No. 815.1
SECTION: OPERATIONS
ALTOONA AREA SCHOOL DISTRICT
TITLE: THIRD PARTY NETWORK ACCESS
ADOPTED: August 17, 2009
REVISED:

815.1. THIRD PARTY NETWORK ACCESS

1. Purpose

The purpose of this policy is to ensure a secure method of network connectivity between Altoona Area School District and all third parties, and to provide a formalized method for the request, approval and tracking of such connections.

2. Authority

External vendor data network connections to Altoona Area School District can create potential security exposures if not administered and managed correctly and consistently. These exposures may include non-approved methods of connection to the district network, the inability to shut down access in the event of a security breach, and exposure to hacking attempts. All external vendor data network connections, therefore, must be approved by the district's Technology Department.

This policy applies to all new third party network connection requests and any existing third party network connections. When existing third party network connections do not meet all of the guidelines and requirements outlined in this policy, they will be re-engineered as needed.

3. Guidelines

Third-Party Connection Requests And Approvals

1. All requests for third party connections must be made using the appropriate method based on the support organization.
2. The required information is outlined in the Third Party Network Access Request Questionnaire Information Requirements Document. It is the Technology Department's responsibility to ensure that the third party has provided all of the necessary information and that such information is correct.
3. All third party connection requests must have a district administrative level signature for approval. In some cases approval may be given at a lower level with pre-authorization from the appropriate district administrator. Also, all third parties requesting a network connection must complete and sign the district's Third Party Network Access Agreement.

Page 1 of 5
4. As a part of the request and approval process, the technical and administrative contact within the third party's organization, or someone at a higher level within the third party's organization, shall be required to read and sign the Third Party Network Access Agreement and any additional documents as required.

Connectivity Options

1. The following five (5) connectivity options are the standard methods of providing a third party network connection. Anything that deviates from these standard methods must have a waiver sign-off at the administration level:
   a. Leased line (e.g., T1) - Leased lines for third parties shall be terminated on the third party's and/or the district's network.
   b. ISDN/FR - Dial leased lines will terminate on the third party's and/or the district's router. Authentication for these connections must be as stated in this policy.
   c. Encrypted Tunnel - Encrypted tunnels must be terminated on the third party's and/or the district's network whenever possible. In certain circumstances, it may be required to terminate an encrypted tunnel on the dirty subnet, in which case the district's normal perimeter security measures will control access to internal devices.
   d. Telnet access from Internet - Telnet access from the Internet will be provided by first telnetting to the third party's gateway machine, where the connection will be authenticated as stated below. Once the connection is authenticated, telnet sessions to internal hosts shall be limited to those services needed by using the authorization capabilities of the district's network security.
   e. Remote Dial-up via PPP/SLIP - Remote dial-up via PPP/SLIP shall be provided by a separate third party modem pool. The connection will be authenticated as stated below.

Third Party Access Points

When possible, third party access points (PAPs) may be established in locations such that the cost of the access is minimized. Each PAP should consist of at least one (1) router.
Services Provided

1. In general, services provided over third party connections should be limited to only those services needed, and only to those devices (hosts, routers, etc.) needed. Blanket access shall not be provided for anyone. The default policy position is to deny all access and then allow only those specific services that are needed and approved by the district pursuant to the established procedure.
2. In no case shall a third party network connection to the district be used as the Internet connection for the third party.

The standard set of allowable services is listed below:
   a. File Exchange via ftp - Where possible, file exchange via ftp should take place on the existing Altoona Area School District ftp servers.
   b. Electronic Mail Exchange - Business-related e-mail exchange between the district and third parties may be conducted over the network connection as needed. Mail from third party sites to non-district addresses will not be allowed over the network connection.
   c. Telnet Access - Telnet access shall be provided to specific district hosts, as needed. Employees from third parties shall only be given accounts on the specific district host servers that are needed. Where possible, router ACLs and static routes will be used to limit the paths of access to other internal district hosts and devices.
   d. Web Resource Access - Access to Altoona Area School District's public web resources shall be accomplished via the third party's normal Internet access.
   e. Access To Source Code Repositories - This access will be decided on a case-by-case basis.
   f. SQL*Net Access - This will be decided on a case-by-case basis.

Authentication For Third Party Network Connections

Third party network connections made via remote dial-up using PPP/SLIP or standard telnet over the Internet will be authenticated using the district's firewalls and server security. Third parties must notify the district when access to the district's network is required. The district will then activate the appropriate network connection.
Protection Of Company Information And Resources

The Altoona Area School District network support group is responsible for the installation and configuration of each specific third party connection and must ensure that all possible measures have been taken to protect the integrity and privacy of all of the district's confidential information. At no time should the district rely on access/authorization control mechanisms at the third party's site to protect or prohibit access to the district's confidential information.

The district shall not have any responsibility for ensuring the protection of third party information. The third party shall be entirely responsible for providing the appropriate security measures to ensure protection of its private internal network and information.

Audit And Review Of Third Party Network Connections

All aspects of third party network connections, up to but not including the company's firewall, may be monitored by the appropriate district network support group. Where possible, automated tools shall be used to accomplish the auditing tasks. Audits may be performed on all district-owned/maintained third party router/network device configurations, and the output shall be provided to the appropriate district network support group. Any unauthorized changes shall be investigated immediately.

All third party network connections may be reviewed at any time, and information regarding specific third party network connections shall be updated as necessary. Obsolete third party network connections will be terminated.

Altoona Area School District's Technology Department

The district's Technology Department has the responsibility for maintaining related policies and standards. The Technology Department shall also provide advice and assistance regarding judgment calls, and will facilitate information gathering in order to make a correct decision. Global coordination of confidentiality and nondisclosure agreements with all third parties is also the responsibility of the district's Technology Department. The Technology Department is also responsible for all global firewall design, configuration and engineering required for support of all approved third party network connections.
References:

TEC-F003 Third Party Network Access Agreement
TEC-P002 Third Party Network Access Agreement Terms and Conditions
TEC-F004 Third Party Connection Request Questionnaire Information Requirements Document