Department of Information Technology


XIX. Network Security Policy

I. Purpose

To establish policies, procedures and guidelines for securing Metro State College’s computing network (both wired and wireless).

II. Scope

These policies affect all users who use Metro’s networking (wired or wireless) resources.

III. Introduction

Metro’s computer network (both wired and wireless) exists to support the college’s educational mission and related administrative functions. The network provides access to information and other resources that are important to all of the college’s educational and administrative units. Some of these resources are available to the public, while others are available only to members of the Metro State community. Access to information resources containing confidential information about members of the college community is restricted to authorized personnel only. The college has both legal and ethical obligations to safeguard these resources.

The Department of Information Technology (IT) is responsible for developing, implementing, and monitoring the administrative, technical and physical controls necessary to protect the integrity and availability of the college's networking resources, and to protect the confidentiality of the data transmitted over the network or stored on network connected devices. The Network Security Policy is an essential element of a larger administrative framework that guides and governs the development and implementation of these security controls.

IV. Policy Statements

  1. The college network is divided into multiple security zones.
    1. Networked devices, including workstations and servers, which can be accessed directly from the Internet are placed into a separate security zone specifically for internet facing services. The college's ERP database and other services requiring higher security standards are placed into a high security zone. All other workstations, servers, services, and other network devices are placed into intermediate security zones.
    2. Connectivity between security zones is carefully controlled and monitored [see #7 below].
    3. Connectivity from a lower security zone to a higher (or equally rated) security zone follows the rule "That which is not explicitly permitted is implicitly denied" (default deny).
    4. Generally, connectivity from a higher security zone to a lower security zone follows the rule "That which is not explicitly denied is implicitly permitted" (default permit).
    5. IT is responsible for managing the connectivity between security zones.
  2. IT is responsible for building and maintaining Metro State's computing network (both wired and wireless). Information Technology will work with departments, faculty, students and staff to develop secure, reliable and cost effective solutions for their networking needs.
  3. People using the college’s network, or any of the college’s other computing resources, must comply with the Responsible Use of Information Technology Resources policy and all other related policies. See: http://www.mscd.edu/~infotech/policies
  4. Devices connecting to the college's network must comply with IT networking standards and architecture. Persons desiring to connect devices, other than generic computers and printers, to the network must consult with the IT Network Operations Center before connecting the device. (Call: 1-877-35AskIT (1-877-352-7548).)
  5. The Metro State network provides Dynamic Host Configuration Protocol (DHCP) services to dynamically assign IP addresses; devices connecting to the network should use DHCP to obtain a dynamically assigned IP address. Persons whose special equipment or software supports the college’s educational mission and requires a static IP address may request one from the IT Network Operations Center. (Call: 1-877-35AskIT (1-877-352-7548).)
  6. IT uses both proactive and reactive techniques to defend the network from potential security threats and active security exploits.
    1. Proactive techniques include: Devices connected to the network are subject to automatic device discovery, and may be periodically tested (over the network) for problems which may pose a security threat to the network or the individuals using the device. These tests will not cause harm to either the device or the user. If a potential security problem is discovered, it will be reported to the personnel (when known) who are responsible for the maintenance of the device.
    2. Reactive techniques include: IT will isolate or disconnect, without prior notice, any device that is threatening the availability or integrity of the network, or threatening the confidentiality of the data transmitted across the network, or is being used to violate the Responsible Use of Information Technology Resources policy or other related policies. When known, IT will make every effort to notify the personnel responsible for the operation and maintenance of the device as soon as possible of the disconnect.
  7. IT will maintain a variety of network monitoring equipment to monitor the health and performance of the network. Other monitoring equipment will include network intrusion and prevention systems placed in strategic locations throughout the network. IT does not routinely monitor the web sites a user visits or record other network traffic; however, when diagnosing network problems or investigating network anomalies, IT may use diagnostic equipment that does record and analyze all data passing across the network. Data gathered in this manner is rarely retained. IT personnel are obligated to protect the confidentiality of the data they have access to. However, extenuating circumstances, such as the discovery of criminal activity, may require IT personnel to disclose their findings to the college’s legal counsel and law enforcement personnel.
  8. Access to the college’s primary networking equipment is restricted to authorized personnel.

V. Reporting Violations

Any suspected violations of these policies, any unauthorized access to computing resources, or any other condition which could compromise the security of the college’s computing resources must be reported to the Department of Information Technology Security and Disaster Recovery Coordinator, http://www.mscd.edu/~infotech/security/, 1-877-35AskIT (1-877-352-7548).

VI. Remedies for Non-Compliance

Failure to comply with these policies may result in one or more of the following actions: a) suspension of access to the network for the individual, or educational or administrative unit violating the policy, b) when appropriate, disciplinary action ranging from warning to termination and (for students) expulsion from the College, depending on circumstances, in accordance with applicable policies and procedures, c) when appropriate, initiation of civil or criminal proceedings.

VII. Authority

The Office of the President grants authority to the Vice President of Information Technology to oversee compliance with this policy.

Questions regarding this policy, or requests for variances from the policy, should be directed to the Vice President of Information Technology at (303) 556-2441.

Approved February 13, 2006

Copyright © Metropolitan State College of Denver