
Section: 135-3
Effective: 1/17/2012
Supersedes: 4/15/2010
Issuing Office: Administrative Computing & Telecommunications (ACT)


NETWORK SECURITY

  1. REFERENCES & RELATED POLICIES

    1. Federal & State Regulations

      California Public Records Act (1976)

      California State Assembly Bill (AB) 1298 (2007)

      California State Assembly Bill (AB) 1950 (2004)

      California State Senate Bill (SB) 1386 (2003)

      Confidentiality of Medical Information Act

      Electronic Communication and Privacy Act of 1986

      Federal Family Educational Rights and Privacy Act of 1974 (FERPA)

      Federal Privacy Act of 1974

      Federal Information Security Management Act of 2002 (FISMA)

      Health Insurance Portability and Accountability Act of 1996 (HIPAA)

      Health Information and Technology for Economic and Clinical Health (HITECH) Act (2009)

      State of California Penal Code, Section 502, Chapter 858, relating to Computer Crime

    2. University of California Policies and UC San Diego Campus Regulations Applying to Campus Activities, Organizations, and Students

    3. Business and Finance Bulletin IS-3: Electronic Information Security

    4. University of California Electronic Communications Policy

    5. Policy and Procedure Manual (PPM)

      160-2 Disclosure of Information from Student Records

      460-5 Reporting and Investigating Improper Governmental Activities, Misuse of University Resources, Fraud, and Other Financial Irregularities

      480-1A Information Within Word Processors, Personal Computers

      480-1B Personal Computer Backup

      480-3 Responsibilities and Guidelines for Handling Records Containing Information About Individuals

      510-1 Use of University Properties

      Other PPM references include those dealing with academic, student, and staff discipline, and use of University equipment for personal financial gain.

    6. Personnel Policies for Staff Members

      62 Corrective Action – Professional and Support Staff (Systemwide)

      62 HR-S-1 Corrective Action – Professional and Support Staff (UCSD)

  2. PURPOSE

    This document sets forth a security policy for the UCSD data communications network that will preserve network integrity and protect the information assets of network users.

    Other University policies also apply to the operation of the campus network. Relevant policies are mentioned under References above.

  3. AUTHORITY

    Jurisdiction of this policy is under the auspices of Administrative Computing and Telecommunications (ACT). Questions concerning this policy should be referred to computingpolicies@ucsd.edu.

  4. DEFINITIONS

    A user is any individual who makes use of the network.

    A username is a network user's personal identifier. Depending on the computer system this identifier may be variously known as the Active Directory username, network user name, Business Systems username, Kerberos principal, or account name.

    A sponsor is an organization or individual who provides verification of a user's need for network services and their affiliation to the campus.

    The UCSD Backbone network consists of routers, switches, and cabling that make up the node-to-node campus network backbone, not including building distribution equipment.

    The UCSD Production network is all data networking at UCSD that permits data to flow over building distribution networks, the UCSD backbone, or a connection to an outside network.

    The UCSD Data Communications Network encompasses both the Production network and all other data networks that may exist at UCSD (e.g. experimental and research networks).

    Networking equipment is equipment that provides routing, repeating or switching functions on a wired or wireless network, including routers, switches, wireless access points, hubs, and computers that provide any of these services for a network segment.

    Data equipment is equipment capable of generating binary data on a wired or wireless network, including, but not limited to, desktop computers, servers, IP phones, printers, PDAs, netbooks, tablets, smart phones, laptops, and IP-based FAX machines.

    A server room is a room where six or more ports are dedicated to servers providing file storage, email, Web and/or other computing services. Ports in server rooms are typically provided by a switch that is owned and managed by the department and has been approved by ACT in advance of purchase.

    Core network services are services such as Active Directory, RADIUS, VPN, DHCP and DNS that facilitate network use by attached data and networking equipment, and that are offered beyond the local switched segment.

    Restricted network services are those from which an authorized user may make modifications to data, initiate connections to other networks, or which have data with sensitive or secure content.

    Unrestricted network services are those that provide read-only access to publicly available network services.

  5. POLICY

    Information is a principal asset of UCSD and must be protected from unauthorized modification, destruction or disclosure, whether accidental or intentional. The UCSD Data Communications Network must therefore be kept secure, as it is essential to the transmission of information. The level of protection on the Network must be high enough to ensure that the most sensitive information traversing it is protected while still allowing free access to public information.

    The security of the UCSD Data Communications Network, as a shared resource, is the responsibility of all network participants. Primary responsibility for the security of the production network rests with the IT Infrastructure group of Administrative Computing and Telecommunications (ACT). All other managers of a segment of the network (including managers of networks not directly connected to the UCSD Production network) are also responsible for maintaining the security of their segment.

  6. PROCEDURES

    1. Sponsorship

      A network user will have at least one sponsor. All campus users of the network will have an organization to act as a sponsor; in most cases this will be the individual's home department. Students are sponsored by their college. UCSD sponsors limited guest wireless access to the network, which may be revoked or limited for violations of Minimum Network Connection Standards (Exhibit B). Non-UCSD users of restricted services must find a sponsor within UCSD. Authorization to use services on a network device is granted by the operator of the service who may also be a sponsor. Sponsors have the responsibility of ensuring sponsored users meet all applicable policies, including Minimum Network Connection Standards.

    2. User Agreement

      All users of restricted network services are bound by the University of California Electronic Communications Policy. Key provisions include:

      The user agrees to behave in an ethical manner and will be responsible for his or her own actions. Under California State Law any person who maliciously accesses, alters, deletes, damages or destroys any computer system, network, computer program or data is guilty of a felony.

      The user understands that the network is a shared resource and will not intentionally take actions that will interfere with the operation, integrity or security of the network.

      The user will not provide access to third parties without the approval of a sponsoring organization.

      The user understands that network traffic and files may be subject to search under court order. In addition, system administrators may monitor network traffic or access user files as required to protect the integrity of the computer network.

      The user understands that access to the network may be temporarily suspended during maintenance and that UCSD will not be liable for damages due to a failure of some network service or due to a breach of security.

      The user should understand that misuse of networking resources may result in the loss of privileges. Additionally, misuse can be prosecuted under applicable statutes. The user may be held accountable for his/her conduct under any applicable University or campus policies, procedures, or collective bargaining agreements. Complaints alleging misuse of network resources will be directed to those responsible for taking appropriate disciplinary action.

    3. Network Infrastructure

      Any wired or wireless networking equipment connected to the UCSD Backbone network must be approved and/or operated by ACT/IT Infrastructure.

      Network services and networking equipment connected to the UCSD Production network must be approved by ACT/IT Infrastructure; the process of obtaining approval should begin before purchase of said equipment. Such equipment and services must conform to current NGN standards and will be operated by ACT/IT Infrastructure except where special approval is granted, as in the case of server room switches (see IV Definitions, server room). All such equipment must provide routing and access control technology to enable separation of connected segments for security and bandwidth control purposes that meet current campus standards at the time of installation. Installation of networking equipment to avoid the expense of additional wall jacks is not likely to be approved, nor is any network equipment to support end user connections.

      Note that ACT/IT Infrastructure provides network firewalls for most UCSD departments or units. Under special circumstances when centrally-provided services are unable to meet these needs, department-installed network firewall devices may be approved under the following rules:

      • Each such device must be pre-approved and properly registered with ACT/IT Infrastructure, including the name of a technical contact for the device,

      • ACT/IT Infrastructure will be kept informed of current traffic-filtering rules in place on each such device,

      • Firewall devices must not be used to obscure downstream hosts (i.e. no NAT),

      • Department-installed firewalls will *not* be managed or maintained by ACT/IT Infrastructure.

      All networking equipment must be registered with ACT/IT Infrastructure, meet all applicable Minimum Network Connection Standards (see Exhibit B), permit login access by ACT Data Communications network personnel and be located in areas inaccessible by the general public, secured behind locked doors, or monitored by staff.

    4. Network Connectivity

      Anyone wishing to attach a new piece of data equipment to the UCSD Production network will contact ACT/IT Infrastructure prior to doing so and follow the appropriate ACT/IT Infrastructure registration procedures. Any attempt to change connectivity by the introduction of new protocols or new physical or logical links will be subject to review by ACT/IT Infrastructure.

      Any piece of data equipment attached to the UCSD Production network is bound by this policy and its owner is subject to the policies listed in Section I, References and Related Policies. (See Exhibit B, "UCSD Minimum Network Connection Standards".)

      Departments should, wherever possible and with ACT assistance, logically divide their networks between administrative, research, instruction, or business activities. In addition, those networks should be further subdivided by security profile, such as external-facing servers, internal-facing servers, and clients. This allows for the best combination of performance and security.

    5. Service Provision

      Providers of network services (e.g. file/print, VPN, proxy, Web services) will provide them in a manner that is consistent with good facility management; network security is a function of the network participants. The Minimum Network Connection Standards (Exhibit B) pertaining to the specific classification of server must be followed. Providers of restricted network services will ensure that all applicable policies and guidelines (e.g. Business and Finance Bulletin IS-3) for access security are followed.

      Services shall not interfere with other services on the network.

      Services offering access to non-public University resources (network bandwidth, restricted-access materials, etc.) will authenticate users in accordance with the terms of use of the resource.

      Organizations will designate a Technical Contact (a person or group of people) to be used in the event of questions or concerns about a device. It is the organization’s responsibility to keep its contact data current with ACT/IT Infrastructure.

    6. Monitoring, Scanning and Blocking

      ACT/IT Infrastructure monitors traffic on the network for the purpose of maintaining proper network function. By extension, traffic generated by users of computer systems on the network is also monitored. In addition, ACT/IT Infrastructure uses automated tools to proactively scan network-attached devices for vulnerabilities that, if left unaddressed, could allow those devices to be compromised and further damage the network.

      ACT/IT Infrastructure practices proactive blocking. Network devices that are identified as being vulnerable to or having suffered a security breach will be removed from the network at the discretion of ACT/IT Infrastructure until the problem is resolved. Actions taken for the purposes of circumventing such a removal are not acceptable. Devices may be blocked even when this will impact devices served by the device in question; security of the campus network is paramount.

      Network services having vulnerabilities that are known to pose a significant threat to campus network security may be blocked on the network at the discretion of ACT/IT Infrastructure. Solutions will be available to allow access to blocked services by authorized remote users. Exceptions to service blocks for individual machines may be granted where circumstances dictate. (See Exhibit A, "Network Service Port Blocking")

      Any device or equipment that interferes with the campus wired or wireless network, including, but not limited to, devices creating radio interference and unauthorized wireless access points, will be removed from the network at the discretion of ACT/IT Infrastructure unless ACT/IT Infrastructure has consented in advance to such interference. ACT will attempt to notify the person/group responsible, but if ACT is unable to make contact quickly, the violating device may be removed without notice.

    7. Remote Access

      In order to preserve the safety and integrity of the UCSD Data Communications Network, UCSD authorized users are required to use encrypted connections when connecting remotely to campus to access, transmit, view or modify any sensitive data. The UCSD Virtual Private Network (VPN) service, administered and managed by ACT/IT Infrastructure, is the recommended encrypted solution; in some circumstances, other protocols such as https and ssh may be sufficient. Users are advised that use of the VPN for all remote connections is strongly recommended. System or service administrators should use VPN in conjunction with standard encrypted connection protocols such as ssh when administering services using higher-level (e.g. "root") access.

      In special cases, divisions with higher-security needs may request ACT approval to administer local VPN services. Such approval is contingent upon the technical inability of central services to support requirements of federal, state or local legislation or the terms of a specific research contract.

      Machines remotely connected to the UCSD network to conduct University business are expected to conform to the Minimum Network Connection Standards (Exhibit B).

    8. Miscellaneous

      Information regarding major security vulnerabilities and fixes for them is available from ACT. Users should contact their Systems Administrator and/or the manager of their local network for security information and local policy.

    9. Violations

      University policy prohibits the use of University property for illegal purposes and for purposes not in support of the mission of the University. In addition to any possible legal sanctions, violators of this policy may be subject to disciplinary action including but not limited to suspension or dismissal as relevant, pursuant to University policies and collective bargaining agreements.

    10. Contacts

      Questions concerning this policy should be referred to computingpolicies@ucsd.edu.

      Specific questions about security issues should be directed to security@ucsd.edu.

      Questions about network connectivity or function should be addressed to hostmaster@ucsd.edu.
