Academic Computing Department

East Stroudsburg University

East Stroudsburg, PA

System Security Policy

March 4, 2002

Matthew Young, Javier Iglesias, David Baulier, Hossam El’kordy

 


Table of Contents

 

 

Introduction
    Title
    Objectives
    Scope
    Audience
    Responsible Organizational Structure
    Document Standards

Hardware
    New Acquisition Policies
    Testing and Evaluation Policies
    Installation Policies
    Maintenance and Obsolescence Policies

Software
    Operating Systems
    Applications
    Utility Software
    Patches
    Upgrades
    Backups

Physical Considerations
    Disaster Precautions
    Fire
    Electrical Storm
    Water Pipes Breaking
    Other Natural Disasters
    Plan of Action
    Loss Prevention and Vandalism
    Restricted Access
    Wiring and Emanation Policies
    Power Considerations
    Waste Management Policies

Architecture
    General Network Architecture Policy
    Risk Assessment Policy
    Audit Policy
    Acceptable Encryption Policy
    Demilitarized Zone (DMZ) Policy
    Firewall Security Policy
    Router Security Policy
    Server Security Policy
    Virtual Private Network (VPN) Policy
    Dial-In Access Policy
    Remote Access Policy
    Wireless Communications Policy

Account Maintenance
    Student Arrival Policies
    Student Departure Policies
    Personnel Departure Policies
    Maintenance

Student Usage Policy
    Policy Version
    Usage
    Scope
    Policy and Procedures

Personnel Policy
    Applicability
    Purpose and Goals
    Job Descriptions
    Restricted Access (Physical)
    Restricted Access (Logical)

Penalties
    Violations and Incursions
    Investigating and Reporting
    Owner’s Authority

Privacy Policy
    Data Ownership
    Monitoring
    Department Liability

Definitions

Signatures
    Purpose
    Manager, Academic Computing Department
    Director, Computing Center
    President, East Stroudsburg University


1. Introduction

1.1 Title

This document shall be officially known as the System Security Policy of the Academic Computing Department of East Stroudsburg University.  For convenience, it may also be referred to as the System Security Policy, or simply the Security Policy.

 

1.2 Objectives

This document is intended to codify all policies and procedures relating to the secure operation of the Academic Computing department at East Stroudsburg University and all facilities maintained by that department.

 

1.3 Scope

This document is designed to cover security policies and procedures for the computer facilities administered by the Academic Computing department at East Stroudsburg University.  Those facilities include all labs in student residence halls and academic buildings, as well as the academic computing department operations center, and all connections between said facilities.  This policy does not apply to faculty/staff computing facilities or Kemp Library.

 

1.4 Audience

This document is intended to be used as a reference by the members of the Academic Computing Department at East Stroudsburg University and the personnel responsible for oversight of said department.  This document is expressly not intended for use by the general public, including the student population at East Stroudsburg University; other documents are more appropriate for publication outside the Academic Computing department.

 

1.5 Responsible Organizational Structure

This document is targeted for use by the employees of the Academic Computing department at East Stroudsburg University.  That department is a part of the Computing Center at East Stroudsburg University, which is itself a part of the Pennsylvania State System of Higher Education.

 

1.6 Document Standards

1.6.1 Review Period

This document shall be revisited and revised not less often than once every two years, or more frequently as deemed necessary by the Academic Network Administrator.

 

1.6.2 Approval

All revisions to this document must be approved by the Academic Network Administrator, the Director of the Computing Center, and the President of East Stroudsburg University.

 

1.6.3 Distribution

When revisions have been made, revised copies of this document shall be distributed to all appropriate personnel as determined by (someone) to replace existing copies, which shall in turn be discarded.  The Academic Network Administrator or a designated appointee shall maintain an archive of previous revisions of this document.

 

1.6.4 Versioning

As revisions are made to this document, the change in version shall be noted in the footer itself.  Version numbers consist of the year of the revision plus the next letter in sequence for that year, beginning with A.  For example, the first release in 2002 would be 2002A, followed by 2002B or 2003A.


2. Hardware

2.1 New Acquisition Policies

All purchases of new systems hardware or new components for existing systems must be made in accordance with Information Security and other University Policies. Such requests to purchase must be based upon a User Requirements Specification document and take account of longer-term academic needs.

 

East Stroudsburg University must identify candidate products that meet the functionality, performance, and security requirements of the Academic Computing Department.

 

East Stroudsburg University shall purchase a maintenance contract with a suitable response time in the event of a failure. Suitable response times must fall below six hours for mission-critical equipment such as firewalls, routers, and network servers.

 

Except for minor purchases, hardware must be purchased through a structured evaluation process, which must include the development of a detailed Request for Proposal (RFP) document. Information Security features and requirements must be identified within the RFP.

 

When selecting server hardware, security requirements must be considered and prioritized higher than the price of the hardware. The security capabilities of the vendors must be scrutinized. East Stroudsburg University shall choose products with fewer vulnerabilities and better security-related features in order to decrease the long-term operational costs associated with administration tasks.

 

East Stroudsburg University Academic Computing Center shall document the hardware configuration in order to aid in securely configuring the software.

 

2.2 Testing and Evaluation Policies

East Stroudsburg University must test and evaluate new hardware to ensure the integrity, security, and availability of the data. East Stroudsburg University must test new hardware to verify it is working correctly.

 

East Stroudsburg University must apply further tests periodically to ensure continued effective functioning of the hardware.

 

East Stroudsburg University must ensure that all equipment is fully and comprehensively tested before being transferred to the live environment. East Stroudsburg University should periodically test devices that are known to degrade with time.

 

Hardware purchased with the intention of being operated as network servers must be tested to its full potential for a duration of 24 to 48 hours before deployment.

 

East Stroudsburg University shall perform load tests on mission critical hardware that is going to be used as network servers.

2.3 Installation Policies

East Stroudsburg University must ensure that all hardware is adequately protected. Computer systems installed in the computer labs must be securely tied down to the desks where they stand. Computer systems must be tied down using metal wiring to prevent theft.

 

East Stroudsburg University must ensure that Health and Safety regulations are followed when installing the equipment, peripherals, and cables.

 

East Stroudsburg University must consider the use of closed circuit television (CCTV), digital video cameras and/or digital video recorders in the computer labs in order to decrease hardware vandalism.

 

East Stroudsburg University must consider the use of glue to maintain the integrity of the computer peripherals for hardware installed in computer labs that do not have any of the user-monitoring mechanisms described in the previous paragraph.

 

All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that security issues are adequately covered.

 

Information Security requirements for new installations are to be circulated for comment to all interested parties, well in advance of installation.

 

Major changes to hardware must take place between academic semesters, to minimize the risk of downtime.

 

East Stroudsburg University must ensure that all new installations are thoroughly tested after initial setup and prior to live use.

 

Hardware systems installed in the data center must be raised off the floor to avoid problems created by minor leakage from water pipes.

 

2.4 Maintenance and Obsolescence Policies

Hardware documentation must be kept up-to-date and readily available to the staff that is authorized to support or maintain the systems. East Stroudsburg University must store the documentation accessibly but safely.

 

East Stroudsburg University Academic Computing Department must allocate the resources necessary to train their staff on security issues on a yearly basis. East Stroudsburg University must ensure that their staff is kept up-to-date on current security issues.

 

East Stroudsburg University must adopt procedures that ensure that their operators complete all maintenance for which they are responsible according to the manufacturer's security recommendation(s).

 

A formal inventory of all equipment is to be maintained and kept up to date at all times. East Stroudsburg University must verify periodically the correctness of the inventory by checking that a sample of hardware is physically present.

 

East Stroudsburg University must ensure that maintenance is carried out promptly and as specified by the supplier.

 

East Stroudsburg University must establish a system for reporting faults. Hardware faults are to be recorded and reported to the appropriate trained staff or maintenance staff for corrective action.

 

East Stroudsburg University must name and label PCs with adequate information to allow a user to clearly identify their PC in the event of fault reporting.

 

East Stroudsburg University must document Hardware Security Incidents to maintain a record of all previous incidents, their resolutions, and to consider changes to the current Security Policy to prevent such incidents from happening.

 

East Stroudsburg University must clearly identify any equipment for disposal.

 

Equipment owned by East Stroudsburg University may only be disposed of by authorized personnel who have ensured that the relevant security risks have been mitigated.

 

East Stroudsburg University Academic Computing Department must ensure that all non-trivial data has been erased from any media before disposing of such media.

 

East Stroudsburg University must consider physically destroying magnetic media if such media contained sensitive information.

 

 


3. Software

3.1 Operating Systems

Each of the operating systems employed by the Academic Computing department at East Stroudsburg University shall be secured using username/password access to log on to the system.  Additionally, all appropriate efforts shall be made to restrict each individual user's access to the minimum feasible level, that is, the least access with which the user can still carry out all appropriate operations without restriction.  Finally, all attempts by any user to breach those limits shall be logged and reported to the appropriate system administrator.

 

3.2 Applications

3.2.1 Productivity (Office)

All productivity applications administered by Academic Computing shall be secured in such a way that users are unable to gain access to other users’ private files.  Additionally, applications shall be secured against all Internet-based vulnerabilities, including scripting and macro viruses and exploits.

3.2.2 Programming

All programming applications administered by Academic Computing shall be secured against third-party add-on software, except for that software which may be added by the application administrator.

3.2.3 Other Special-Use

Any other special-use or special-purpose software which may be found necessary for appropriate use on a system administered by Academic Computing must first be approved and appropriately configured by the application administrator, so as to prevent users from viewing other users’ private files.

 

3.3 Utility Software

3.3.1 Antivirus

Each system administered by the Academic Computing department at East Stroudsburg University must run virus-protection software.  This software shall be kept current with upgrades applied weekly or as made available, whichever is later.

3.3.2 System Utilities

System utilities such as disk management, cache cleanup, and other maintenance features shall be administered remotely for user systems via login scripts.  Other utility features not found in the operating system or easily scriptable shall be configured and run by the applications administrator.

 

3.4 Patches

Application and operating system patches (other than antivirus patches) shall not be applied immediately after their release.  Instead, they should be given an incubation time after their release while they are publicly tested by early adopters.  If they are found to be error-free after one week, they shall be applied to the appropriate systems administered by Academic Computing.  Patches requiring immediate installation should be applied as soon as possible, without the waiting period.  After any patch installation, security features and settings should be examined to ensure that they have not been corrupted or reset.

3.5 Upgrades

Operating systems and applications shall be upgraded only after the upgraded version has been tested on a standalone system (if possible) or publicly by other organizations to find any bugs or new vulnerabilities in the software package.  Also, once applied, upgraded systems shall be tested to ensure unchanged system security.

 

3.6 Backups

3.6.1 Full

A full backup and verification shall be made weekly of each server administered by the Academic Computing department.  System and application files shall be backed up, but user files and account information need not be backed up.  Tapes from every other week shall be stored off-site in a physically secure location.  Efforts should be made to verify that these backup tapes are viable and could be used to restore system integrity in the event of an emergency.

3.6.2 Incremental

Incremental backups and verifications shall be made nightly of all data specified above, regarding full backups.  A different tape shall be used for each day of the week, not to be reused until the same day of the following week.


4. Physical Considerations

4.1 Disaster Precautions

Precautions should be taken by Academic Computing to deal with physical disasters such as fire, electrical storm, and water pipes breaking.  Also, as a precaution for any type of a disaster, backups should be kept on a regularly scheduled basis.  These backups should be stored offsite.

4.2 Fire

In every lab there should be fire prevention controls in place.  These controls could be Halon or O2 deprivation.  Water should not be used since we are dealing with electrical equipment.  These controls should also be implemented where the servers are stored.


CO2 fire extinguishers should also be stored in easily accessible locations to help contain or put out a fire.

 

Fire walls should be included into the structure of the building to prevent a fire from spreading.  Fire walls should be implemented in the room that contains the servers.

4.3 Electrical Storm

Optical wire (fiber optics) should be used to limit the amount of electrical interference that is expected during such a storm.

Every computer should be plugged into a surge protector.  No computer should be plugged directly into an electrical outlet.

4.4 Water Pipes Breaking

If a water pipe were to break in the building it should not affect the servers in any way.  The servers should be moved to a more secure location if this is a possible threat, or precautions should be taken in the current room to avoid this situation.

 

Academic Computing should know which labs would be affected by a water pipe breaking.  They should have a plan that goes into effect to save as many computers in these labs as possible, or take steps to ensure this threat won’t affect the computer labs.

 

Frequent checks should be made of the air conditioning units in the labs.  The units have a tendency to leak water, so they should be maintained regularly to avoid this from happening.

4.5 Other Natural Disasters

This section covers any other disaster that threatens the operational availability of Academic Computing through structural or equipment damage or personnel’s inability to get to work.  It is understood that Academic Computing will have plans that can be put into effect to maintain its operational availability.

4.6 Plan of Action

One or two rooms in Stroud that are not computer labs should be designed in such a way that a computer lab could be moved into that room.  The room should be network ready so it is just a matter of moving the computers to the new location.  This same precaution could also be taken for a couple of rooms in a building other than Stroud Hall in case it is inaccessible. (Move to 401 or 415 in Stroud Hall; move to Tutoring Center in Rosenkrans.)


Another secure room with restricted access should also be dedicated as an alternate location for moving the servers.  The room should be designed in such a way that the servers can be connected to existing wires in the room.  The room should be a location that will not be affected by any type of disaster or have controls that would prevent a disaster from occurring.   (Move to the Computing Center)


If there is a threat to a lab or the servers it is the responsibility of all Academic Computing personnel to salvage as much equipment as possible and move it to the new designated location.


Academic Computing may want to evaluate the current location of the labs and servers as a precaution.  If the current location has numerous threats in terms of structural deficiencies the lab should be moved to a new location or the current location should be maintained.  


If a water pipe breaks above one of the labs or where the servers are located Academic Computing should immediately cut the power to the computers and their components.  Then large sheets of plastic should be draped over the computers so they can be moved out of the lab without being damaged. 

 

4.7 Loss Prevention and Vandalism

 

To avoid theft and vandalism it is essential that Academic Computing know exactly what equipment they have and where it is.  Also, appropriate controls should be implemented to monitor students’ use of this equipment.

 

The serial numbers should be written down for all computers and their components on campus.  These numbers should be grouped according to the lab in which they are currently located.  These numbers should be filed in Academic Computing.

 

Academic Computing employees should make frequent checks of the labs on campus to make sure all computers are accounted for and that students are using them properly.  This should occur at least two times a day.

 

Video cameras should be placed in all the labs to keep a constant eye on all the computers.  Students would think twice about vandalizing or stealing if they were being videotaped.

 

All computers and equipment should be secured to the desks they are placed on in order to help prevent theft.

 

 

4.8 Restricted Access

 

The labs on campus are only for students, staff, and faculty.  It is Academic Computing’s responsibility to make sure that only authorized people are using the computers.  Also, it is their responsibility to make sure personnel are the only ones that are allowed in Academic Computing past the help desk without an escort. 

 

Late at night and on the weekends all lab doors should be locked and the glass doors to access the labs should also be locked.  An Academic Computing employee should go around to all the labs before they close and make sure all lab doors are locked.  If there are people in the labs it is their responsibility to make sure they are allowed to be there. 

 

A meeting should be held to inform all staff members that the glass access doors are not to be propped open.  When these doors are propped open it defeats the entire purpose of having the keypads on the doors.

 

Students can receive access numbers for the keypads in their classes. There should be no sharing of access numbers between students.

 

University police officers should make occasional rounds in Stroud checking all of the labs.  This should be done at random times, so no pattern can be detected. 

 

Only authorized personnel should be allowed near the servers in Academic Computing. 

 

The boxes that house the network switches should be closed and locked at all times.  If these switches are in the open someone could pull wires or plug a laptop into the switch. 

 

4.9 Wiring and Emanation Policies

 

It is Academic Computing’s responsibility to make sure all wiring running between labs is not out in the open.  People should not be allowed to tamper with these wires.

 

Fiber optic cables should be used to eliminate the possibility of emanation.

 

4.10 Power Considerations

 

If the university were to lose power, the services that Academic Computing supplies should still be available to students, staff, and faculty.  This can be done with a backup generator in place.

 

4.11 Waste Management Policies

 

Any documents that contain sensitive information about students, staff, or faculty should be shredded and not placed in common garbage.  Similarly, any documents that contain sensitive information about computers or the network, particularly passwords, should be shredded and not placed in common garbage.  This garbage should not be in the general view of students or other unauthorized persons.


 

5. Architecture

5.1 General Network Architecture Policy

5.1.1 Purpose

This policy establishes information security requirements for the East Stroudsburg University network to ensure that East Stroudsburg University confidential information and technologies are not compromised, and that network services and other East Stroudsburg University interests are protected from lab activities.

5.1.2 Scope

This policy applies to all internally connected labs, East Stroudsburg University employees and third parties who access East Stroudsburg University’s labs. All existing and future equipment that falls under the scope of this policy must be configured according to the referenced documents. DMZ facilities must comply with the DMZ Security Policy.

5.1.3 Policy

5.1.3.1 Ownership Responsibilities

Lab owning organizations are responsible for assigning lab administrators, a point of contact (POC), and a back-up POC for each lab. Lab owners must maintain up-to-date POC information with Academic Computing and the Academic Enterprise Management Team.  Lab administrators or their backup must be available around-the-clock for emergencies, otherwise actions will be taken without their involvement.

Lab administrators are responsible for the security of their labs and the lab's impact on the academic network and any other networks. Lab administrators are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined lab administrators must do their best to safeguard East Stroudsburg University from security vulnerabilities.

Lab administrators are responsible for the lab's compliance with all East Stroudsburg University security policies. The following are particularly important: Password Policy for networking devices and hosts, Wireless Security Policy, Anti-Virus (3.3.1), and physical security.

The Lab Manager is responsible for controlling lab access. Access to any given lab will only be granted by the lab manager or designee, to those individuals with an immediate business need within the lab, either short-term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the lab have their access terminated.

The Network Support Organization must maintain a firewall device between the academic network and all lab equipment.

The Network Support Organization and/or Academic Computing reserve the right to interrupt lab connections that impact the academic network negatively or pose a security risk.

The Network Support Organization must record all lab IP addresses, which are routed within East Stroudsburg University networks, in Enterprise Address Management database along with current contact information for that lab.

Any lab that wants to add an external connection must provide a diagram and documentation to Academic Computing with business justification, the equipment, and the IP address space information. Academic Computing will review for security concerns and must approve before such connections are implemented.

All user passwords must comply with East Stroudsburg University’s Password Policy. In addition, individual user accounts on any lab device must be deleted within three (3) days of no longer being authorized. Group account passwords on lab computers (Unix, Windows, etc.) must be changed quarterly (once every 3 months). For any lab device that contains East Stroudsburg University proprietary information, group account passwords must be changed within three (3) days following a change in group membership.
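As an added illustration (not part of the ESU policy), the following check applies the three-day deletion rule and the quarterly and membership-change group-password rules above to a set of lab account records; the record layout, the reading of a quarter as 92 days, the device names and the sample dates are all constructed assumptions.

```python
"""Compliance check for the lab account rules in section 5.1.3.1.

Added illustration, not part of the ESU policy. The record layout, the
92-day reading of "quarterly", and all sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Deadlines taken from the policy text (assumption: a quarter is read as 92 days).
USER_DELETE_GRACE = timedelta(days=3)
GROUP_ROTATION_MAX = timedelta(days=92)
GROUP_MEMBER_CHANGE_GRACE = timedelta(days=3)


@dataclass
class UserAccount:
    name: str
    device: str
    authorized_until: Optional[date]  # None: still authorized
    deleted: bool = False


@dataclass
class GroupAccount:
    name: str
    device: str
    last_password_change: date
    last_membership_change: Optional[date] = None
    proprietary_info: bool = False  # device holds ESU proprietary information


def check_user_accounts(accounts: List[UserAccount], as_of: date) -> List[str]:
    """Individual accounts must be deleted within three days of losing authorization."""
    findings = []
    for acct in accounts:
        if acct.deleted or acct.authorized_until is None:
            continue
        deadline = acct.authorized_until + USER_DELETE_GRACE
        if as_of > deadline:
            findings.append(f"{acct.device}:{acct.name} lost authorization "
                            f"{acct.authorized_until}, not deleted by {deadline}")
    return findings


def check_group_accounts(groups: List[GroupAccount], as_of: date) -> List[str]:
    """Group passwords rotate quarterly; on proprietary-info devices they must
    also be changed within three days of any membership change."""
    findings = []
    for grp in groups:
        age = as_of - grp.last_password_change
        if age > GROUP_ROTATION_MAX:
            findings.append(f"{grp.device}:{grp.name} password is {age.days} days old, "
                            f"quarterly rotation overdue")
        if grp.proprietary_info and grp.last_membership_change is not None:
            deadline = grp.last_membership_change + GROUP_MEMBER_CHANGE_GRACE
            rotated_since_change = grp.last_password_change >= grp.last_membership_change
            if not rotated_since_change and as_of > deadline:
                findings.append(f"{grp.device}:{grp.name} membership changed "
                                f"{grp.last_membership_change}, password not changed by {deadline}")
    return findings


def audit(accounts: List[UserAccount], groups: List[GroupAccount], as_of: date) -> List[str]:
    """Return all findings; an empty list means the lab is compliant as of `as_of`."""
    return check_user_accounts(accounts, as_of) + check_group_accounts(groups, as_of)


# Constructed sample records, audited as of the policy's own date.
AS_OF = date(2002, 3, 4)
SAMPLE_USERS = [
    UserAccount("alice", "lab-stroud-401", date(2002, 2, 20)),        # past the 2002-02-23 deadline
    UserAccount("bob", "lab-stroud-401", date(2002, 3, 2)),           # still inside the 3-day grace
    UserAccount("carol", "lab-stroud-415", None),                     # still authorized
    UserAccount("dave", "lab-stroud-415", date(2002, 1, 10), True),   # already deleted
]
SAMPLE_GROUPS = [
    GroupAccount("labadmin", "lab-stroud-415", date(2001, 11, 15)),                          # 109 days old
    GroupAccount("research", "lab-rosenkrans", date(2002, 2, 1), date(2002, 2, 25), True),   # not rotated after change
    GroupAccount("helpdesk", "lab-stroud-401", date(2002, 2, 26), date(2002, 2, 25), True),  # rotated the next day
    GroupAccount("training", "lab-stroud-401", date(2002, 1, 20), date(2002, 2, 25), False), # rule does not apply
]

if __name__ == "__main__":
    for line in audit(SAMPLE_USERS, SAMPLE_GROUPS, AS_OF):
        print("NON-COMPLIANT:", line)
```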

Academic Computing will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

5.1.4 General Configuration Requirements

All traffic between the academic and the non-academic networks must go through a firewall maintained by the Network Support Organization. Lab network devices (including wireless) must not cross-connect the administration and academic networks.

Original firewall configurations and any changes thereto must be reviewed and approved by Academic Computing. Academic Computing may require security improvements as needed.

 

Labs are prohibited from engaging in port scanning, network auto-discovery, traffic spamming/flooding, and other similar activities that negatively impact the academic network and/or non-East Stroudsburg University networks. These activities must be restricted within the lab.

 

Please review the following policies for details of protecting information when accessing the academic network via remote access methods, and acceptable use of East Stroudsburg University’s network: Remote Access Policy, Virtual Private Network (VPN) Policy, Wireless Communications Policy, Student/Employee Usage Policy, and Dialup Access Policy.

 

Traffic between separate lab networks is permitted based on academic and administrative needs, as long as the traffic does not negatively impact other networks. Labs must not advertise network services that may compromise academic network services or put lab confidential information at risk.

 

Academic Computing reserves the right to audit all lab-related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls and network peripherals.

 

Lab owned gateway devices are required to comply with all East Stroudsburg University product security advisories and must authenticate against the Academic Authentication servers.

 

The enable password for all lab owned gateway devices must be different from all other equipment passwords in the lab. The password must be in accordance with East Stroudsburg University’s Password Policy.  The password will only be provided to those who are authorized to administer the lab network.

 

East Stroudsburg University should keep the laboratory computers in their own network segment. It should also allocate an IP subnet per computer lab. Keeping laboratory computers in their own subnet will increase security and will decrease network traffic by not propagating unnecessary broadcast and multicast traffic.

 

East Stroudsburg University should allocate an IP subnet per computer laboratory. The Academic Computing Department should also consider future allocation of devices to the laboratories, and should leave a number of IPs unallocated in every computer lab for future use.

 

East Stroudsburg University should, when possible, keep machines that communicate with each other frequently on the same subnet.

 

East Stroudsburg University shall allocate common subnets for departments that communicate often, in order to provide better connectivity and decrease unnecessary network traffic between the departments.
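An added illustration (not from the ESU policy) of the one-subnet-per-lab allocation described above, including the reserve of unallocated addresses for future devices and a check that no two lab segments overlap; the 10.20.0.0/22 block, the lab host counts and the 25% headroom figure are constructed assumptions.

```python
"""Subnet planning for the one-subnet-per-lab requirement in section 5.1.4.

Added illustration, not part of the ESU policy. The address block, the lab
sizes and the 25% headroom figure are constructed assumptions."""
import ipaddress
import math
from typing import Dict

IPv4Network = ipaddress.IPv4Network


def prefix_for(hosts: int, headroom: float = 0.25) -> int:
    """Smallest prefix length whose subnet holds `hosts` devices plus headroom
    for future allocations, plus the network, broadcast and gateway addresses."""
    needed = math.ceil(hosts * (1 + headroom)) + 3
    host_bits = max(2, math.ceil(math.log2(needed)))
    return 32 - host_bits


def plan_subnets(block: str, labs: Dict[str, int], headroom: float = 0.25) -> Dict[str, IPv4Network]:
    """Carve one non-overlapping subnet per lab out of `block`.

    Largest labs are placed first so smaller subnets fill the remaining gaps.
    `free` is a sorted list of unallocated networks; each allocation takes the
    start of the first free range that is large enough and keeps the remainder.
    Raises ValueError when the block cannot hold every lab."""
    free = [ipaddress.ip_network(block)]
    plan: Dict[str, IPv4Network] = {}
    for lab, hosts in sorted(labs.items(), key=lambda item: -item[1]):
        prefix = prefix_for(hosts, headroom)
        for i, candidate in enumerate(free):
            if candidate.prefixlen <= prefix:  # candidate is at least as large as needed
                chosen = ipaddress.ip_network((int(candidate.network_address), prefix))
                plan[lab] = chosen
                # address_exclude yields the parts of candidate outside chosen (none if equal)
                free[i:i + 1] = sorted(candidate.address_exclude(chosen))
                break
        else:
            raise ValueError(f"{block} is exhausted before lab {lab!r} ({hosts} hosts)")
    return plan


def disjoint(plan: Dict[str, IPv4Network]) -> bool:
    """True when no two lab subnets overlap, i.e. each lab is its own segment."""
    nets = list(plan.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Constructed campus block and lab sizes.
LAB_BLOCK = "10.20.0.0/22"
LAB_SIZES = {"Stroud 401": 30, "Stroud 415": 24, "Rosenkrans Tutoring": 12, "Residence Hall A": 60}

if __name__ == "__main__":
    for lab, net in plan_subnets(LAB_BLOCK, LAB_SIZES).items():
        spare = net.num_addresses - 3 - LAB_SIZES[lab]
        print(f"{lab:22s} {net}  ({spare} addresses left unallocated)")
```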

 

In labs where non-East Stroudsburg University personnel have physical access (e.g., training labs), direct connectivity to the academic network is not allowed. Additionally, no East Stroudsburg University confidential information can reside on any computer equipment in these labs. Connectivity for authorized personnel from these labs can be allowed to the academic network only if authenticated against the Academic Authentication servers, temporary access lists (lock and key), SSH, client VPNs, or similar technology approved by Academic Computing.

All lab external connection requests must be reviewed and approved by Academic Computing. Analog or ISDN lines must be configured to only accept trusted call numbers. Strong passwords must be used for authentication.

All lab networks with external connections must not be connected to the East Stroudsburg University academic network or any other internal network, whether directly, via a wireless connection, or via any other form of computing equipment. A waiver from Academic Computing is required where air-gapping is not possible (e.g., Partner Connections to third party networks).

5.1.5                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.2                           Risk Assessment Policy

5.2.1                      Purpose

To empower Academic Computing to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

5.2.2                      Scope

Risk assessments can be conducted on any entity within East Stroudsburg University or any outside entity that has signed a Third Party Agreement with ESU. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

5.2.3                      Policy

The execution, development and implementation of remediation programs are the joint responsibility of Academic Computing and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the Academic Computing Risk Assessment Team in the development of a remediation plan.

5.2.4                      Risk Assessment Process

For additional information, refer to the Audit Policy.

5.2.5                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.3                           Audit Policy

5.3.1                      Purpose

To provide the authority for members of East Stroudsburg University’s Academic Computing team to conduct a security audit on any system at ESU.

5.3.2                      Audits may be conducted to:

·         Ensure integrity, confidentiality and availability of information and resources

·         Investigate possible security incidents

·         Ensure conformance to East Stroudsburg University security policies

·         Monitor user or system activity where appropriate.

5.3.3                      Scope

This policy covers all computer and communication devices owned or operated by ESU. This policy also covers any computer and communications devices that are present on East Stroudsburg University premises, but which may not be owned or operated by ESU.

5.3.4                      Policy

When requested, and for the purpose of performing an audit, any access needed will be provided to members of East Stroudsburg University’s Academic Computing team. This access may include:

·         User level and/or system level access to any computing or communications device

·         Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on East Stroudsburg University equipment or premises

·         Access to work areas (labs, offices, cubicles, storage areas, etc.)

·         Access to interactively monitor and log traffic on East Stroudsburg University networks.

5.3.5                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.4                           Acceptable Encryption Policy

5.4.1                      Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have been scrutinized and recommended by the United States Federal government. Additionally, this policy provides direction to ensure that Federal regulations are followed, and that legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

5.4.2                      Scope

This policy applies to all valid users of the Academic Computing network at East Stroudsburg University.

5.4.3                      Policy

Proven, standard algorithms such as 3DES, DES, RSA, and RC5 should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Secure Sockets Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. East Stroudsburg University’s key length requirements will be reviewed annually and upgraded as technology allows.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Academic Computing. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

5.4.4                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.5                           DMZ Policy

5.5.1                      Purpose

This policy establishes information security requirements for all networks and equipment deployed in East Stroudsburg University labs located on the "De-Militarized Zone" (DMZ). Adherence to these requirements will minimize the potential risk to East Stroudsburg University from the damage to public image caused by unauthorized use of East Stroudsburg University resources, and the loss of sensitive/administrative confidential data and intellectual property.

5.5.2                      Scope

East Stroudsburg University academic networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet facing and located outside East Stroudsburg University academic Internet firewalls are considered part of the DMZ Labs and are subject to this policy. This includes DMZ Labs in primary Internet Service Provider (ISP) locations and remote locations. All existing and future equipment, which falls under the scope of this policy, must be configured according to the referenced documents.

5.5.3                      Policy

5.5.3.1                Ownership and Responsibilities

Equipment and applications within the scope of this policy must be administered by support groups approved by Academic Computing for DMZ system, application, and/or network management.

5.5.3.2                Support groups will be responsible for the following:

Equipment must be documented in the academic wide enterprise management system. At a minimum, the following information is required:

·         Host contacts and location.

·         Hardware and operating system/version.

·         Main functions and applications.

·         Password groups for privileged passwords.

·         Network interfaces must have appropriate Domain Name Server records.

Password groups must be maintained in accordance with the academic wide password management system/process.

Immediate access to equipment and system logs must be granted to members of Academic Computing upon demand, per the Audit Policy.

Changes to existing equipment and deployment of new equipment must follow the academic governance or change management processes/procedures.

All new DMZ Labs must present an operational justification with sign-off at the business unit Vice President level. Academic Computing must keep the business/operational justifications on file.

Lab-owning organizations are responsible for assigning lab administrators, a point of contact (POC), and a backup POC for each lab. The lab owners must maintain up to date POC information with Academic Computing. Lab administrators or their backup must be available around-the-clock for emergencies.

Changes to the connectivity and/or purpose of existing DMZ Labs and establishment of new DMZ Labs must be requested through an East Stroudsburg University Network Support Organization and approved by Academic Computing.

All ISP connections must be maintained by an East Stroudsburg University Network Support Organization.

A Network Support Organization must maintain a firewall device between the DMZ Lab(s) and the Internet.

The Network Support Organization and Academic Computing reserve the right to interrupt lab connections if a security concern exists.

The DMZ Lab will provide and maintain network devices deployed in the DMZ Lab up to the Network Support Organization point of demarcation.

The Network Support Organization must record all DMZ Lab address spaces and current contact information.

The DMZ Lab Administrators are ultimately responsible for their DMZ Labs complying with this policy.

Individual lab accounts must be deleted within three (3) days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three (3) days from a change in the group membership.

Academic Computing will address non-compliance waiver requests on a case-by-case basis.

To verify compliance with this policy, Academic Computing will periodically audit DMZ equipment per the Audit Policy.

5.5.4                      General Configuration Requirements

All equipment must comply with the following configuration policy:

Hardware, operating systems, services and applications must be approved by Academic Computing as part of the pre-deployment review phase.

Operating system configuration must be done according to the secure host and router installation and configuration standards.

Services and applications not serving business requirements must be disabled.

Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by Academic Computing.

Services and applications not for general access must be restricted by access control lists.

Insecure services or protocols (as determined by Academic Computing) must be replaced with more secure equivalents whenever such exist.

Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec) or console access independent from the DMZ networks. Where a methodology for secure channel connections is not available, one-time passwords (DES/SofToken) must be used for all access levels.

All host content updates must occur over secure channels.

Security-related events must be logged and audit trails saved to Academic Computing-approved logs. Security-related events include (but are not limited to) the following:

·         User login failures.

·         Failure to obtain privileged access.

·         Access policy violations.

Academic Computing will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

Academic network resources must not depend upon resources on the DMZ Lab networks.

DMZ Labs must not be connected to East Stroudsburg University’s academic internal networks, either directly or via a wireless connection.

DMZ Labs should be in a physically separate room from any internal networks. If this is not possible, the equipment must be in a locked rack with limited access. In addition, the Lab Manager must maintain a list of who has access to the equipment.

Lab Administrators are responsible for complying with the following related policies: Password Policy, Wireless Communications Policy, Lab Anti-Virus (3.3.1), Dialup Policy, Remote Access Policy.

Firewall devices maintained by the Network Support Organization must be configured in accordance with least-access principles and the DMZ Lab needs. All firewall filters will be maintained by Academic Computing.

The firewall device must be the only access point between the DMZ Lab and the rest of East Stroudsburg University’s networks and/or the Internet. Any form of cross-connection which bypasses the firewall device is strictly prohibited.

Original firewall configurations and any changes thereto must be reviewed and approved by Academic Computing (including both general configurations and rule sets). Academic Computing may require additional security measures as needed.

Traffic from DMZ Labs to the East Stroudsburg University internal network, including VPN access, falls under the Remote Access Policy.

All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.

Operating systems of all hosts internal to the DMZ Lab running Internet Services must be configured to the secure host installation and configuration standards.

Current applicable security patches/hot-fixes for any applications that are Internet services and/or local application services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes.

East Stroudsburg University Confidential information is prohibited on equipment in labs where non-East Stroudsburg University personnel have physical access.


5.5.5                      Placement of Servers in DMZ Environments

The following section contains excerpts taken from NIST’s guidelines on firewalls and firewall policy (NIST Special Publication 800-41), to help facilitate DMZ deployment.

Where to place servers in a DMZ environment depends on many factors, including the number of DMZs, the external and internal access required for the servers located on the DMZ, the amount of traffic, and the sensitivity of the data served. It is not possible to prescribe a “one size fits all” recommendation for server location, but several guidelines can be used to make the determination:

·         Protect external servers with a boundary router/packet filter.

·         Do not place externally accessible servers on the protected network.

·         Place internal servers behind internal firewalls as their sensitivity and access require.

·         Isolate servers such that attacks on the servers do not impair the rest of the network.

The following section contains some suggestions for locating specific servers and systems.

While the location of servers will be determined by each department’s specific requirements, every effort should be made to provide protection for the servers both from outside and inside threats, and to isolate attacks on the servers so that the rest of the organization is not affected.

Externally accessible web servers, as well as directory servers or DNS servers, can be placed on an external DMZ, that is, between a boundary router and a main firewall. The boundary router can provide some access control and filtering for the servers, and the main firewall can restrict connections from the servers to internal systems, which could occur if the servers are penetrated. In the case of popular, heavily used servers, a high-speed boundary router with several DMZ attachments could be used to isolate the server(s) on individual DMZ networks. Thus, if a DDoS attack is mounted against a server, the rest of the network would not suffer.

VPN and dial-in servers are better placed on an external DMZ so that their traffic passes through the firewall. One suggested configuration is to place the VPN server on the firewall platform, so that outbound traffic can be encrypted after it has been filtered (e.g., by an HTTP proxy) and inbound traffic can be decrypted and, again, filtered by the firewall. The dial-in server should be placed on an external DMZ for the same reasons.

Internally accessible web servers, email servers, and directory servers can be placed on an internal DMZ, that is, between two dedicated firewalls, the main and the internal, with the internal firewall separating the DMZ from the protected network. Placing these systems on an internal DMZ provides defense in depth protection from external threats, and provides protection from internal threats. If an HTTP proxy is used for outbound HTTP traffic, placing this system on the internal DMZ provides more protection from insider/external threats.

Mail servers and some firewalls can be used to accept email, that is, SMTP connections. A popular configuration includes using the main firewall to (a) accept SMTP connections and (b) then pass them off to a dedicated proxy/email server located on the internal DMZ. This eliminates the need for the firewall to process the email for active content and attachments. If users need to access email from external networks, for example when on travel or at conferences, one method for protecting the organizational email server from direct external access is to run an SSL proxy on the main firewall. Using a web browser, external users would connect to the main firewall (the main firewall could be configured with an alias to disguise its name). The main firewall would forward the SSL connection to the internal proxy/email server, which would serve the email over the web. The solution prevents direct external access to the mail server, yet still permits external access through the firewall. This approach could be used for other types of servers as well.

5.5.6                      New Installations and Configuration Procedures

All new installations and changes to the configuration of existing equipment and applications must follow these policies/procedures:

·         New installations must adhere to Hardware policy standards.

·         Configuration changes must follow the Academic Computing Procedures.

·         Academic Computing should perform system/application audits prior to the deployment of new services.

5.5.7                      Equipment Outsourced to External Service Providers

The responsibility for the security of equipment deployed by external service providers must be clarified in the contract with the service provider, and security contacts and escalation procedures must be documented. Contracting departments are responsible for third party compliance with this policy.

5.5.8                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.6                           Firewall Security Policy

5.6.1                      Purpose

This document describes a required minimal security configuration for all firewalls connecting to an academic network or used in an academic capacity at or on behalf of ESU.

This policy takes into account the basics of a firewall’s capabilities and limitations, and the threats and vulnerabilities associated with TCP/IP. Firewalls generally implement one of two basic design policies:

1. Permit any service unless it is expressly denied.

2. Deny any service unless it is expressly permitted.

Firewalls that implement the first policy allow all services to pass, with the exception of those services that the service-access policy has identified as disallowed. Firewalls that implement the second policy deny all services, but then pass those services that have been identified as allowed. This restrictive second policy follows the classic access model used in all areas of information security. The permissive first policy is less desirable, because it offers more ways of circumventing the firewall: users could access new services not currently addressed by the policy, for example by running denied services on non-standard TCP/UDP ports that are not specifically mentioned by the policy.

For proper implementation and maintenance of the firewall, these steps should be implemented with discretion towards operational functionality. Since the resource is academic in nature, the goal is to follow the policy model that allows all services unless expressly denied.
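
The two design policies can be made concrete with a small evaluator. This is an added example, not part of the original policy; the denied and permitted service lists are constructed sample data, not ESU's rule set. It shows the case the text above describes: a denied service moved to a non-standard port passes a permit-unless-denied firewall but not a deny-unless-permitted one, and so does any service the policy never mentioned.

```python
"""Compare the two firewall design policies described in section 5.6.1.

Added example, not part of the original policy.  DENIED and PERMITTED are
constructed sample service lists, not ESU's actual rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    proto: str   # "tcp" or "udp"
    port: int    # destination port


# Constructed service-access policy.  Ports follow the usual assignments:
# telnet 23, ftp 21, tftp 69; ssh 22, http 80, https 443.
DENIED = {("tcp", 23), ("tcp", 21), ("udp", 69)}
PERMITTED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


def permit_unless_denied(conn, denied=DENIED):
    """Design policy 1: everything passes except services expressly denied."""
    return (conn.proto, conn.port) not in denied


def deny_unless_permitted(conn, permitted=PERMITTED):
    """Design policy 2: nothing passes except services expressly permitted."""
    return (conn.proto, conn.port) in permitted


def compare(conns):
    """Evaluate each connection under both policies.

    Returns {(proto, port): (policy1_allows, policy2_allows)}.
    """
    return {(c.proto, c.port): (permit_unless_denied(c), deny_unless_permitted(c))
            for c in conns}


def circumvention_gap(conns):
    """Connections that policy 1 lets through and policy 2 blocks.

    These are exactly the services the permissive policy never addressed,
    including denied services relocated to non-standard ports.
    """
    return [c for c in conns if permit_unless_denied(c) and not deny_unless_permitted(c)]


# Constructed sample traffic.
SAMPLE = [
    Connection("tcp", 80),     # web: both policies agree
    Connection("tcp", 23),     # telnet on its standard port: both deny
    Connection("tcp", 2323),   # telnet moved to a non-standard port
    Connection("udp", 5353),   # a service the policy never mentioned
]

if __name__ == "__main__":
    for key, (p1, p2) in compare(SAMPLE).items():
        print(f"{key[0]}/{key[1]:<5} permit-unless-denied={p1!s:5} deny-unless-permitted={p2!s:5}")
```

The `circumvention_gap` list is the set a firewall run under the permissive model must cover by other means, namely the regular audit and monitoring this policy requires for the academic network.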

5.6.2                      Scope

All firewalls connected to East Stroudsburg University academic networks are affected. Firewalls within DMZ areas also fall under the guidelines of the DMZ Policy.

5.6.3                      Policy

Every firewall must meet the following configuration standards:

A firewall shall be placed between the East Stroudsburg University network and the Internet to prevent untrusted networks from accessing the East Stroudsburg University network.

The firewall shall be configured to implement transparency for all outbound services. Unless explicitly denied, all inbound services shall be intercepted and processed by the firewall.

The firewall shall notify the system administrator in near-real-time of any item that may need immediate attention, such as a break-in into the network, little disk space available, or other related messages, so that immediate action can be taken.

Firewalls shall be tested off-line and the proper configuration verified.

All firewalls should fail to a configuration that allows all services.

All users who require access to Internet services must do so by using East Stroudsburg University-approved software and Internet gateways.

The firewall will be configured to allow all services not expressly denied and will be regularly audited and monitored to detect intrusions or misuse.

The firewall software will run on a dedicated computer; all non-firewall related software, such as compilers, editors, communications software, etc., will be deleted or disabled.

If available, VPN services may be enabled on the firewall, so that outbound traffic can be encrypted after it has been filtered and inbound traffic can be decrypted and, again, filtered by the firewall.

No local user accounts are configured on the firewall.

The enable password on the firewall must be kept in a secure encrypted form. The firewall must have the enable password set to the current academic router password from the router's support organization.


Disallow the following:

·         IP directed broadcasts

·         Incoming packets at the router sourced with invalid addresses, such as RFC 1918 addresses

·         TCP small services

·         UDP small services

·         All source routing

·         Traffic on the firewall’s external interfaces that appears to be coming from internal network addresses

·         Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself

·         Inbound traffic containing ICMP (Internet Control Message Protocol) traffic

·         Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic

·         Inbound or outbound traffic containing directed broadcast addresses

Access rules are to be added as security needs arise.

The firewall must be included in the East Stroudsburg University management system with a designated point of contact.

The firewall security policy shall be reviewed on a regular basis (every six months minimum) by the firewall administrator(s) and other top information (security) managers. Where requirements for network connections and services have changed, the security policy shall be updated and approved. If a change is to be made, the firewall administrator shall ensure that the change is implemented and the policy modified. The details of the East Stroudsburg University internal trusted network should not be visible from outside the firewall.

Appropriate firewall documentation will be maintained on off-line storage at all times. Such information shall include but not be limited to the network diagram, including all IP addresses of all network devices, the IP addresses of relevant hosts of the Internet Service Provider such as external news server, router, DNS server, etc., and all other configuration parameters such as packet filter rules, etc. Such documentation shall be updated any time the firewall configuration is changed.

Each firewall must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."

5.6.4                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.7                           Router Security Policy

5.7.1                      Purpose

This document describes a required minimal security configuration for all routers and switches connecting to an academic network or used in an academic capacity at or on behalf of ESU.

5.7.2                      Scope

All routers and switches connected to East Stroudsburg University academic networks are affected. Routers and switches within DMZ areas fall under the DMZ Policy.

5.7.3                      Policy

Every router must meet the following configuration standards:

No local user accounts are configured on the router.

The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current academic router password from the router's support organization.

Disallow the following:

·         IP directed broadcasts

·         Incoming packets at the router sourced with invalid addresses, such as RFC 1918 addresses

·         TCP small services

·         UDP small services

·         All source routing

·         All web services running on the router

·         SNMP management services
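
The "Disallow the following" lists here and in the Firewall Security Policy (5.6.3) share most of their items, so one added example serves both. It is written for this page and is not part of the original policy nor any vendor's configuration syntax: a packet-level ingress check that drops source-routed packets, directed broadcasts to known internal subnets, TCP/UDP small services (echo, discard, daytime, chargen), and, on the Internet-facing interface only, packets sourced from internal or RFC 1918 space, inbound ICMP, and SNMP from sources not on the authenticated management list. The interface name, the campus address ranges, the internal subnets and the management host are constructed assumptions.

```python
"""Ingress checks for the "Disallow the following" lists in sections 5.6.3 and 5.7.3.

Added example, not part of the original policy and not any vendor's
configuration syntax.  Interface names, address ranges and the management
host are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

EXTERNAL_IFACE = "outside"      # assumed name of the Internet-facing interface
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed campus address space
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.5.0/24", "10.20.6.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only external host treated as an authenticated SNMP source (assumed).
MGMT_HOSTS = {ipaddress.ip_address("203.0.113.5")}
# The classic "small services": echo, discard, daytime, chargen.
TCP_SMALL = {7, 9, 13, 19}
UDP_SMALL = {7, 9, 19}
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False  # IP source-route option present


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def ingress_verdict(pkt: Packet):
    """Return ("drop", reason) for packets the lists disallow, else ("pass", "").

    A "pass" only means the ingress filter did not object; the service-access
    policy still decides whether the service itself is allowed.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Checks that apply on any interface, inbound or outbound.
    if pkt.source_routed:
        return "drop", "source-routing"
    if any(dst == n.broadcast_address for n in INTERNAL_SUBNETS):
        return "drop", "directed-broadcast"
    if pkt.proto == "tcp" and pkt.dport in TCP_SMALL:
        return "drop", "tcp-small-services"
    if pkt.proto == "udp" and pkt.dport in UDP_SMALL:
        return "drop", "udp-small-services"

    # Checks that apply only to traffic arriving from the Internet.
    if pkt.iface == EXTERNAL_IFACE:
        if _in_any(src, INTERNAL_NETS):
            return "drop", "spoofed-internal-source"
        if _in_any(src, RFC1918) or src.is_loopback:
            return "drop", "rfc1918-source"
        if pkt.proto == "icmp":
            return "drop", "inbound-icmp"
        if pkt.proto == "udp" and pkt.dport in SNMP_PORTS and src not in MGMT_HOSTS:
            return "drop", "unauthenticated-snmp"
    return "pass", ""


def filter_packets(packets):
    """Apply ingress_verdict to a batch; returns {reason: count} of dropped packets."""
    counts = {}
    for p in packets:
        action, reason = ingress_verdict(p)
        if action == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample packets exercising each rule.
    sample = [
        Packet("outside", "192.168.1.5", "10.20.5.10", "tcp", 443),
        Packet("outside", "10.20.3.4", "10.20.5.10", "tcp", 443),
        Packet("outside", "198.51.100.7", "10.20.5.255", "udp", 53),
        Packet("outside", "198.51.100.7", "10.20.5.10", "icmp"),
        Packet("outside", "198.51.100.7", "10.20.5.10", "tcp", 443),
    ]
    for p in sample:
        print(p.iface, p.src, "->", p.dst, p.proto, p.dport, ingress_verdict(p))
```

The spoofed-internal check runs before the RFC 1918 check on purpose: the campus space is itself RFC 1918 here, and a packet claiming an internal source on the outside interface is the more specific and more serious finding to log.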


East Stroudsburg University should establish strong security measures on the border routers. These routers are the first line of defense against outside attacks.

East Stroudsburg University should not route any unnecessary LAN protocol traffic to the Internet. East Stroudsburg University should consider filtering out all but TCP/IP traffic.

East Stroudsburg University should disable web management tools on the routers. These management tools are usually based on software that must be kept current with patches, and they tend to be a frequent target for network attackers.

In the event that East Stroudsburg University would need to enable web-based management tools on the routers, East Stroudsburg University should only enable them on a per-use basis.

East Stroudsburg University should disable any unnecessary services running on their routers and switches. Some of these services may be running by default, and they are common targets for denial of service attacks.

East Stroudsburg University should also keep up with any security patches that the router and switch vendors supply.

East Stroudsburg University shall maintain a list of trusted hosts that will have telnet access to the routers. East Stroudsburg University shall deny access to all other hosts.

East Stroudsburg University should change the router and switch passwords once every year. East Stroudsburg University shall also encrypt the passwords stored in the routers.

East Stroudsburg University shall consider using network switches in place of network hubs. Network hubs forward network packets to all the ports on the hub, creating unnecessary risks for network snooping.

Routers and switches shall be maintained in areas where network administrators are the only people that have access to them.

Network switches that are located in the computer laboratories shall be placed inside metal cabinets. These cabinets shall be locked at all times.

Access rules are to be added as security needs arise.

The router must be included in the enterprise management system with a designated point of contact.

Each router must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."


5.7.4                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.8                           Server Security Policy

5.8.1                      Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by ESU. Effective implementation of this policy will minimize unauthorized access to East Stroudsburg University proprietary information and technology.

5.8.2                      Scope

This policy applies to server equipment owned and/or operated by ESU, and to servers registered under any East Stroudsburg University-owned internal network domain. This policy is specifically for equipment on the internal East Stroudsburg University network. For secure configuration of equipment external to East Stroudsburg University on the DMZ, refer to the DMZ Policy (section 5.5).

5.8.3                      Policy

5.8.3.1                Ownership and Responsibilities

All internal servers deployed at East Stroudsburg University must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Academic Computing. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Academic Computing.

Servers must be registered within the academic enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

·         Server contact(s) and location, and a backup contact

·         Hardware and Operating System/Version

·         Main functions and applications, if applicable

5.8.3.2                Information in the academic enterprise management system must be kept up to date.

5.8.3.3                Configuration changes for academic servers must follow the appropriate change management procedures.

5.8.4                      General Configuration Guidelines

 

Operating System configuration should be in accordance with approved Academic Computing guidelines.

 

Services and applications that will not be used must be disabled where practical.

 

Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.

 

The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

 

Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.

 

Always use standard security principles of least required access to perform a function.

Do not use root when a non-privileged account will do.

If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).


Servers should be physically located in an access-controlled environment.

 

Servers are specifically prohibited from operating from uncontrolled cubicle areas.

5.8.5                      Monitoring

 

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

·         All security-related logs will be kept online for a minimum of 1 week.

·         Daily incremental tape backups will be retained for at least 1 month.

·         Weekly full tape backups of logs will be retained for at least 1 month.

·         Monthly full backups will be retained for a minimum of 2 years.

Security-related events will be reported to Academic Computing, who will review logs and report incidents to the proper authorities. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

·         Port-scan attacks

·         Evidence of unauthorized access to privileged accounts

·         Anomalous occurrences that are not related to specific applications on the host

·         Theft of equipment or services

·         Denial-of-service attacks

5.8.6                      Compliance

5.8.6.1                Audits will be performed on a regular basis by authorized organizations within ESU.

5.8.6.2                Audits will be managed by the internal audit group or Academic Computing, in accordance with the Audit Policy. Academic Computing will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification.

5.8.6.3                Every effort will be made to prevent audits from causing operational failures or disruptions.

5.8.7                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

 

5.9                           Virtual Private Network (VPN) Policy

5.9.1                      Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the East Stroudsburg University corporate network.

 

5.9.2                      Scope

 

This policy applies to all East Stroudsburg University students, employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the East Stroudsburg University network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.

 

5.9.3                      Policy

Approved East Stroudsburg University students, employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.

 

It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to East Stroudsburg University internal networks.

 

VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong pass phrase.

 

When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.

 

Dual (split) tunneling is NOT permitted; only one network connection is allowed.

 

VPN gateways will be set up and managed by East Stroudsburg University network operational groups.

 

All computers connected to East Stroudsburg University internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the Academic Computing standard; this includes personal computers.

 

VPN should be implemented in a manner where VPN traffic is filtered through the firewall.

 

VPN users will be automatically disconnected from East Stroudsburg University’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

 

The VPN concentrator is limited to an absolute connection time of 24 hours.

 

Users of computers that are not East Stroudsburg University-owned equipment must configure the equipment to comply with East Stroudsburg University’s VPN and Network policies.

 

Only Academic Computing-approved VPN clients may be used.

 

By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of East Stroudsburg University’s network, and as such are subject to the same rules and regulations that apply to East Stroudsburg University-owned equipment, i.e., their machines must be configured to comply with Academic Computing Security Policies.

5.9.4                      Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.10                        Dial-In Access Policy

5.10.1                  Purpose

The purpose of this policy is to protect East Stroudsburg University’s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.

 

5.10.2                  Scope

 

The scope of this policy is to define appropriate dial-in access and its use by authorized personnel.

 

5.10.3                  Policy

 

East Stroudsburg University students, employees and authorized third parties (customers, vendors, etc.) can use dial-in connections to gain access to the corporate network. Dial-in access should be strictly controlled, using one-time password authentication.

 

It is the responsibility of students and employees with dial-in access privileges to ensure that a dial-in connection to East Stroudsburg University is not used by anyone who is not a student or employee to gain access to university information system resources. A student or employee who is granted dial-in access privileges must remain constantly aware that dial-in connections between their location and East Stroudsburg University are literal extensions of East Stroudsburg University’s academic network, and that they provide a potential path to the university's most sensitive information. The student or employee and/or authorized third party individual must take every reasonable measure to protect East Stroudsburg University’s assets.

 

Dial-in accounts should be considered 'as needed' accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account.

 

5.10.4                  Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.11                        Remote Access Policy

5.11.1                  Purpose

The purpose of this policy is to define standards for connecting to East Stroudsburg University’s network from any host. These standards are designed to minimize the potential exposure to East Stroudsburg University from damages which may result from unauthorized use of East Stroudsburg University resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical East Stroudsburg University internal systems, etc.

5.11.2                  Scope

This policy applies to all East Stroudsburg University students, employees, contractors, vendors and agents with an East Stroudsburg University-owned or personally-owned computer or workstation used to connect to the East Stroudsburg University network. This policy applies to remote access connections used to do work on behalf of ESU, including reading or sending email and viewing intranet web resources.

Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems.

5.11.3                  Policy

5.11.3.1             General

It is the responsibility of East Stroudsburg University students, employees, contractors, vendors and agents with remote access privileges to East Stroudsburg University’s academic network to ensure that their remote access connection is given the same consideration as the user's on-site connection to ESU.

 

General access to the Internet for recreational use by immediate household members through the East Stroudsburg University Network on personal computers is permitted for students and employees. The East Stroudsburg University students and employees are responsible for ensuring that any party related to them does not violate any East Stroudsburg University policies, does not perform illegal activities, and does not use the access for purposes outside the university’s academic and business interests. The East Stroudsburg University students and employees in violation will bear responsibility for the consequences should the access be misused.

 

Please review the following policies for details of protecting information when accessing the academic network via remote access methods, and acceptable use of East Stroudsburg University’s network: Acceptable Encryption Policy, Virtual Private Network (VPN) Policy, Wireless Communications Policy, and Student/Employee Usage Policy.

 

For additional information regarding East Stroudsburg University’s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., go to the Academic Computing office or the Telecommunications Office.

 

5.11.3.2             Requirements

 

Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy.

 

Remote access should be configured in a manner where network traffic is filtered through the firewall. (All external traffic must be filtered through the firewall.)

 

At no time should any East Stroudsburg University employee provide their login or email password to anyone, not even family members.

 

East Stroudsburg University employees and contractors with remote access privileges must ensure that their East Stroudsburg University-owned or personal computer or workstation, which is remotely connected to East Stroudsburg University’s academic network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

 

East Stroudsburg University students, employees and contractors with remote access privileges to East Stroudsburg University’s academic network must not use non-East Stroudsburg University email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct East Stroudsburg University business, thereby ensuring that official business is never confused with personal business.

 

Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.

 

Non-standard hardware configurations must be approved by Remote Access Services, and Academic Computing must approve security configurations for access to hardware.

 

All hosts that are connected to East Stroudsburg University internal networks via remote access technologies must use the most up-to-date anti-virus software; this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.

 

Personal equipment that is used to connect to East Stroudsburg University’s networks must meet the requirements of East Stroudsburg University-owned equipment for remote access.

 

Organizations or individuals who wish to implement non-standard Remote Access solutions to the East Stroudsburg University academic network must obtain prior approval from Remote Access Services and Academic Computing.

 

5.11.4                  Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

5.12                        Wireless Communication Policy

5.12.1                  Purpose

This policy prohibits access to East Stroudsburg University networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by Academic Computing are approved for connectivity to East Stroudsburg University’s networks.

5.12.2                  Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of East Stroudsburg University’s internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to East Stroudsburg University’s networks do not fall under the purview of this policy.

5.12.3                  Policy

To comply with this policy, wireless implementations must:

·         Maintain point-to-point hardware encryption of at least 56 bits.

·         Maintain a hardware address that can be registered and tracked, i.e., a MAC address.

·         Support strong user authentication that checks against an external database such as TACACS+, RADIUS, or something similar.

5.12.4                  Enforcement

Any user or employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and expulsion from the university, as well as legal action.

 


6.                  Account Maintenance

 

6.1                           Student Arrival Policies

When a student arrives at the university, they must go to Academic Computing before they are able to log onto the system.  The student selects their own password; their username is assigned to them based on their last name and social security number.  The password must be at least eight characters long and contain at least one digit.

 

Each student is also allotted 6 MB of storage on their account.  This storage remains untouched by Academic Computing until the student graduates.

6.2                           Student Departure Policies

When a student departs from the university, their account is cleared from the database so that the former student can no longer log into the system.

 

The 6 MB of storage that each user has allotted to them is deleted from the system.

 

6.3                           Personnel Arrival Policies

A background check should be done on an employee to ensure they don’t have a previous record of malicious acts using computers.  Academic Computing should be sure its employees would not use sensitive information or compromise the system for their own purposes.

6.4                           Personnel Departure Policies

6.4.1                      Friendly Terms

If an employee of Academic Computing leaves on friendly terms there probably is no immediate need to change all the passwords, but it should still be done as a precaution.  The system-level passwords should be changed immediately, to ensure the security of the system.

6.4.2                      Unfriendly Terms

If an employee of Academic Computing leaves on unfriendly terms, all system-level passwords on the system should be changed immediately.  This should be done as a precautionary measure in case the former employee knew some of the old passwords.  This way the former employee has no way to access the system using older information.

6.5                           Maintenance

In order to keep the system secure, passwords should not exist for extended periods of time.  A plan should be implemented that forces user-level passwords to be changed every six months.  All system-level passwords should be changed every four months.  Users also should not be allowed to change their password to the one they previously had.  The eight-character, at-least-one-digit scheme should be enforced on these new passwords.

 

The password file should not be stored in a place where general users have access to it.  If it is, the passwords should be stored in a different location that has restricted access.  Also, all passwords on the system should be encrypted while they are being stored.  Shadow passwords should also be implemented on the system to ensure the security of the passwords. 
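A checker for the password rules in this section (minimum length and digit, no reuse of the previous password, six-month user and four-month system-level expiry, stored digests only), added here as an example and not part of the ESU policy. The salted PBKDF2 digest, the function names and the sample passwords are this example's own choices; the policy itself only requires that stored passwords be encrypted.

```python
"""Password maintenance checks for the rules in section 6.5 of the ESU policy.

Added example, not part of the policy document. The salted PBKDF2 digest is this
example's own choice: the policy only requires that stored passwords be
encrypted and that a user not reuse the previous password.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 8
# Maximum password age in calendar months per account class (section 6.5).
MAX_AGE_MONTHS = {"user": 6, "system": 4}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest (example's choice, not the policy's scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_complexity(password: str) -> List[str]:
    """Return the list of complexity rules the candidate violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be at least %d characters" % MIN_LENGTH)
    if not any(ch.isdigit() for ch in password):
        problems.append("must contain at least one digit")
    return problems


def validate_change(new_password: str, salt: bytes,
                    previous_hash: Optional[bytes]) -> List[str]:
    """Complexity rules plus the no-reuse rule against the stored previous digest."""
    problems = check_complexity(new_password)
    if previous_hash is not None and hmac.compare_digest(
            hash_password(new_password, salt), previous_hash):
        problems.append("must differ from the previous password")
    return problems


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_first = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def password_expired(last_changed_iso: str, account_type: str, today_iso: str) -> bool:
    """True once a password is older than the policy allows for its account class.

    Dates are ISO strings (YYYY-MM-DD); the policy's "every six months" and
    "every four months" are read as calendar months here.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today >= add_months(last_changed, MAX_AGE_MONTHS[account_type])


if __name__ == "__main__":
    # Constructed sample data for a user-level account.
    salt = b"constructed-example-salt"
    stored = hash_password("summer2002", salt)
    print(validate_change("summer2002", salt, stored))   # reuse rejected
    print(validate_change("abcdefgh", salt, stored))     # no digit
    print(validate_change("autumn2002", salt, stored))   # [] -> acceptable
    print(password_expired("2002-03-04", "user", "2002-09-04"))    # True
    print(password_expired("2002-03-04", "system", "2002-07-03"))  # False
```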

 

Passwords should not be written down or told to other people that do not have proper authorization.  Flyers should be posted in Academic Computing and in the labs to remind users not to share their passwords with anyone.


7.                  Student Usage Policy

7.1                           Policy Version

This section of the Security Policy is excerpted from the East Stroudsburg University Computer and Network Resources Usage Policy 2002-101-A.  The Student Usage Policy 16-Jan-2002 preceded this policy.

7.2                           Purpose

The purpose of this policy is to address the acceptable use of the computer and network resources that East Stroudsburg University provides for its students, faculty, staff, and associates.

 

7.3                           Scope

This policy governs the use of all East Stroudsburg University computer facilities. This includes the use of all university computer labs and network connections. All equipment, devices, and computers connected to the network are the responsibility of the East Stroudsburg University Computing Center.

 

Persons who do not abide by the policies listed below should expect possible suspension of computer privileges and possible referral to the University Disciplinary Committee. Offenders may also be subject to criminal prosecution under federal or state law, and should expect the Academic Computing Department to pursue such action.

7.4                           Policy and Procedures

7.4.1                      Network Connectivity

The data network at East Stroudsburg University is provided in support of academic and administrative services. Any equipment connected to the network must be authorized by the Computing Center.

 

In order to protect the security and integrity of computer and network resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the Computing Center reserves the right, at its discretion, to limit, restrict, or terminate the use of equipment or services, unauthorized or authorized, that the Computing Center perceives to be an impediment or compromise to its ability to securely deliver the services for which it is responsible.

7.4.2                      Computer Lab and Network Use

The Academic Computing Department reserves the right to monitor user actions and examine all files on the lab computer hard drives and network server. The Academic Computing Department reserves the right to limit, restrict, or extend computing privileges and access to its resources. Access to East Stroudsburg University equipment by members of the East Stroudsburg University community is not a right, but a privilege.

 

The Academic Computing Department should be notified about violations of computer laws and policies, as well as about potential loopholes in the security of its computer systems and networks. The user community is expected to cooperate with the Academic Computing Department in its operation of computer systems and networks as well as in the investigation of misuse or abuse.

7.4.3                      Computer Lab Rules and Regulations

No food or drinks are allowed in the campus computer labs.

 

Physical abuse of the computer equipment is prohibited and will result in loss of computer lab privileges, University disciplinary action, and criminal prosecution.

 

Computer facilities are to be used by registered East Stroudsburg University students, faculty, and staff only.

 

The Academic Computing staff has the authority to use any equipment in the computer labs, or to request that others stop using any equipment in these labs, either temporarily or permanently.

 

Users must abide by the terms of all software licensing agreements and copyright laws.

 

Users must not attempt to modify in any way a program that Academic Computing supplies for any type of use at its sites.

 

Users must not deliberately perform acts that are wasteful of computing resources or that unfairly monopolize resources to the exclusion of others.

 

Printing of multiple copies of any documents, including resumes, theses, and dissertations, is strictly prohibited. Users are required to assist Academic Computing in the conservation of paper and printer toner by editing on screen, running spell check, and using print preview before printing a copy of the document.

 

Recreational use on lab computers is restricted to low-traffic times (late evenings and weekends).

 

Recreational use includes, but is not limited to, game playing, Internet chatting, and downloading of multimedia files.

 

Recreational users may be asked to discontinue their use to provide access for academic applications. Students needing the computers for academic purposes have priority.

 

Recreational use over modem access is absolutely forbidden.

 

Users are expected to frequently use the anti-virus program to scan media and files for viruses. It is each user's responsibility to protect his/her own media from a virus. The University is not responsible for infection of non-university software or hardware.

 

Deliberate introduction of a virus affecting the computer labs and/or network will result in suspension of computer privileges, referral to the University Disciplinary Committee and possible criminal prosecution.

 

Faculty who have scheduled a computer lab for a class have priority to the lab and may request users to leave. It is the user's responsibility to consult the schedule for open lab time. Schedules are posted outside each lab.

7.4.4                      Network Rules, Regulations, and User Guidelines

The U.S. Government provides many of the Internet resources. Abuse of the system thus becomes a Federal matter above and beyond simple professional ethics. Access to and use of the Internet is a privilege and should be treated as such by all users of the system. (Internet Activities Board 1/89)

 

Any network traffic exiting the University is subject to the acceptable use policies of the network through which it flows (SSHENET, SSHENET II, etc.), as well as to the policies listed below.

 

Sharing of network accounts for any reason is prohibited. Users must not reveal their account password to anyone. Users are responsible for any misuse of their account that is due to their own negligence. Users are responsible for reporting unauthorized use of their account to Academic Computing. Accounts cannot be transferred to or used by other individuals.

 

East Stroudsburg University reserves the right to hold a user financially responsible if, through negligence or deliberate action, its computer resources are compromised in any way by the user or someone using the user’s account.

 

Users are responsible for their files. Files are to be copied to removable media. Academic Computing is not responsible for the user’s personal files.

 

East Stroudsburg University students, faculty, staff, and administrators are considered priority users. The network administrator has the right to limit affiliated or guest network access based on priority users' needs.

 

Users must not use the Academic Computing network resources to gain or attempt to gain unauthorized access to remote computers.

 

Users must not deliberately perform an act that will seriously impact the operation of computers, terminals, peripherals, or networks. This includes, but is not limited to, tampering with components of a local area network (LAN) or the high-speed backbone network, otherwise blocking communication lines, or interfering with the operational readiness of a computer.

 

Users must not attempt to monitor another user's data communications. Users may not read, copy, change, or delete another user's files or software, without permission of the owner and Academic Computing.

 

If a computer account is being used in such a way that it causes conflicts with other machines, accounts, or people, some or all access privileges may be removed from the account.

 

Users must not harass others by sending annoying, threatening, obscene, or offensive messages; this includes sending chain letters.

 

Users are responsible for complying with all applicable laws of the United States when using the University network.

 

Users are not permitted to set up a server or use serving software without the written permission of Computing Services.

 

Use by commercial organizations for internal communications is strictly forbidden.

 

Distribution of unsolicited marketing, advertising, or personnel recruiting materials is strictly forbidden.

 

Use of the account or the network for business or commercial purposes is strictly forbidden.

 

Chain letters are strictly prohibited and should be reported to Academic Computing.

 

Bulk Mailing is strictly prohibited and should be reported to Academic Computing.

 

It is the user's responsibility, when downloading programs, to check for copyright or licensing agreements.


8.                  Personnel Policy

 

8.1                           Applicability

 

8.1.1                      This policy applies only to the staff and designated personnel of the Academic Computing Department at East Stroudsburg University.  Policies relating to the University’s faculty and other department staff are located elsewhere in this document.

 

8.2                           Purpose and Goals

 

8.2.1                      The purpose of this personnel policy is to ensure safe and secure operation and administration of the human resources involved with the Academic Computing department, from administrators to technicians.

 

8.2.2                      Information Separation

 

8.2.2.1                One common weakness found in computing centers is that the entire operation hinges on one individual, who is either the day-to-day manager of all systems or has access to all systems.  The investment of too much trust in one individual can lead to security lapses and conflicts of interest; therefore, system administration duties should be spread between different individuals.

 

8.2.3                      Redundancy

 

8.2.3.1                While the investment of too much sensitive system information in an individual can be dangerous, the absence of an administrator, even temporarily, can lead to problems in very short order.  For that reason, no individual should be the only person who can manage any particular system.  This redundancy can be achieved through implementation of an operational manual or personal training.

 

8.3                           Job Descriptions

Positions in the Academic Computing department should be well-defined, including general and specific duties, so as to avoid overlapping duties and conflicts of interest.  Descriptions are available in full from East Stroudsburg University’s Human Resources department.

8.4                           Restricted Access (Physical)

8.4.1                      All sensitive equipment must be kept accessible only to those individuals who need direct access to it.  This includes keeping the server room locked, locking wiring and switch cabinets, and distributing electronic pass keys for after-hours access to the Academic Computing offices.

 

8.5                           Restricted Access (Logical)

 

8.5.1                      All efforts shall be made to keep administration information and personal user information private, including restricted access privileges and passwords placed on certain resources.  These access controls will be implemented at the discretion of the administrator of the system in question, subject to review by the Academic Computing manager.  All passwords shall be recorded by the administrator implementing them and copied to the Academic Computing manager.  Password lists should never be distributed and passwords should only be shared on a need-to-know basis.


9.                  Penalties

9.1                           Violations and Incursions

Security violations of the policies or procedures governing proper use of East Stroudsburg University data and systems may result in revocation of access privileges. The University considers any violation of user principles or guidelines to be a serious offense and reserves the right to copy and examine any files or information resident on University systems allegedly related to inappropriate use. Any user engaged in unauthorized use, disclosure, alteration or destruction of East Stroudsburg University data or systems is in violation of this policy and will be subject to appropriate disciplinary action, including dismissal. Improper use of East Stroudsburg University data or systems may constitute violation of international, federal, state and local civil and criminal laws including, but not limited to, the Pennsylvania Government Data Practices Act, the Privacy Protection Act of 1974, the Computer Fraud and Abuse Act of 1986 and other state and federal criminal laws regarding computer crime.

9.2                           Investigation and Reporting

An individual's computer use and privileges may be suspended until an investigation is completed. Such suspected violations will be reported to the appropriate supervisors, department heads, and related East Stroudsburg University Academic Computing administration where applicable. Security violations may result in revocation of access and disciplinary action.

9.3                           Owner’s Authority


If it is suspected that the East Stroudsburg University system internal security has been compromised, East Stroudsburg University has the authority to suspend any and all users from gaining access to the East Stroudsburg University data and systems. Academic Computing is responsible for investigating and determining the level of exposure.  Academic Computing will take any appropriate action against the individual(s) involved in the violation, including prosecution to the fullest extent of the law. Academic Computing will inform the system and data owners of possible or actual exposures of the East Stroudsburg University data and/or systems. East Stroudsburg University will have the authority to take appropriate actions as needed.

 

 


10.              Privacy

 

10.1                        Data Ownership

Lab computers, servers, and network facilities are owned and operated by the East Stroudsburg University Academic Computing Department, which reserves the right to monitor any action or any record of any action that users perform while using the East Stroudsburg University academic computing system.

10.2                        Monitoring

East Stroudsburg University Academic Computing Department has the right to monitor users’ actions because these facilities are owned and operated by ESU: access to this equipment by members of the East Stroudsburg University community is not a right, but a privilege.

The East Stroudsburg University Academic Computing Department also reserves the authority to delegate the right to monitor user actions to any legitimate representative of ESU.

East Stroudsburg University has the right to look at e-mail or the content of files, but it will do this only if there is reasonable cause and proper authorization is given. East Stroudsburg University reserves the right to look at e-mail and files if evidence indicates a violation of University rules and codes or local, state or federal laws.

Computer users are prohibited from monitoring or attempting to monitor another user’s data communications, and from copying, changing, or deleting another user’s files or software without the permission of the owner.

10.3 Department Liability

East Stroudsburg University must ensure that all employees are aware and have agreed (in writing) to adhere to the Information Security Policies of the University.

East Stroudsburg University must ensure that all network users are aware and have agreed (in writing) that their actions could be monitored by the Academic Computing Department. East Stroudsburg University must ensure that all network users are reminded that their actions could be monitored by placing a banner screen on the network login screen.


East Stroudsburg University must ensure that the computer labs contain sufficient information reminding their users that their actions could be monitored by the Academic Computing Department.

East Stroudsburg University must ensure that all data is collected and used lawfully and fairly, and that collected data is used only for the purpose for which it was originally collected.

Users must be aware that electronic mail and computer files can never be fully secured. East Stroudsburg University must recommend the use of encryption software to provide a higher level of security for users’ data.


East Stroudsburg University must ensure that its users’ privacy is not violated, in order to minimize the risk of liability.


11. Definitions

ACL: Access Control List. Lists kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).

Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

ATM: Asynchronous Transfer Mode. A communications system encompassing voice, data and video traffic, with standards providing transmission speeds up to 155 Mbps.

Authentication: A system which attempts to validate the authenticity of a user.

Bandwidth: A measurement of the rate at which data can be transferred over a network.

bps: Bits per second. A measurement of bandwidth.

Bridge: A device that connects two physically distinct network segments.

Cable Modem: Cable companies provide broadband Internet access over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.

CCTV: Closed Circuit Television.

CD: Compact Disk. A standard for storing information on an optical medium.

CHAP: Challenge Handshake Authentication Protocol. An authentication method that uses a one-way hashing function.

Daemon: A process that runs in the background performing automated processing.

Dial-in Modem: A peripheral device that connects computers to each other for sending communications via telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates them back into digital signals to be read by the computer on the other end; hence the name modem, for modulator/demodulator.

DHCP: Dynamic Host Configuration Protocol. A system by which IP addresses and other network configuration information can be dynamically assigned.

DLCI: Data Link Connection Identifier. A unique number assigned to a Permanent Virtual Circuit (PVC) end point in a frame relay network. A DLCI identifies a particular PVC endpoint within a user's access channel in a frame relay network, and has local significance only to that channel.

DMZ: De-Militarized Zone. Networking that exists outside of East Stroudsburg University’s primary academic firewalls, but is still under East Stroudsburg University administrative control.

DNS: Domain Name System. The system which identifies each computer as a network node on the Internet, using an Internet protocol to translate IP numbers to domain names and vice versa.

DSL: Digital Subscriber Line. A form of high-speed Internet access that works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).

Dual Homing: Having concurrent connectivity to more than one network from a computer or network device.

Dumb Terminal: Name given to a system that is running a terminal emulation program while connected to another system.

Email: Software application that allows users to exchange messages over the Internet.

Encryption: The process of using cryptography to protect data from unauthorized access.

Ethernet: A standard for LAN communications. A method for directly connecting a computer to a network in the same physical location.

Firewall: A device that controls access between networks. A device that adds security to a network by blocking access to certain services to and from the network.

Frame Relay: A method of communication whose speed can be incrementally increased from the speed of an ISDN line to the speed of a T1 line. Frame Relay has a flat-rate billing charge instead of a per-time usage charge. Frame Relay connects via the telephone company's network.

FTP: File Transfer Protocol. A protocol which defines the method of serving and obtaining files over the Internet.

Hub: The central connecting device of a LAN. Hubs broadcast network traffic to all the ports on the hub.

Internet: Name given to the collective electronic network of computers and computer networks which are interconnected throughout the world.

Intranet: A private network using standard Internet protocols but with limited or no connectivity to the public Internet.

IP: Internet Protocol. The standard communications scheme used for Internet-connected hosts.

IPSEC: Internet Protocol Security. A set of protocols for encryption of IP traffic.

IPSec Concentrator: A device in which VPN connections are terminated.

IRC: Internet Relay Chat. A world-wide distributed live chat system.

ISDN: Integrated Services Digital Network. A digital telephone network that allows personal home computers to connect to remote networks.

ISP: Internet Service Provider. An organization that provides access to the Internet.

LAN: Local Area Network. A network contained within a single physical site.

LDAP: Lightweight Directory Access Protocol. A set of protocols for accessing information directories.

MAC Address: The low-level address assigned to a device on an Ethernet.

Module: A collection of computer language instructions grouped together either logically or physically. A module may also be called a package or a class, depending upon which computer language is used.

Multimedia: Documents which contain text, sound, graphics and video elements.

Name space: A logical area of code in which the declared symbolic names are known and outside of which these names are not visible.

Packet: A standardized unit of data transmitted over a network.

Point of Demarcation: The point at which networking responsibility transfers from a Network Support Organization to the DMZ Lab. Usually a router or firewall.

POP: Post Office Protocol. A standard for retrieving mail from a remote server.

Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Protocol: Any standard for the exchange of information. A protocol defines the specific wording and control flow for communications between programs, devices or systems.

RFC: Request For Comments. A document which defines Internet operating protocols.

RFP: Request for Proposal. A document which defines a set of hardware, software and services required from a vendor.

Router: A type of Internet device that gateways packets between two or more networks.

Segment: A physically or logically distinct section of a network.

Spam: Unauthorized and/or unsolicited electronic mass mailings.

Split-tunneling: Simultaneous direct access to a non-East Stroudsburg University network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected to East Stroudsburg University’s academic network via a VPN tunnel.

Switch: A network device that selects a path or circuit for sending a unit of data to its next destination. A device commonly used to connect the devices of a LAN.

Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.

TCP/IP: Transmission Control Protocol / Internet Protocol. A networking standard commonly used on the Internet.

Telco: Telecommunications Company. The equivalent of a service provider. Telcos offer network connectivity, e.g., T1, T3, OC3, OC12 or DSL.

Telnet: A protocol which defines a method of logging into another computer as a terminal on that computer.

User Authentication: A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.

Virus: A computer program designed to infiltrate the security controls of a computer system.

VPN: Virtual Private Network. The concept of using the Internet or other public networks as transit for private network traffic, usually in encrypted form; a method for accessing a remote network by tunneling through the Internet.

Wireless Network: A method of connecting computers into a network using infra-red, ultra-violet or radio waves.

1. Signatures

1.1 Purpose

This page contains all signatures and dates required for approval of this document, the System Security Policy of the Academic Computing Department of East Stroudsburg University. This policy is not in effect until all personnel named below have signed and dated their approval.

1.2 Manager, Academic Computing

__________________________________________________________  _____________

Name                                                                                                   Date

1.3 Director, Computing Center

__________________________________________________________  _____________

Name                                                                                                   Date

1.4 President, East Stroudsburg University

__________________________________________________________  _____________

Name                                                                                                   Date