Policy #: IT0004
Effective Date: 3/4/09
Last Revision Date: 10/4/11
Vice Chancellor, Information Technology
| Background/Introduction | Definitions | Detailed Policy Statement | Exceptions | Policy Authority | Getting Help | References and Additional Resources | Appendix A: IS-3 Requirements |
I. BACKGROUND / INTRODUCTION
UC Business and Finance Bulletin IS-3, Electronic Information Security, requires all UC campuses to "establish minimum standards for devices connected to their networks." IS-3 also identifies certain standards that all campuses must address, at a minimum. This policy applies to all devices connecting to the campus network. It is intended to comply with IS-3 and to ensure the availability, reliability, and security of UCSC's electronic resources.
A glossary of selected terms used in this document is available at http://its.ucsc.edu/policies/glossary.html
III. DETAILED POLICY STATEMENT
All devices, regardless of location or ownership, must satisfy the following minimum network connectivity requirements, as appropriate, before connecting to the campus network. Additionally, devices known to be vulnerable, to present a security risk, or to be infected with malicious software must not be connected to the campus network or to devices on the campus network. Devices not meeting these requirements are subject to being blocked or disconnected from the campus network according to UCSC's Guidelines and Procedures for Blocking Network Access. Individuals are also subject to the provisions of the Policy for Acceptable Use of UCSC Electronic Information Resources and, for students using UCSC's residential networks, the Resnet Usage Guidelines and Responsible Use Policy.
Please note that these are minimum requirements only. Additional requirements apply to systems that contain or access restricted data. Units, departments or Information Technology Services (ITS) may elect to apply more stringent standards and/or guidelines, where consistent with IS-3 and the UC Electronic Communications Policy.
Minimum Network Connectivity Requirements
A. IS-3 Requirements
UCSC adopts the "Minimum Requirements for Network Connectivity" identified in Section IV of IS-3. These requirements are included in Appendix A, which is subject to revision in response to updates to IS-3. In the event that Appendix A and IS-3 do not agree, IS-3 is controlling.
B. Additional UCSC Requirements
These minimum network connectivity requirements are not intended to restrict University research, instructional, or administrative activities. Situations may also exist where implementing one or more of these requirements as written would compromise the usability of a critical system or application, or is prohibited by regulation.
Requests for exceptions for these purposes may be appropriate. Such requests must be approved by the Vice Chancellor, Information Technology, or designee. For new systems or applications, such requests must be approved in advance of deployment. Exceptions, including any relevant conditions and review date, must be documented. Implementation of additional measures may be required when exceptions are granted.
V. POLICY AUTHORITY
The campus Vice Chancellor, Information Technology, on behalf of the Office of the Chancellor and the Office of the Campus Provost and Executive Vice Chancellor (CP/EVC) is the campus authority for UCSC's Minimum Network Connectivity Requirements Policy. This policy was initially reviewed and approved by the CP/EVC on 3/4/2009. Next review date is October 2013.
VI. GETTING HELP
Guidance regarding the implementation of these requirements is available online at http://its.ucsc.edu/security/stay-secure/minreq/index.html
For questions about these requirements, contact the ITS Support Center at itrequest.ucsc.edu, email@example.com, 459-HELP, or in person M-F 8AM-5PM, 54 Kerr Hall, or your ITS Divisional Liaison (DL).
VII. REFERENCES AND ADDITIONAL RESOURCES
University of California
University of California, Santa Cruz
Minimum Requirements for Network Connectivity
from UC Business and Finance Bulletin IS-3, Information Security
Note: Appendix A is subject to revision in response to updates to IS-3. In the event that Appendix A and IS-3 do not agree, IS-3 is controlling.
IS-3 Section IV: Minimum Requirements for Network Connectivity
A. Access Control Measures
to allow only authorized individuals access to networked devices.
Typical current access controls measures are passwords (see section III.C.2, Technical Controls, above). Shared-access systems must enforce password or other authorization/authentication standards whenever possible and appropriate. In situations where systems ship with default passwords for network accessible devices, those passwords should be changed upon first use.
B. Encrypted Authentication
to protect against surreptitious monitoring of passwords.
Suitably strong encryption shall be employed when passwords are transmitted over a network. Network traffic may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Encryption-capable services, such as SSH, SFTP, SCP, SSL, HTTPS, POPS, and IMAPS, may be used to meet this requirement.
C. Patch Management Practices
to ensure timely update of security patches.
Networked devices shall run versions of operating system and application software for which security patches are made available, and these should be installed in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications following campus exception procedures. Implementation of additional measures may be required when exceptions are granted.
D. Malicious Software Protection
to protect networked devices from malicious software, such as viruses, spyware, and other types of malware.
When readily available and as appropriate for specific operating systems, software to detect viruses and other malware shall be running, up-to-date, and have current virus definition files installed on all network devices as appropriate.
E. Removal of Unnecessary Services
to prevent surreptitious use of services not needed for the intended purpose or operation of the device.
If a service is not necessary for the intended purpose or operation of a device, it shall not be running on that device; such services should be disabled, turned off, or removed.
F. Host-based Firewall Software
to limit network communications to only those services that require access to the network.
When readily available for specific operating systems, host-based firewall software shall be running and configured to limit network communications to only those services requiring to access to network devices.
G. Authenticated Email Relay
to prevent unauthorized third parties from relaying email messages.
Devices shall not provide an active SMTP service that allows unauthorized individuals to send or relay email messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user.
H. Authenticated Network Proxy Servers
to prevent unauthorized access to Internet-based Resources.
Network proxy servers should employ authentication to protect devices that allow unauthenticated access from UC locations. Although properly configured unauthenticated proxy servers may be used for valid purposes, unauthenticated proxy servers may enable an attacker to execute malicious programs from the server in the context of an anonymous user account or allow unauthorized access to licensed Resources.
I. Session Timeout
to prevent unauthorized access to restricted or essential services or devices left unattended for an extended period of time.
Devices that access restricted and/or essential services that are left unattended for an extended period of time shall employ measures, such as session timeout or lockout mechanisms, that require re-authentication before users return to interactive use. Devices that host confidential or critical information may be subject to additional requirements.