Printed on: 06/14/2021. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnesota Appendix

Network Management Standard

Appendix to Policy

Objective

To ensure the availability of the University network and to protect information security for networked services and systems, access must be controlled to the University network (both wired and wireless), including local area networks (LANs) and external network services.

Security Controls

Type of network extensions allowed

The following table defines the type of network extensions permitted on the University Network.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| NM.A.01 | Do not allow locally-managed networks, defined by agreed-upon Network Hand-Off points | Required | Recommended | Recommended |
| NM.A.02 | Do not allow masking IP address (e.g., Network Address Translation (NAT)) | Required | Required | Required |

Network controls

The following table defines baseline network security controls for the University network (both wired and WiFi) and local area network (LAN).

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| NM.B.01 | Obtain from and periodically review with Data Network Services the approval to connect the University network to third-party networks (suggest: annual review) | Required | Required | Required |
| NM.B.02 | Obtain from and periodically review with Data Network Services the approval to extend the network or expand beyond the network hand-off point for their unit (suggest: annual review) | Required | Required | Required |
| NM.B.03 | Document responsibility for the network at the hand-off point | Required | Required | Required |
| NM.B.04 | Review and update network map and network diagrams (suggest: annual) | Required (Effective July 2019) | Recommended | Recommended |
| NM.B.05 | Segment networks according to the security level and/or data classification [1] | Required | Recommended | Recommended |
| NM.B.06 | For Wi-Fi networks: Use industry standard strong encryption for transmitting authentication information and data | Required | Required | Recommended |
| NM.B.06 | For wired networks: Use industry standard strong encryption for transmitting authentication information and data | Required (Effective July 2019) | Required (Effective July 2019) | Recommended |
| NM.B.07 | Maintain logs to identify devices and users that connect to the network | Required | Required | Required |
| NM.B.08 | For Wi-Fi networks: Detect and mitigate unauthorized network extensions | Required | Required (Effective July 2019) | Recommended |
| NM.B.08 | For wired networks: Detect and mitigate unauthorized network extensions | Required | Required | Recommended |
| NM.B.09 | Use University approved network security technology [2] | Required | Required | Optional |
| NM.B.10 | Authenticate access to WiFi network | Required | Required | Required (Effective July 2019) |
| NM.B.11 | Periodically review network access controls that are in use (suggest: annual) | Required | Required | Required |

[1] PCI DSS requires additional network segmentation for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

[2] PCI DSS requires the use of network based intrusion detection and/or prevention technology for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

Configuration

The following table defines the baseline security controls for configuring network infrastructure and systems.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| NM.C.01 | Implement one primary function per server, container, or virtual system component to prevent different security levels co-existing on the same system | Required (Effective July 2019) | Recommended | Recommended |
| NM.C.02 | Use University provided common good network services (e.g., DNS, DHCP, NTP) | Required (Effective July 2019) | Required (Effective July 2019) | Required (Effective July 2019) |
| NM.C.03 | Use industry-accepted system hardening standards (e.g., CIS, NIST) | Required (Effective July 2019) | Required (Effective July 2019) | Recommended |
| NM.C.04 | Remove vendor or open source community software when the vendor or open source community no longer develops security patches | Required | Required | Required |
| NM.C.05 | Enable only necessary services, protocols, daemons, etc. for the function or management of the system | Required (Effective July 2019) | Required (Effective July 2019) | Required (Effective July 2019) |
| NM.C.06 | Implement additional security features for any required services, protocols, or daemons that are considered insecure (e.g., ftp, telnet, pop3, imap, snmp v1 & 2) | Required (Effective July 2019) | Required (Effective July 2019) | Recommended |
| NM.C.07 | Remove or disable unnecessary functionality (e.g., scripts, applications, drivers, features, subsystems, file systems) | Required (Effective July 2019) | Recommended | Recommended |
| NM.C.08 | Enable logging | Required | Required | Required |
| NM.C.09 | Apply and periodically review configuration hardening settings (e.g., router, switch, firewall, NTP, DNS, DHCP, VPN) (suggest: annual) | Required | Required | Recommended |

Systems to locate behind a Network Firewall

The following table defines the network and telecommunications IT Resources that need to be located behind a University approved network firewall.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| NM.D.01 | Network and telecommunications systems | Required (Effective July 2019) | Required (Effective July 2019) | Recommended |

Backup & Recovery of Software and System Configurations

The following table defines baseline security controls for backup and recovery of software/applications and system configurations for network devices.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| NM.E.01 | Back up software and system configurations for continuity | Required | Required | Recommended |
| NM.E.02 | Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of the backup, physical storage, access to backups, and backup testing (suggest annual) | Required | Required | Recommended |
| NM.E.03 | Test for a successful backup and restoration following documented procedures (suggest: annual) | Required | Required | Recommended |

Systems to locate in a Protected Facility

The following table defines IT Resources that need to be located in a University approved protected facility (e.g., data center, telecommunications room/closet).

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| NM.F.01 | Servers providing or supporting network services (e.g., DNS, DHCP, bastions) | Required | Required | Required (Effective July 2019) |
| NM.F.02 | Network and telecommunications infrastructure [1] | Required | Required | Required (Effective July 2019) |

[1] Need to detect physical tampering on devices (e.g., WiFi) where it is not feasible to locate in a protected facility.

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

December 2014

Last Reviewed

April 2019

Document Feedback

Information Technology