ISO PS010 Network Service
Policies and Standards
Policy Name: Network Service
Policy Number: IS PS0010
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0
POLICY:
The University will provide the required infrastructure for enterprise-wide local area network services (including wireless) and connections to the Internet, Internet2 and other external networks to further the mission of the University.
The Information Technology division is responsible for the provision and management of enterprise-wide local area network services, including wireless networks. All connections to the network must be via University approved mechanisms. Only authorized Information Technology staff may install, manage or change the network infrastructure including but not limited to enterprise servers, routers, switches and telecommunications equipment as well as access to these devices.
STANDARDS:
Administrative Standards:
- Network Configuration Authority (To help maintain the integrity, security, availability and necessary resources of the University network):
  - Information Technology provides all network address assignments.
  - Unauthorized University network installations or modifications will not receive IP addresses for computing devices on the unauthorized network. Such devices will be physically disconnected from the University network and the device's IP and/or MAC addresses will be blocked from University network access. Note: This includes wireless networks not connected to the University's enterprise network and/or private network devices operating within University facilities or University campuses.
- Connecting to University and affiliated computing resources from outside the University network
  All connections to these resources (servers, personal computing devices, networking equipment, etc.) must, except as noted, follow these standards:
  - Be via a secure and/or encrypted connection such as a VPN, secure HTTP, secure FTP, SSH, direct dial-in or other secure and/or encrypted method.
  - Be configured so that a user account and password are required and be compliant with the policies and standards described in ISO PS007 User Accounts and Acceptable Use and ISO PS008 Passwords.
  - If the connection is by a vendor or other third party (not faculty, staff or students) an Acceptable Use Agreement must be completed. See (link to be supplied shortly) for the applicable blank Acceptable Use Agreement. The original completed Acceptable Use Agreement must be received by Security and Accounts Management before the connection is allowed. Note: The Acceptable Use Agreement documents the vendor or partner's agreement to abide by the IS PS007 User Accounts and Acceptable Use Policy and to maintain their systems and practices to at least the applicable University policies and standards.
  - A connection interface (a VPN or dial-in vendor service line, for example) used for occasional connections should be disabled except during the periods when the connection capability is expected to be used.
  Exception: If the connection does not allow access to sensitive information then a properly configured and administered connection method is acceptable and no log-on is required. Example: A web site providing information intended for public availability could use standard HTTP access.
- Network Use
  - Faculty, staff and administrators with University LAN accounts usually receive secure personal drive space accessed via the LAN for individual use (commonly called the "H" drive).
    The University Enterprise network drives also include the "I" drive shared storage area. Space in this area is used by departments and for shared data and is allocated by academic or administrative unit. Account holders have read/write access to subdirectories as appropriate.
- Monitoring/Altering Network Traffic
  - Users are expected to use end user applications such as network drive access, email and similar programs, as they are intended to be used on the University network. Scanning of the network, "packet sniffing", packet interception/copying/decryption and any other means of reading, altering, spoofing or otherwise monitoring and/or changing network communications is forbidden without specific approval in writing from both the Information Security Officer and Information Technology.
  - The University reserves the right to analyze network traffic at any time deemed necessary by either manual or automated means. For example, the University may specifically monitor network traffic if instructed by legal authorities or for the purpose of assessing system integrity, performance, management or possible policy violations.
- Guest/Temporary Network Use
  - Guest access to the wired network requires faculty, staff or administrator account sponsorship. See IS PS007 User Accounts and Acceptable Use for more details.
  - Limited guest access to the wireless network is available for visitors of the University and may be requested by faculty or staff. Guest access will expire after one week.
Technical Standards:
- General
  - All enterprise level authentication requirements external to an application must be configured to use the University's Enterprise directory services. (Note: This also allows easier configuration of single sign-on abilities.)
- Wireless
  - Full authenticated network access requires a secure wireless connection and client software that supports current University secure wireless standards (see http://louisville.edu/it/services/network/wireless/ for more information).
  - A wireless adapter card that fully supports 802.1X is required to access the network.
- Voice
  - The University's Voice Networking (Voice Over Internet Protocol - VOIP) provided by Information Technology is based on FCC standards and specifications. This consists of the telecommunications services, dial tones, telecommunications equipment, and specialized circuitry. All VOIP connections are maintained and provisioned by the IT Division.
SCOPE / APPLICABILITY:
All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
POLICY REVIEW:
This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.
COMPLIANCE:
Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
REVISION HISTORY:
Version / Revision Date / Description
1.0 / July 23, 2007 / Original Publication
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
