This guideline covers the security of the network on the Danforth Campus of Washington University in St. Louis.
Washington University is committed to conducting business in compliance with all applicable laws, regulations and Washington University policies. The university has adopted this guideline to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
This guideline and associated guidance are meant to provide to the computing community of Washington University directives to help ensure the protection and the privacy of information, protection of information against unauthorized modification or disclosure, protection of systems against denial of service, and protection of systems against unauthorized access. It is intended to protect the integrity of the private network and mitigate the risks and losses associated with external and internal threats.
- To ensure the Washington University network has appropriate security and capability
- To ensure applicable federal and organizational policies, mandates, etc. are applied and adhered to
- Security controls are effective, based on a cost benefit assessment, and meet the intent of applicable regulations and university policies
- To provide accountability within the network and other computing resources in which individuals have access
- To give network managers, engineers, and technicians guidance for implementing, maintaining and operating the university’s network in a secure manner
- Ensure that all critical functions of the university’s network have documented operational processes and disaster recovery plans to provide continuity of operation
- To maintain confidentiality, integrity and availability (CIA) of the information at Washington University
All network assets, service and operating personnel that comprise the network. This includes network infrastructure components, network management and service systems, and employees.
The network shall, with exceptions noted and approved by the Network Security Office (NSO), follow the guidance outlined in Washington University Information Security Policy.
External connections provide authenticated and authorized access into the university network through the NSO-approved remote access technologies. These connections shall follow best practices for implementation. The appropriate security controls shall be put in place based on a risk assessment. If information using these connections is classified as protected then the confidentiality and integrity of the information shall also be in place. Controls shall also be implemented to restrict network access to those who have affiliations with the university only.
Backdoors circumvent/bypass external connections and are often unauthorized. These connections shall be approved by the NSO and have a legitimate business purpose. The appropriate security controls shall be put in place based on a risk assessment. If information using these connections is classified as protected, and occurs over unprotected or public networks, then the confidentiality and integrity of the information needs to be protected with encryption.
Architecture and Design
Network design shall incorporate technologies that facilitate the addition of security controls. It should ensure, or enhance, the CIA of electronic information.
The core network shall be centrally managed to ensure the CIA of electronic information. Network managers and operators shall be given the authority to remove, revoke and implement measures to protect the network from unacceptable use.
Auditing by internal and/or external organizations along with network vulnerability assessments will periodically be conducted to determine risk of: availability, unauthorized access, exposure of protected information and regulatory violations.
Users of the network shall abide by the university’s acceptable use policy (AUP). Abuses of these policies will result in disciplinary measures and/or discontinued use of the network.
Controls shall be put in place to prohibit network activities that threaten business use and put protected information at risk.
Operation, Administration, Maintenance and Provisioning (OAM&P)
The network shall have an operations center for operation, administration, maintenance and provisioning (OAM&P) of the network. Capabilities of the operations center shall include monitoring of network and security events, a call and support center, and industry-best standard operating procedures (SOP) and processes.
There shall be a change control process in place to manage OAM&P tasks within the network.
Updated April 1, 2013