
Issued by: Elizabeth Garrett

Provost and Senior Vice President, Academic Affairs

Todd R. Dickey

Senior Vice President, Administration

Date issued: November 5, 2010

University of Southern California Page 1 of 9

University of Southern California

Information Technology

NETWORK INFRASTRUCTURE USE

Responsible Office: Information Security Office

http://ooc.usc.edu [email protected] (213) 743-4900

1.0 Purpose

The University of Southern California (USC) provides its faculty, staff and students with a network infrastructure to facilitate the missions of the university, including instruction, research, service and administration. The purpose of this policy is to confirm the ownership of the USC Network Infrastructure, defined below, and establish the responsibilities of faculty, staff, students and other employees in protecting and securing the network infrastructure.

2.0 Scope

This policy applies to all university faculty members (including part time and visiting faculty), staff and other employees (such as postdoctoral scholars) and students (including postdoctoral fellows and graduate students) as well as any other users of the network infrastructure, including independent contractors or others (e.g., temporary agency employees) who may be given access on a temporary basis to university systems.

3.0 Policy

3.1 Ownership of Network Infrastructure

The USC Network Infrastructure is owned by and is the property of USC. The Information Technology Services (ITS) department is primarily responsible for overseeing the operations of the network infrastructure. There is no expectation of a right to privacy when using the network infrastructure, which includes, but is not limited to, the following:

• USC network connections (wired and wireless) and other network equipment including jacks, wiring, switches, panels, hubs and routers;

• USC network-based communication services, such as e-mail and instant messaging;


faxes, pagers, IP phones) that are purchased or leased using university funds; and

• USC purchased, licensed or developed software.

3.2 User Responsibilities

“User” is defined as anyone who has access to or is otherwise connected to the network infrastructure (see section 2.0, above, and the information security policy at www.usc.edu/policies for additional information about users).

Users are expected to comply with information security policies to ensure the security of the network infrastructure, which includes ensuring that the devices they use that are connected to the network infrastructure are in compliance with this policy. A complete list of information security policies is available at www.usc.edu/policies.

Users are responsible for utilizing appropriate measures (including passwords, virus protection and current patch management software, and other measures as described below and in the appendices to this document) to protect the security of those components of the network infrastructure that they access and/or use.

3.3 System Administrator Responsibilities

“System administrator” is defined as any faculty, staff, or other employee who has been designated by the USC Information Steward or Owner, as defined in information security policy, as the individual responsible for maintaining the security of the network infrastructure for that particular school, unit, division or department¹. In many cases, the system administrator may be that department or unit’s Information Security Liaison, as described in information security policy at www.usc.edu/policies.

The system administrator is responsible for overseeing the security of the network infrastructure for his or her school, unit, division or department, which includes monitoring and oversight of user compliance with this policy.

1


3.4 Private Networks (a.k.a. Local Area Networks, Sub-Nets, Non-Standard and Specialized Networks)

Private networks are defined as any network segment or subnet behind a router, firewall, or Network Address Translation (NAT) device, behind which ITS does not have administrative control of the switches or routers to which the end-systems (PCs, servers, etc.) connect.

a) All private networks must have a system administrator assigned to oversee and maintain security, who will liaise with ITS and the Information Security Office (ISO).

b) System administrators must promptly register any departmental servers² on a private network (as defined in this section) with the Director of ITS Systems Security in accordance with ITS’s registration procedures.

c) System administrators should document the network infrastructure which includes, but is not limited to, hardware inventory, network diagram, physical location, IP addresses, description and related information about the system. This documentation shall be made available to the ISO and ITS upon request.

d) All private networks must comply with all information security policies.

3.5 Access and Authorization Procedures

System administrators must establish written procedures to grant, modify, and terminate access to the information systems within the administrator’s department, school, or unit. Refer to Appendix A for further information about access and authorization procedures.

3.6 Virus Protection and Patch Management

Desktops, laptops, and servers must have up-to-date virus protection and patch management. This is a shared responsibility between the user and system administrator. Refer to Appendix B for further information about computer security maintenance procedures, including how to obtain and maintain current virus protection and patch updates.

2


3.7 Audit Logs

System administrators are responsible for implementing and monitoring audit logs on desktops containing information requiring enhanced protections (as defined by the information security policy, available at www.usc.edu/policies) and departmental servers.

3.8 Physical Security

System administrators are responsible for establishing procedures to secure the physical environment of departmental servers, including, at minimum: (a) locked or otherwise restricted access to server rooms, and (b) current inventory of all individuals with access to server rooms.

3.9 Unauthorized Access to Network Infrastructure

Unauthorized access to, or tampering and interference with, the network infrastructure is prohibited. The responsibility to implement access control mechanisms to prevent unauthorized access or use of the network infrastructure is shared between ITS and the system administrators for private networks.

4.0 System Monitoring and Auditing

ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain operation and security. The ISO is authorized to conduct monitoring and auditing of ITS, users, and system administrators to ensure compliance with this and other information security policies, in coordination with Audit Services, as appropriate. The university reserves the right to access any computer or electronic device connecting to the USC Network Infrastructure in order to verify compliance with this and other applicable information security policies.

5.0 Enforcement

Compliance with information security policies shall be monitored regularly in conjunction with the university’s monitoring of its information security program. Audit Services will conduct periodic internal audits to ensure compliance with federal and state laws and regulations as well as university policy.


Any disciplinary action under this policy shall take into account the severity of the offense and the individual’s intent. Disciplinary action can include revocation of


Related Policy and/or Additional References

Appendix A

Access Authorization Procedures

1.0 Purpose

This Appendix A describes the procedures for establishing, modifying, and terminating access to USC information systems.

2.0 Establishing and Modifying Access

a) System administrators shall have documented procedures for establishing and modifying user access to information systems and applications within the department/school/unit.

b) The procedure will document the process for obtaining supervisor approval to establish or modify access.

c) System administrators will perform an annual review of their access procedures and will update and revise accordingly.

d) System administrators shall determine to which systems and applications these procedures apply, and will document the justification for their determinations.

3.0 Terminating Access

a) System administrators shall have documented procedures for terminating user access to information systems and applications within the department/school/unit.

b) System administrators must promptly delete user access upon notification by Human Resources that access should be terminated.

4.0 Password Guidelines

4.1 User Responsibilities

1) Users shall not give their passwords to other individuals to use on their behalf.

2) Users shall not post or otherwise display their passwords where they can be seen by others.

3) Where applicable, users shall create strong passwords. For example:

a) Passwords should consist of a minimum of 6 alphanumeric characters.


c) Passwords should be selected with the intention of not allowing other people to guess them easily.

d) Passwords must never be the same as or resemble the Logon-ID. Passwords such as “password”, “administrator”, “user”, “guest”, “123456”, etc. should not be used. Repeating passwords such as “111111” or “Z1Z1Z1” should not be used.

4.2 System Administrator Responsibilities

1) Where possible, system administrators should enforce user responsibilities as outlined above.

2) Where possible, passwords should use an expiration policy requiring passwords to expire.

3) Where possible, systems should be configured to disallow re-use of passwords for 3 generations.

4) Where possible, systems should be configured to “lock-out the account” after 5 incorrect password attempts.

5) Where possible, the use of single sign-on (Shibboleth) logins and passwords for applications through the Global Directory Services (GDS) should be encouraged.

6) Passwords should be stored in an encrypted format only, not in plain text format.

7) Where possible, system administrators should implement password protected screensaver controls after a specified idle time, to be determined by the system administrator and unit.

8) System administrators have the discretion to implement stricter guidelines; the above are minimum standards.

4.3 Exceptions

a) Those systems that operate in an environment that does not allow for the use of passwords (i.e. sub-systems and systems without a user interface) must be appropriately secured by other security means by the system administrator.


Appendix B

Virus Protection and Patch Management Procedures

1.0 Purpose

This Appendix B describes USC’s requirements for anti-virus protection and patch management.

2.0 Anti-Virus Protection

2.1 System Administrator Responsibilities

a) System administrators must ensure that all departmental servers and workstations have current and updated anti-virus software installed.

b) With the exception of troubleshooting or special installation activities, system administrators shall ensure that anti-virus software is not modified or disabled on servers or workstations.

c) Any virus with potential harmful impact on the network infrastructure should be reported to ITS.

2.2 User Responsibilities

a) Users must contact their system administrator for assistance if they become aware that they do not have current up to date anti-virus software installed on their workstation or laptop.

b) Once the anti-virus software is installed, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.

c) Users should report virus incidents to system administrator or ITS.

3.0 Patch Management

3.1 System Administrator Responsibilities

System administrators must ensure that all departmental servers and


3.2 User Responsibilities

Once the automated patch management is configured on the computer, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.

4.0 ITS Responsibilities

a) ITS is responsible for providing an enterprise anti-virus solution for university computers.

b) ITS is responsible for providing guidelines on installing and maintaining the anti-virus software and updates on university computers.

5.0 System Monitoring and Auditing

ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain the operation and security of the network infrastructure (refer to section 3.6 of this policy).

6.0 Exceptions
