NETWORK INFRASTRUCTURE USE




Information Technology
Responsible Office: Information Security Office
http://ooc.usc.edu
infosec@usc.edu
(213) 743-4900

1.0 Purpose

The (USC) provides its faculty, staff and students with a network infrastructure to facilitate the missions of the university, including instruction, research, service and administration. The purpose of this policy is to confirm the ownership of the USC Network Infrastructure, defined below, and establish the responsibilities of faculty, staff, students and other employees in protecting and securing the network infrastructure.

2.0 Scope

This policy applies to all university faculty members (including part time and visiting faculty), staff and other employees (such as postdoctoral scholars) and students (including postdoctoral fellows and graduate students) as well as any other users of the network infrastructure, including independent contractors or others (e.g., temporary agency employees) who may be given access on a temporary basis to university systems.

3.0 Policy

3.1 Ownership of Network Infrastructure

The USC Network Infrastructure is owned by and is the property of USC. The Information Technology Services (ITS) department is primarily responsible for overseeing the operations of the network infrastructure. There is no expectation of a right to privacy when using the network infrastructure, which includes, but is not limited to, the following: USC network connections (wired and wireless) and other network equipment including jacks, wiring, switches, panels, hubs and routers; USC network-based communication services, such as e-mail and instant messaging; computers and electronic devices (such as desktops, laptops, servers, PDAs and other handheld or mobile equipment, wireless technologies, copiers,

faxes, pagers, IP phones) that are purchased or leased using university funds; and USC purchased, licensed or developed software.

3.2 User Responsibilities

User is defined as anyone who has access to or is otherwise connected to the network infrastructure (see section 2.0, above, and the information security policy at www.usc.edu/policies for additional information about users). Users are expected to comply with information security policies to ensure the security of the network infrastructure, which includes ensuring that the devices they use that are connected to the network infrastructure are in compliance with this policy. A complete list of information security policies is available at www.usc.edu/policies. Users are responsible for utilizing appropriate measures (including passwords, virus protection and current patch management software, and other measures as described below and in the appendices to this document) to protect the security of those components of the network infrastructure that they access and/or use.

3.3 System Administrator Responsibilities

System administrator is defined as any faculty, staff, or other employee who has been designated by the USC Information Steward or Owner, as defined in information security policy, as the individual responsible for maintaining the security of the network infrastructure for that particular school, unit, division or department [1]. In many cases, the system administrator may be that department or unit's Information Security Liaison, as described in information security policy at www.usc.edu/policies. The system administrator is responsible for overseeing the security of the network infrastructure for his or her school, unit, division or department, which includes monitoring and oversight of user compliance with this policy.

[1] Administrative Information Systems (AIS) and ITS are considered departments or units covered under this policy.

3.4 Private Networks (a.k.a. Local Area Networks, Sub-Nets, Non-Standard and Specialized Networks)

Private networks are defined as any network segment or subnet behind a router, firewall, or Network Address Translation (NAT) device, behind which ITS does not have administrative control of the switches or routers to which the end systems (PCs, servers, etc.) connect.

a) All private networks must have a system administrator assigned to oversee and maintain security, who will liaise with ITS and the Information Security Office (ISO).
b) System administrators must promptly register any departmental servers [2] on a private network (as defined in this section) with the Director of ITS Systems Security in accordance with ITS's registration procedures.
c) System administrators should document the network infrastructure, which includes, but is not limited to, hardware inventory, network diagram, physical location, IP addresses, description and related information about the system. This documentation shall be made available to the ISO and ITS upon request.
d) All private networks must comply with all information security policies.

3.5 Access and Authorization Procedures

System administrators must establish written procedures to grant, modify, and terminate access to the information systems within the administrator's department, school, or unit. Refer to Appendix A for further information about access and authorization procedures.

3.6 Virus Protection and Patch Management

Desktops, laptops, and servers must have up-to-date virus protection and patch management. This is a shared responsibility between the user and system administrator. Refer to Appendix B for further information about computer security maintenance procedures, including how to obtain and maintain current virus protection and patch updates.

[2] Departmental server is defined as any server administered or managed within a particular department or unit, including those maintained by ITS and AIS.

3.7 Audit Logs

System administrators are responsible for implementing and monitoring audit logs on desktops containing information requiring enhanced protections (as defined by the information security policy, available at www.usc.edu/policies) and on departmental servers.

3.8 Physical Security

System administrators are responsible for establishing procedures to secure the physical environment of departmental servers, including, at minimum: (a) locked or otherwise restricted access to server rooms, and (b) a current inventory of all individuals with access to server rooms.

3.9 Unauthorized Access to Network Infrastructure

Unauthorized access to, or tampering and interference with, the network infrastructure is prohibited. The responsibility to implement access control mechanisms to prevent unauthorized access or use of the network infrastructure is shared between ITS and the system administrators for private networks.

4.0 System Monitoring and Auditing

ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain operation and security. The ISO is authorized to conduct monitoring and auditing of ITS, users, and system administrators to ensure compliance with this and other information security policies, in coordination with Audit Services, as appropriate. The university reserves the right to access any computer or electronic device connecting to the USC Network Infrastructure in order to verify compliance with this and other applicable information security policies.

5.0 Enforcement

Compliance with information security policies shall be monitored regularly in conjunction with the university's monitoring of its information security program. Audit Services will conduct periodic internal audits to ensure compliance with federal and state laws and regulations as well as university policy. Individuals who do not comply with these policies shall be subject to remedial action in accordance with the Faculty Handbook, the Staff Employment Policies and Procedures and SCampus, as appropriate.

Any disciplinary action under this policy shall take into account the severity of the offense and the individual's intent. Disciplinary action can include revocation of privileges to use or access any or all components of the network infrastructure, up to and including termination or dismissal from USC.

Related Policy and/or Additional References

Appendix A: Access Authorization Procedures

1.0 Purpose

This Appendix A describes the procedures for establishing, modifying, and terminating access to USC information systems.

2.0 Establishing and Modifying Access

a) System administrators shall have documented procedures for establishing and modifying user access to information systems and applications within the department/school/unit.
b) The procedure will document the process for obtaining supervisor approval to establish or modify access.
c) System administrators will perform an annual review of their access procedures and will update and revise them accordingly.
d) System administrators shall determine to which systems and applications these procedures apply, and will document the justification for their determinations.

3.0 Terminating Access

a) System administrators shall have documented procedures for terminating user access to information systems and applications within the department/school/unit.
b) System administrators must promptly delete user access upon notification by Human Resources that access should be terminated.

4.0 Password Guidelines

4.1 User Responsibilities

1) Users shall not give their passwords to other individuals to use on their behalf.
2) Users shall not post or otherwise display their passwords where they can be seen by others.
3) Where applicable, users shall create strong passwords. For example:
a) Passwords should consist of a minimum of 6 alphanumeric characters.
b) Passwords should contain a combination of alpha-characters, numbers and/or special characters.

c) Passwords should be selected with the intention of not allowing other people to guess them easily.
d) Passwords must never be the same as or resemble the Logon-ID. Passwords such as "password", "administrator", "user", "guest", "123456", etc. should not be used. Repeating passwords such as "111111" or "Z1Z1Z1" should not be used.

4.2 System Administrator Responsibilities

1) Where possible, system administrators should enforce the user responsibilities outlined above.
2) Where possible, passwords should be subject to an expiration policy requiring passwords to expire.
3) Where possible, systems should be configured to disallow re-use of passwords for 3 generations.
4) Where possible, systems should be configured to lock out the account after 5 incorrect password attempts.
5) Where possible, the use of single sign-on (Shibboleth) logins and passwords for applications through the Global Directory Services (GDS) should be encouraged.
6) Passwords should be stored in an encrypted format only, not in plain text format.
7) Where possible, system administrators should implement password-protected screensaver controls after a specified idle time, to be determined by the system administrator and unit.
8) System administrators have the discretion to implement stricter guidelines; the above are minimum standards.

4.3 Exceptions

a) Those systems that operate in an environment that does not allow for the use of passwords (i.e. sub-systems and systems without a user interface) must be appropriately secured by other security means by the system administrator.
b) Systems that do not currently allow for these requirements to be implemented must be able to comply when that system is replaced or substantially upgraded.
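The rules in 4.1(3) and 4.2(3), (4) and (6) above are concrete enough to be checked mechanically, which is how a system administrator would "enforce user responsibilities" under 4.2(1). The following Python is an added illustration, not USC's or ITS's own code: it validates a candidate password against the stated rules, keeps only salted PBKDF2 hashes of the last 3 generations rather than plain text, and locks an account after 5 failed attempts. The thresholds are the policy's; the hashing scheme, the reading of "resembles the Logon-ID" as a case-insensitive letter-substring test, and the reading of rule (b) as "letters plus at least one non-letter character" are this example's own assumptions.

```python
"""Password-policy checks modelled on Appendix A, sections 4.1-4.2.

Added example, not USC's or ITS's own code. Thresholds (6 characters,
3 generations, 5 attempts) come from the policy; the hashing scheme and
the interpretation of "resembles the Logon-ID" are assumptions.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 6              # 4.1(3)(a)
HISTORY_GENERATIONS = 3     # 4.2(3)
LOCKOUT_THRESHOLD = 5       # 4.2(4)
PBKDF2_ITERATIONS = 50_000  # assumption; the policy only says "encrypted, not plain text"

# The examples the policy names in 4.1(3)(d); a production deny list would be far longer.
FORBIDDEN = {"password", "administrator", "user", "guest", "123456"}


def is_repeating(pw):
    """True for passwords built by repeating one short unit, e.g. 111111 or Z1Z1Z1."""
    s = pw.lower()
    for unit_len in range(1, len(s) // 2 + 1):
        if len(s) % unit_len == 0 and s[:unit_len] * (len(s) // unit_len) == s:
            return True
    return False


def resembles_logon_id(pw, logon_id):
    """4.1(3)(d): never the same as, or resembling, the Logon-ID.
    Assumption: 'resembles' means equal ignoring case, or the letters of one
    (at least three of them) appearing as a substring of the letters of the other."""
    p, u = pw.lower(), logon_id.lower()
    if p == u:
        return True
    p_alpha = "".join(c for c in p if c.isalpha())
    u_alpha = "".join(c for c in u if c.isalpha())
    if len(u_alpha) >= 3 and u_alpha in p_alpha:
        return True
    return len(p_alpha) >= 3 and p_alpha in u_alpha


def hash_password(pw, salt=None):
    """4.2(6): store only a protected form. Salted PBKDF2-HMAC-SHA256 (assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(pw, stored):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


def check_password(pw, logon_id, history=()):
    """Return the list of rules a candidate violates; an empty list means acceptable.
    `history` holds stored (salt, digest) pairs for the previous passwords."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("4.1(3)(a): fewer than 6 characters")
    has_alpha = any(c.isalpha() for c in pw)
    has_other = any(not c.isalpha() for c in pw)  # numbers and/or special characters
    if not (has_alpha and has_other):
        problems.append("4.1(3)(b): must combine letters with numbers and/or special characters")
    if pw.lower() in FORBIDDEN:
        problems.append("4.1(3)(d): well-known default password")
    if resembles_logon_id(pw, logon_id):
        problems.append("4.1(3)(d): same as or resembles the Logon-ID")
    if is_repeating(pw):
        problems.append("4.1(3)(d): repeating pattern")
    if any(matches(pw, h) for h in list(history)[-HISTORY_GENERATIONS:]):
        problems.append("4.2(3): reused within the last 3 generations")
    return problems


class Account:
    """Minimal account record: hashed password history plus the 4.2(4) lockout."""

    def __init__(self, logon_id, password):
        self.logon_id = logon_id
        self.history = []   # (salt, digest) pairs, most recent last; never plain text
        self.failures = 0
        self.locked = False
        self.set_password(password)

    def set_password(self, pw):
        problems = check_password(pw, self.logon_id, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.history = (self.history + [hash_password(pw)])[-HISTORY_GENERATIONS:]

    def login(self, pw):
        """True on success; five wrong attempts lock the account until an administrator resets it."""
        if self.locked:
            return False
        if matches(pw, self.history[-1]):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ["123456", "Z1Z1Z1", "jsmith2024", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, "jsmith") or "acceptable")
```

Two design points worth noting: the history check compares against stored hashes rather than keeping old passwords in the clear, so 4.2(3) can be enforced without violating 4.2(6); and the failure counter is reset only on a successful login, so the lockout in 4.2(4) cannot be defeated by spacing attempts out.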

Appendix B: Virus Protection and Patch Management Procedures

1.0 Purpose

This Appendix B describes USC's requirements for anti-virus protection and patch management.

2.0 Anti-Virus Protection

2.1 System Administrator Responsibilities

a) System administrators must ensure that all departmental servers and workstations have current and updated anti-virus software installed.
b) With the exception of troubleshooting or special installation activities, system administrators shall ensure that anti-virus software is not modified or disabled on servers or workstations.
c) Any virus with potential harmful impact on the network infrastructure should be reported to ITS.

2.2 User Responsibilities

a) Users must contact their system administrator for assistance if they become aware that they do not have current, up-to-date anti-virus software installed on their workstation or laptop.
b) Once the anti-virus software is installed, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.
c) Users should report virus incidents to their system administrator or ITS.

3.0 Patch Management

3.1 System Administrator Responsibilities

System administrators must ensure that all departmental servers and workstations have automated patch management software or are updated by regularly scheduled update procedures.

3.2 User Responsibilities

Once the automated patch management is configured on the computer, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.

4.0 ITS Responsibilities

a) ITS is responsible for providing an enterprise anti-virus solution for university computers.
b) ITS is responsible for providing guidelines on installing and maintaining the anti-virus software and updates on university computers.

5.0 System Monitoring and Auditing

ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain the operation and security of the network infrastructure (refer to section 3.6 of this policy).

6.0 Exceptions

Those systems that operate in an isolated environment (i.e. sub-systems, systems without a user interface, systems with no external or internet connectivity) may be exempted from the virus protection and patch management procedures in this appendix if appropriate, but they must be identified and secured with other security means.