XIX. Network Security Policy

I. Purpose

To establish policies, procedures and guidelines for securing
Metro State College’s computing network (both wired and wireless).

II. Scope

These policies affect all users who use Metro’s networking (wired or
wireless) resources.

III. Introduction

Metro’s computer network (both wired and wireless) exists to support the
college’s educational mission and related administrative functions. The network
provides access to information and other resources that are important to all of
the college’s educational and administrative units. Some of these resources are
available to the public, while others are available only to members of the Metro
State community. Access to information resources containing confidential
information about members of the college community is restricted to authorized
personnel only. The college has both legal and ethical obligations to safeguard
these resources.

The Division of Information Technology (IT) is responsible for developing,
implementing, and monitoring the administrative, technical and physical controls
necessary to protect the integrity and availability of the college's networking
resources, and to protect the confidentiality of the data transmitted over the
network or stored on network connected devices. The Network Security Policy is
an essential element of a larger administrative framework that guides and
governs the development and implementation of these security controls.

IV. Policy Statements

  1. The college network is divided into multiple security zones.
    1. Networked devices, including workstations and servers, that can be accessed
      directly from the Internet are placed into a separate security zone specifically
      for Internet-facing services. The college's ERP database and other services
      requiring higher security standards are placed into a high security zone. All
      other workstations, servers, services, and other network devices are placed into
      intermediate security zones.
    2. Connectivity between security zones is carefully controlled and monitored
      [see #7 below].
    3. Connectivity from a lower security zone to a higher (or equally rated)
      security zone is "That which is not explicitly permitted is implicitly denied."
      (default deny).
    4. Generally, connectivity from a higher security zone to a lower security zone
      is "That which is not explicitly denied is implicitly permitted." (default
      permit).
    5. IT is responsible for managing the connectivity between security zones.
  2. IT is responsible for building and maintaining Metro State's computing
    network (both wired and wireless). Information Technology will work with
    departments, faculty, students and staff to develop secure, reliable and cost
    effective solutions for their networking needs.
  3. People using the college’s network, or any of the college’s other computing
    resources, must comply with the Responsible Use of Information Technology
    Resources policy and all other related policies. See: http://www.mscd.edu/infotech/policy.shtml
  4. Devices connecting to the college's network must comply with IT networking
    standards and architecture. Persons desiring to connect devices, other than
    generic computers and printers, to the network must consult with the IT Network
    Operations Center before connecting the device. (Call: 1-877-35AskIT
    (1-877-352-7548).)
  5. The Metro State network provides Dynamic Host Configuration Protocol (DHCP)
    services to dynamically assign IP addresses; devices connecting to the network
    should use the DHCP protocol to obtain a dynamically assigned IP address.
    Persons with special equipment or software, which supports the college’s
    educational mission, that requires a static IP address may request one from the
    IT Network Operations Center. (Call: 1-877-35AskIT (1-877-352-7548).)
  6. IT uses both proactive and reactive techniques to defend the network from
    potential security threats and active security exploits.
    1. Proactive techniques include: Devices connected to the network are
      subject to automatic device discovery, and may be periodically tested (over the
      network) for problems which may pose a security threat to the network or the
      individuals using the device. These tests will not cause harm to either the
      device or the user. If a potential security problem is discovered, it will be
      reported to the personnel (when known) who are responsible for the maintenance
      of the device.
    2. Reactive techniques include: IT will isolate or disconnect, without
      prior notice, any device that is threatening the availability or integrity of
      the network, or threatening the confidentiality of the data transmitted across
      the network, or is being used to violate the Responsible Use of Information
      Technology Resources policy or other related policies. When known, IT will make
      every effort to notify the personnel responsible for the operation and
      maintenance of the device as soon as possible of the disconnect.
  7. IT will maintain a variety of network monitoring equipment to monitor the
    health and performance of the network. Other monitoring equipment will include
    network intrusion detection and prevention systems placed in strategic locations
    throughout the network. IT does not routinely monitor the web sites a user
    visits or record other network traffic; however, when diagnosing network
    problems or investigating network anomalies, IT may use diagnostic equipment
    that does record and analyze all data passing across the network. Data gathered
    in this manner is rarely retained. IT personnel are obligated to protect the
    confidentiality of the data they have access to. However, extenuating
    circumstances, such as the discovery of criminal activity, may require IT
    personnel to disclose their findings to the college’s legal counsel and law
    enforcement personnel.
  8. Access to the college’s primary networking equipment is restricted to
    authorized personnel.
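
As an added illustration (not part of the policy and not Metro State IT's own tooling), the following Python evaluator applies the inter-zone defaults of statement 1 to candidate flows: default deny from a lower or equally rated zone into a higher one, default permit from a higher zone into a lower one, with explicit exceptions on top. The zone names, ranks, ports and exception lists are assumptions constructed for the example; an unknown zone is treated as a deny so the check fails closed.

```python
# Added example: evaluate flows against the policy's security-zone defaults.
# Zone names/ranks and the exception tables are constructed assumptions, not
# the college's actual configuration.

# Higher rank = higher security zone (assumed three-tier model from statement 1).
ZONE_RANK = {"internet-facing": 0, "intermediate": 1, "high-security": 2}

# Constructed sample exceptions an administrator might record:
# (source zone, destination zone, destination TCP port)
EXPLICIT_ALLOW = {("intermediate", "high-security", 5432)}   # app tier -> ERP database
EXPLICIT_DENY = {("high-security", "internet-facing", 25)}   # no direct mail-out from high zone


def decide(src_zone, dst_zone, dst_port, allow=EXPLICIT_ALLOW, deny=EXPLICIT_DENY):
    """Return (verdict, reason) for a flow src_zone -> dst_zone:dst_port.

    verdict is 'permit' or 'deny'. Lower/equal -> higher is default deny
    (only explicit allows pass); higher -> lower is default permit (only
    explicit denies block). Unknown zones fail closed.
    """
    src, dst = ZONE_RANK.get(src_zone), ZONE_RANK.get(dst_zone)
    if src is None or dst is None:
        return "deny", "unknown zone (fail closed)"
    key = (src_zone, dst_zone, dst_port)
    if dst >= src:
        if key in allow:
            return "permit", "explicitly permitted (lower/equal -> higher)"
        return "deny", "default deny (lower/equal -> higher)"
    if key in deny:
        return "deny", "explicitly denied (higher -> lower)"
    return "permit", "default permit (higher -> lower)"


def audit(flows):
    """Evaluate a list of (src_zone, dst_zone, dst_port) and return the denied ones."""
    return [f for f in flows if decide(*f)[0] == "deny"]


if __name__ == "__main__":
    # Constructed sample flows for demonstration.
    sample = [
        ("internet-facing", "high-security", 5432),   # denied: no explicit allow
        ("intermediate", "high-security", 5432),      # permitted: explicit allow
        ("high-security", "intermediate", 443),       # permitted: default permit
        ("high-security", "internet-facing", 25),     # denied: explicit deny
        ("intermediate", "intermediate", 22),         # denied: equal zones default deny
    ]
    for flow in sample:
        print(flow, "->", decide(*flow))
```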

V. Reporting Violations

Any suspected violations of these policies, or unauthorized access to
computing resources, or any other condition which could compromise the security
of the college’s computing resources must be reported to the Division of
Information Technology Security and Disaster Recovery Coordinator, http://www.mscd.edu/infotech/security/,
1-877-35AskIT (1-877-352-7548).

VI. Remedies for Non-Compliance

Failure to comply with these policies may result in one or more of the
following actions: a) suspension of access to the network for the individual, or
educational or administrative unit violating the policy, b) when appropriate,
disciplinary action ranging from warning to termination and (for students)
expulsion from the College, depending on circumstances, in accordance with
applicable policies and procedures, c) when appropriate, initiation of civil or
criminal proceedings.

VII. Authority

The Office of the President grants authority to the Vice President of
Information Technology to oversee compliance with this policy.

Questions regarding this policy, or requests for variances from the policy,
should be directed to the Vice President of Information Technology at (303)
556-2441.

Approved February 13, 2006