Computer and Network Security Policy

Size: px

Start display at page:

Download "Computer and Network Security Policy"

Marlene Page
9 years ago
Views:

1 Coffeyville Community College Computer and Network Security Policy Created By: Jeremy Robertson Network Administrator Created on: 6/15/2012 Computer and Network Security Page 1

2 Introduction: The Coffeyville Community College Network Security Policy provides the operational detail required for the successful implementation of a safe and efficient computer network environment for the College. These security policies were developed based on the understanding of the educational and Administrative needs of the College and an evaluation of the existing technical configuration and requirements. These policies are meant to complement existing computer and network policies relating to computer data network security. Policies: Computer Registration: All Computers not provided by the College that access the network must be registered. Personal computers used by Faculty, Staff, and Students will be registered with the following information: Media Access Control (MAC) Address of all network interface adapters in the computer. Full name of primary user of the computer. In the case of multiple users the name of the owner of the machine who will be held directly responsible for the use of the machine. Domain Computer Authentication: The College will maintain a centralized computer authentication system for computers of the College. All College owned networked computers which are capable of utilizing this authentication system will be configured to verify login credentials with the system. Departments will notify Technical and Network Services of changes to employment status of an employee so that user accounts can be hanged or revoked as necessary. Technical and Network Services will maintain documented procedures for departments to notify them of personnel changes. All College owned computers must be registered on the domain, to ensure that they are kept up-to-date, as well as maintain backups of user s data, and enforce policies. Computer and Network Security Page 2

These security policies were developed based on the understanding of the educational and Administrative needs of the College and an evaluation of the existing technical configuration and requirements.

3 Preset Configuration: All College owned networked computers will a standard preset configuration. This configuration will vary depending on the department and or purpose of the machines intended use. This preset configuration will include the following All Machines: 1) The Operating System a) Windows 7 b) Most current Service pack c) All current updates including security updates d) Will be registered to the proper domain e) Local Administrator account enabled with IT s local admin credentials f) Computer shall be named by building abbreviation and room number unless computer is designated to a lab then it will be the Lab room number and the computer number in the lab. 2) Latest Microsoft Office and all security packs 3) Flash, Java, adobe Reader Student Accessed Machines: 1.) Compass where needed. 2.) Adobe CS (Lab 102) Lab administrator may add software needed by instructors to these machines at their discretion. Faculty Accessed Machines: 1.) Jenzabar 2.) DVD Software 3.) Smart Software Administrative Access to All College Owned Computers: Faculty and staff will be made local administrators of their primary machines. IT, will have exclusive administrative access to the domain level administrator accounts and local administrator accounts. Computer and Network Security Page 3

registered to the proper domain e) Local Administrator account enabled with IT s local admin credentials f) Computer shall be named by building abbreviation and room number unless computer is

4 Account Login Sharing is strictly prohibited. Accounts that give users access to information resources are to be used only by the persons to whom the accounts are assigned. Log-on Ids, passwords, and other means of access must not be shared with anyone. Holders of the means of access are responsible for unauthorized access to their accounts that results from their negligence in maintaining the confidentiality of their means of access. Privately Owned Computers: Computers not owned by the College that connect to the data network must be configured to ensure reasonable network security and integrity. The computer must be configured but not limited to the following 1.) The computer Operating System must be updated and patched to eliminate security vulnerabilities that exist for that computers configuration. 2.) An actively running, up-to-date anti-virus. Privately-owned computers which do not adhere to the minimum standards will not be allowed to connect to the computer data network reserved for faculty, staff, students, and computer labs. Privately-owned computers which are found to be performing activities which cause network degradation, violate College policies, or violate local, state, or federal laws, will not be allowed to connect to the computer data network reserved for faculty, staff, students, and computer labs. Network Security: The security of the network is the responsibility of the Network administrator, He will ensure the following. 1.) Routers are configured properly 2.) Where possible firewalls will block malware and viruses 3.) Enforce security policies 4.) Servers can be accessed without risk to network security. Proper router configuration will include blocking all incoming and outbound traffic destined for unsafe ports. Any user that tries to access the router with the wrong credentials more than five times in a minute will be considered a brute force attack and their address will be blacklisted. Computer and Network Security Page 4

Holders of the means of access are responsible for unauthorized access to their accounts that results from their negligence in maintaining the confidentiality of their means of access.

5 Exception Process: The College Network Security Policies are likely to be impacted by changing technology, legislation, educational and administrative requirements. The steps for permitting and documenting an exception are: 1.) A request for an exception is received by the Director of Technology and the Network Administrator along with a rationale for justifying the exception. 2.) The Director of Technology and the Network Administrator analyzes the request and the rationale and determines if the exception should be accepted, denied, or if it requires more investigation 3.) If more investigation is required the Director of Technology and the Network Administrator determine if there is a cost effective solution to the problem that does not require an exception. 4.) If there is not an alternate cost effective solution, and the risk is minimal, the exception may be granted 5.) Each exception must be re-examined according to its assigned schedule. 6.) The schedule can vary from 3 months to 12 months depending on the nature of the exception. 7.) Any exception request that is rejected may be appealed to the Chairs. Change Drivers: A number of factors could result in the need or desire to change the Network Security Polices. These factors include, but are not limited to: 1.) Review schedule 2.) New legislation 3.) Newly discovered security vulnerability 4.) New technology 5.) Audit report 6.) Cost/benefit analysis 7.) Change in the educational and administrative needs of the College Computer and Network Security Page 5

) A request for an exception is received by the Director of Technology and the Network Administrator along with a rationale for justifying the exception. 2.

6 Change Process: Updates to the Network Security Policies, which include establishing new policies, modifying existing policies, or removing policies, can result from three different processes: 1.) At least annually, the Director of Technology and the Network Administrator will review the Policies for possible addition, revision, or deletion. An addition, revision, or deletion is proposed to the College Chairs for approval. If approved by the Chairs, the addition, revision, or deletion will be put into effect. 2.) Every time new computer network technology is introduced into the College a security assessment must be completed. The result of the security assessment could necessitate changes to the Network Security Policies before the new technology is placed into use in the College of Education computer network. 3.) Any user may propose the establishment, revision, or deletion of any policy at any time. These proposals should be directed to the Director of Technology and the Network Administrator who will evaluate the proposal and make recommendations to the Chairs if the proposal is deemed valid and reasonable in accordance with the goals of the Network Security Policy. Computer and Network Security Page 6

An addition, revision, or deletion is proposed to the College Chairs for approval. If approved by the Chairs, the addition, revision, or deletion will be put into effect. 2.

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption