Firewall
DRAFT POLICY
I. Purpose
The purpose of this policy is to provide guidelines for Information Technology security related to all applications, users and connectivity on the Western Carolina University campus. This provides a broad approach to security and provides users with links to rules, regulations and standards in the Information Technology policy section that detail the tools and mechanisms used to monitor, enforce and implement this policy.
The Division of Information Technology (IT) supports the university's mission by providing a secure, reliable, comprehensive information technology environment to enhance teaching, learning, research, services, and business operations. The division encourages effective, innovative, and ethical uses of technology while assuring efficient use of university resources. This policy is designed to enhance the ability of the university to effectively use those resources.
II. Coverage
This policy applies to all users of WCU Information Technology who connect in any way to the university's campus infrastructure (voice, data, video, wireless, wired, etc.), including but not limited to faculty, students, administrators, vendors and guests.
Any device that is not owned by Western Carolina University must comply with the standards set by the IT Division before the device is attached to the university network.
III. Overview
This section briefly describes security issues covered in other policies and standards dealing with security on the WCU campus.
Acceptable use standard (AUS)
The infrastructure resources are to be used for the educational mission of the university and not for personal use. This standard is published on the IT policies and standards section of the WCU web site.
Continuity Planning / Disaster Recovery
The Division of IT shall develop, publish, maintain and test a contingency plan to ensure that the resources of the University can be recovered. This includes back-ups and restores and data relocation.
Communication
At least once a semester and at other appropriate times, the IT Division will provide a means of communications to the entire community on security events, changes or other non-emergency security issues.
In an emergency, the IT division will use appropriate means to notify impacted users of the security incident and what, if any, action to take.
Data access, storage and back-up
All university, faculty and student corporate and private data will be secured by a second layer firewall and a secondary password and will be backed-up and secured using current educational best practices.
Firewalls
A set of firewalls shall be installed to protect the university from intrusion at various levels. The main site will be protected from the state Intranet and the World Wide Web. A second firewall shall protect all corporate and private data. All remote sites shall have a firewall protecting them. Virtual Private Networks (VPNs) shall be developed from "trusted sites" to allow access to sensitive data.
The firewalls shall be set up in a way that blocks all services unless "approved" to enter the campus. The IT Division will work with all users in setting up and removing services to ensure that proper access is allowed through these firewalls and stopped when the service is no longer needed.
Incident Response Team
The Division of IT provides a Computer Incident Response Team that investigates all security breaches and makes recommendations to the university's Chief Information Officer. This team consists of the following:
The Director IT Planning
This director is the chair of the team and the key contact person for all incidents, including internal and external requests.
The Director of Networking Operations & Communications
The Director of Applications, Development and Support
These Directors provide the actual incident investigation and report back to the chair of the team. They utilize their staffs as appropriate for each incident.
New Equipment, Exceptions
The Division of Information Technology recommends a security audit consultation with IT staff prior to the purchase of any device that may be connected to the university's network infrastructure. To request assistance related to these standards, please send a request to the IT Help Desk. IT consultants will work with the user to find a solution that can then be forwarded to the Chief Information Officer for approval if a standards exception is required.
Passwords
Passwords for all devices and applications connected to the university network must be complex (e.g. two or more of the following: upper case and lower case letter, number or symbol) and must be changed on a regular basis. The more sensitive the data, the more secure the password for the data will be made.
The Division of IT will work toward a single sign-on for most campus use to ease password management and change.
Physical Security of Network Devices
Any device attached to the University network must have adequate physical security in place to prevent unauthorized access to the device. The physical location of servers and other devices providing critical university services will be determined by the Chief Information Officer.
Protection from Unauthorized Access to Network Devices
When a new network device is added to the University network, the device must be protected. Usernames and passwords must be protected from unauthorized access based on the principle that each user is responsible for all activity that occurs in his/her account. Furthermore, sharing of accounts is prohibited by university policy unless specifically exempted by the Chief Information Officer.
All guest computers should apply to the Information Technology Division for a temporary password to access either the wired or wireless network.
State and federal laws and regulations
It is not the intention of this document to list all state and federal policies or to override them. All applicable IT security regulations, laws and policies will be followed by the University and enforced by the IT Division and investigated by the CIRT as needed. Some of the laws which apply include: Family Educational Rights and Privacy Act (FERPA) and more specifically the Buckley Amendment, copyright and the DMCA, state and federal personnel acts, state and federal public records acts, and the Health Insurance Portability and Accountability Act (HIPAA).
The CIRT will comply with all requests from outside agencies investigating security issues that stem from the campus and impact services outside of the campus.
Virtual Private Networks (VPNs)
Virtual Private Networks shall be established between trusted sites to allow for secure transfer of sensitive data between them. When an individual needs remote access to university data, a VPN will be established to allow for access to the appropriate data.
The Division of IT shall provide a procedure to allow for set-up and removal of all VPNs based on needs of the individual sites of users.
Virus Protection and System Security
All devices connected to the Western Carolina University network are required to use approved, current virus protection. All devices are also required to incorporate available security updates and patches.
IV. Enforcement
The Division of Information Technology will develop and maintain a Computer Incident Response Team for any reported violations of this security policy.
Any security violations found during routine network security scans performed by the IT Division may result in disabling the network connection immediately, if necessary, to protect the security of the network.
V. Disclaimer
The Division of Information Technology has the right to change, suspend or modify this policy without prior notice, if necessary, based on the needs of the university. In the event this policy is changed, the Division of Information Technology will notify the university community as quickly as possible.
VI. IT Security rules, regulations, standards and other applicable policies
Details of the following policies and standards can be found at:
Use of Computers and Data Communications / Policy #52
Network Security Standards (PDF)
Wireless Network Standards (PDF)
Division of IT Policy Handbook (PDF)
VII. FAQ and other related documents
The IT Division will maintain a Frequently Asked Questions section of the IT Web page and will post and maintain data with general information for the users of the university infrastructure.
This will provide questions, short answers and links to policies and standards and other information as needed to enhance the security of the campus environment.
This site will also provide access to current security issues, hoaxes and other problems impacting campus IT security, and links to off-site information or actions to be taken by the users.