NETWORK SECURITY GUIDELINES

Transcription

1 NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus DAT files are updated automatically on configured machines; plus the current DAT files are placed on the GST BOCES Helpdesk menu for the end users to update their software manually. It is the shared responsibility of the end users, GST BOCES LAN staff, and the school district IT staff to make sure the anti-virus on the PC s is current. All (incoming and outgoing) is scanned for viruses. All file servers are scanned for viruses. INCIDENT HANDLING OF VIRUSES It is the shared responsibility of the end-users, GST BOCES LAN staff, and the school district IT staff to ensure that all computers are free of viruses and also to keep the anti-virus DAT files updated on computers. GST BOCES Computer Services staff will have information about anti-virus software and procedures available at Viruses infected s will be deleted automatically by the Anti-Virus programs. Virus files found on any file server will be immediately investigated and eradicated by GST BOCES LAN and/or school district IT staff. SECURITY OFFICER The CSC security team functions as the security officer for the GST BOCES regional network. The security team sets procedures and guidelines for all matters involving network security. The CSC security contact person, as appointed by the manager of CSC, will be responsible for keeping current and knowledgeable on CERT advisories and keep abreast of security exploits. The security contact person is responsible for handling and addressing any reported security incidents. BANNER/WARNINGS All network connected computer workstations should display a warning banner with an authorized user, appropriate use message prior to network login. NETWORK ADDRESSING AND NETWORK DEVICE CONNECTIONS Computer network addressing will be implemented and maintained only by the appropriately authorized school district technology staff and the GST BOCES Computer Services staff. Any and all connections of computer network equipment to the school district and GST BOCES regional WAN (Wide Area Network) will be coordinated with authorized school district technology staff, implemented and executed by GST BOCES Computer Services staff, or by authorized school district technology staff under the guidance/direction/approval of GST BOCES Computer Services staff and/or school district IT staff.

2 There will be an agreement and assigned responsibility between the contracting school district, a vendor or individual requesting network access, and the GST BOCES Computer Services staff for updating any server operating systems applying (OS) service packs and patches, anti-virus patches, and security patches. This includes any remotely attached devices R ACCEPTABLE USE POLICY It is the recommendation of the GST BOCES security team that each school district have a Board approved Acceptable Use Policy including Internet Safety Policy language complying with CIPA legislation. The GST BOCES security team is available as a resource for school districts when composing these Acceptable Use Policies. Appropriate disciplinary action for users that violate the policy will be reviewed and handled on a case-by-case basis by the school district Superintendent, Supervisor, CSC Manager, school district Technology Director, and/or designee. DATA BACKUP AND RECOVERY The GST BOCES Computer Services center will be responsible to implement and support a data backup solution for all network data on the GST BOCES regional wide area network. The GST BOCES Computer Services staff will make every effort to backup all network data on a daily basis. Any and all data located on local drives is the responsibility of the end user. In situations where school district staff are responsible for the execution and maintenance of the daily data backups locally, GST BOCES Computer Services staff cannot be held responsible for the integrity of the backups. It is the responsibility of all systems administrators and school district Technology Directors to notify the GST BOCES backup administrator of any new network file areas and data requiring backup. The GST BOCES Computer Services staff can retrieve network data from these backups up to 30 working days old. Requests are taken by the GST BOCES Helpdesk, and are handled on a case by case basis. It is the recommendation of the GST BOCES Computer Services staff that backup media going back for one week be stored off site for disaster recovery purposes. OUTSIDE REQUESTS FOR NETWORK INFORMATION Details concerning the GST BOCES regional wide area network configuration are considered confidential; therefore, it is the recommendation of the GST BOCES security team that network information be given out over the phone or via only when appropriate. PROCEDURE FOR ADDING, CHANGING, OR DELETING NETWORK ACCOUNT ACCESS It is the school district s responsibility to collect a completed User Authorization form for any network account created. Network accounts will not be created without a signed GST BOCES Staff User Authorization Form. All requests to modify or delete accounts and/or change access must be authorized by the district Technology Director or their district designee. Requests for transfer of data must be authorized by the district of data ownership. Any forms received by GST BOCES will be kept on file.

3 GUIDELINES FOR NETWORK ACCOUNT PASSWORDS Network passwords should be required to be changed periodically. Passwords should be at least 5 characters. Passwords should be memorized and never be written down. Passwords should never be shared. Passwords should be a mix of alphanumeric characters and not form any real word. Passwords should not be names or dates easily identified with the end user. Passwords should not be same as username. Password standards do not apply to generic accounts. Staff who actively sync the district system with a personal device (i.e. smartphone, tablet, etc.) must create and employ a manually entered PIN (numeric, non-swipe, personal identification number). PASSWORD ADMINISTRATION System administrators can periodically scan the password files for weak passwords. Any weak password information (name, initials, children s names, etc.) found will be passed on to the Administrator of Computer Services or to the district Technology Director who will work with other technical and district staff for appropriate action. When the end user forgets their network/ password, the procedure is for them to call the GST BOCES Help Desk, school district s Technology Director, or appropriate district staff to request the change. For all other systems, they should call the application support person (MUNIS, SASI, Mandarin, etc.). Anyone requesting temporary, substitute, or special access staff members are required to follow a GST BOCES or district-approved procedure for obtaining access. SUSPECTED STAFF MISCONDUCT/SECURITY BREACH By specific request of a school district s Technology Director or a school district Superintendent made by phone or to the CSC Computer Center Manager or the Administrator of Computer Services, a user s account will be disabled. By specific request of a school district s Technology Director or a school district Superintendent made by phone or to the CSC Computer Center Manager or the Administrator of Computer Services, access will be given to a user s network drive area and/or their account for review by specified district personnel. Network information, accounts, and data are not considered private and can be monitored, when requested, by authorized school district personnel. Network data is considered the property of the corresponding school district and access to that data will be given only when authorized by appropriate school district personnel.

4 WIRELESS ACCESS Any wireless access point that is installed on the school district and GST BOCES Regional Network must be secured. Recommendations include: MAC address filtering enabled (whenever feasible) Turn off the Broadcast SSID Turn on Encryption Use secure authentication method for clients (802.1X) SECURITY BREACH All users should report any suspected security breach to their immediate supervisor or teacher. Supervisors will contact the Computer Services Center Manager or their school district Technology Director in the event of a suspected breach. On a case by case basis, CSC Manager, school district Technology Director, Supervisor, and/or other involved parties will discuss appropriate consequences. Security personnel will monitor the system for security breaches; will record and track suspected breach incidents; and will notify school district personnel of any suspected breach. REMOTE ACCESS Any remote access to the school district and GST BOCES Regional Wide Area Network will be allowed based on approval from both school district Technology Director and the GST BOCES Computer Services Manager or Administrator of Computer Services. VENDOR REMOTE ACCESS Vendor remote access is defined as allowing vendor access via a network connection into the school district and GST BOCES Regional Wide Area Network in order to maintain and monitor various vendor applications and servers. Remote access for vendors will be based on approval from both appropriate district supervisory staff and the GST BOCES Computer Services Manager or designee, according to the following suggested criteria. Requested access will be used for monitoring of vendor hardware only; any misuse of the equipment, or determination by GST BOCES Computer Services staff or school district IT staff of a security risk will result in termination of the agreement. Options for vendor remote access: 1. GST BOCES Computer Services staff will provide a VPN solution to the vendor; 2. Vendor can provide a static IP (permanent) address; and GST BOCES Computer Services staff/ authorized school district staff will open a specified port for access by the vendor; unless GST BOCES Computer Services staff determines that this method would pose a security risk to the network; and

5 3. For a specified time, GST BOCES Computer Services staff/authorized school district staff will open a specified port for access by the vendor and close that access when no longer needed; unless GST BOCES Computer Services staff determines that this method would pose a security risk to the network. Whenever appropriate the vendor s application will be housed in the DMZ (demilitarized zone). There will be an agreement and assigned responsibility between the contracting school district, the vendor, and the GST BOCES Computer Services staff for updating any server operating systems applying (OS) service packs and patches, anti-virus patches, and IIS security patches, this includes any remotely attached devices. PHYSICAL SECURITY It is the recommendation of the GST BOCES Computer Services staff that the transferring of any school district student, financial, or personnel data from the GST BOCES Wide Area Network, to any other removable media, should be approved in writing by a Building administrator, immediate supervisor, or Technology Director of the school district. It is also the recommendation of the GST BOCES Computer Services staff that any requests for transfers of school district data from any outside source or vendor should be approved in writing by a building administrator, immediate supervisor, or Technology Director of the school district. Requests from law enforcement will be communicated to GST BOCES District Superintendent and appropriate component school district Superintendent. Approved: December 1, 2003 Revised and Approved: February 9, 2004; October 4, 2004; December 13, 2007; Sept. 11, 2014 Nov. 13, 2014