NET-S008 Network Physical and Remote Access Control

1.0    SCOPE:  
1.1    This Standard describes the mechanisms used to control physical and remote access to the University network and network components.

2.0    RESPONSIBILITY:  
2.1    Director of Network Services

3.0    APPROVAL AUTHORITY:
3.1    Chief Information Officer

4.0    DEFINITIONS:
4.1    TeamDynamix: is the IT Service Management System used by OIT to manage customer requests and other forms of OIT data.
4.2    Main Distribution Frame (MDF): serves as a core hub for the building to which all other data closets are connected forming a physical hub and spoke or star topology.
4.3    Intermediate Distribution Frame (IDF): serves as a distribution point to which all end-points in the geographic area link back to for the purpose of passing network traffic to other areas of the building, campus or Internet.
4.4    Core Closet: serves as a distribution point to which a number of buildings connect for the purpose of sending/receiving traffic to and from other groups of buildings or the Internet.
4.5    University “A” key: The university has a master key that is refereed to as the “A” key. That key open’s a majority of doors throughout campus with a few exceptions. Access to “A” keys is determined and managed by Physical Plant.

5.0    Standard:
5.1    The majority of the network appliances are permanently housed within Core Closets or building data closets known as Main Distribution Frames (MDFs) or Intermediate Distribution Frames (IDFs). Physical locks are in place to limit access to those spaces. This standard addresses NCSR PR.AC-2 and PR.AC-4.
          5.1.1    Core Closets are to remain locked at all times. The only University staff that has access to the Core Closets are those who have been issued a university “A” key.
          5.1.2    The majority of building MDFs and IDFs will remain locked at all times. The only University staff that has access to the data closets are those who have been issued a university “A” key. Due to a lack of space, in some buildings, data closets are spaces that are shared with university departments outside of OIT. In those instances, a data closet may remain unlocked so that full-time employees and student workers can access appropriate materials stored within the space.
          5.1.3    Once a person has physical access to a network appliance, the ability to gain access and make configuration changes is controlled by username and password. On most appliances, there is a local administrator account. However, whenever possible, appliances will be configured to use Active Directory login accounts for the purpose of access. Determining which accounts have the privilege to access appliance configuration is manages using AD security groups. Only select personnel from OIT are allowed access. If a person has remote access to the university network, remote appliance configuration access is controlled with the same AD security groups.
5.2    On-premise and remote network access is controlled using a combination of services to include a firewall, Network Access Control appliance, Active Directory accounts, active directory security groups and pre-shared keys. This standard addresses NCSR PR.AC-3 and PR.AC-4.
          5.2.1    The majority of local WiFi control is accomplished using a NAC appliance and AD accounts/security groups. There are a couple scenarios where this was not possible and a pre-shared key is used. Access is restricted and privileges are determined by an individual’s active directory account type and status within the organization.
          5.2.2    Remote access to the university network is controlled using a Virtual Private Network (VPN) connection which is managed within the campus firewall. The firewall leverages AD accounts and security groups to determine access rights. Remote access is only provided to those who have been approved by the OIT security department which is accomplished using a TeamDynamics ticket request.

6.0    ASSOCIATED DOCUMENTS:
6.1    NCSR POAM

7.0    RECORD RETENTION TABLE:
 

8.0    REVISION HISTORY:
Date:    Rev.    Description of Revision:
2/1/2024        Initial Release
        

***End of Standard***