POLICY TITLE: Network Citizenship Policy
POLICY #: IT - 08
DATE DRAFTED: 11/04/01
DATE POSTED
APPROVED DATE: 04/04/02
REVISION DATE: 08/19/04 (Version 2 Revision)
BRIEF DESCRIPTION: Any computer or device physically connected to or accessing the University telecommunications network must be secured using baseline security standards to minimize disruptions to the operation of the network.
The University of Iowa relies heavily on computers to meet its operational, financial, and information requirements. Network connectivity provides important functionality for these computing uses. In order to protect that functionality, it’s important that persons owning, or overseeing the use of, devices connecting to the network assume responsibility for securing these devices to ensure that they don’t disrupt the operation of the campus network.
This policy governs all devices that are connected to the campus network. Systems that are not properly managed can become a threat to the operation of the network. The responsibility for the security and integrity of the devices connected to the campus network initially rests with the person who connects the device to the network. Thereafter, the primary user of a computer has first responsibility, and whoever provides IT support has secondary responsibility, followed by the department housed in the physical space the computer occupies. Technical staff who manage multi-user shared resources will have primary responsibility for them. Faculty, staff, students, and other individuals who have devices connected to the network, even if the devices are not owned by the University, as well as persons who have authorized the purchase of vendor operated and managed systems, are included as “system administrators” for the purpose of this policy.
The network citizenship policy is intended to protect the integrity of the campus network and to mitigate the risk and losses associated with threats to the campus network and networked resources. System administrators and users must:
- Follow University of Iowa Baseline Security Standards for securing network attached devices in order to ensure that key security vulnerabilities are addressed. Key vulnerabilities will change over time as new threats and risks emerge. Security standards will evolve in the same manner. See Appendix A for current Baseline Security Standards.
- Cooperate with the University of Iowa Information Technology Security Office to resolve security problems identified with any systems you are responsible for.
- Submit network connected devices to vulnerability scans, and resolve high risk issues identified by the scans.
- Immediately report compromises and other security incidents to the Information Technology Security Office or local IT support staff.
- Comply with the individual responsibilities stated in Section IV of the University’s Acceptable Use Policy for Information Technology Resources.
Systems posing an immediate threat to the campus network will be removed from the network to isolate the intrusion or problem and minimize risk to other systems, until the system is repaired and the threat is removed. Systems involved in security incidents which do not have Baseline Security Standards implemented will remain off the campus network until the system administrator brings the system into compliance. Departmental Network and Security Contacts will be notified when systems in their department are removed from the network.
Systems that are involved in multiple incidents may be disconnected from the campus network for longer periods of time as required. System administrators will be required to show that they understand best practices and know how to implement them through an audit review or other assessment of their devices, before they will be allowed to reconnect them to the campus network. If a system administrator lacks the knowledge or training needed to comply with this policy, the Information Technology Security Officer will work with the department to help plan an appropriate training program for the system administrator.
Related Policies, References and Attachments:
Acceptable Use of Information Technology Resources Policy
Computer Vulnerability Scanning Policy
Security Best Practices Documentation
Appendix A: Baseline Security Standards
- UPDATES: Keep all software (operating systems and applications) up to date. Configure devices to install security updates automatically, or perform the operation manually on a frequent, regular basis.
- ANTI-VIRUS: Install anti-virus software on all eligible devices, using UI site-licensed software where possible, and make certain the virus detection signatures are updated on a daily basis. Configure the software to scan all incoming files.
- ADMINISTRATOR PASSWORDS: Configure accounts with high-level system access (e.g., administrator or root) to have long, complex passwords, and change them on a regular basis.
- SUPPORT: Know who provides technical support for the computers you use. Department IT support staff, central (ITS) help desk, or other (contracted) support names, phone numbers, and/or email addresses should be known and available at all times.
- BACKUP: Arrange to have/make backup copies of all important files under your control.
- BEST PRACTICES: Review and implement security best practices appropriate for the device in question. A collection of resources and documentation for best practices is available at the IT Security website.
