|
Responsible Office: Office of Cybersecurity |
Last Review: 03/01/2025 Next Review: 03/01/2027 |
|
Contact: Chris Madeksho |
Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
To specify the authority for the University of Tennessee (UTHSC) network infrastructure access, implementation, maintenance, operations, and change in the UTHSC network infrastructure.
Scope
This Standard applies to all UTHSC members of the UTHSC Community and others using UTHSC network services.
Network – Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
Responsibilities
The Executive Leadership of ITS approves Network Service Providers. It is the responsibility of the Network Service Provider to provide network services that exceed or meet the security requirements of the UTHSC Information Security Program.
Network Services provided by external entities (contracted Network Service Providers) must be formalized via an executed contract and/or service level agreement that includes security requirements that exceed or meet those of the UTHSC Information Security Program.
Standard
- Formally approved Network Service Providers and approved IT Staff are the only entities in UTHSC authorized to:
- Implement, change, remove, monitor, and operate the UTHSC network infrastructure. This encompasses any and all essential network devices and components such as, but not limited to, cabling, hubs, switches, routers, network firewalls, intrusion detection and prevention devices, and wireless access points.
- Offer alternate methods of network access, access to network resources, and virtual private networks (VPNs).
- Offer or delegate network infrastructure services such as, but not limited to, DHCP and DNS.
- Assign and manage the network Internet Protocol (IP) address space.
- Monitor, analyze, and manage the security, utilization, and traffic patterns of the UTHSC network and network resources.
- Use tools to capture network traffic for diagnostic purposes.
- Inspect network traffic to confirm malicious or unauthorized activity that may harm the UTHSC network or devices connected to the network. Such activity shall be limited to the least perusal of contents required to resolve the situation. User consent is not required for these routine monitoring practices.
- Block and/or modify any network traffic deemed problematic or malicious affection of the integrity, availability, and confidentiality of the UTHSC network.
- All network-connected equipment must be configured to a specification consistent with Network Service Provider requirements.
- All hardware connected to the network is subject to Network Service Provider network management and monitoring standards.
- The network infrastructure supports a well-defined set of approved networking protocols.
- All access to the UTHSC network must be authenticated.
- No unsecured access points are allowed on the UTHSC network.
- Vendor access to network resources must be coordinated with the network service provider in collaboration with the Office of Cybersecurity.
- Exceptions to this practice should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls.
- Failure to comply with this policy could result in loss of network access by the offending device and/or disciplinary action for the offender(s).
Policy History
| Version # | Effective Date |
| 1 | 03/17/2016 |
| 2 | 04/14/2020 |
| 3 | 05/17/2022 |
| 4 | 02/27/2023 |
| 5 | 03/01/2025 – new naming convention |
References
- UTHSC Information Security Program
- IT4912-Information Technology Security Configuration Management
- UT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls
- NIST Glossary of Terms
Downloadable PDF
