Franklin & Marshall College

Network Security Policy

I. Information Security Policy 

Introduction

Franklin & Marshall College, like all colleges and universities, is responsible for maintaining the integrity of a wealth of personal, sensitive, and confidential information collected during the course of normal business operations. Financial, medical, and academic records include details such as social security numbers, bank accounts, and credit card numbers, details that are protected by federal and state laws, industry regulations, and contractual obligations. The exposure of such sensitive information could cause irreparable harm to the College or to individual members of this community. Therefore, it is imperative that all members of the College community work diligently to protect the information to which they are granted access.

This information security policy is not intended to impede the fundamental teaching or research missions of the College; rather, we aim to balance information security with community members’ needs to conduct their work. Should any aspects of the information security policy obstruct teaching, learning, academic freedom, or research endeavors, appropriate provisions will be made to allow these essential functions to proceed in a secure manner.

Scope

The Franklin & Marshall College (F&M) Information Security Policy provides the administration with direction and support, establishes an implementation framework for security, and ensures compliance with information security requirements within F&M. At its discretion, the College Information Technology Committee reserves the right to modify this policy at any point in time. Currently the following components comprise the Information Security Policy:

  • Acceptable Use Policy
  • Access Control Policy
  • Anti-Virus Protection Policy
  • Network Security Policy
  • Password Policy
  • Wireless Network Policy
  • Exceptions to Policy

Audience

This policy applies to all members of the F&M community, which includes but is not limited to employees, students, alumni, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as “users”), who have access to, support, administer, manage, or maintain F&M information assets.  “Information assets” are defined as the computers, communications facilities, networks, data, and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications, and procedures for their operation, use and maintenance.

Policy Maintenance

The College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.

Policy Statement

The Information Security Policy provides a proper strategic direction to demonstrate the importance of information security to the F&M community. This direction will be propagated, maintained, and adopted by F&M. The College Information Technology Committee and the College's Senior Staff have approved and endorsed this Information Security Policy. The Vice President for Finance and Administration and the Associate Vice President for Information Technology are responsible for enforcement and evaluation of the Information Security Policy.

II. Exceptions to Policy

Scope

This policy defines the procedures that will be followed by College personnel to identify any exceptions to policies that must occur in order to successfully complete college operations. It outlines the documentation that must be completed as well as the approvals that must occur before the exception to policy will be allowed.

Exceptions to Policy Statement

In instances where there is a justifiable need to perform actions that conflict with F&M policy standards, management will consider providing a waiver for these exceptions. F&M recognizes that policies cannot be created and enforced that address 100% of all community issues. Exceptions are designed to facilitate new F&M needs, or to address areas where technological changes are not addressed by current policies. However, it remains the responsibility of management to understand and mitigate the risks an exception introduces.

Any exceptions will be reviewed on a periodic basis dependent on the level of risk involved in the exception and the level of mitigating controls implemented to manage the risk of the exception.

Guidelines

Requests for exceptions to policies must have a justifiable reason documented and must have the necessary approvals to be considered valid. Exceptions must be approved and signed by the Information Owner, Information Security Officer, and by the Chief Information Officer. Once approved, exceptions to policy will be valid for a period of one year at which time the exception must be re-evaluated and re-approved.

III. Network Security Policy 

Scope

This policy defines the requirements for network security at Franklin & Marshall (F&M). At its discretion, the College Information Technology Committee (CITC) reserves the right to modify the scope of this policy at any point in time.

Information security requires the participation and support from all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available.

Audience

This policy applies to all members of the F&M community, which includes, but is not limited to employees, students, alumni, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as “users”), who have access to, support, administer, manage, or maintain F&M information assets.

Policy Maintenance

The College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.

Policy Statement

Strong network security is essential to an effective information security program. Network security controls should be implemented and maintained to ensure a secure computing environment that strives to maintain the confidentiality, integrity, and availability of F&M information assets.

Network Security Guidelines for users of the F&M Network

Remote Access for Users

Remote Access by virtual private network (VPN) is permitted for current faculty, staff and students, and only through a VPN system approved and maintained by the IT department. Systems providing remote access to F&M information assets that contain sensitive and confidential data must use authentication and encryption. Remote users accessing information assets that store, process, or transmit cardholder data must use two-factor authentication for access, i.e. at least two of the following: something you know (username/password), something you have (secure ID token), or something you are (biometrics). Exceptions to the above stated procedures will be reviewed and granted according to the Exceptions to Policy section of the Information Security Policy.

Remote Access for Research Collaborators

Faculty and staff increasingly collaborate with research colleagues at other institutions, and occasionally these collaborations require access to departmental servers. Remote Access by virtual private network (VPN) may be requested for research collaborations on a case-by-case basis. After the IT Security Group (CIO, Chair of CITC, Coordinator of Access and Security, Shared Chief Information Security Officer) evaluates the risk associated with opening the firewall and deems that risk acceptable, access is approved and connections are established in partnership with Information Technology Services and the requesting department.

Remote Access for Vendors

Remote Access by virtual private network (VPN) is permitted for vendors, on a case-by-case basis, where the vendor needs to maintain software or equipment on the F&M network. Access is approved by the IT Security Group and only through a VPN system approved and maintained by the IT department. Maintenance ports and modems should be disabled until they are required for use. If a vendor requires access for maintenance purposes, their activity must be monitored and logged, and the opened ports must be disabled upon completion.

Guest Network Access

In order to use the F&M wireless network, it is necessary to register your computer and submit to a scan for known security vulnerabilities. Users who do not have an F&M NetID will be considered "wireless guests" and must be sponsored by an F&M professional staff member or faculty member. Wireless guests, unlike users who have an F&M NetID, will be required to identify themselves by name when registering a device, and their access will be restricted to the public Internet for a limited period of time.

Network Security Guidelines for Information Technology Staff

Current Network Diagram

A network diagram documenting all connections to confidential data, including any wireless connections, should exist and be kept current by the Network Infrastructure & Systems Staff. Any major modifications or changes to the network should be reflected in the network diagram in a timely manner. The network diagram should be reviewed on a semi-annual basis to ensure that it accurately reflects the current network infrastructure. All reviews of the network diagram should include management approval and be retained.

Network Controls

All F&M network connections to public networks (i.e. the Internet) should be firewalled to prevent unauthorized entry to the F&M campus network. A firewall should also be placed between any Demilitarized Zone (DMZ) and the F&M campus network. Only connections originating from within the F&M network are allowed through the firewall; all direct connections to campus machines will be denied by default. Some inbound traffic may be necessary for connections that originate outside F&M due to technical requirements. These connections should be addressed on a service-by-service basis and should be approved by the IT Security Group (CIO, Chair of CITC, Coordinator of Access and Security, Shared Chief Information Security Officer). Reviews of firewall and router rule sets must be completed on a quarterly basis and documented accordingly with management sign-off.

Configuration Standard

A configuration standard should exist for both firewalls and networking devices. All F&M network connections to public networks (i.e. the Internet) must be configured using a firewall design approved by the IT Security Group. The standard must be applied to any new firewall or networking device prior to deploying it into the production environment. A formal process that requires management approval and testing of all external network connections and of all changes to the firewall configuration by the Network Infrastructure & Systems Staff must exist. All testing and management approval documentation must be retained.

Network Segmentation

Fully unrestricted connections between different networks are not allowed. Separation of networks, dependent on information class, must be implemented to increase the level of security provided while processing, transmitting, or storing sensitive and/or confidential data. Where technically feasible, strict routing architectures must be used to limit remote access to specific, necessary points in the network.

Connected Entities

The F&M IT Security Group must approve all external connections. A formal process must exist for connecting and disconnecting entities (i.e. business partners, service vendors, etc.), and a current list of connected entities must be maintained. Prior to connecting an entity, due diligence must be performed, and the process must include verification that each entity is in compliance with all of F&M's Legal and Regulatory Guidelines.

Inbound Connections

All inbound connections from external organizations must be limited to specific hosts and specific applications on these hosts. If possible, these specific hosts and applications must be physically or logically segmented from production F&M networks. External parties are not permitted unlimited access to the F&M computers or networks.
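As an added illustration, not the College's own configuration, the Network Controls, Network Segmentation and Inbound Connections requirements above expressed as an nftables ruleset: connections that originate inside may leave and their replies return, inbound connections are denied by default, the DMZ is firewalled from campus, and each approved inbound service is a single rule limited to one host and port. Interface names, addresses and the approval reference in the comment are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Illustrative border firewall (added example; placeholder names/addresses).

flush ruleset

define WAN        = eth0              # placeholder: link to the Internet
define CAMPUS     = eth1              # placeholder: campus network
define DMZ        = eth2              # placeholder: DMZ network
define DMZ_WEB    = 192.0.2.10        # placeholder: the one approved DMZ host

table inet border {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that originated inside (campus or DMZ).
        ct state established,related accept
        ct state invalid drop

        # Campus may initiate connections to the Internet and to the DMZ.
        iifname $CAMPUS oifname $WAN accept
        iifname $CAMPUS oifname $DMZ accept

        # DMZ may initiate connections to the Internet, never into campus
        # (segmentation: the DMZ is a lower information class than campus).
        iifname $DMZ oifname $WAN accept
        iifname $DMZ oifname $CAMPUS drop

        # Service-by-service inbound exceptions: one rule per approved
        # service, pinned to a specific host and port, with the IT Security
        # Group approval reference recorded in the rule comment.
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept comment "placeholder: ITSG approval ref, HTTP/HTTPS to DMZ web host"

        # Any other inbound attempt falls through to the drop policy; log it
        # so the quarterly rule-set review has evidence of what was refused.
        iifname $WAN log prefix "border-drop: " drop
    }
}
```

Load with `nft -f <file>` on a Linux router; the rule comment is where a reviewer can tie each exception back to its approval record during the quarterly rule-set review.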

Network Access Points

All access points into F&M's environment must be assessed and approved by Information Technology Services (ITS) and the IT Security Group. The use of non-authorized wireless access points, routers, modems, or remote access solutions is strictly forbidden and a violation of the F&M Information Security Policy. Therefore, no unauthorized access points or remote access software may be used without the express written consent of ITS and the IT Security Group. The IT Security Group must frequently perform network security assessments to ensure that only approved access points into F&M's environment exist. Any access points found to be in violation of the F&M Information Security Policy must be removed from the network immediately. At the discretion of the IT Security Group and the CIO, appropriate disciplinary action may be taken against the individuals responsible for rogue network access points.


Last Reviewed: 17 September 2013