SC-002 – System and Communication Protections

Responsible Office: Office of Cybersecurity

Last Review: 03/27/2020

Next Review: 03/27/2022

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

This standard establishes the system and communications protection for information systems supporting the UTHSC Computing and Communication environment.

Scope

This Standard applies to the security of UTHSC IT Resources in the form of electronic communications, stored data, and electronic communications resources used to transmit, store, and process such data.

Standard

  1. UTHSC will protect the confidentiality, integrity, and availability of UTHSC IT Resources including data residing within these UTHSC IT Resources and the communications among these UTHSC IT Resources and with systems external to the UTHSC.
  2. User functionality (including user interface services) shall be separated from information system management functionality in its systems.
  3. Unauthorized and unintended information transfer via shared system resources shall be prevented.
  4. UTHSC shall take preventive measures to protect against or limit the effects of denial-of-service attacks.
  5. UTHSC shall implement boundary protection. This protection shall address the external boundary as well as key internal boundaries, which shall be identified in the system security plan.
  6. Publicly accessible UTHSC IT Resources are to be located on separate sub-networks from internal networks.
  7. There will be no public access to the UTHSC internal network.
  8. Interfaces, interconnects, and their protection mechanisms to external networks shall be managed, monitored, and documented.
  9. The number of external network connections shall be limited.
  10. By default, the principle to deny traffic shall be implemented.
  11. UTHSC shall terminate network connections at the end of the session or after a period of inactivity for remote sessions.
  12. The integrity and confidentiality of UTHSC data and information with a classification ranking of 3 in any area shall be protected during transmission with encryption that meets the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation.
  13. UTHSC shall provide Domain Name System (DNS) services that:
  14. Use encryption of all DNS services, when supported.
  15. Process name/address resolution requests from internal clients only with internal DNS servers.
  16. Process name/address resolution information requests from external clients only with external DNS servers.
  17. Provide fault-tolerant name/address resolution service for all information systems.
  18. Provide mechanisms to protect the authenticity of communications sessions.
  19. Failure to comply with these standards may result in a loss of access or other disciplinary actions, up to and including termination.

References

  1. UTSA IT Policy [IT0135] System and Information Integrity
  2. GP-002-Data & System Classification
  3. Human Resources Policy 0525
  4. National Institute of Standards and Technology (NIST) publication FIPS 140-2

Version: 5 // Effective: 03/17/2018