Network Security Policy

Scope

This policy defines the requirements for network security at Franklin & Marshall (F&M). At its discretion, the College Information Technology Committee (CITC) reserves the right to modify the scope of this policy at any point in time.

Information security requires participation and support from all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available.

Audience

This policy applies to all members of the F&M community, which includes, but is not limited to, employees, students, alumni, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as “users”), who have access to, support, administer, manage, or maintain F&M information assets.

Policy Maintenance

The College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.

Policy Statement

Strong network security is essential to an effective information security program. Network security controls should be implemented and maintained to ensure a secure computing environment that strives to maintain the confidentiality, integrity, and availability of F&M information assets.

Inbound Connections

Unsolicited, inbound connections to systems providing services on the Franklin & Marshall network shall be limited to those systems which are used by the public at large (e.g. public web servers) or by currently enrolled students (course management, email, student portal, etc.). Direct connections from untrusted networks to systems outside of the campus data center or systems not managed, maintained, or contracted by Information Technology Services are not permitted. Systems which provide administrative functionality that supports the business and operational needs of the College shall not be directly connected to the internet. Administrative systems can be accessed only from designated portions of the on-campus network, or remotely through a virtual private network (VPN) connection.

Perimeter Security

All connections which flow between the campus network and the Internet are inspected by intrusion detection and intrusion prevention systems in order to detect and mitigate cyber attacks, virus outbreaks, and other attacks.  

Remote Access for Users

Remote access to the campus network by way of a virtual private network (VPN) connection is available to current students, faculty, and professional staff of the College. Members of the College community may not install or use any other remote-access or screen-sharing technology without the express permission of the Chief Information Officer and the Chief Information Security Officer. Exceptions to the above-stated procedures will be reviewed and granted according to the exceptions to policy section of the Information Security Policy.

Remote Access for Vendors

Remote access by virtual private network (VPN) is permitted for vendors, on a case-by-case basis, where the vendor needs to maintain software or equipment on the F&M network. Access is approved by the Chief Information Officer (CIO) or the Chief Information Security Officer, and only through technology approved and maintained by the IT department.

Guest Network Access

A guest wireless network is provided for use by visitors to our campus.  This network provides internet access only and does not provide access to any on-campus resources beyond what is available directly from the internet.  Guests with a demonstrated need to access additional on-campus resources will be treated as vendors and granted temporary credentials and access in accordance with the vendor procedures outlined above.   

--------

Policy Maintained by: Information Technology Services, Associate Vice President and Chief Information Officer

Last Reviewed: 9 February 2017