College of Staten Island
 The City University of New York
 Internet & Intranet Acceptable Use and Security Policy

Introduction

The College of Staten Island has experienced many malicious attacks on computer servers connected to CSI's LAN from hackers outside our network. These attacks vandalize our software and hardware. Once a computer is compromised, it is used to attack other computers on campus. In addition, since CSI is part of CUNY's network, network connections to compromised systems are disabled when they are identified and not reconnected until they are secured. This security policy is framed to assist in maintaining a secure network and addresses many issues dealing with computer use including but not limited to the following issues:
  1. Who can connect a computer workstation to CSI's LAN and what are the computer user's responsibilities?
  2. Who can connect a server to CSI's LAN and what are the server administrator and other user's responsibilities?
  3. Who can access campus-based servers from off campus, and how is this connection established?
  4. What are Internet users' responsibilities, i.e., what can the Internet and e-mail be used for?

Internet / Intranet Security Policy
The resources, services and interconnectivity available via the Internet and Intranet introduce both opportunities and risks. In response to those risks, this policy describes the College of Staten Island's official policy regarding Internet and Intranet security.

Although this policy document addresses many of the security issues that are likely to be encountered, it is not possible to catalogue every conceivable security risk. The threats to information assets are continually changing. For additional information or clarification on information security issues, you are encouraged to contact the Office of Information Technology.

Preventing security breaches is where this policy comes to the forefront. The most important function of the policy is to make all aware of Internet security issues and College Internet policies and to secure our equipment to prevent security breaches. Students, staff and faculty must be instructed to report any security weaknesses that they become aware of, either internally or from external sources.

Scope
This policy applies to all students, staff, faculty, contractors and temporaries who use the Internet or Intranet with College of Staten Island computing or networking resources, as well as those who represent themselves as being connected -- in one way or another -- with College of Staten Island. All Internet and Intranet users are expected to be familiar with and comply with these security policies as well as the CUNY Computer User's Responsibilities. Questions should be directed to the Office of Information Technology. Violations of these policies will be subject to penalties as outlined in the CUNY Computer Users Responsibilities, which can lead to revocation of system privileges, disciplinary action including dismissal, termination and criminal prosecution. This policy defines acceptable use, user responsibilities and procedures for using existing network devices and installing new devices requiring network access. The vigorous enforcement of this policy is essential to ensure reliable, secure network access to CSI's shared resources. Since a network is a shared resource that permits distributed interaction amongst disparate users, the activities of one user affect others.

General
Section 1: Network Access
Section 2: College User Resources and Responsibilities
Section 3: Network Server Access Policy
Section 4: External Access to Campus Services
Section 5: Campus Access to External Services

Section 1: Network Access
Any device that requires network access must be connected to CSI's LAN directly with a category 5 cable that runs from the device to the closet where a switch is housed. It is a violation to use hubs or any other device that shares network access amongst devices unless installed by the Office of Information Technology. This may require the installation of cabling and telecommunications equipment to terminate as per category 5 specifications. All such installation of cables and network equipment is to be directed by the Office of Information Technology and funded by the department housing the device. The Office of Information Technology reserves the right to disable any unauthorized hubs or other devices on its LAN at the network switch or port as appropriate to ensure the orderly administration and security of the LAN.

The following are procedural requirements for acquisition of new runs for network connectivity:

  • The Office of Information Technology must approve requests for new or additional network connections. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Technology Systems.
  • Any purchase of equipment that requires network connection must have approval from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Technology Systems.
  • A network port (jack) must exist in the room for any device requiring network access. If no port exists in the room, the device cannot be purchased without authorization from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Technology Systems.
  • Hubs and/or switches will not be permitted to connect more than one device per jack. If a hub or switch is used, the Office of Information Technology reserves the right to immediately disconnect the device from the network. Each device must have its own port to connect to the network. This requirement is essential for effective network administration to ensure a secure network environment for authorized users.
  • If a department's space is changed, whether by expanding, renovating or relocating, the Office of Information Technology and the Director of Telecommunications must be consulted in the early stages of the design phase of the project. A survey of the space must be conducted for the telephone and data connections required, to ensure continued access to campus telephones and network resources. The Office of Information Technology will coordinate any network-related work. The department doing the project is responsible for covering all the costs associated with the network configuration, including but not limited to network switches, network media connectors and other devices, jacks, and cable runs.
Section 2: College User Resources and Responsibilities

Account Information
  • User account information must not be written down and left in a place where unauthorized persons might discover it.
  • User account information must not be shared, distributed or exchanged to anyone other than the person to whom the information was assigned. This includes College of Staten Island usernames or userids, passwords, assigned IP addresses, or any other information that may jeopardize the security of the College of Staten Island network.
  • The Office of Information Technology will assign all IP addresses. Staff and faculty are prohibited from modifying their assigned IP address without explicit written authorization from the Office of Information Technology.
  • Staff working for vendors and system developers are responsible for providing systems that prevent the distribution of College of Staten Island user account information to the Internet community.
  • Staff must not modify user accounts without authorization from Office of Information Technology. This includes, but is not limited to: adding new accounts, modifying existing accounts, and disabling or deleting accounts. This policy does not apply to staff who are assigned the responsibility by The Office of Information Technology to make such changes.
  • Faculty and staff will not use hubs to connect multiple devices to the network. All ports will be secured and only one device will be permitted per port.
Modification of Software
Staff must not alter, modify or delete data files, executable code, source code, or system files that can be accessed on or through the Internet or Intranet unless the staff member is the explicit owner of the file.

Special Software Tools
Unless specifically authorized by the Office of Information Technology, College of Staten Island staff members must not possess or use software or hardware tools that can be used to break security mechanisms. Examples of such tools are those that facilitate illegal copying of copy-protected software, unintended discovery of secret passwords, unauthorized packet capturing/sniffing, or unauthorized decryption of encrypted data.

Software Transfers and Licenses
Software owned by College of Staten Island must not be up-loaded to any other non-College of Staten Island site, through the Internet/Intranet unless such up-loading is consistent with relevant license agreements and either: (a) Office of Information Technology has previously approved of such up-loading, or (b) up-loaded copies are being made for contingency planning purposes.

Downloaded software must be scanned for viruses or malicious code prior to execution or access.

Faculty and staff are expected to understand and abide by all software license agreements. Software must not be copied, distributed, or shared unless specifically allowed for in the software license agreement.

Section 3: Network Server Access Policy
Only computer servers authorized by the Office of Information Technology will be permitted access to CSI's LAN.

Administrators of servers connected to CSI's LAN are responsible for maintaining a secure server environment; this includes but is not limited to maintaining the most recent version of all security patches for the operating system running on the server.

The Office of Information Technology and the CUNY Instructional Technology and Information Services reserve the right to immediately disable network access to any unauthorized server, as well as to any server that has been compromised.

Access to servers from off campus through any method other than Secure Shell (SSH) and Secure FTP through CSI's VPN is strictly prohibited, as described below. The only server access permitted directly from the Internet is HTTP, for connections to a web page.

CSI maintains email for the College Community through the CSI mail server, mail.csi.cuny.edu. The College does not support other email servers in any way, and asks for the college community's cooperation in not running any email servers on its LAN.

For special or extenuating circumstances, the Office of Information Technology will consider authorizing email servers on CSI's LAN. Such requests must be made in writing by the appropriate Vice President to the Vice President of the Office of Technology Systems, with a copy to the Network Manager. Without written confirmation from the Office of Information Technology permitting an email server to run, the server will not be permitted on the LAN.

Written requests for authorization for connecting a server to CSI's LAN should be made by an appropriate Vice President and sent to the Vice President for the Office of Technology Systems with a copy to the network administrator.

To obtain authorization, the following information must be included in the request to the Office of Technology Systems' network administrator:

  • Name of server administrator
  • Server name
  • Server IP address
  • Server MAC address
  • Server operating system
  • List of patches and security patches installed
  • Who will access the server from off campus?
  • When will the server be accessed from off campus?
  • How is the Internet accessed from off campus, e.g. via an ISP or a remote LAN?

Section 4: External Access to Campus Services
Confidential Information
All College of Staten Island confidential information, including student specific information, that is accessible from an external site should be transmitted using a secure Internet protocol (e.g.: SSL, VPN) or be encrypted prior to being transmitted.

Section 5: Campus Access to External Services
Confidential Information
All College of Staten Island confidential information that is transmitted to one or more external sites must be transmitted using a secure Internet protocol (e.g.: SSL, PCT, SET, S/MIME) or be encrypted prior to being transmitted.

Information communicated via newsgroups or electronic mail must not conflict with the level of confidentiality assigned to that information or violate the CUNY Computer Users Responsibilities.

External Site Access and "Blocking"
A site will be blocked if the site promotes mass distribution of unsolicited material, also known as "spamming" or is used in a way that is not consistent with the CUNY Computer User's Responsibilities.

A site will be un-blocked if the following two conditions are met: 1) it becomes necessary in the best interest of College of Staten Island; and 2) the Office of Information Technology grants approval.

Internet Services Provided
The only services that will be allowed to the College of Staten Island from the Internet will be those for which Application Protocol Gateways are available. These services include FTP (get only), HTTP, HTTPS, and Electronic Mail (E-mail). Other services such as SecureFTP (put) and SecureTelnet through a VPN will be provided to individual users on an "as needed" basis. The requestor's Chairperson and Office of Information Technology must approve all requests for additional services. Services provided are limited to specific port configurations.

Staff members must not interfere with, or disrupt the normal operation of the Internet/Intranet services located on College of Staten Island computers, or accessible through the Internet.

The Office of Information Technology is responsible for revising this policy on an annual basis, or as the need arises. In addition, the Office of Information Technology is responsible for working with the necessary organizations to ensure that there is a global consistency of implementation of this policy.

The Office of Information Technology is responsible for daily maintenance and maintaining the security of the systems they operate. They are further responsible for notifying users of their security policies and any changes to these policies. All security policies must be reviewed and approved by the Office of Information Technology.

In the event of an Internet or Intranet Security Breach requiring interruption or denial of service between a subnet and the Internet or Intranet, the Vice President of the Office of Technology Systems must be informed prior to the separation.

Definitions / Terms / Acronyms

Application Protocol Gateway: Program or device that passes information between networks or applications.

Category 5: Cabling standard used for Ethernet LANs.

Decrypt: The process of taking encrypted text, or ciphertext, and converting it to plaintext.

Encrypt: The process of altering characters, based on an encryption key, so that the characters appear to be nothing but random, garbage characters.

Firewall: Any system or element that provides a function of filtering or blocking services, protocols, or packets between systems and/or networks.

FTP: A service that supports file transfers between local and remote computers.

IP Address: A unique address that is assigned to an individual machine. The address is used as a means of identifying each machine.

LAN: Local Area Network.

Network: This covers all public networks, such as PSTN, Internet, or carrier networks.

Packet Filter: A device that examines individual IP packets and determines whether or not the packet is allowed to proceed to its destination address.

Plaintext: Refers to any group of characters that are not encrypted.

Secure Shell: SSH lets you establish secure terminal sessions between machines using cryptographic authentication and automatic session encryption.

Telnet: Allows users to access computers and their data at thousands of places around the world, most often at libraries, universities, and government agencies.

Worker: Refers to employees, contractors, temporaries, etc.

World Wide Web: The accessible information available on many computers attached to the Internet. The Web has a body of software, a set of protocols and a set of defined conventions for getting at the information on the Web.

Constraints / Waivers
Appeals for an exception to this policy should be submitted to the Office of Information Technology for approval.

Compliance
It is essential that any violation of this policy be reported immediately to the Office of Information Technology Network Director or his immediate staff, so that appropriate action can be taken to ensure the security of other resources on CSI's LAN.

Violations will result in appropriate disciplinary actions as outlined in the CUNY Computer Users Responsibilities, including dismissal and prosecution.