The online version of this policy is official. Therefore, all printed versions of this document are unofficial copies.
1.0 SCOPE:
1.1 This Standard outlines various best practices that OIT follows to protect the integrity of the data network infrastructure.
2.0 RESPONSIBILITY:
2.1 Director of Network Services
3.0 APPROVAL AUTHORITY:
3.1 Chief Information Officer
4.0 DEFINITIONS:
4.1 Network Access Control (NAC) appliances: a security solution that enforces policy on user accounts and devices that access networks to increase network visibility and reduce risk.
4.2 Sandbox: a testing environment that isolates untested code changes and outright experimentation from the production environment.
4.3 Baseline configuration: is used as a basis for future builds, releases, and/or changes.
4.4 Principle of least functionality: ensures that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system. (Provided by NIST)
4.5 Principle of least privilege: requires organizations to grant users and processes only the rights necessary to accomplish their assigned tasks and responsibilities. Excessive or unnecessary privileges should be avoided. (Provided by NIST)
4.6 Layer 1: is defined in the 7-layer OSI model. It refers to a family of protocols that defines the physical specifications of network communication hardware such as fiber and Ethernet cabling.
4.7 Layer 2: is defined in the 7-layer OSI model. It refers to a family of protocols that define how data is transferred between network nodes on the same local area network.
4.8 Segment or segmentation: is the splitting of a network into smaller subnetworks. (Provided by NIST)
4.9 Data Segregation: the process of separating certain sets of data from other data sets so that different access policies can be applied to those different data sets.
4.10 Virtual Local Area Network (VLAN): is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group.
4.11 Wide Area Network (WAN): a network that spans beyond a single building or large campus to include multiple locations spread across a specific geographical area, or even the world.
5.0 Standard:
5.1 To protect the integrity of the network, OIT attempts to segregate all development and testing activities in a manner that does not allow them to impact the production network. This standard addresses NCSR PR.DS-7.
5.1.1 For lower cost networking equipment such as switches, routers and access points, OIT carries extra inventory so that trial configurations can be tested outside of the production network.
5.1.2 For more expensive items such as firewalls, controllers and NAC appliances, OIT builds test sandboxes so that, even when using an in-production appliance, the configuration being tested is isolated and controlled so that it cannot affect the production network.
5.2 To protect the integrity of physical network appliances, OIT uses various methods of climate control to maintain appropriate heat and humidity levels within data closets and the data center. This standard addresses NCSR PR.IP-5.
5.2.1 OIT uses climate control measures to ensure the temperature of data closets do not exceed 80 degrees.
5.2.2 OIT uses climate control measures to ensure that a data closet does not become humid to the point that condensation occurs.
5.2.3 OIT conducts visual inspections of data closets during routine work in and around closets to ensure proper climate control is being maintained.
5.3 To ensure a consistent, reliable and secure configuration of networking appliances, OIT uses baseline configuration when preparing new devices for deployment. This standard addresses NCSR PR.IP-1.
5.4 To help maintain a secure network environment, OIT uses the principle of least functionality as a guide when developing base configurations. This standard addresses NCSR PR.PT-3.
5.4.1 Often, out of the box, devices have many features and configurations in place and running that are not needed by the organization. OIT will do its best to remove or disable such features as long as doing so does not reduce the effectiveness of the appliance.
5.4.2 OIT will not activate or add features that are not required by the University.
5.5 To ensure network efficiency, effectiveness and accessibility, OIT will ensure that adequate bandwidth to the Internet, data center and between buildings is maintained. Additionally, all networking appliances will have appropriate levels of RAM, processor, bandwidth and other necessary components to function in an acceptable manner. This standard addresses NCSR PR.DS-4.
5.5.1 OIT will periodically check bandwidth usage to the Internet. During the busiest time of the day, traffic should not routinely exceed 90% of the total capacity.
5.5.2 OIT will periodically check the hardware usage and capacity of all major networking appliances. If routine usage exceeds 90%, actions will be taken to increase a device’s capacity.
5.6 To ensure network efficiency, effectiveness and security, OIT will use Layer 1 and Layer 2 networking technologies to segment and segregate specific data types when appropriate. This standard addresses NCSR PR.AC-5.
5.6.1 OIT will use routed VLANs at Layer 2 to segment traffic between buildings or building groups to minimize the propagation of Layer 2 events.
5.6.2 OIT will use Security Zones to segregate risky data groups from the University’s primary network as needed.
5.6.3 OIT will use isolated WAN circuits to segregate and isolate traffic that’s deemed too risky to be on university infrastructure.
6.0 ASSOCIATED DOCUMENTS:
6.1 NCSR POAM
7.0 RECORD RETENTION TABLE:
Identification | Storage | Retention | Disposition | Protection
NA | NA | NA | NA | NA
8.0 REVISION HISTORY:
Date: Rev. Description of Revision:
1/31/2024 Initial Release
***End of Standard***