ACLs) to limit the types of traffic that may enter and leave the Campus Network Backbone.
- Dialup, wireless, and VPN technologies typically bypass university firewalls and access control lists. Such systems must be approved and registered with OTS before being attached to an independent network.
- All network-connected devices must be monitored in order to detect breaches in security, in accordance with established University standards and guidelines. In the event of any breach, the University Information Security Officer will be immediately alerted.
- If OTS detects or is informed of a security threat or breach coming from within an Independent Network, and is unable to immediately reach the designated Network Administrator or a backup individual, if one has been supplied, OTS will disconnect that network from the University’s Network Backbone.
- Each University organization or entity hosting an independent network should have the University of Baltimore’s Network Security Policy prominently displayed, or referenced (via hyperlink for example), in addition to any local network policies, as necessary. Local network security policies may not supersede the University of Baltimore’s Network Security Policy.
VI. University Airwaves
The airwaves local to the University campus are considered a transmission medium and therefore a voice/data network resource. Since the airwaves are a shared resource, OTS is responsible for the management and allocation of bandwidth on this medium. In addition to the General Policy, the following policies also apply to the use of the University airwaves for voice & data transport. For the policy below, wireless access points are defined as devices that serve as connection points between wireless and wired technology; this includes all forms of wireless networking hardware and software and wireless telephones, whether Radio Frequency (RF) or Infra-Red (IR) devices.
- All wireless access points must be registered and pre-approved by OTS before being placed into service.
- All wireless access points must be secured from unauthorized use. Appropriate forms of authentication and authorization will vary depending on the wireless medium.
VII. Disaster Recovery
To mitigate the impact of a local or total loss of network connectivity, and facilitate the quick recovery of network services in the event of a disaster, the University requires the following of all computing facilities:
- All data considered “critical” to the operation of the University as a whole or to the services provided by a department, must be routinely backed up by the party responsible for that data, with archives being stored off-site at regular intervals.
- Backed-up data must be tested periodically to ensure that the media and restoration procedures are in working order, and that the data is in fact retrievable.
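A restore test is only meaningful if there is something independent to compare the restored files against. The following script is an added example, not part of the University of Baltimore policy or any OTS procedure: it records a SHA-256 manifest of a data tree at backup time, then checks a restored copy against that manifest, reporting files that did not come back and files that came back altered. The sample files, directory names and the "truncated file, missing file" failure case are all constructed in a temporary directory for illustration.

```python
"""Verify a restored copy of backed-up data against a manifest taken at backup time.

Added example, not part of the University of Baltimore policy or any OTS
procedure. The sample files and directory names are constructed assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its digest.
    Produce this at backup time and keep it with the off-site archive."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest. Files absent from the restore
    are reported as 'missing'; files present with a different digest as
    'corrupted'. An empty result on both lists is a passing restore test."""
    restored_root = Path(restored_root)
    result = {"missing": [], "corrupted": []}
    for rel, digest in manifest.items():
        path = restored_root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["corrupted"].append(rel)
    return result


def demo():
    """Run one clean and one failed restore test on constructed sample data.
    Returns (clean_result, failed_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "notes.txt").write_text("server room key log\n")

        manifest = build_manifest(src)      # taken at backup time
        shutil.copytree(src, restored)      # stands in for the restore job
        clean = verify_restore(manifest, restored)

        # A bad restore: one file truncated, one file never came back.
        (restored / "notes.txt").write_text("server")
        (restored / "finance" / "ledger.csv").unlink()
        failed = verify_restore(manifest, restored)
    return clean, failed


if __name__ == "__main__":
    clean, failed = demo()
    print("clean restore:", clean)
    print("failed restore:", failed)
```

In practice the manifest is written when the tape is made and stored with it, and the periodic test restores to a scratch location rather than over live data; a manifest kept only on the server being backed up is lost with it in exactly the disaster the test is meant to cover.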
In addition, OTS specifically provides the following:
- All servers managed by OTS are routinely backed up to tape, and the tapes stored in a building other than that where the servers are located. User data that is stored on any of the University Network drives (H:, M:, or R:) is backed-up automatically during this process.
- All network devices necessary to the continued operation of campus network services are maintained on a hardware support plan. This provides recovery from any hardware failure within 4 to 24 hours.
- All network devices critical to the continued operation of campus network services are configured in fault-tolerant designs or provided with on-site spares wherever possible.