Network Policy - Interim (Revised)

REVISED DRAFT January 10, 2002

*Note: Information Technology Policies are in the process of review and will be updated throughout the year*

Editor's Note: This is considered an interim policy of the University, as of May 18, 2001, pending final revisions/approvals. Before it is approved in final, it will be sent through the appropriate review and adoption process.

Oklahoma State University

Network Security Policy

A. Introduction

The network of Oklahoma State University (OSU) exists to facilitate the research, education and outreach missions of the University. The network provides electronic capabilities that allow OSU faculty, staff, students or affiliates to access information, share data, collaborate, and communicate. Computing Information Services (CIS) manages the network and is responsible for its secure and effective operation. CIS is responsible for the maintenance, planning and implementation of network growth and for coordinating these efforts with units and departments.

B. Scope

This policy is applicable to all individuals using University owned or controlled computer and computer communication facilities or equipment. It is applicable to all University information resources whether individually controlled or shared, stand alone or networked. It applies to all computer and computer communication facilities owned, leased, operated, or contracted by the University. In addition, a user must be specifically authorized to use a particular computing or network resource by the campus unit responsible for operating the resource.

Individual units within the University may define "conditions of use" for information resources under their control. These statements must be consistent with this overall Policy but may provide additional detail, guidelines and/or restrictions. Such policies may not relax or subtract from this policy. Where such "conditions of use" exist, enforcement mechanisms defined therein shall apply. These individual units are responsible for securing appropriate authorization (per 2-0501 Administrative Information Systems policy) and for furnishing Computing Information Services (CIS) with a copy of the approved document. Units must also publicize both the regulations they establish and their policies concerning the authorized and appropriate use of the equipment for which they are responsible. In such cases, the unit administrator shall provide the Executive Vice President with a copy of such supplementary policies prior to implementation thereof. Where use of external networks is involved, policies governing such use also are applicable and must be adhered to.

C. OSU Network Components

The network consists of the following:
- Access-Layer Network Infrastructure - network wiring and electronics (network switches and/or hubs) in OSU buildings that interconnect OSU's computers and other devices.
- Wireless Network Access "Air Space" - radio spectrum used for wireless network access at OSU.
- Network Backbone and Building Switches - top-level network switches/routers in each building and the core OSU network backbone that connect OSU building networks together and to off-campus networks.
- Wide Area Network Connections - Wide Area Network (WAN) that connects distributed portions of the OSU network.
- Connections to Regional and National Networks (OneNet) - off-campus connections to the Internet. OneNet is Oklahoma's telecommunications and information network for education and government. OneNet is a division of the Oklahoma State Regents for Higher Education and is operated in cooperation with the Oklahoma Office of State Finance.
- Core Network Services - services required for network operations (Domain Name Service, BOOTP, WINS, etc.).
- OSU Network – the infrastructure to provide data and communication services and resources
- Subordinate Departmental Network – an independent network whose development has been reviewed by CIS and approved by the responsible Vice President and is subject to approval by the OSU Executive Systems Council. (Per 2-0501 Administrative Information Systems policy)
- OSU Research Network (non administrative) – an independent network that is logically and physically independent of the OSU Network whose development has been reviewed by CIS due to the potential risk to the administrative production environment.

D. General Provisions

- OSU Network as a Principal Institutional System - The network is a critical campus principal institutional system, available to all faculty, staff, students or affiliates, at all campus locations. It provides end-to-end "wall plate to wall plate" service from any computer on campus to any other, as well as to off-campus computers and resources.
- Subordinate Departmental Network – A departmental network is considered an independent system and shall not be directly interfaced with any institutional system (per 2-0501 Administrative Information Systems policy). Any deviation to this must be reviewed by CIS and approved by the Assistant Vice President, CIS.
- Research Network (non administrative) – Research that requires a less restrictive environment than the OSU Network may be connected to the OSU Research Network, as the current infrastructure allows. It is possible funding may be required for such a connection.
- Wireless Network - Wireless services are subject to the same rules and policies that govern other Information Technology at OSU (examples include: Appropriate Use Policy, Use of Electronic Mail, World Wide Web Publishing Policy).
  - Wireless equipment and users must follow general wireless communication protocols.
  - Wireless access will be provided for public access in some public areas, such as the Library.
  - Communication links will not be encrypted and will be restricted to selective services.
  - All other wireless access will be limited to authorized faculty, staff, students and affiliates.
  - Users will be required to authenticate before any connection will be allowed. Logs of all access and authorizations should be kept for a period of ninety days.
  - Standard wireless encryption is to be used on all devices as appropriate.
  - Anti-Virus Software is to be used on all devices as appropriate.
  - All wireless needs should be directed to CIS for review and coordination.
- Extension of the Backbone into New Buildings - The extension of the network into new buildings on campus should be included and funded as part of building construction projects. Buildings should not be erected without the capability to communicate with the OSU network or without CIS approval or blueprints and CIS involvement during construction. Installation of any communications wiring and/or facilities shall be performed in accordance with industry standards and requirements set forth by CIS.
- TCP/IP – OSU's Network Protocol - To facilitate interoperability among OSU systems, the network backbone supports only TCP/IP and other IP based protocols.
- Involuntary Disconnection - To assure the integrity of the network, it may be necessary for CIS to disconnect a host, a group of hosts, or a network that is unsecured or disrupting network service to others. This includes hosts involved in network security problems, such as those used by unauthorized parties to attack other systems on the OSU Network or on the Internet. If the situation allows, CIS will make an attempt to contact the local network administrator or owner of the host or hosts involved. If those individuals are not available, the disconnection may proceed without notification. With regard to security issues, a disconnection might be a "partial" one that isolates the host from attacking hosts, or from off-campus access in general. A host that has been compromised by unauthorized parties may need to stay disconnected until the host's operating system can be updated and all changes made by the attacker reversed.
- Physical Access to Wiring Closets - Only CIS is authorized to place equipment or cabling in wiring closets, equipment rooms, etc., unless special arrangements are made with CIS and approved by the Assistant Vice President for CIS. Departments maintaining their own networks must use other space for their equipment and cable. At no time shall any individual access CIS wiring closets or shall any wiring not belonging to CIS be located within a CIS wiring closet without express written approval from CIS.
- Exceptions to Interim Network Policy Requirements and Guidelines - Requests for an exception to a requirement or guideline of this policy should be directed to CIS for coordination and approval.
- Mediation - If mediation is required, issues will be presented to an appropriate advisory committee for review. All decisions will be communicated in writing and will include justification for the decision.

E. CIS Responsibilities

- Network Maintenance - CIS maintains building and campus network wiring and fiber, local switches, building routers/switches, backbone routers/switches, and other network devices that comprise the OSU network. This includes troubleshooting problems, identifying their cause, and replacing or repairing defective equipment and wiring.
- Network Documentation - CIS is responsible for creating and maintaining the detailed documentation of the network required for proper network maintenance, operation, and planning.
- Administration of OSU Network Connections to Other Networks - CIS maintains relationships and agreements with OneNet and other service providers to keep the OSU Network well connected to the commercial Internet and academic networks. CIS administers all interfaces between networks and connections between the OSU Network and other networks.
- Administration of OSU Network Name and Address Space - CIS manages the OSU network name space and the assignment of names and network addresses (IP numbers) for security and identity of users.
- Administration of OSU Wireless Networking - CIS coordinates use of wireless networking at OSU to ensure compatible access to all OSU users.
- Central Network Services - CIS provides central services required for operation of the network.
- Network Devices - The Network is a mission critical strategic University resource. In order to protect the Data Communications Network, devices other than computers, servers, and workstations, must not be plugged into any network port. This includes, but is not limited to hubs, switches, repeaters, routers, network modems and wireless access points. These devices may be incorrectly configured or incompatible with the OSU Network causing outages and reliability problems to all or part of the network. Devices not approved for use on OSU's Data Communication Network will be disabled to ensure the stability and availability of the network.
- Traffic Monitoring - CIS monitors traffic flow to optimize network usage, detect network problems, and ensure equitable access and other properly authorized investigations.
- Security Monitoring - To the extent possible, CIS monitors incoming network traffic to detect the "signatures" of known network intrusion scenarios, viruses, or the like. CIS may periodically scan the OSU network hosts to assess the vulnerability to attack. It should be noted that there is no guarantee that CIS will be able to detect all potential system vulnerabilities.
- Campus-wide Network Security Coordination - CIS promotes campus-wide network security and coordinates campus-wide response to unauthorized access. This also includes working with local supporters, computer users, and OneNet to protect the campus from network intrusions, denial of service attacks, and other unauthorized and/or inappropriate activities that impair network access and use.
- Planning for Network Growth - CIS interacts with campus departments to ensure current and future communication needs are addressed.
- Upgrades to Current Infrastructure - CIS performs upgrades to the current infrastructure to ensure current and future needs are addressed.

F. Coordination of Computer and Network Security

The Dean or Director in each college or major unit is the person in charge of coordinating computing and network use in that area. They should identify a network administrator who has the following responsibilities for the college or unit:
- Works with CIS staff to track down and correct excessive use of network resources, especially off-campus network usage. Encourages members of the unit to utilize network bandwidth and resources efficiently.
- Acts as a liaison between CIS and network users for the purpose of scheduling maintenance periods, coordinating system changes, and disseminating information concerning the OSU network.
- Network Security Maintenance - The security liaison implements and maintains sound network and computer security practices in the unit. This includes, but is not limited to, host-based security mechanisms such as password-protected logins, file protections, ensuring encryption is not used and security patch maintenance on all machines. System Administrators are also to encourage end-users to select secure passwords and change them regularly, and to use security-minded access tools.
- Network Name and Address Coordination - The security liaison serves as the unit coordination point for the assignment of network name and addresses.

G. Systems Security Officer

The university's Systems Security Officer (SSO), or the person designated by the Assistant Vice President of CIS, shall be the primary contact to work in conjunction with appropriate university officials for the interpretation, enforcement and monitoring of this policy and the resolution of problems concerning it. Any issues concerning law shall be referred to OSU Legal Counsel for advice and action as applicable.

In situations that are an immediate threat to the security or operation of a computer or network, the SSO may require immediate intervention of access privileges and affected user files or messages. In such an emergency, the SSO will notify, as soon as possible, the appropriate university administrators and users affected by the situation.

H. User Responsibilities

The owners or primary users of computers connected to the OSU network are responsible for the following:
- Abiding by OSU's Appropriate Computer Use Policy - Users should efficiently use network resources and follow OSU's Appropriate Computer Use Policy and OSU's Network Security Policy. Users are personally responsible for all activities on their User ID or computer system and may be subjected to disciplinary action and/or loss of privileges for misuse of computers or computing systems under their control, even if not personally engaged in by the person controlling the computer or system.
- Reporting Problems - Users should promptly report network problems to either the local network administrator or to the CIS HelpDesk, and cooperate with support staff in correcting malfunctions.
- Taking Proper Security Precautions - Users should select secure passwords and change them regularly. Security-minded network access techniques should be used whenever practical.
- Keeping the Operating System Secure - Users should make sure their computer's operating system is kept up-to-date with current security patches. This may be accomplished by the owner, local support staff, or central staff.

I. Special Notifications

The University's computing and network systems are a university owned resource and business tool only to be used by authorized individuals for business and academic purposes. Users should never distribute mailing lists owned by the University. The University owns everything stored in its systems unless it has agreed otherwise. The University has the right of access to the contents of stored computing information at any time for any purpose for which it has a legitimate "need to know." The University will make reasonable efforts to maintain the confidentiality of computing information storage contents and to safeguard the contents from loss, but is not liable for the inadvertent or unavoidable loss or disclosure of the contents.

Devices not approved for use on OSU's Data Communication Network will be disabled to ensure the stability and availability of the network.

J. Notification

References to this policy will be on the CIS web site and in the OSU Policies and Procedures Letters.

K. Application and Enforcement

Each University campus shall be responsible for enforcing this Policy in a manner best suited to its own organization and in ensuring cooperation and coordination with CIS. It is expected that enforcement will require cooperation between departments such as computer systems administration, personnel, affirmative action, academic affairs and student affairs.

References

OSU Administrative Policies & Procedures

- Administrative Information Systems Policy
- Appropriate Computer Use Policy
- Family Educational Rights and Privacy Act-Buckley Amendment
- CIS World Wide Web Publishing
- Copyrightable Educational Material and Other Intellectual Property
- Grievances and Appeals for Administrative/Professional and Classified Staff
- Faculty Grievances
- Handling Gifts to the University
- Incident Reporting Of Computer Security Violations
- Open Records
- Microsoft Campus Agreement (MCA) Overview
- Password Guidelines
- Sexual Harassment
- Use of Electronic Mail
- Use of the University Name

Other

- Digital Millennium Copyright Act
- Federal Computer Intrusion Laws
- Federal Electronic Communication and Privacy Act of 1986