The University Policy Manual

  • Home »
  • Security of Networks and Networked Data

Security of Networks and Networked Data

The University of North Carolina at Greensboro

  • (Approved by the Chancellor, July 19, 2004, May 2010)

Purpose

The University of North Carolina at Greensboro's (hereinafter "University") computing and telecommunication networks, computing equipment, and computing resources are owned by the University and are provided to support the academic and administrative functions of the University. The purpose of this policy is to support a high standard of network security. Adherence to the policy will help protect the integrity of the campus network and networked data. Enforcement actions will mitigate risks and losses associated with security threats to the network and networked data.

Federal and state law, and University policies and procedures govern the use of this equipment and technologies. Additional rules and regulations may be adopted by divisions/departments to meet specific administrative or academic needs. Any adopted requirements must be in compliance with applicable federal and state laws, and this policy.

Scope

This policy applies to all faculty, staff, students, and other authorized individuals who connect network communications devices to the University data network. It is fundamental to all information security efforts at the University.

The intent of this policy is not to change the ownership of computing and telecommunication networks, computing equipment, or computing resources.

Policy

Network Operation And Transport

Physical Connections

The following restrictions apply:

  1. Only a single network communications device should be attached per Ethernet jack. If additional jacks are required, a cabling request must be submitted to Information Technology Services (ITS).
  2. Physical access to infrastructure network switching equipment is not permitted without specific authorization of ITS.
  3. Attached cables must be certified by ITS and shall not exceed 20 feet in length.
  4. Ethernet hubs/repeaters must not be attached.
  5. Ethernet switches/bridges must not be attached.
  6. Hardware firewall/network address translation devices must not be attached.
  7. Wireless enabled devices must not be attached.
  8. Network layer 3 (logical layer) routing devices must not be attached.
  9. All attached devices must have an identified owner and user.
Logical Addressing

UNCG has been granted Internet address spaces. ITS will exclusively provide allocation and administration of these address spaces in accordance with ITS procedures, standards, and protocols.

  1. All network attached devices require registration in the ITS network registration system.
  2. Name resolution to/from the Internet will only be provided for devices specifically identified as servers. Servers with administrative applications are subject to the Enterprise Systems Policy
  3. ITS will manage additional domain name space (for example, e-mail.uncg.edu, uncg.info) in support of the University mission.
  4. Individuals, academic colleges/departments, or administrative departments at UNCG may not create and support an Internet domain name space without prior approval of ITS.
Quality Of Service

ITS has the authority to implement Network Quality of Service technology to control the cost of providing Internet service, ensure equal communications access for all clients, and provide differential service for enterprise applications, which may include denial of transport.

Workstation Operation

Computer workstation users are expected to adhere to the following:

  1. Ensure that operating system and application software is kept up to date with manufacturer patches.
  2. Take all necessary precautions to avoid workstation compromise. Employees and departments are responsible for making use of the recommended security software from the ITS division as set forth in the Computing Supported Products (Standards for Computer and Related Technology) and for configuring the software according to ITS standards.
  3. Where possible, physically secure the workstation.
  4. Do not allow others to use a workstation when logged in with your authentication credentials.
  5. Ensure that data is retained and backed up if necessary.
  6. Store data that is classified as Restricted in the Data Classification Policy on ITS network storage facilities.
  7. Employ mobile device startup password protections.
  8. Follow ITS protocol for equipment disposal practices to ensure protection of data and licensed software.
  9. Take reasonable precautions to avoid actions that could deteriorate the performance of the University network or networked resources (devices connected to the UNCG network)
Server Operation

Application server administrators are expected to adhere to the following:

  1. Ensure that operating system and application software is kept up to date with manufacturer patches.
  2. Take all necessary precautions to avoid server compromise. Employees and respective departments are responsible for making use of the recommended security software from the ITS division as set forth in the Computing Supported Products (Standards for Computer and Related Technology) and for configuring the software according to ITS standards.
  3. Physically secure the server.
  4. Ensure that data is backed up and retained according to the Computer Systems Backup Procedure.
  5. Maintain system activity logs for auditing purposes.
  6. Equipment disposal practices must follow ITS protocols to ensure protection of data and licensed software.
  7. Adhere to the Enterprise Systems Policy.
Human Safety

Network connected devices with applications directly involving human safety must be operated on a physically or logically isolated network. Examples are physical security and environmental control devices.

Wireless Computing

The wireless communications spectrum is managed as part of the campus network. See Wireless Communications Policy.

Enterprise Passwords

Passwords are an important aspect of computer security. Passwords represent the front line of protection for all user accounts. A poorly chosen password may compromise UNCG’s entire network.

General Requirements
  1. System or user-level passwords must be changed on the currently recommended standard periodic basis.
  2. Passwords must be kept secure, and sharing of accounts is prohibited. Authorized users are responsible for the security of all assigned account and equipment activity and should follow security procedures determined by ITS standards.
  3. User accounts that have system-level privileges through some form of group membership, or other implementation, must have a unique password from other accounts held by that user.
  4. Passwords must not be inserted into e-mail messages or any other form of electronic communication.
  5. All manufacturer default passwords must be changed before network connection.
  6. The use of ITS enterprise authentication services is required.
Application Developer Requirements

Application developers with applications containing passwords, shared secrets, or key phrases contained within should adhere to the following guidelines:

  1. Support authentication through ITS enterprise authentication services.
  2. Support authentication of individual users and not groups.
  3. Must not store passwords in clear text or any form that is reversible.

Remote Access

  1. The public sections of the University’s Web site are available to any user through remote access.
  2. Remote access connections, whether originating from University-owned or personal equipment, should be given the same security consideration as an on-site connection.
  3. Faculty, staff, or students are the only ones permitted to remotely access University network resources and only through ITS-supported remote access technology.
  4. All remote access will be encrypted, and authenticated using ITS enterprise authentication services.
  5. Approaches to network traffic that threaten security are strictly prohibited.

Acceptable Encryption

Encryption technology protects information content during network transport.

  1. Some data must be encrypted in conformity with the Wireless Communications Policy and the Data Classification Policy.
  2. ITS-supported algorithms should be selected when using encryption technology.
  3. Cryptographic key lengths must be of sufficient length as to prevent successful intrusion in a short time period.
  4. The use of proprietary encryption algorithms is not allowed for any application housing data classified as Restricted as defined by the Data Classification Policy.
  5. Export of encryption technologies is subject to federal law.

Non-Affiliate Access

Visitors or non-University community members may require temporary access to computer or network resources. Non-affiliate network access is subject to the following restrictions:

  1. Non-affiliate network access is subject to all University policies including the Acceptable Use of Computing and Electronic Resources Policy.
  2. Only Deans and Department Heads can sponsor non-affiliate network access.
  3. Faculty, staff, and students must not use non-affiliate access procedures to gain any form of temporary computer or network access.
  4. Faculty and staff must not share their account information with non-affiliates.

Perimeter Security

The perimeter of UNCG’s network infrastructure is defined as the electronic border between the UNCG campus network, and the first Internet Service Provider (ISP) networking device supplying wide area network (WAN) connectivity.

  1. ITS maintains perimeter security for the purposes of general infrastructure protection.
  2. Only authorized ITS employees may modify perimeter security measures.
  3. All application servers must be specifically identified to ITS.

Application Service Providers

Requirements of the Sponsoring Department
  1. If the application is hosted on the campus, it is subject to the Enterprise Systems Policy
  2. Individuals, academic colleges/departments, or administrative units must contact ITS and lodge an Application Service Provider (ASP) request.
  3. If the application under consideration is to be hosted outside the campus, and the data manipulated is classified as Restricted as defined by the Data Classification Policy, an ITS security review must be completed.
Requirements of the Application Service Provider
  1. Application service providers must adhere to ITS ASP security standards.
  2. ITS may request that security measures be implemented in addition to the general ITS ASP security standards.
  3. ASP’s that do not meet the requirements may not be used for UNCG enterprise applications.

Extranet (External Network) Connections

Pre-Requisites
Security Review

All new extranet connectivity will go through an ITS security review to ensure that all access matches the business requirements in the best possible way, and that the principle of least access is followed.

Memorandum of Understanding

All new connection requests between third parties and UNCG require that the third party and UNCG representatives agree to and sign an Extranet Memorandum of Understanding. The Vice Chancellor/Chief Information Officer or his/her designee must sign this agreement, together with the Provost/Vice Chancellor of the requesting department, as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The agreement must be reviewed by the Office of the University Counsel prior to signature by University officials in accordance with the UNCG Policy on Contract Review and Approval. The signed document is to be kept on file with ITS.

Point of Contact

The requesting UNCG department must designate a person to be the Point of Contact (POC) for the extranet connection. The POC acts on behalf of the department, and is responsible for those portions of this policy and the Extranet Memorandum of Understanding that pertain to it. In the event that the POC changes, ITS and the extranet organization must be informed promptly.

Establishing Connectivity

Departments within UNCG that wish to establish connectivity to a third party are to file a new site request with ITS. The sponsoring organization must provide ITS with full and complete information as to the nature of the proposed access.

All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will UNCG rely upon the third party to protect UNCG’s network or resources.

Modifying Connectivity

All changes in access must be accompanied by a valid business justification, and are subject to security review. Individual departments are responsible for notifying ITS when there is a material change in their originally provided information so that security and connectivity evolve accordingly.

Terminating Connectivity

When access is no longer required, UNCG departments must notify ITS, which will then terminate the access.

Compliance With Laws And Regulations Relating To Networked Data

UNCG complies with federal and state laws and regulations relating to the security of networked data. UNCG designates compliance officers for laws/regulations, as appropriate, and ITS cooperates with the designated compliance officers.

Enforcement

ITS will enforce the Security of Networks and Networked Data Policy and establish standards, procedures, and protocols in support of the policy.

Alleged violations of this policy are subject to the due process provided in existing University policies.

Any violation of this policy by a University student is subject to the Student Code of Conduct in the student handbook. For employees, any violation of this policy is “misconduct” under EPA policies (faculty and EPA non-faculty) and “unacceptable personal conduct” under SPA policies, including any appeal rights stated therein. Employees and students are required to cooperate with ITS in investigations of any alleged violations of the policy. Violations of law may also be referred for criminal or civil prosecution.

ITS has the authority to disconnect network service or modify/enhance network security without notification in the event of law violation, systems compromise involving Restricted data, or negative network communications impact affecting service for other users.

Review

The Chancellor has approved the Security of Networks and Networked Data Policy and ITS will periodically review the policy as appropriate.

Links to Related University Policies

Contact

Comments or questions? Email the Policy Administrator.