Policy #: IT0004
Effective Date: 3/4/09
Last Revision Date: 5/22/15

UCSC Minimum Network Connectivity Requirements Policy

Vice Chancellor, Information Technology
(Policy IT-0004)

I. Background/Introduction | II. Definitions | III. Detailed Policy Statement | IV. Exceptions | V. Policy Authority | VI. Getting Help | VII. Related Policies and References | Appendix A: IS-3 Requirements |


UC Business and Finance Bulletin IS-3, Electronic Information Security, requires all UC campuses to "establish minimum standards for devices connected to their networks." IS-3 also identifies certain standards that all campuses must address, at a minimum. This policy applies to all devices connecting to the campus network. It is intended to comply with IS-3 and to ensure the availability, reliability, and security of UCSC's electronic resources.


A glossary of selected terms used in this document is available at http://its.ucsc.edu/policies/glossary.html


All devices, regardless of location or ownership, must satisfy the following minimum network connectivity requirements, as appropriate, before connecting to the campus network. Devices known to be vulnerable, to present a security risk, or to be infected with malicious software must not be connected to the campus network or to devices on the campus network. Devices not meeting these requirements, as well as devices found to be disruptive to the operation of the campus network, are subject to being blocked or disconnected from the campus network according to UCSC's Procedures for Blocking Network Access. Individuals are also subject to the provisions of the Policy for Acceptable Use of UCSC Electronic Information Resources and, for students using UCSC's residential networks, the Resnet Responsible Use Policy.

Please note that these are minimum requirements only. Additional requirements apply to systems that contain or access restricted data. Units, departments or Information Technology Services (ITS) may elect to apply more stringent standards and/or guidelines, where consistent with IS-3 and the UC Electronic Communications Policy.

Minimum Network Connectivity Requirements

A. UC Requirements

The "Minimum Requirements for Network Connectivity" in Section IV of IS-3 are required at UCSC. These requirements are included below in Appendix A, which is subject to revision in response to updates to IS-3. In the event that Appendix A and IS-3 do not agree, IS-3 is controlling.

B. UCSC Requirements

1.Access Control Measures: When passwords are used, they must comply with the campus Password Strength and Security Standards as outlined in the UCSC Password Policy.

2. Security Audit Agents: Service Providers may require that computers run a security audit agent as a condition for attaching to the campus network.


Exceptions to this policy must be approved by the Vice Chancellor, Information Technology, or designee. For new systems or applications, exceptions must be approved in advance of deployment. Exceptions, including any relevant conditions and review date, must be documented. Implementation of compensating controls may be required when exceptions are granted.


The campus Vice Chancellor, Information Technology, on behalf of the Office of the Chancellor and the Office of the Campus Provost and Executive Vice Chancellor (CP/EVC) is the campus authority for UCSC's Minimum Network Connectivity Requirements Policy. This policy was initially reviewed and approved by the CP/EVC on 3/4/2009. Last update was May 2015. Next review date is May 2020.


Guidance regarding the implementation of these requirements is available online at http://its.ucsc.edu/security/stay-secure.html

For questions about these requirements, contact the ITS Support Center at itrequest.ucsc.eduhelp@ucsc.edu, 459-HELP, or in person M-F 8AM-5PM, 54 Kerr Hall; or your ITS Divisional Liaison (DL).


University of California

University of California, Santa Cruz

Minimum Requirements for Network Connectivity 
from UC Business and Finance Bulletin IS-3, Information Security, Section IV

Note: Appendix A is subject to revision in response to updates to IS-3. In the event that Appendix A and IS-3 do not agree, IS-3 is controlling.

IS-3 Section IV: Minimum Requirements for Network Connectivity

A. Access Control Measures
to allow only authorized individuals access to networked devices.

Typical current access controls measures are passwords (see section III.C.2, Technical Controls, above). Shared-access systems must enforce password or other authorization/authentication standards whenever possible and appropriate. In situations where systems ship with default passwords for network accessible devices, those passwords should be changed upon first use.

B. Encrypted Authentication 
to protect against surreptitious monitoring of passwords.

Suitably strong encryption shall be employed when passwords are transmitted over a network. Network traffic may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Encryption-capable services, such as SSH, SFTP, SCP, SSL, HTTPS, POPS, and IMAPS, may be used to meet this requirement.

C. Patch Management Practices 
to ensure timely update of security patches.

Networked devices shall run versions of operating system and application software for which security patches are made available, and these should be installed in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications following campus exception procedures. Implementation of additional measures may be required when exceptions are granted.

D. Malicious Software Protection
to protect networked devices from malicious software, such as viruses, spyware, and other types of malware.

When readily available and as appropriate for specific operating systems, software to detect viruses and other malware shall be running, up-to-date, and have current virus definition files installed on all network devices as appropriate.

E. Removal of Unnecessary Services 
to prevent surreptitious use of services not needed for the intended purpose or operation of the device.

If a service is not necessary for the intended purpose or operation of a device, it shall not be running on that device; such services should be disabled, turned off, or removed.

F. Host-based Firewall Software
to limit network communications to only those services that require access to the network.

When readily available for specific operating systems, host-based firewall software shall be running and configured to limit network communications to only those services requiring to access to network devices.

G. Authenticated Email Relay
to prevent unauthorized third parties from relaying email messages.

Devices shall not provide an active SMTP service that allows unauthorized individuals to send or relay email messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user.

H. Authenticated Network Proxy Servers 
to prevent unauthorized access to Internet-based Resources.

Network proxy servers should employ authentication to protect devices that allow unauthenticated access from UC locations. Although properly configured unauthenticated proxy servers may be used for valid purposes, unauthenticated proxy servers may enable an attacker to execute malicious programs from the server in the context of an anonymous user account or allow unauthorized access to licensed Resources.

I. Session Timeout
to prevent unauthorized access to restricted or essential services or devices left unattended for an extended period of time.

Devices that access restricted and/or essential services that are left unattended for an extended period of time shall employ measures, such as session timeout or lockout mechanisms, that require re-authentication before users return to interactive use. Devices that host confidential or critical information may be subject to additional requirements.

Rev. 5/22/15