Revised:
07/10/2008
Network Use Policy UPPS No. 04.01.05
Issue No. 2
Effective Date: 02/28/2006
Review: September 1 E3Y
01. POLICY STATEMENTS
01.01 The purpose of this UPPS is to establish
policies for the maintenance, expansion and use of the Texas State
University network infrastructure. These policies are necessary to:
a. Provide
a reliable university network and Internet connection to conduct the
University’s business;
b. Provide
only authorized access to institutional, research or personal data and
information on the university network; and
c. Protect
computer system and network integrity at Texas State University-San Marcos.
*01.02 To
optimize their accessibility, usability, security, and privacy, all Electronic
and Information Resources developed or procured for use within the TXSTATE.EDU
network domain shall comply with the applicable provisions of Texas
Administrative Code, Chapter 213, Subchapter C, Rules §213.30
– §213.37,
dealing with the accessibility, usability, and compatibility of Electronic and
Information Resources in Institutions of Higher Education, commonly known as
TAC 213.
02. RELATED DOCUMENTS
UPPS
04.01.01, Security
of Texas State Information Resources
UPPS
04.01.01, Attachment I, Information
Resources Security Manual
UPPS 04.01.07, Appropriate Use of Information Resources
03. DEFINITIONS
03.01 Device – Any hardware component involved with
the processing, storage, or forwarding of information making use of the Texas
State information technology infrastructure or attached to the Texas State
network. These devices include laptop computers, desktop computers, servers,
and network devices such as routers, switches, wireless access points, and
printers.
03.02 Network Address – A unique number associated
with a device used for the routing of traffic across the Internet or another
network; also known as Internet Protocol Address or IP Address.
03.03 Server Administrator – An individual with
principal responsibility for the installation, configuration, security, and
ongoing maintenance of an information technology device, including network
registration.
03.04 System
Compromise – Any device
that is no longer entirely under its owner's control. The two major forms of
compromise are:
a. infection
by a worm, virus or trojan horse; and
b. exploitation of an operating system or application vulnerability by another user giving that user remote control of the computer.
03.05 User – An individual who uses an information
technology device.
03.06 University Network – The data and communications infrastructure at Texas State University-San Marcos. It includes the campus backbone, local area networks, and all equipment connected to those networks (independent of ownership).
04. GENERAL GUIDELINES
04.01 All devices connected to the Texas State
university network (physical or wireless) must be associated with, and in
support of, the mission of the institution. The integrity, security, and proper
operation of the university network require an orderly assignment of network
addresses and the correct configuration of devices attached to the network.
Network access, performance and security are put at risk when devices are
introduced into the network environment without appropriate coordination.
Therefore, all connections to the university network must be managed with
accessibility, performance, and security concerns taken into consideration.
04.02 Technology Resources is responsible for the
university network, including routing, switching, domain name service, etc. It
is the logical entity to coordinate all connections to the university network
including the assignment of addresses. Technology Resources shall coordinate
the connection of any and all devices to the university network. Network users
may not alter, extend or re-transmit network services in any way. Users are
prohibited from attaching or contracting with a vendor to attach equipment such
as routers, switches, hubs, firewalls or wireless access points to the
university network without prior authorization from Technology Resources. This
does not include personal software firewalls, printers or other peripheral
devices connected to the workstation.
04.03 The use of devices connected to the university
network is accompanied by certain responsibilities. Specifically, all users are
required to perform timely updates of applications, operating systems and virus
protection software in order to minimize risks associated with computer hacking
and other threats such as worms and viruses. Technology Resources will provide
mechanisms to facilitate such updates to the extent reasonably possible.
04.04 All devices placed on the university network
acting in any role other than an individual workstation or printer (e.g.
servers regardless of function, hardware or software) must be registered with
Technology Resources. Following
registration, Technology Resources will perform a certification process to
ensure compliance with industry best practices. For registration and
certification details, see: http://www.tr.txstate.edu/security/wsr.
The
department account manager is responsible for designating a server
administrator for each registered device.
The
server administrator must:
a. Follow
Texas State University best practices and guidelines for securing network
attached devices in order to ensure that key security vulnerabilities are
addressed (http://www.tr.txstate.edu/security/bestpract/). Key vulnerabilities will change
over time as new threats and risks emerge. Best practices will evolve in
the same manner.
b. Cooperate
with Technology Resources to address and resolve security problems identified
with any device for which they are responsible. Technology Resources will
provide training, consulting and assistance in problem resolution.
c. Submit
to vulnerability scans, and take steps to resolve high risk issues identified
by the scans.
d. Report
system compromises and other security incidents in a timely manner to
Technology Resources at 512-245-HACK or itsecurity@txstate.edu.
05.01 Devices
posing an immediate threat to the university network will be disconnected from
the network to isolate the intrusion or problem and minimize risk to other
systems, until the device is repaired and the threat is removed. In
coordination with administrative departments and law enforcement, Technology
Resources will investigate any incident involving unauthorized access of the
university network. Devices involved in these and other security incidents
which do not have security best practices implemented will remain disconnected
from the university network until the user or departmental server administrator
brings the device into compliance. Technology Resources will attempt to notify
appropriate departmental personnel when devices in their department are disconnected
from the network.
05.02 Devices that are involved in repeated incidents may be disconnected from the campus network for longer periods of time as required. Server administrators will be required to show that they understand the best practices and guidelines and know how to implement them through an audit review or other assessment of the network attached devices for which they are responsible. If a server administrator lacks the knowledge or training needed to comply with this policy, Technology Resources will work with the department to help plan an appropriate training program.
*06.01 Reviewers of this UPPS include the following:
Position Date
Special
Assistant to the Vice President September
1 E3Y
Information
Security Officer September
1 E3Y
Assistant
Vice President, Technology September 1
E3Y
Resources
Director,
Infrastructure Services September
1 E3Y
Vice
President for Information September
1 E3Y
Technology
This
UPPS has been approved by the following individuals in their official
capacities and represents Texas State policy and procedure from the date of
this document until superseded.
Special
Assistant to the Vice President
Vice President for Information Technology
President