Governance & Policies
Introduction
The College of Staten Island has experienced many malicious attacks on computer servers connected to CSI's LAN from hackers outside our network. These attacks vandalize our software and hardware. Once a computer is compromised, it is used to attack other computers on campus. In addition, since CSI is part of CUNY's network, network connections to compromised systems are disabled when they are identified and not reconnected until they are secured. This security policy is framed to assist in maintaining a secure network and addresses many issues dealing with computer use including but not limited to the following issues:
- Who can connect a computer workstation to CSI's LAN, and what are the computer user's responsibilities?
- Who can connect a server to CSI's LAN, and what are the server administrator's and other users' responsibilities?
- Who can access campus-based servers from off campus, and how is this connection established?
- What are Internet users' responsibilities, i.e., what can the Internet and e-mail be used for?
Internet / Intranet Security Policy
The resources, services and interconnectivity available via the Internet and Intranet all introduce opportunities and risks. In response to the risks, this policy describes College of Staten Island official policy regarding Internet and Intranet security.
Although this policy document addresses many of the security issues that are likely to be encountered, it is not possible to catalogue every conceivable security risk. The threats to information assets are continually changing. For additional information or clarification on information security issues, you are encouraged to contact the Office of Information Technology.
Preventing security breaches is where this policy comes to the forefront. The most important function of the policy is to make all aware of Internet security issues and College Internet policies and to secure our equipment to prevent security breaches. Students, staff and faculty must be instructed to report any security weaknesses that they become aware of, either internally or from external sources.
Scope
This policy applies to all students, staff, faculty, contractors and temporaries who use the Internet or Intranet with College of Staten Island computing or networking resources, as well as those who represent themselves as being connected -- in one way or another -- with College of Staten Island. All Internet and Intranet users are expected to be familiar with and comply with these security policies as well as the CUNY Computer User's Responsibilities. Questions should be directed to the Office of Information Technology. Violations of these policies will be subject to penalties as outlined in the CUNY Computer Users Responsibilities, which can lead to revocation of system privileges, disciplinary action including dismissal, termination and criminal prosecution. This policy defines acceptable use, user responsibilities and procedures for using existing network devices and installing new devices requiring network access. The vigorous enforcement of this policy is essential to ensure reliable, secure network access to CSI's shared resources. Since a network is a shared resource that permits distributed interaction amongst disparate users, the activities of one user affect others.
General
Section 1: Network Access
Section 2: College User Resources and Responsibilities
Section 3: Network Server Access Policy
Section 4: External Access to Campus Services
Section 5: Campus Access to External Services
Section 1: Network Access
Any device that requires network access must be connected to CSI's LAN directly with a category 5 cable that runs from the device to the closet where a switch is housed. It is a violation to use hubs or any other device that shares network access amongst devices unless installed by the Office of Information Technology. This may require the installation of cabling and telecommunications equipment to terminate as per category 5 specifications. All such installation of cables and network equipment is to be directed by the Office of Information Technology and funded by the department housing the device. The Office of Information Technology reserves the right to disable any unauthorized hubs or other devices on its LAN at the network switch or port as appropriate to ensure the orderly administration and security of the LAN.
The following are procedural requirements for acquisition of new runs for network connectivity:
- The Office of Information Technology must approve requests for new or additional network connections. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Technology Systems.
- Any purchase of equipment that requires a network connection must have approval from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Technology Systems.
- A network port (jack) must exist in the room for any device requiring network access. If no port exists in the room, the device cannot be purchased without authorization from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Technology Systems.
- Hubs and/or switches will not be permitted to connect more than one device per jack. If a hub or switch is used, the Office of Information Technology reserves the right to immediately disconnect the device from the network. Each device must have its own port to connect to the network. This requirement is essential for effective network administration and ensures a secure network environment for authorized users.
- If a department's space is changed, whether by expanding, renovating or relocating, the Office of Information Technology and the Director of Telecommunications must be consulted in the early stages of the design phase of the project. A survey of the space must be conducted for the telephone and data connections required, to ensure continued access to campus telephones and network resources. The Office of Information Technology will coordinate any network-related work. The department doing the project is responsible for covering all the costs associated with the network configuration, including but not limited to network switches, network media connectors and other devices, jacks, and cable runs.
Section 2: College User Resources and Responsibilities
Account Information
- User account information must not be written down and left in a place where unauthorized persons might discover it.
- User account information must not be shared, distributed or exchanged with anyone other than the person to whom the information was assigned. This includes College of Staten Island usernames or userids, passwords, assigned IP addresses, or any other information that may jeopardize the security of the College of Staten Island network.
- The Office of Information Technology will assign all IP addresses. Staff and faculty are prohibited from modifying their assigned IP address without explicit written authorization from the Office of Information Technology.
- Staff working for vendors and system developers are responsible for providing systems that prevent the distribution of College of Staten Island user account information to the Internet community.
- Staff must not modify user accounts without authorization from the Office of Information Technology. This includes, but is not limited to: adding new accounts, modifying existing accounts, and disabling or deleting accounts. This policy does not apply to staff who are assigned the responsibility by the Office of Information Technology to make such changes.
- Faculty and staff will not use hubs to connect multiple devices to the network. All ports will be secured and only one device will be permitted per port.
Modification of Software
Staff must not alter, modify or delete data files, executable code, source code, or system files that can be accessed on or through the Internet or Intranet unless the staff member is the explicit owner of the file.
Special Software Tools
Unless specifically authorized by the Office of Information Technology, College of Staten Island staff members must not possess or use software or hardware tools that can be used to break security mechanisms. Examples of such tools are those that facilitate illegal copying of copy-protected software, unintended discovery of secret passwords, unauthorized packet capturing/sniffing, or unauthorized decryption of encrypted data.
Software Transfers and Licenses
Software owned by College of Staten Island must not be uploaded to any non-College of Staten Island site through the Internet/Intranet unless such uploading is consistent with the relevant license agreements and either: (a) the Office of Information Technology has previously approved of such uploading, or (b) the uploaded copies are being made for contingency planning purposes.
Downloaded software must be scanned for viruses or malicious code prior to execution or access.
Faculty and staff are expected to understand, and abide by all software license agreements. Software must not be copied, distributed, or shared, unless specifically allowed for in the software license agreement.
Section 3: Network Server Access Policy
Only computer servers authorized by the Office of Information Technology will be permitted access to CSI's LAN.
Administrators of servers connected to CSI's LAN are responsible for maintaining a secure server environment; this includes but is not limited to maintaining the most recent version of all security patches for the operating system running on the server.
The Office of Information Technology and the CUNY Instructional Technology and Information Services reserve the right to immediately disable network access to any unauthorized server, as well as to any server that has been compromised.
Access to servers from off campus by any method other than Secure Shell (SSH) Telnet and Secure FTP through CSI's VPN is strictly prohibited, as described below. The only server access permitted directly from the Internet is HTTP for connections to a web page.
CSI maintains email for the College Community through the CSI mail server, mail.csi.cuny.edu. The College does not support in any way other email servers and indeed asks the college community's cooperation in not running any email servers on its LAN.
For special or extenuating circumstances, the Office of Information Technology will consider authorizing email servers on CSI's LAN. Such requests must be made in writing by the appropriate Vice President to the Vice President of the Office of Technology Systems, with a copy to the Network Manager. Without written confirmation from the Office of Information Technology permitting an email server to run, the server will not be permitted on the LAN.
Written requests for authorization for connecting a server to CSI's LAN should be made by an appropriate Vice President and sent to the Vice President for the Office of Technology Systems with a copy to the network administrator.
To obtain authorization, the following information must be included in the request to the Office of Technology Systems' network administrator:
- Name of server administrator
- Server name
- Server IP address
- Server MAC address
- Server operating system
- List of patches and security patches installed
- Who will access the server from off campus?
- When will the server be accessed from off campus?
- How is the Internet accessed from off campus, e.g. ISP or remote LAN?
Section 4: External Access to Campus Services
Confidential Information
All College of Staten Island confidential information, including student-specific information, that is accessible from an external site should be transmitted using a secure Internet protocol (e.g.: SSL, VPN) or be encrypted prior to being transmitted.
Section 5: Campus Access to External Services
Confidential Information
All College of Staten Island confidential information that is transmitted to one or more external sites must be transmitted using a secure Internet protocol (e.g.: SSL, PCT, SET, S/MIME) or be encrypted prior to being transmitted.
Information communicated via newsgroups or electronic mail must not conflict with the level of confidentiality assigned to that information or violate the CUNY Computer Users Responsibilities.
External Site Access and "Blocking"
A site will be blocked if the site promotes mass distribution of unsolicited material, also known as "spamming", or is used in a way that is not consistent with the CUNY Computer User's Responsibilities.
A site will be un-blocked if the following two conditions are met: 1) it becomes necessary in the best interest of College of Staten Island; and 2) the Office of Information Technology grants approval.
Internet Services Provided
The only services that will be allowed to the College of Staten Island from the Internet will be those for which Application Protocol Gateways are available. These services include FTP (get only), HTTP, HTTPS, and Electronic Mail (E-mail). Other services such as SecureFTP (put) and SecureTelnet through a VPN will be provided to individual users on an "as needed" basis. The requestor's Chairperson and the Office of Information Technology must approve all requests for additional services. Services provided are limited to specific port configurations.
Staff members must not interfere with, or disrupt the normal operation of the Internet/Intranet services located on College of Staten Island computers, or accessible through the Internet.
The Office of Information Technology is responsible for revising this policy on an annual basis, or as the need arises. In addition, the Office of Information Technology is responsible for working with the necessary organizations to ensure that there is a global consistency of implementation of this policy.
The Office of Information Technology is responsible for daily maintenance and maintaining the security of the systems they operate. They are further responsible for notifying users of their security policies and any changes to these policies. All security policies must be reviewed and approved by the Office of Information Technology.
In the event of an Internet or Intranet Security Breach requiring interruption or denial of service between a subnet and the Internet or Intranet, the Vice President of the Office of Technology Systems must be informed prior to the separation.
Definitions / Terms / Acronyms
Term: Definition
Application Protocol Gateway: Program or device that passes information between networks or applications.
Category 5: Cabling standard used for Ethernet LANs.
Decrypt: The process of taking encrypted text, or ciphertext, and converting it to plaintext.
Encrypt: The process of altering characters, based on an encryption key, so that the characters appear to be nothing but random, garbage characters.
Firewall: Any system or element that provides a function of filtering or blocking services, protocols, or packets between systems and/or networks.
FTP: A service that supports file transfers between local and remote computers.
IP Address: A unique address that is assigned to an individual machine. The address is used as a means of identifying each machine.
LAN: Local Area Network.
Network: This covers all public networks, such as PSTN, Internet, or carrier networks.
Packet Filter: A device that examines individual IP packets and determines whether or not the packet is allowed to proceed to its destination address.
Plaintext: Refers to any group of characters that are not encrypted.
Secure Shell (SSH): Lets you establish secure terminal sessions between machines using cryptographic authentication and automatic session encryption.
Telnet: Allows users to access computers and their data at thousands of places around the world, most often at libraries, universities, and government agencies.
Worker: Refers to employees, contractors, temporaries, etc.
World Wide Web: The accessible information available on many computers attached to the Internet. The Web has a body of software, a set of protocols and a set of defined conventions for getting at the information on the Web.
Constraints / Waivers
Appeals for an exception to this policy should be submitted to the Office of Information Technology for approval.
Compliance
It is essential that any violation of this policy be reported immediately to the Office of Information Technology Network Director or his immediate staff, so that appropriate action can be taken to ensure the security of other resources on CSI's LAN.
Violations will result in appropriate disciplinary actions as outlined in the CUNY Computer Users Responsibilities, including dismissal and prosecution.