- Information Technology Services is responsible for ensuring the network, both wired and wireless, is ChSCC's first line of defense against viruses, worms, hackers, and individual misuse that can compromise the critical computer systems and data that support ChSCC's business.
- The standards described herein are those ITS intends to use in the normal operation of its network systems. This document does not waive any claim that the College may have ownership or control of any hardware, software, or data created on, stored on, or transmitted through College computing systems.
- This policy functions as network standards and specifies security requirements for the College network, both wired and wireless. It also specifies the requirements for using wireless technologies and for accessing ChSCC computer systems from off campus.
- In compliance with the guidelines referenced, these standards apply to all ChSCC faculty/staff, students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data. These standards impact all inside and outside networks (e.g., LAN, WAN, WLAN, wired, wireless), wireless access points (i.e., WAPs), routers, bridges, hubs, modems and various peripheral equipment. All wireless network access devices and technologies that provide a bridge between the College's wireless and wired networks (hereafter "wireless access points"), or any device that is designed to communicate with such a device via the College's wireless network (i.e., wireless client), are covered within this policy.
Network Security Standards:
- Wired and wireless networks are viewed the same and, therefore, must comply with any and all ChSCC guidelines/standards related to College networks and computer systems. ChSCC ITS has the responsibility and authority to scan computers attached to the ChSCC networks to ensure appropriate security and to support network operations and performance. ChSCC ITS reserves the right to restrict access to services and resources that are disruptive to its networks or pose a threat to the College's information security, audit or accreditation status. No change to any wired/wireless network device, hub, router, switch, port, or firewall configuration, including changes to any device within network closets throughout the campuses, will be made without prior ITS Network approval. Requests should be made through the ITS Work Order System before a change is made. If required, updates to the ITS Change Log will be entered.
- Network connections are deployed to benefit the entire College and support its missions of education. These network connections are not to be used to provide commercial services not related to the College's missions nor shall they be used in any illegal activities. Network wiring, component, software and hardware requirements shall be documented for all ChSCC networks.
- College networks should be designed and implemented to the extent technically and reasonably possible so that:
  - No single point of failure, such as a central switching center, could cause network services to be unavailable.
  - Critical communications may immediately be sent via multiple long distance carriers over physically diverse routes.
- Peer-to-Peer (P2P) file sharing software/applications, such as BitTorrent, are not permitted at ChSCC because of the possibility of copyright law violations, the negative impact on network load, and their potential to serve as a conduit for malware. For business needs that require this type of software/application, please submit a work order to ITS containing the business justification.
- All inbound dial-up lines (e.g., modems) and real-time external connections (e.g., Internet) connected to College networks carrying data that is considered to be either Red Flag or PCI restricted, or all administrative or research data, must pass through an additional access control point (e.g., firewall) before authorized users reach the log-in banner. Firewall configurations must prohibit direct public access between the Internet and any system component in the cardholder data environment.
- All in-bound dial-up lines to administrative and research computer systems shall be protected with extended user authentication systems.
- Both ends of a dial-up connection shall be dropped when the access session is terminated.
- Direct network connections between any ChSCC network carrying administrative or research data and computers at external organizations via the Internet or any other public network are prohibited unless specifically approved by the appropriate Dean, or their designee and Director of Network and Telecommunications.
- Adequate controls exist to restrict access to and use of network troubleshooting equipment, audit and network management software.
Wireless Networks/Technology Standards:
- Wireless networks do not offer the same performance, stability or security as wired networks. The wireless network should be thought of as an extension of the wired network to promote mobility. There are special concerns in the wireless environment that need to be addressed. This section outlines the processes, requirements and standards needed to implement a secure, reliable and usable wireless network at ChSCC.
- Wireless access points should be installed in physically secure areas accessible only by authorized ITS personnel to prevent unauthorized access and physical tampering. Devices should not be placed in easily accessible public locations. Wireless clients accessing the campus wired infrastructure must meet certain data networking and security standards to ensure that authorized and authenticated users are able to connect to the campus network and that College computing resources are not exposed to unauthorized users.
- Access control and security mechanisms such as gateways, firewalls and network-based intrusion-detection systems will be deployed.
Wireless Network Access and Use:
- All access via the wireless infrastructure requires user authentication. Wireless clients must not be used for connecting to campus business systems such as Human Resources and Financials, student information, or other systems that contain confidential data or are critical to the mission of ChSCC, unless using encryption protocols or other appropriate and equally secure methods. No portion of access to these systems, or saving/printing related data, will be conducted on a wireless medium without appropriate security. Applications accessed via the wireless infrastructure shall include appropriate password and data protection controls.
- Research groups and labs should be aware that conditions of some federal grants include data confidentiality and protection. No data or network protection can be guaranteed on wireless networks.
1. Payment Card Industry (PCI) Compliance and Questionnaire
2. These standards comply with and are based on the laws of the United States, State of Tennessee, Tennessee Board of Regents, and other regulatory agencies. This includes all applicable federal and state laws which govern the privacy, confidentiality, security and use of data, and the use and security of computer systems and data including: The State of Tennessee Department of Finance and Administration Office for Information Resources. If this Guideline conflicts with federal or state statute, the applicable statute shall apply.
3. Additionally, other College Policies, Guidelines, Standards and/or campus procedures may impose certain restrictions that are not specifically covered by state and federal statute or regulations.
- ChSCC ITS Policy 08:14 Responsible Use Policy
- ChSCC ITS Policy 08:22 Virtual Private Network Access
Implemented by: Information Technology Services, 3/27/09
Reviewed and Revised by: Information Technology Services, 12/1/2011 Rev 1
Reviewed and Revised by Information Technology Services, 12/1/2012 No changes required
Reviewed and Revised by Information Technology Services, 12/19/2013 Rev 2 No changes required
Reviewed and Revised by Information Technology Services, 8/31/2015 Rev 3 Pages All. Computer Services was changed to Information Technology Services.
Reviewed and Revised by Information Technology Services, 1/30/2016 Rev 4 No changes required.