BX:Network Security Policy
From CCGB
Revision as of 14:46, 7 October 2010 by Phalenor
Devices connected to The Center for Comparative Genomics and Bioinformatics (CCGB) network (BX) and the users of those devices must comply with University Policies AD-20, AD-23 and AD-53. In addition, the CCGB has the following policy regarding network devices:
- To comply with University Policy and with State and Federal law, CCGB/BX IT staff must be able to trace a device's network activity to an individual user. Accordingly, the following requirements apply, depending on how the device connects:
- 802.1X - If the device authenticates to the network via 802.1X, the user credentials used to log in are considered the "user of record" for all activity generated by the device while it is connected.
- MAC-based - If the device uses an unauthenticated connection (one permitted on the basis of its MAC address or other hardware address):
  - Users must be required to log in to the device with both a username and a password.
  - Every user of the device must have a separate username/login and password. Users must not share their user ID or password with anyone.
  - Shared or "group" accounts are permitted only when they comply with the group account policy specified in University Policy AD-20.
  - The device must keep a log of logins and logouts that records at least the username and the date/time of each event, and that log must be retained for at least one year.
  - When the device is registered with BX IT staff, the MAC address of the device must be provided together with contact information for the primary users, the designated Custodian, and/or the designated System Administrator for the device.
  - In the event of a security incident, if the device's System Administrator cannot produce the required usage records (the login/logout logs) on demand, the contact information of the designated Custodian and System Administrator will be given to the security investigators for the case, and the device will be permanently barred from connecting to the BX network. Other devices under the care of the same System Administrator will also be checked, and barred if they are found to be out of compliance with this policy.
- It is recommended, but not required, that the Device be integrated with the rest of the central BX infrastructure, where it will be properly and securely maintained in accordance with this policy.
- Where applicable, the Device must have Anti-virus software installed and configured to obtain automatic updates. The Anti-virus software must also be enabled and active before it will be allowed to connect to any network.
- Where applicable, the Device must be configured to obtain OS updates automatically.
- AD-20 states that any Device connected to the BX network may be investigated for violations of University Policy or Law whether it is owned by the University or a Private Citizen. During an investigation, the College or University may search and/or seize a Device regardless of ownership. Owners who object to this requirement are discouraged from connecting private Devices to the network.
- The University is concerned about intellectual property rights. The BX network is maintained to best support the teaching and research missions of the CCGB and the University. Use of peer-to-peer (P2P) file sharing software should be limited to occasions where it supports the mission of the University. Any device found participating in an unauthorized P2P network may be disconnected from the network without prior notice. Any violations of intellectual property rights discovered during routine maintenance will be reported to ITS Security Operations and Services (SOS).
- Violations of these policies may result in any of the following without prior notice to the user:
- Referral to Judicial Affairs or Human Resources
- Limitation of access to some or all BX and University IT services.
- Initiation of Legal action by the University.
- Requirement of the violator to provide restitution for any improper use of service.
- Disciplinary Sanctions, which may include dismissal.
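The MAC-based requirements above oblige a System Administrator to produce, on demand, a login/logout record that names the user and the date/time of each event and that reaches back at least one year. The following script is an added example, not part of the CCGB policy or of any BX tool: it shows how an administrator might self-check such a log before an incident forces the question. The one-event-per-line text format it reads (`<ISO-8601 time> <login|logout> <username> [source]`) is a hypothetical format chosen for this example; the policy only dictates which fields must be present, not how they are stored. The sample log lines are constructed.

```python
"""Self-check for the BX login/logout log requirement (added example).

Hypothetical log format, one event per line:
    <ISO-8601 timestamp> <login|logout> <username> [source address]
The policy requires username and date/time per event and one year of
retention; the checks below verify exactly that and also answer the
attribution question: who was logged in at a given instant?
"""
from datetime import datetime, timedelta, timezone

REQUIRED_RETENTION = timedelta(days=365)

# Constructed sample log (not real data). One malformed line is included
# so the parser's rejection path is exercised.
SAMPLE_LOG = """\
2009-09-01T08:12:00+00:00 login alice 10.0.0.5
2009-09-01T17:40:12+00:00 logout alice
2010-03-15T09:00:00+00:00 login bob 10.0.0.9
2010-03-15T09:02:30+00:00 logout bob
2010-10-06T14:46:00+00:00 login alice 10.0.0.5
this line is garbage and should be rejected
2010-10-06T15:00:00+00:00 login carol
"""


def parse_events(text):
    """Parse log text into event dicts.

    Returns (events, bad_line_numbers). A line is rejected if it lacks a
    parseable timestamp, a login/logout keyword, or a username, i.e. if
    it could not satisfy the policy's minimum fields.
    """
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("login", "logout"):
            bad.append(lineno)
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            bad.append(lineno)
            continue
        if ts.tzinfo is None:          # treat naive timestamps as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        events.append({
            "time": ts,
            "event": parts[1],
            "user": parts[2],
            "source": parts[3] if len(parts) > 3 else None,
        })
    return events, bad


def retention_ok(events, now):
    """True if the log demonstrably covers a full year before `now`,
    i.e. its oldest record is at least REQUIRED_RETENTION old."""
    if not events:
        return False
    oldest = min(e["time"] for e in events)
    return now - oldest >= REQUIRED_RETENTION


def users_of_record(events, at):
    """Set of usernames logged in at instant `at`.

    Replays login/logout events in time order up to and including `at`;
    this is the set an investigator would attribute activity to.
    """
    active = set()
    for e in sorted(events, key=lambda e: e["time"]):
        if e["time"] > at:
            break
        if e["event"] == "login":
            active.add(e["user"])
        else:
            active.discard(e["user"])
    return active


if __name__ == "__main__":
    evs, bad_lines = parse_events(SAMPLE_LOG)
    now = datetime(2010, 10, 7, 14, 46, tzinfo=timezone.utc)
    print(f"parsed {len(evs)} events, rejected lines: {bad_lines}")
    print("one-year retention satisfied:", retention_ok(evs, now))
    when = datetime(2010, 10, 6, 15, 30, tzinfo=timezone.utc)
    print(f"users of record at {when.isoformat()}: {users_of_record(evs, when)}")
```

Note that `retention_ok` only proves the log reaches back a year; it cannot prove nothing was deleted in between, so a log that is rotated or truncated in the middle would still need a separate integrity check.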