Trusted Network Specifications Specifications for Networks Connected to the Administrative Information Services through the High-Speed Data Backbone Administrative data at Penn State is afforded a higher level of security than normal network traffic. This is done by restricting the locations on the Penn State Backbone a user can access administrative data. Those work units requiring access to administrative data must apply for access through their ASR to the AIS Security Office. After confirming that the work unit's sub-network meets the specifications listed below, an agreement is signed by the ASR and Network Administrator with the AIS Security Office. At that time, IP addressed of the sub-network can be put in the AIS IP filter, allowing connectivity. This is done to ensure that administrative data is protected from unauthorized access and eaves dropping on the network. Administration: Trusted networks must have a person designated as the Network Administrator. The Network Administrator will maintain network schematics and relevant technical documentation (e.g., O/S, equipment, IP addresses, bridges, routers, etc.). The Network Administrator will enact adequate physical/environmental security for the network equipment (e.g., servers, keyboards, work stations, wiring closets, etc.). Such protection should include, but not limited to: door locks/key control, climate control/sensing devices, UPS, etc. The Network Administrator will ensure that adequate logical security is utilized within the network server and connected workstations. Such protection should include, but not be limited to: keyboard locking for the server, various password mechanisms (such as change requirement, etc.) and controlled network resources and privileges. Machines on the trusted network must be password protected if they are servers or store University data. Passwords must be changed at a minimum of every 90 days. Network administrators must ensure that common or easily cracked passwords are not used. There must be limited and controlled Internet access to a University network from the "outside" world or other internal networks if that University network resides on a trusted network. Administrative data must not travel over networks that have student systems connected to them. In such cases where student systems must reside on the same network, these systems will be either bridged off from the rest of the network or separated through the use of secure hubs (i.e., smart hubs) to prevent administrative data from traveling over that portion of the network. The Network Administrator must be able to identify all users authorized to connect to their network and list their network user privileges. All expired accounts for users that have been transferred or terminated must be eliminated from systems connected to the trusted network in a timely manner. No sharing of a userID, passwords, or unauthorized reading or writing of data under the stewardship of that userID will be allowed. No sharing IP addresses (i.e., the IP address used to access AIS must not be swapped or shared with other workstations). Anonymous FTP servers on the trusted network must allow read access only with only public data residing on them. Methods must be developed to monitor all traffic to help identify penetration attempts. In addition to abiding with and enforcing University security policies, Network Administrators should develop site-specific policies/procedures/standards and/or guidelines as required. The Network Administrator and network users need to fully understand and be aware of University computing/data security guidelines and policies (ADG01, ADG02, AD11, AD20, AD23 and AD35). Offices must implement an education program to inform their user community about the importance of password security and other types of computer network security. ASRs, Network Administrators, and network users need to receive adequate training with regard to the uses of networks in general and specifically as data storage facilities. Responsibility must be emphasized. Data Management: Monitor the storage of data on any network server and ensure controlled distribution/access. If University data is stored on a network server, in essence, the network has become an operational computer facility/data center and should be secured as such, per ADG02. If data is to be stored on the network file server, a process or procedure should be established to control the retention and purging of data. This would aid in avoiding the misuse of out-of-date/inaccurate data and prevent accidental access to data that is obsolete. The Network Administrator should be aware of the "types" of data stored on the network file server as categorized in AD35. Distributed Data User Requirements: Distributed data users (such as Power Users and Ad-hoc programmers) connected to a trusted network should be known/identifiable to Network Administrators and ASRs due to their ability to download large amounts of sensitive data. Distributed data users should work with Network Administrators to ensure that any data stored on the network file server is only accessible by properly authorized individuals. Distributed data users should not store data on "untrusted" networks, only their individual computer or a trusted network with adequate data security arrangements. Distributed data users should be responsible for ensuring that their workstations have adequate security arrangements to protect data (such as power-on passwords, screen-saver locks, file passwords, etc.) Distributed data users should receive adequate training not only in how to obtain data, but also the securing of data and responsibilities awareness (such as University policies applying to protection and confidentiality of data: AD11, AD20, AD23 and AD35). Security awareness should be reinforced through recurring training or security bulletin distribution on an annual basis. Trusted Network Certification Form - Print and submit completed form via University mail to: AIS Security Office 24 Shields Building University Park, PA 16802-1202

Printer friendly view