SC-001 – Network Security

Responsible Office: Office of Cybersecurity

Last Review: 04/14/2020

Next Review: 04/14/2022

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To specify the authority for access to, and the implementation, maintenance, operation, and change of, the UTHSC network infrastructure.

Scope

This Standard applies to all members of the UTHSC Community and others making use of UTHSC network services.

Responsibilities

The Vice Chancellor for Information Technology/CIO approves Network Service Providers.

It is the responsibility of the Network Service Provider to provide network services that meet or exceed the security requirements of the UTHSC Information Security Program.

Network Services provided by external entities (contracted Network Service Providers) must be formalized via an executed contract and/or service level agreement that includes security requirements that meet or exceed those of the UTHSC Information Security Program.

Standard

  1. Formally approved Network Service Providers and approved IT Staff are the only entities in UTHSC authorized to:
    1. Implement, change, remove, monitor, and operate UTHSC network infrastructure. This encompasses any and all essential network devices and components such as, but not limited to, cabling, hubs, switches, routers, network firewalls, intrusion detection and prevention devices, and wireless access points.
    2. Offer alternate methods of network access, access to network resources, and virtual private networks (VPNs).
    3. Offer or delegate network infrastructure services such as, but not limited to, DHCP and DNS.
    4. Assign and manage the network Internet Protocol (IP) address space.
    5. Monitor, analyze, and manage the security, utilization, and traffic patterns of the UTHSC network and network resources.
    6. Use tools to capture network traffic for diagnostic purposes.
    7. Inspect network traffic to confirm malicious or unauthorized activity that may harm the UTHSC network or devices connected to the network. Such activity shall be limited to the least perusal of contents required to resolve the situation. User consent is not required for these routine monitoring practices.
    8. Block and/or modify any network traffic deemed problematic or malicious, affecting the integrity, availability, and confidentiality of the UTHSC network.
  2. All network-connected equipment must be configured to a specification consistent with Network Service Provider requirements.
  3. All hardware connected to the network is subject to Network Service Provider network management and monitoring standards.
  4. The network infrastructure supports a well-defined set of approved networking protocols.
  5. All access to the UTHSC network must be authenticated.
  6. No unsecured access points are allowed on the UTHSC network.
  7. Vendor access to network resources must be coordinated with the network service provider in collaboration with the Information Security Team.
  8. Failure to comply with this policy could result in loss of network access by the offending device and/or disciplinary action for the offender(s).

References

  1. UTHSC Information Security Program
  2. UT Policy IT0120 Secure Network Infrastructure