Information Technology Network Security Policy
Authority: Information Technology
Date Enacted or Revised: Enacted September 20, 2022
Purpose
The purpose of this policy is to protect the integrity of the campus network, to mitigate the risks and losses associated with security threats, and to ensure secure and reliable network access and performance for the University community. This policy is necessary to provide a reliable campus network to conduct the University’s business and prevent unauthorized access to institutional, research, or personal data.
Scope
This policy applies to all McNeese State University faculty, staff, students, contractors, guests, and any other agents who may connect to the University network. This policy also applies to all devices which are used by those individuals for network access, whether personally owned, University-issued, or otherwise obtained; software, whether installed on University devices or personally owned devices, connected to the network; and software used to store or process University data.
Policy
Addressing and Domain Services
- The Office of Information Technology is solely responsible for managing any and all Internet domain names related to the University (e.g., mcneese.edu). Individuals, academic colleges/departments, or administrative departments may not create nor support additional Internet domains without prior approval.
- To ensure the stability of network communications, the Office of Information Technology will solely provision and manage both the public and private IP address spaces.
- The Office of Information Technology may delegate administrative responsibilities to individuals for certain network ranges but retains the right of ownership for those networks.
Network Connections
- University faculty, staff, or students may not connect, nor contract with an outside vendor to connect, any device or system to the University’s network without prior review and approval. Colleges or departments that wish to provide Internet or other network access to individuals or networks not directly affiliated with the University must obtain prior approval from the Office of Information Technology.
- In order to maintain reliable network connectivity, no other department may deploy routers, switches, wireless access points, or protocol services (DHCP, DNS, etc.) on campus without prior review and approval.
- Users are permitted to attach devices to the network provided that they:
- are for use with normal University business or student operation;
- do not interfere with other devices on the network; and
- are in compliance with all other University policies.
- Unauthorized access to University networking equipment (firewalls, routers, switches, etc.) is prohibited. This includes port scanning or connection attempts using applications such as SSH/SNMP, or otherwise attempting to interact with University network equipment.
- Unauthorized access to University equipment/cabling rooms is prohibited.
Wireless
- The Office of Information Technology is solely responsible for managing the unlicensed radio frequencies (wireless networking) on campus, which includes the 2.4 GHz and 5 GHz spectrum and may include future wireless spectrum standards, as defined by the IEEE.
- The Office of Information Technology is responsible for maintaining a secure network and will deploy appropriate security procedures to support wireless networking on campus.
- The University will maintain a campus wireless network based only on IEEE 802.11 standards. The Office of Information Technology will collaborate with academic departments where devices used for specific educational or research applications may require specific support or solutions.
- Unauthorized devices operating in the 2.4 GHz and 5 GHz spectrums are prohibited due to interference in the operation of the University wireless network. Examples of this include but are not limited to:
- Wireless printers
- MiFi devices or Wi-Fi hotspots
- Wireless routers
External Traffic, Services, and Requests
- The University’s default firewall practice is to deny all external Internet traffic to the University’s network unless explicitly permitted. Academic colleges/departments and other administrative departments must register systems that require access from the Internet with the Office of Information Technology. Users that would like to request access through the University firewall must open a help desk ticket.
- Access and service restrictions may be enforced by device, IP address, port number, or application behavior.
- The Office of Information Technology reserves the right to decrypt SSL traffic which transits the University network.
Network Security
- The Office of Information Technology may investigate any unauthorized access of computer networks, systems, or devices. IT staff will work with academic or administrative departments and law enforcement when appropriate.
- All devices connecting to the network must have adequate security installed and must be configured and maintained in such a manner as to prohibit unauthorized access or misuse.
- If a security issue is observed, it is the responsibility of all University users to report the problem to the appropriate supervisor or the Office of Information Technology for investigation.
- The Office of Information Technology reserves the right to quarantine or disconnect any system or device from the University network at any time that is impacting regular network activity
- The Office of Information Technology may investigate any software which is written by faculty, staff, or students that are noncommercial (i.e., not generally accepted mainstream) and is installed on University equipment or running in the University’s network. If it does not have adequate security mechanisms, controls, and support, the Office of Information Technology reserves the right to prohibit the software or system from being connected to the University network, installed on University computers, or used to store or process University data.
Access Control
- Access to University resources requires a username and password. Passwords should adhere to best practices.
- Individual user account passwords should not be shared with anyone.
- Multi-Factor Authentication (MFA):
- MFA is required by all users, for applicable services, to minimize the risk of compromised credentials.
- The Office of Information Technology recommends using “push notifications” by installing the MFA app on a smartphone.
- Promptly report the theft or loss of a device you have configured for MFA access so IT can deactivate MFA for that device.
Policy Compliance
Compliance Measurement
The Office of Information Technology will maintain and monitor traffic logs for security auditing purposes. The Office of Information Technology reserves the right to monitor, access, retrieve, read, and/or disclose data communications when there is reasonable cause to suspect a violation or criminal activity.
Reasonable cause may be provided by the complaint of a policy violation or crime or as incidentally noticed while carrying out the normal duties of IT staff. The Office of Information Technology may perform penetration testing or non-intrusive audits of any University-owned devices or system on its network in order to determine potential risks.
Exceptions
Any exception to the policy must be approved by the Office of Information Technology in advance.
Non-Compliance
Any device found to violate this policy or found to be causing problems that may impair or disable the network or systems connected to it is subject to immediate disconnection. The Office of Information Technology may subsequently require specific security improvements before the device may be reconnected.
Attempting to circumvent security or administrative access controls for information resources is a violation of this policy. Assisting someone else or requesting that someone else circumvent security or administrative access controls is a violation of this policy.
Any student who violates this policy will be subject to appropriate disciplinary action in accordance with the Code of Student Conduct.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Any individual affiliated with the University who violates this policy will be subject to appropriate corrective action, including but not limited to termination of the individual’s relationship with the University.
Communication
This policy is distributed via the University Policies webpage.