
Network Attached System Security Policy


The University will take all prudent and reasonable measures to secure PacificNet and the systems that are attached directly to it and indirectly to the external Internet.

Note that the line above is University Institutional Policy and that what follows is University Operational Policy. Both are approved by the Information Strategy and Policy Committee (ISPC).

Purpose

The internal data network and the external Internet are tremendously powerful tools in academia, facilitating the free exchange of ideas and instant access to a wealth of information. Likewise they are excellent business tools empowering University employees to gather information, improve internal and external communications, and increase efficiency in its business relationships. 

It is the purpose of this Policy to protect the network of information technology and communication systems of the University from accidental, intentional or unauthorized access, damage, hackers, viruses and other threats. This protection is essential to serving two goals. It preserves the integrity of the Network itself while at the same time maintaining and nurturing open access to information for the Pacific community important to the pursuits of a vibrant academic culture. In addition, this Policy aims at providing network security that complies with Federal, State and Local law, protecting the University from all forms of liability, protecting the confidentiality of the information of users, and ensuring academic freedom. It is also the purpose of this Policy to provide a detailed framework for the development of Network Security Standards that are consistent with this policy and the mission and priorities of the University.

Pacific provides a network of information technology to ensure an effective information infrastructure that supports the mission of the University with respect to teaching, learning, research and administration. The University network is, however, vulnerable to attack, improper use, viruses and other forms of interference with potentially crippling effects on the network, users and data. The specific purpose of this policy is therefore to provide reasonable network security that protects the network, the University, and users while at the same time promoting the mission of the University. Pursuant to the mission of the University, no network security system should exceed what is reasonably necessary to provide adequate protection in accordance with this policy. The implementation of this policy should not unreasonably interfere with the basic or essential functions or needs of the different units, colleges or schools of the University. Given that the information technology needs of the different units, campuses and schools differ, any Network Security Standards must be developed in consultation, cooperation and collaboration with the information technology Administrators of these units.

Scope

Except as otherwise herein stated, this policy applies to the following:

  • Any person who attaches any computer or electronic device to the network
  • All university computers and electronic devices attached or connected directly, indirectly, remotely or by any other means to the network
  • All individually owned computers and electronic devices that are attached directly, indirectly, remotely or by any other means to the network
  • All other computers or electronic devices of whatever description and irrespective of their relationship to any person if any connection whatsoever to or with the network is sought

Exceptions to the Policy

The network security policy does not apply to the following:

  • Individually owned computers, devices or individual network systems of faculty, students, staff or other users who opt not to be attached to or otherwise linked directly or indirectly to the University network. No implementation of this Policy should interfere with the freedom of such users to communicate, by means of an independent connection to the Internet, with the University, users or devices attached to the network.
  • Individually owned computers or other electronic devices for which temporary access to the network is sought if such computers or electronic devices are determined by the Systems/Security Administrators to be at current OS patch levels and have adequate up-to-date anti-virus software. Temporary access is defined as 24 hours or less.
  • Laptops and other devices brought by visiting scholars, conference attendees and other temporary visitors to Pacific who cannot be presumed to comply with established Security Standards. The Systems/Security Administrators must develop an appropriate secured environment in order to provide access to the University network for such visitors.
  • Any other device that cannot meet the established Security Standards if the Systems/Security Administrators can provide a reasonable and cost-effective alternate secured environment for connectivity.

Responsibilities

Academic Council

The Academic Council (from the General IT policies) shall have the responsibility for approving all Information Technology Policies, amendments or the modifications of such Policies. Note that Security Standards are operational procedures and not policy. Also note that all institutional policies, including IT policies, are approved by Cabinet as they affect the entire University, not simply the Academic Division.

Information Strategies and Policies Committee

The Information Strategies and Policies Committee (ISPC) shall have the responsibility for developing and/or approving Network Security Policies and the necessary implementing Network Security Standards. It is also the responsibility of the ISPC to ensure that Network Security Standards do not unreasonably interfere with smooth and effective functioning of the different units, campuses or schools of the University.

OIT

It is the responsibility of OIT, the Systems/Security Administrators and Information Security Analyst (University Information Security Officer) to implement Network Security Standards after consultation with affected groups and hearings, as appropriate, with the Academic Council. Note that it is OIT and the CIO that are held accountable by the University for network security.

Chief Information Officer

The Chief Information Officer, working through the University Information Security Officer, shall have the ultimate responsibility for ensuring compliance with the IT Policies including the Network Security Standards.  

Compliance

Faculty, Staff, Students and other authorized Users are prohibited from attempting to circumvent or subvert any measures adopted pursuant to this policy and the Network Security Standards. Users have the responsibility of complying with this policy and its implementation. 

Network Security Standards  

Network Security Standards are to be established by the ISPC. The Information Security Analyst (University Information Security Officer) will propose and maintain a set of Network Security Standards for servers, desktops, laptops and other devices that may be connected to PacificNet. These standards will derive from best IT security practice, carefully balance the need for security with the need for openness and transparency in an academic environment and be approved by the Information Strategies and Policies Committee (ISPC). Should the tension between openness and security in specific situations be irresolvable at the technical level, the ISPC will make a general policy revision or a specific exception.

It is the responsibility of the Systems/Security Administrators to see that Security Standards are maintained on systems that they are charged to oversee. Non-conforming systems will not be provided network access based solely on financial hardship.

Scope

Notwithstanding any requirements or limitations imposed by this policy on the Network Security Standards the following are prohibited:

  • Unauthorized scanning of any network connected device beyond checking for compliance with vulnerability and Network Security Standards
  • Unauthorized access to personal files, confidential and other protected data, or unauthorized scanning, monitoring, copying or spying on files on any computer or any network connected device of the University, faculty, students, staff or other authorized users (See the Computing and Communications Confidentiality Policy for details)

Compliance

The Chief Information Officer, working through the University Information Security Officer, must establish procedures for ensuring compliance with these provisions by Information Technology Administrators responsible for carrying out this policy. Systems, including PCs (user laptops and desktops), that do not conform to Pacific’s security standards may be prohibited from full access to PacificNet and/or may be provided a class of service that appears to be technically outside of PacificNet.

Removal

Except as indicated above, systems, including PCs (user laptops and desktops), that do not conform to Pacific’s Security Standards and/or encounter security issues may be taken off PacificNet or have their access limited without prior notice.  Compliance may be periodically assessed using ISPC approved methods and any systems deemed in a state of non-compliance may be removed from PacificNet.  No detection of a disruptive Network connected device or a device that fails to meet the Network Security Standards through a vulnerability scan shall justify any actions prohibited by University Policy.

Intrusions

If for any reason whatsoever a Network connected device is intruded upon in a manner prohibited by University IT Policy, the user must be notified as soon as possible and all technically feasible steps must be taken by the Information Administrators to identify the intruder and/or the source of such intrusion. Appropriate University disciplinary measures may be taken if the intruder is a Pacific user or Administrator. Disciplinary measures are addressed in the General Information section of these University IT policies under Sanctions and in the Acceptable Use Policy under Sanctions.

Prior Security Review

A security review is required before attachment. All systems, IP-enabled hardware and computers (not including end-user computers, i.e. laptops and desktops) must undergo a Security Review by the University Information Security Officer before being attached to PacificNet. This is an audit requirement.

Definitions

Security Review

A review of matters at hand, looking at best security practice and established security standards. The Information Security Analyst (University Information Security Officer), and/or his/her designee, conducts the review. Such reviews may include, but are not limited to:

  • Contract review: Determine confidentiality & privacy requirements (if applicable)
  • Application process review: Application identification, trust identification, data flow
  • Data classification review: Determine if data should be confidential, restricted access, or public
  • Risk assessment review: Determine the impact on the campus of going forward or not going forward
  • Security configuration review: Check relative to established security benchmarks
  • Access controls review: Check against audit requirements
  • Network services identification: Port scan to determine firewall configurations
  • Vulnerability identification: Vulnerability scan against known attack vectors
  • Remediation planning: Helping remove the barriers to going forward

About This Policy

Last Updated: 10/15/2009
Original Issue Date: 10/8/2009
Responsible Department: Information Technology

Roles, Responsibilities, & Sanctions
General IT Policy Information v1.0.pdf