Policy #: IT0004
Effective Date: 3/4/09
Last Revision Date: 5/22/15
UCSC Minimum Network Connectivity Requirements Policy
Vice Chancellor, Information Technology
Contents: I. Background/Introduction; II. Definitions; III. Detailed Policy Statement; IV. Exceptions; V. Policy Authority; VI. Getting Help; VII. Related Policies and References; Appendix A: IS-3 Requirements
I. Background/Introduction
UC Business and Finance Bulletin IS-3, Electronic Information Security, requires all UC campuses to "establish minimum standards for devices connected to their networks." IS-3 also identifies certain standards that all campuses must address, at a minimum. This policy applies to all devices connecting to the campus network. It is intended to comply with IS-3 and to ensure the availability, reliability, and security of UCSC's electronic resources.
II. Definitions
A glossary of selected terms used in this document is available at http://its.ucsc.edu/policies/glossary.html
III. Detailed Policy Statement
All devices, regardless of location or ownership, must satisfy the following minimum network connectivity requirements, as appropriate, before connecting to the campus network. Devices known to be vulnerable, to present a security risk, or to be infected with malicious software must not be connected to the campus network or to devices on the campus network. Devices that do not meet these requirements, and devices found to be disruptive to the operation of the campus network, are subject to being blocked or disconnected from the campus network according to UCSC's Procedures for Blocking Network Access. Individuals are also subject to the provisions of the Policy for Acceptable Use of UCSC Electronic Information Resources and, for students using UCSC's residential networks, the Resnet Responsible Use Policy.
Please note that these are minimum requirements only. Additional requirements apply to systems that contain or access restricted data. Units, departments or Information Technology Services (ITS) may elect to apply more stringent standards and/or guidelines, where consistent with IS-3 and the UC Electronic Communications Policy.
Minimum Network Connectivity Requirements
A. UC Requirements
The "Minimum Requirements for Network Connectivity" in Section IV of IS-3 are required at UCSC. These requirements are included below in Appendix A, which is subject to revision in response to updates to IS-3. In the event that Appendix A and IS-3 do not agree, IS-3 is controlling.
B. UCSC Requirements
2. Security Audit Agents: Service Providers may require that computers run a security audit agent as a condition for attaching to the campus network.
V. Policy Authority
The campus Vice Chancellor, Information Technology, on behalf of the Office of the Chancellor and the Office of the Campus Provost and Executive Vice Chancellor (CP/EVC), is the campus authority for UCSC's Minimum Network Connectivity Requirements Policy. This policy was initially reviewed and approved by the CP/EVC on 3/4/2009. The last update was May 2015. The next review date is May 2020.
VI. Getting Help
Guidance regarding the implementation of these requirements is available online at http://its.ucsc.edu/security/stay-secure.html
VII. Related Policies and References
University of California
- UC Business and Finance Bulletin IS-3, Electronic Information Security
- UC Electronic Communications Policy
University of California, Santa Cruz
- Procedures for Blocking Network Access
- Policy for Acceptable Use of UCSC Electronic Information Resources ("Acceptable Use Policy")
- Resnet Responsible Use Policy
- ITS' Restricted Data Resources Web Page (for definitions, tools and data protection information)
- UCSC Password Policy
- UCSC Password Strength and Security Standards
Appendix A: IS-3 Requirements
Minimum Requirements for Network Connectivity
from UC Business and Finance Bulletin IS-3, Electronic Information Security, Section IV
Note: Appendix A is subject to revision in response to updates to IS-3. In the event that Appendix A and IS-3 do not agree, IS-3 is controlling.
IS-3 Section IV: Minimum Requirements for Network Connectivity
A. Access Control Measures
to allow only authorized individuals access to networked devices.
Typical current access control measures are passwords (see IS-3 section III.C.2, Technical Controls). Shared-access systems must enforce password or other authorization/authentication standards whenever possible and appropriate. Where network-accessible devices ship with default passwords, those passwords should be changed upon first use.
B. Encrypted Authentication
to protect against surreptitious monitoring of passwords.
Suitably strong encryption shall be employed when passwords are transmitted over a network. Network traffic may be surreptitiously monitored, rendering cleartext authentication mechanisms vulnerable to compromise. Encryption-capable services, such as SSH, SFTP, SCP, SSL, HTTPS, POPS, and IMAPS, may be used to meet this requirement.
C. Patch Management Practices
to ensure timely update of security patches.
Networked devices shall run versions of operating system and application software for which security patches are made available, and these should be installed in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications following campus exception procedures. Implementation of additional measures may be required when exceptions are granted.
D. Malicious Software Protection
to protect networked devices from malicious software, such as viruses, spyware, and other types of malware.
When readily available and as appropriate for specific operating systems, software to detect viruses and other malware shall be running, up to date, and have current virus definition files installed on all networked devices.
E. Removal of Unnecessary Services
to prevent surreptitious use of services not needed for the intended purpose or operation of the device.
If a service is not necessary for the intended purpose or operation of a device, it shall not be running on that device; such services should be disabled, turned off, or removed.
F. Host-based Firewall Software
to limit network communications to only those services that require access to the network.
When readily available for specific operating systems, host-based firewall software shall be running and configured to limit network communications to only those services that require network access.
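Items B, E and F are checked most directly by looking at what a host actually listens on. The following is an added example, not text or code from IS-3 or from the UCSC policy: it parses Linux `ss -Hltnp` output (a constructed sample is embedded, not a capture from a real host), ignores loopback-only listeners since they carry no network communication, flags well-known cleartext-authentication ports (FTP, Telnet, POP3, IMAP) under item B, flags every network-reachable listener whose port and process are not on a hypothetical per-host allowlist under items E and F, and emits the `ufw` commands that would admit only the allowlisted ports. The allowlist contents and process names are assumptions for illustration. One caveat on item B as quoted: the "SSL" it names refers to protocol versions that have since been deprecated; current deployments meet the requirement with TLS.

```python
"""Audit listening TCP sockets against IS-3 items B, E and F.

Added example; not part of the UCSC policy or of IS-3. Input is the
output of `ss -Hltnp` (listening TCP sockets, numeric, no header, with
owning process; process names need root). The sample is constructed.
"""
import re
from ipaddress import ip_address

# Constructed sample of `ss -Hltnp` output. Fields: State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port Process.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1200,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 100 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=300,fd=4))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=450,fd=3))
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:* users:(("x11vnc",pid=2100,fd=7))
"""

# Hypothetical per-host allowlist: port -> process names permitted to
# listen on it. This is local policy input; IS-3 does not define it.
ALLOWLIST = {22: {"sshd"}, 80: {"nginx"}, 443: {"nginx"}}

# Well-known ports whose standard protocols carry passwords in the clear
# (item B). Encrypted alternatives: SSH/SFTP, POP3S, IMAPS.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output):
    """Return (address, port, process) for each LISTEN line in ss output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:22 too
        match = _PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        listeners.append((addr.strip("[]"), int(port), proc))
    return listeners


def is_loopback(addr):
    """True for 127/8 and ::1. '*', 0.0.0.0 and :: mean all interfaces."""
    addr = addr.split("%")[0]            # drop an interface suffix like %lo
    if addr in ("*", ""):
        return False
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(output, allowlist):
    """Findings (port, process, address, items) for network-reachable
    listeners that break item B or items E/F; loopback-only is skipped."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if is_loopback(addr):
            continue                     # no network communication
        items = []
        if port in CLEARTEXT_AUTH_PORTS:
            items.append("B")
        if proc not in allowlist.get(port, set()):
            items.append("E/F")
        if items:
            findings.append((port, proc, addr, tuple(items)))
    return sorted(findings)


def ufw_rules(allowlist):
    """ufw commands admitting only the allowlisted TCP ports (item F)."""
    return ["ufw default deny incoming"] + [
        f"ufw allow {port}/tcp" for port in sorted(allowlist)]


if __name__ == "__main__":
    for port, proc, addr, items in audit(SAMPLE_SS_OUTPUT, ALLOWLIST):
        print(f"{addr}:{port} {proc}: violates IS-3 item(s) {', '.join(items)}")
    print("\n".join(ufw_rules(ALLOWLIST)))
```

On a live host, replace the sample with `subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True).stdout`; UDP listeners (`ss -Hlunp`) need the same treatment and are left out here only for brevity.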
G. Authenticated Email Relay
to prevent unauthorized third parties from relaying email messages.
Devices shall not provide an active SMTP service that allows unauthorized individuals to send or relay email messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user.
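The test in item G (neither sender nor recipient is local) is easy to state and easy to get wrong, because an unauthenticated MAIL FROM is a claim, not a fact: a relay that trusts a local-looking sender address is still open to anyone who forges one. The following added example, not code from IS-3 or from the UCSC policy, encodes the decision for one envelope recipient in two modes, the literal IS-3 test and a hardened form that relays outbound mail only for authenticated clients, and runs both over constructed envelopes. The domains and addresses are hypothetical.

```python
"""SMTP relay decision implementing IS-3 item G.

Added example; not part of the UCSC policy or of IS-3. Domains and
envelopes below are constructed for illustration.
"""

# Hypothetical domains for which this server is the final destination.
LOCAL_DOMAINS = {"example.edu", "mail.example.edu"}


def domain_of(address):
    """Lowercased domain of an envelope address such as '<user@host>'.
    Returns '' for the null sender '<>' or a malformed address."""
    local_part, sep, domain = address.strip().strip("<>").rpartition("@")
    return domain.lower() if sep and local_part else ""


def is_local(address, local_domains=LOCAL_DOMAINS):
    """True if the address belongs to a domain this host delivers for."""
    return domain_of(address) in local_domains


def relay_decision(mail_from, rcpt_to, authenticated, strict=True,
                   local_domains=LOCAL_DOMAINS):
    """Return (accept, reply) for one RCPT TO command.

    strict=False applies the literal IS-3 test: refuse only when neither
    sender nor recipient is local. strict=True also refuses to relay for
    an unauthenticated client when only MAIL FROM looks local, since the
    sender address is unverified and trivially forged.
    """
    if is_local(rcpt_to, local_domains):
        return True, "250 OK local recipient, inbound delivery"
    if authenticated:
        return True, "250 OK authenticated client, outbound relay"
    if not strict and is_local(mail_from, local_domains):
        return True, "250 OK local sender (unverified), outbound relay"
    return False, "554 5.7.1 Relay access denied"


# Constructed envelopes: (MAIL FROM, RCPT TO, client authenticated?).
ENVELOPES = [
    ("<alice@partner.example.com>", "<bob@example.edu>", False),      # inbound mail
    ("<bob@example.edu>", "<alice@partner.example.com>", True),       # authenticated outbound
    ("<spam@attacker.example.net>", "<victim@elsewhere.example.org>", False),  # relay probe
    ("<bob@example.edu>", "<victim@elsewhere.example.org>", False),   # forged local sender
    ("<>", "<postmaster@example.edu>", False),                        # null-sender bounce
]


def classify(envelopes, strict=True):
    """Accept/reject verdict for each envelope, in input order."""
    return [relay_decision(f, r, a, strict)[0] for f, r, a in envelopes]


if __name__ == "__main__":
    for mail_from, rcpt_to, auth in ENVELOPES:
        for strict in (False, True):
            ok, reply = relay_decision(mail_from, rcpt_to, auth, strict)
            mode = "strict " if strict else "literal"
            print(f"[{mode}] {mail_from} -> {rcpt_to} auth={auth}: {reply}")
```

The fourth envelope is the one that separates the two modes: it satisfies the letter of item G because the claimed sender is local, yet nothing in the session proved that claim, so the strict mode rejects it. Real MTAs express the same rule as "accept mail for my domains; relay only for authenticated or explicitly trusted clients".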
H. Authenticated Network Proxy Servers
to prevent unauthorized access to Internet-based Resources.
Network proxy servers should employ authentication to protect devices that allow unauthenticated access from UC locations. Although properly configured unauthenticated proxy servers may be used for valid purposes, unauthenticated proxy servers may enable an attacker to execute malicious programs from the server in the context of an anonymous user account or allow unauthorized access to licensed Resources.
I. Session Timeout
to prevent unauthorized access to restricted or essential services or devices left unattended for an extended period of time.
Devices that access restricted and/or essential services that are left unattended for an extended period of time shall employ measures, such as session timeout or lockout mechanisms, that require re-authentication before users return to interactive use. Devices that host confidential or critical information may be subject to additional requirements.