The internal data network and the external Internet are tremendously powerful tools in academia, facilitating the free exchange of ideas and instant access to a wealth of information. Likewise, they are excellent business tools, empowering University employees to gather information, improve internal and external communications, and increase efficiency in the University's business relationships.
It is the purpose of this Policy to protect the network of information technology and communication systems of the University from accidental, intentional or unauthorized access, damage, hackers, viruses and other threats. This protection is essential to serving two goals. It preserves the integrity of the Network itself while at the same time maintaining and nurturing open access to information for the Pacific community, which is important to the pursuits of a vibrant academic culture. In addition, this Policy aims at providing network security that complies with Federal, State and Local law, protecting the University from all forms of liability, protecting the confidentiality of the information of users, and ensuring academic freedom. It is also the purpose of this Policy to provide a detailed framework for the development of Network Security Standards that are consistent with this policy and the mission and priorities of the University.
Pacific provides a network of information technology to ensure an effective information infrastructure that supports the mission of the University with respect to teaching, learning, research and administration. The University network is, however, vulnerable to attack, improper use, viruses and other forms of interference with potentially crippling effects on the network, users and data. The specific purpose of this policy is therefore to provide reasonable network security that protects the network, the University, and users while at the same time promoting the mission of the University. Pursuant to the mission of the University, no network security system should exceed what is reasonably necessary to provide adequate protection in accordance with this policy. The implementation of this policy should not unreasonably interfere with the basic or essential functions or needs of the different units, colleges or schools of the University. Given that the information technology needs of the different units, campuses and schools differ, any Network Security Standards must be developed in consultation, cooperation and collaboration with the information technology Administrators of these units.
Except as otherwise herein stated, this policy applies to the following:
The network security policy does not apply to the following:
The Academic Council (from the General IT policies) shall have the responsibility for approving all Information Technology Policies, amendments or the modifications of such Policies. Note that Security Standards are operational procedures and not policy. Also note that all institutional policies, including IT policies, are approved by Cabinet as they affect the entire University, not simply the Academic Division.
The Information Strategies and Policies Committee (ISPC) shall have the responsibility for developing and/or approving Network Security Policies and the necessary implementing Network Security Standards. It is also the responsibility of the ISPC to ensure that Network Security Standards do not unreasonably interfere with the smooth and effective functioning of the different units, campuses or schools of the University.
It is the responsibility of OIT, the Systems/Security Administrators and Information Security Analyst (University Information Security Officer) to implement Network Security Standards after consultation with affected groups and hearings, as appropriate, with the Academic Council. Note that it is OIT and the CIO that are held accountable by the University for network security.
The Chief Information Officer, working through the University Information Security Officer, shall have the ultimate responsibility for ensuring compliance with the IT Policies including the Network Security Standards.
Faculty, Staff, Students and other authorized Users are prohibited from attempting to circumvent or subvert any measures adopted pursuant to this policy and the Network Security Standards. Users have the responsibility of complying with this policy and its implementation.
Are to be established by the ISPC. The Information Security Analyst (University Information Security Officer) will propose and maintain a set of Network Security Standards for servers, desktops, laptops and other devices that may be connected to PacificNet. These standards will derive from best IT security practice, carefully balance the need for security with the need for openness and transparency in an academic environment and be approved by the Information Strategies and Policies Committee (ISPC). Should the tension between openness and security in specific situations be irresolvable at the technical level, the ISPC will make a general policy revision or a specific exception.
It is the responsibility of the Systems/Security Administrators to see that Security Standards are maintained on systems that they are charged to oversee. Non-conforming systems will not be provided network access based solely on financial hardship.
Notwithstanding any requirements or limitations imposed by this policy on the Network Security Standards, the following are prohibited:
The Chief Information Officer, working through the University Information Security Officer, must establish procedures for ensuring compliance with these provisions by Information Technology Administrators responsible for carrying out this policy. Systems, including PCs (user laptops and desktops), that do not conform to Pacific’s security standards may be prohibited from full access to PacificNet and/or may be provided a class of service that appears to be technically outside of PacificNet.
Except as indicated above, systems, including PCs (user laptops and desktops), that do not conform to Pacific’s Security Standards and/or encounter security issues may be taken off PacificNet or have their access limited without prior notice. Compliance may be periodically assessed using ISPC-approved methods, and any systems deemed in a state of non-compliance may be removed from PacificNet. No detection of a disruptive Network-connected device or a device that fails to meet the Network Security Standards through a vulnerability scan shall justify any actions prohibited by University Policy.
If for any reason whatsoever a Network-connected device is intruded upon in a manner prohibited by University IT Policy, the user must be notified as soon as possible and all technically feasible steps must be taken by the Information Administrators to identify the intruder and/or the source of such intrusion. Appropriate University disciplinary measures may be taken if the intruder is a Pacific user or Administrator. Disciplinary measures are addressed in the General Information section of these University IT policies under Sanctions and in the Acceptable Use Policy under Sanctions.
A security review is required before attachment. All systems, IP-enabled hardware and computers (not including end-user computers, i.e. laptops and desktops) must undergo a Security Review by the University Information Security Officer before being attached to PacificNet. This is an audit requirement.
A review of matters at hand, looking at best security practice and established security standards. The Information Security Analyst (University Information Security Officer), and/or his/her designee, conducts the review. Such reviews may include, but are not limited to:
Determine confidentiality & privacy requirements (if applicable)
Application identification, trust identification, data flow
Determine if data should be confidential, restricted access, or public
Determine the impact on the campus of going forward or not going forward
Check relative to established security benchmarks
Check against audit requirements
Port scan to determine firewall configurations
Vulnerability scan against known attack vectors
Helping remove the barriers to going forward