August 2019
Department: Information Security
Document ID: 05.3.0
June 2022
Department: Information Security
Document ID: 05.3.3
Proprietary Statement
This document was developed specifically for and by Christopher Newport University. The concepts and methodologies contained herein are proprietary to Christopher Newport University. Duplication, reproduction, or disclosure of information in this document without the express written consent of Christopher Newport University is prohibited.
All Trademarks, Registered Trademarks, Service Marks, and brand and product names used in this document are the property of their respective owners.
© Copyright 2020 Christopher Newport University. All rights reserved.
Review and Revision History
Date | Version | Description of Change (Affected Sections) | Author |
August 2019 | 1.0 | Initial Release - All | Wendy L. Murray |
August 2020 | 1.1 | Annual Review | Wendy Corrice |
April 2021 | 1.2 | Annual Review | Wendy Corrice |
June 2022 | 1.3 | Annual Review | Wendy Corrice |
TABLE OF CONTENTS
Introduction
Purpose
Scope
Standards Statement
Procedures
Exceptions
References
Review
In accordance with the Christopher Newport University Acceptable Use Policy, all systems owned or managed by the University must be adequately protected to ensure confidentiality, integrity, availability and accountability of such systems. Firewalls may be used to establish a perimeter between the University network and the public Internet, or within the University to maintain segmentation between the networks.
The purpose of this standard is to establish a uniform set of standards for implementing and maintaining established network firewall policies, including, but not limited to, defining network security zones within the University’s network and the type and nature of traffic that will be allowed or denied access to those zones. It is also intended to maintain the stability of the network and increase the security for identified resources.
These standards cover the configuration of the Christopher Newport University network and network firewalls.
The University network must be protected from malicious Internet traffic. Information Technology Services (ITS) will minimally restrict traffic at the connection points between the University and the Internet. Restrictions will be based on current guidance from authoritative sources, such as the SANS/FBI Top 20 Internet threats list, and from historical knowledge of common avenues of attack.
Network architecture decisions are made after careful evaluation of network performance, business rules and requirements, and the protective value of the institutional assets involved. Actions are taken in the best interest of the overall security and performance of the network.
The University network employs methods to manage and improve security through logical and physical segregation. Groups of users and information systems are segregated on the network.
Controls are applied to the network based on system security, timing, operational impact, and funding limitations.
Access to network resources is segmented into user and system domains and access is authorized on a necessity basis only after a valid business reason is determined and approved. Security controls are placed on many shared access segments to mitigate the spread of malicious traffic.
ITS is responsible for the installation or coordination of network cabling at Christopher Newport University. All communication cabling activities are required to meet code for the locality involved. ITS uses industry standards according to quality of service criteria. Cabling is best viewed as a component of the building infrastructure. Its design and management must be considered in context with the long-term requirements of the campus.
Users are prohibited from altering or otherwise extending the campus network. All network connectivity is coordinated through ITS. Only authorized personnel have access to campus wiring closets.
In-house or third-party network service agreements must include detailed requirements for security compliance, service levels, and management requirements. Users are required to follow the Acceptable Use of Computing Resources Policy when using the University’s network and other technology resources.
All equipment and applications within this scope will be administered by the ITS Infrastructure team.
“This system is the property of the Commonwealth of VA.
Only persons authorized shall be allowed access to this system.
Those permitted access shall use this system ONLY for purposes
for which they have been authorized. ALL access and usage on
this system is logged. ANY unauthorized access, use, or abuse of
this system or the information contained therein shall be reported
to appropriate authorities for investigation and prosecution to the
fullest extent of the law.”
Exceptions to this standard will be handled on a case-by-case basis with the approval of the Information Security Officer.
VITA ITRM Information Security Standard (SEC501)
ITS Managed Network Infrastructure Standard
Next Review Date: June 2023