Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
- Type of network extensions allowed
- Network controls
- Configuration
- Systems to locate behind a Network Firewall
- Backup & Recovery of Software and System Configurations
- Systems to locate in a Protected Facility
Objective
To ensure the availability of the University network and to protect information security for networked services and systems, access must be controlled to the University network (both wired and wireless), including local area networks (LANs) and external network services.
Security Controls
Type of network extensions allowed
The following table defines the type of network extensions permitted on the University Network.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| NM.A.01 | Do not allow locally-managed networks, defined by agreed-upon Network Hand-Off points | Required | Recommended | Recommended |
| NM.A.02 | Do not allow masking IP address (e.g., Network Address Translation (NAT)) | Required | Required | Required |
Network controls
The following table defines baseline network security controls for the University network (both wired and WiFi) and local area network (LAN).
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| NM.B.01 | Obtain from and periodically review with Data Network Services the approval to connect the University network to third-party networks (suggest: annual review) | Required | Required | Required |
| NM.B.02 | Obtain from and periodically review with Data Network Services the approval to extend the network or expand beyond the network hand-off point for their unit (suggest: annual review) | Required | Required | Required |
| NM.B.03 | Document responsibility for the network at the hand-off point | Required | Required | Required |
| NM.B.04 | Review and update network map and network diagrams (suggest: annual) | Required Effective July 2019 |
Recommended | Recommended |
| NM.B.05 | Segment networks according to the security level and/or data classification1 | Required | Recommended | Recommended |
| NM.B.06 | For Wi-Fi networks: Use industry standard strong encryption for transmitting authentication information and data | Required | Required | Recommended |
| NM.B.06 | For wired networks: Use industry standard strong encryption for transmitting authentication information and data | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| NM.B.07 | Maintain logs to identify devices and users that connect to the network | Required | Required | Required |
| NM.B.08 | For Wi-Fi networks: Detect and mitigate unauthorized network extensions | Required | Required Effective July 2019 |
Recommended |
| NM.B.08 | For wired networks: Detect and mitigate unauthorized network extensions | Required | Required | Recommended |
| NM.B.09 | Use University approved network security technology2 | Required | Required | Optional |
| NM.B.10 | Authenticate access to WiFi network | Required | Required | Required Effective July 2019 |
| NM.B.11 | Periodically review network access controls that are in use (suggest: annual) | Required | Required | Required |
1PCI DSS requires additional network segmentation for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
2PCI DSS requires the use of network based intrusion detection and/or prevention technology for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Configuration
The following table defines the baseline security controls for configuring network infrastructure and systems.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| NM.C.01 | Implement one primary function per server, container, or virtual system component to prevent different security levels co-existing on the same system | Required Effective July 2019 |
Recommended | Recommended |
| NM.C.02 | Use University provided common good network services (e.g., DNS, DHCP, NTP) | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| NM.C.03 | Use industry-accepted system hardening standards (e.g., CIS, NIST) | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| NM.C.04 | Remove vendor or open source community software when the vendor or open source community no longer develops security patches | Required | Required | Required |
| NM.C.05 | Enable only necessary services, protocols, daemons, etc. for the function or management of the system | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| NM.C.06 | Implement additional security features for any required services, protocols, or daemons that are considered insecure (e.g., ftp, telnet, pop3, imap, snmp v1 & 2) | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| NM.C.07 | Remove or disable unnecessary functionality (e.g., scripts, applications, drivers, features, subsystems, file systems) | Required Effective July 2019 |
Recommended | Recommended |
| NM.C.08 | Enable logging | Required | Required | Required |
| NM.C.09 | Apply and periodically review configuration hardening settings (e.g., router, switch, firewall, NTP , DNS, DHCP, VPN) (suggest: annual) | Required | Required | Recommended |
Systems to locate behind a Network Firewall
The following table defines the network and telecommunications IT Resources that need to be located behind a University approved network firewall.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| NM.D.01 | Network and telecommunications systems | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
Backup & Recovery of Software and System Configurations
The following table defines baseline security controls for backup and recovery of software/applications and system configurations for network devices.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| NM.E.01 | Back up software and system configurations for continuity | Required | Required | Recommended |
| NM.E.02 | Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of the backup, physical storage, access to backups, and backup testing (suggest annual) | Required | Required | Recommended |
| NM.E.03 | Test for a successful backup and restoration following documented procedures (suggest: annual) | Required | Required | Recommended |
Systems to locate in a Protected Facility
The following table defines IT Resources that need to be located in a University approved protected facility (e.g., data center, telecommunications room/closet).
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| NM.F.01 | Servers providing or supporting network services (e.g., DNS, DHCP, bastions) | Required | Required | Required Effective July 2019 |
| NM.F.02 | Network and telecommunications infrastructure1 | Required | Required | Required Effective July 2019 |
1Need to detect physical tampering on devices (e.g., WiFi) where it is not feasible to locate in a protected facility.
Resources Covered
This applies to IT resources owned or contracted by the University.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Network Management
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to network management.
Published Date
December 2014
Last Reviewed
April 2019