Internet & Intranet Acceptable Use and Security Policy

Introduction

The College of Staten Island has experienced many malicious attacks on computer servers connected to CSI's LAN from hackers outside our network. These attacks vandalize our software and hardware. Once a computer is compromised, it is used to attack other computers on campus. In addition, since CSI is part of CUNY's network, network connections to compromised systems are disabled when they are identified and not reconnected until they are secured. This security policy is framed to assist in maintaining a secure network and addresses many issues dealing with computer use including but not limited to the following issues:

  • Who can connect a computer workstation to CSI's LAN and what are the computer user's responsibilities?
  • Who can connect a server to CSI's LAN and what are the server administrator and other user's responsibilities?
  • Who can access campus based servers from off campus and how this connection is established?
  • What are Internet users responsibilities, i.e.: What can the Internet and e-mail be used for?

 

Internet / Intranet Security Policy
The resources, services and interconnectivity available via the Internet, and Intranet, all introduce opportunities and risks. In response to the risks, this policy describes College of Staten Island official policy regarding Internet and Intranet security. 

Although this policy document addresses many of the security issues that are likely to be encountered, it is not possible to catalogue every conceivable security risk. The threats to information assets are continually changing. For additional information or clarification on information security issues, you are encouraged to contact the Office of Information Technology. 

Preventing security breaches is where this policy comes to the forefront. The most important function of the policy is to make all aware of Internet security issues and College Internet policies and to secure our equipment to prevent security breaches. Students, staff and faculty must be instructed to report any security weaknesses that they become aware of, either internally or from external sources. 

Scope
This policy applies to all students, staff, faculty, contractors, temporaries who use the Internet or Intranet with College of Staten Island computing or networking resources, as well as those who represent themselves as being connected -- in one way or another -- with College of Staten Island. All Internet and Intranet users are expected to be familiar with and comply with these security policies as well as the CUNY Computer User's Responsibilities. Questions should be directed to the Office of Information Technology. Violations of these policies will be subject to penalties as outlined in the CUNY Computer Users Responsibilities which can lead to revocation of system privileges, disciplinary action including dismissal, termination and criminal prosecution. This policy defines acceptable use, user responsibilities and procedures for using existing network devices and installing new devices requiring network access. The vigorous enforcement of this policy is essential to ensure reliable, secure network access to CSI's shared resources. Since a network is a shared resource that permits distributed interaction amongst disparate users, the activities of one user affects others.

General
Section 1: Network Access 
Section 2: College User Resources and Responsibilities 
Section 3: Network Server Access Policy 
Section 4: External Access to Campus Services 
Section 5: Campus Access to External Services

Section 1: Network Access Section
Any device that requires network access must be connected to CSI's LAN directly with a category 5 cable that runs from the device to the closet where a switch is housed. It is a violation to use hubs or any other device that shares network access amongst devices unless installed by the Office of Information Technology. This may require the installation of cabling and telecommunications equipment to terminate as per category 5 specifications. All such installation of cables and network equipment is to be directed by the Office of Information Technology and funded by the department housing the device. The Office of Information Technology reserves the right to disable any unauthorized hubs or other devices on its LAN at the network switch or port as appropriate to ensure the orderly administration and security of the LAN.

The following are procedural requirements for acquisition of new runs for network connectivity:

  • The Office of Information Technology must approve requests for new or additional network connections. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Information Technology Services.
  • Any purchase of equipment that requires network connection must have approval from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Information Technology Services.
  • A network port (jack) must exist in the room for any device requiring network access. If no port exists in the room, the device cannot be purchased without authorization from the Office of Information Technology. The Vice President to whom the department reports must make the request in writing to the Vice President of the Office of Information Technology Services.
  • Hubs and/or switches will not be permitted to connect more than one device per jack. If a hub or switch is used, the Office of Information Technology reserves the right to immediately disconnect the device from the network. Each device must have its own port to connect to the network. This requirement is essential for effective network administration to ensure a secure network environment for authorized users.
  • If a department's space is changed whether by expanding, renovating or relocating, the Office of Information Technology and the Director of Telecommunications must be consulted in the early stages of the design phase of the project. A survey of the space must be conducted for telephone and data connections required ensuring continued access to campus telephones and network resources. The Office of Information Technology will coordinate any network-related work. The department doing the project is responsible for covering all the cost associated with the network configuration including but not limited to network switches, network media connectors and other devices, jacks, and cable runs. 

 

Section 2: College User Resources and Responsibilities Account Information 

  • User accou