The purpose of this policy is to outline the requirements and procedure to request exceptions to firewall rules which secure the Mont Alto data network. These rules are in place to protect the employee and the confidentiality and integrity of data transmitted via the Mont Alto campus data network. Exceptions without proper precautions may expose the Mont Alto campus to a higher level of risk including virus attacks, compromise of network systems and services, and possible litigation.
This policy applies to employees, students, contractors, consultants, temporaries, and other workers at the Mont Alto campus, including all personnel affiliated with third parties and other university departments and locations. This policy applies to all electronic equipment that is connected to the Mont Alto campus data network.
Device – A computer, electronic tool or communication apparatus with the ability to connect to a data or communication network.
Internet – A worldwide system of interconnected computer networks.
Firewall – An electronic device used to monitor and inspect data transmission traveling between data networks (e.g., the Internet and the Mont Alto data network). Based on a programmed rule set managed by the campus ITS department, the firewall will either allow or disallow traffic with the aim of preventing unauthorized access to the campus private data network.
VPN (Virtual Private Network) – A technology used to allow a user or network to connect in a secure and virtual manner via open or public communication channels. A VPN grants a remote user (e.g., working from home) secure access to local network services as if he/she were sitting in his/her office.
IP Address – A unique network address assigned to a device connected to a network.
Mont Alto Data Network – The technology infrastructure, hardware, and software installed at the campus which is used to facilitate the flow of digital information between (but not limited to) personal computers, printers, servers, the Internet, etc.
It is recognized that a firewall can restrict certain activities on the network and the Internet at large that are necessary to conduct the teaching, research, and outreach functions of the University. Thus, the following policy establishes requirements and guidelines that must be met before exceptions are granted to a firewall protecting individual computers, groups of computers, or servers:
- All exception requests must be made by a system administrator.
- The computer(s) must be administered by a professional information technology staff person and/or a system administrator who has read the campus “Server Security Policy” and has signed an “End-User Computer Agreement.” The purpose is to provide campus and departmental servers the accessibility they need to provide their intended services. Ad hoc, personal, or research servers should make use of departmental, college, or University resources whenever possible rather than solicit an exception. Dedicated appliances or servers that cannot be incorporated into the aforementioned services provided by the department, college, or University due to technical reasons will be reviewed on a case-by-case basis.
- Security patches must be installed in a timely fashion (as soon as possible, but not to exceed one week after release by the vendor) by the system administrator. The only exception would be if the patch prevents the proper function of installed software and no satisfactory work-around can be found. Occasionally, the College staff will check computers granted exceptions to ensure that the latest security patches have been installed.
- A computer will be disconnected from the network if a security incident occurs, and the port(s) granted the exception will be closed until the computer again complies with items 1 and 2 above.
Exception process – Any exception requested for a given device must be thoroughly researched by the department making the request, both for the necessity of the exception and for the security risks associated with granting it. Upon approval by the department, a request must be made to the campus Information Technology Services (ITS) department via email ([email protected]). Any such request will be reviewed by the Mont Alto ITS department and either adopted for the department or for the campus as a whole, or denied based on the security risks associated with adopting the exception.
When a system administrator submits a request for exception, the following information should be included:
- The specific need for the exception and port(s) to be opened with justification for each.
- The Internet name (FQDN) and IP address of the computer(s) for the exception.
- The name, phone number, and email address of the person responsible for the system administration of the computer(s). If staffing changes leave an excepted server unmanaged the exception(s) may be removed if an unreasonable security risk arises from the system remaining unmanaged.
- Security measures in place on the system including password policy, auditing policy, antivirus software (if any), and any additional security related software and/or settings of the machine.
- A statement to the effect that the owner of the computer(s) “understands that the computer(s) or server will be disconnected from the network and the port(s) granted the exception will be closed if a security incident occurs involving the computer or server. As the system administrator of the computer or service, security and operating system patches must be installed as prescribed by campus policy.”
Exceptions may not be granted for a request if the ITS staff considers the proposed exception too vulnerable to attack, or if it involves operating systems and applications without a proven record of adequate security.
If the security measures in place on the system are reduced after an exception has been granted, the exception can be immediately rescinded.
Other policies that should also be referenced:
AD20 – Computer and Network Security
PSU-MA-ITS-000 – End User Computer Agreement
PSU-MA-ITS-004 – Acceptable Use and Security Policy
PSU-MA-ITS-005 – Password Policy
PSU-MA-ITS-006 – Anti-Virus Policy
PSU-MA-ITS-008 – Server Security Policy
Ratified June 5, 2009
January 5, 2016 - Updated version ratified by Administrative Council