Data Network Security Policy

Attention: open in a new window. PDFPrintE-mail

Policy on Electronic Devices Connected
to the St. Peter Claver School Network

Preamble

The St. Peter Claver School campus has established a policy with regard to connecting electronic devices to the school network. To conform to this school policy, this document defines the Network Security Policy for connecting devices to the St. Peter Claver School network segment of the school network.

Goals

  • To protect the St. Peter Claver School network and its computing resources from exploit or compromise by persons or software, whether internal or external to the College.

  • To protect the St. Peter Claver School intellectual property from unauthorized access, alteration, theft, or deletion. Intellectual property includes research data and data that are protected by local, state or federal laws or regulations as well as information that is protected by copyright, license agreements or non-disclosure agreements.

  • To provide network service that allows secure transmission of data with the expectation that the data will not be altered or tampered with en route to a school-controlled resource.

  • To provide reliable network services to all customers of the St. Peter Claver School network with a minimum of unplanned outages, including those outages caused by other customers.

  • To maintain complete records of all equipment on the school network. This will facilitate prompt notification to customers of potential security deficiencies with their systems and notification to customers of planned network interruption arising from system upgrades or containment of security breaches.

Principles

  • The St. Peter Claver School Network Security Policy will not be less restrictive than the policy set for the school’s network.

  • The St. Peter Claver School will make every reasonable effort to protect the school and school networks from compromise or exploitation.

  • The St. Peter Claver School reserves the right to suspend access to the network to preserve the integrity of the network.

Policy

  • Every device connected to the St. Peter Claver School network must meet St. Peter Claver campus requirements.

  • Every device connected to the St. Peter Claver School network must be registered with Computer-Aided Engineering (CAE), with accurate and up-to-date information. At a minimum, this information must contain the names and contact information for the following people along with the hardware address of the device: the primary user of the device, the technical support person, and the faculty member responsible for a course or the principal investigator or the office manager. Devices that connect to the St. Peter Claver School wireless network are not required to register but must be authenticated to the St. Peter Claver School wireless firewall by a method supported by CAE.

  • Every wireless access point to be deployed or connected to the network requires consultation of the responsible party with Computer-Aided Engineering to discuss interference and other risks associated with deployment.

  • Every device connected to the St. Peter Claver School network must use DHCP to obtain the IP address assigned by the school. Exceptions will be made for those devices that are incapable of using DHCP and must have its assigned IP address statically configured.

  • Every proposed service to be offered over the network on an individual basis (e.g., web server, email server, ftp server, etc.) requires a thorough search for an existing service, already being provided and maintained elsewhere in the school, amenable to the one proposed. Where reasonable, users will be expected to use existing resources.

College contribution

  • The St. Peter Claver School will provide firewall functionality at the border between the school and the rest of the school and Internet. The default firewall configuration will protect the school from all inbound connections. Exceptions (open ports) will be reviewed, controlled, and documented by a school committee (See Appendix A).

  • The St. Peter Claver School will provide consultation and help in deploying firewalls for groups that wish to further enhance group security.

  • The St. Peter Claver School will monitor the network for anomalous activity and investigate such activity as needed.

  • The St. Peter Claver School will research new security threats as they arise and communicate such threats to the College. Threats will be classified by the danger they pose. Examples of classifications are, in order of increasing severity:

    • Possible denial of service to a single computer (end user)

    • Possible compromise of a single computer where the attack cannot propagate past that computer

    • Possible access to sensitive data

    • Possible compromise of multiple systems, or the possibility that attacks on other computers may be mounted from a compromised computer

  • The St. Peter Claver School will compose ‘Best Practice’ guides for the College, regarding ‘safe’ computer usage, etc. and update these guidelines on a regular basis to account for changes in technology or policy.

  • The St. Peter Claver School will provide security resources locally for computers in the St. Peter Claver School. Examples include managed antivirus servers and mechanisms for automating patch retrieval and installation.

  • The St. Peter Claver School will perform scans of the network for devices that are not sufficiently protected against current threats. School guidelines also permit scans of network devices.

  • When a vulnerable device is identified, the users registered with CAE for that device will be notified. Depending on the perceived severity of the vulnerability, some grace period will be specified during which the vulnerability must be removed. If it is not fixed before the end of the grace period, the device itself may be preemptively disconnected from the network to prevent a problem.

  • As network security situations warrant, users of potentially vulnerable computers may receive further notifications advising of an increased level of threat and a corresponding shortening of the grace period.

  • Any person who re-connects a device that has been disconnected from the network to obviate a threat, without assuring the identified vulnerabilities have been removed, may be subject to additional action.

Appendix A – Firewall exceptions

A firewall and its enforcement of network “rules” can unexpectedly impede the business of the St. Peter Claver School. Thus, the following policy establishes requirements and guidelines before exceptions are established through a firewall protecting individual or groups of devices:

  1. A professional information technology staff person must administer the device(s).

  2. Security and anti-virus must meet campus requirements.

  3. A device will be disconnected from the network if a security incident occurs and the port(s) granted the exception will be closed until the device again complies with items 1 and 2.

Exception requests

Any exceptions requested for a given interface must be thoroughly researched by the department making the request for both the necessity of the exception as well as the possible security risks associated with making the exception. Where possible, similar services at the department, or school level should be used. If there is no alternative, a request may be submitted to the Security Administrator at Computer-Aided Engineering.

Requests for exceptions to firewall rules should include the following information:

  1. The specific need for the exception and the port(s) to be opened.

  2. The Internet name and address of the devices(s) for the exception.

  3. Security measures in force on the system including password policy, auditing policy, antivirus software (if any), and any additional security related software and/or settings of the machine.

  4. A statement to the effect that the owner of the device(s) “understands that the device(s) will be disconnected from the network and the port(s) granted the exception will be closed if: a security incident occurs with that device, contact information for the technology staff person responsible for the device is not kept current, or security patches are not being applied in a timely manner.”

If your request is not granted, you may appeal to the CAE Executive Committee.

Questions about this school security policy or any other security issue in the school should be directed to This e-mail address is being protected from spambots. You need JavaScript enabled to view it