- Chattanooga State Community College relies heavily on its computer systems and the data stored in them to meet its educational, informational and operational needs. The network, both wired and wireless, is ChSCC's first line of defense against viruses, worms, hackers, and individual misuse that can compromise the critical computer systems and data that support ChSCC's business.
- The standards described herein are those ChSCC intends to use in the normal operation of its network systems. This document does not waive any claim that the College may have to ownership or control of any hardware, software, or data created on, stored on, or transmitted through College computing systems.
- This policy functions as network standards and specifies security requirements for the College network, both wired and wireless. It also specifies the requirements for using wireless technologies and for accessing ChSCC computer systems from off campus.
- In compliance with the guidelines referenced, these standards apply to all ChSCC staff (including contractors and student workers), students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data. It impacts all networks (e.g., LAN, WAN, WLAN, wired, wireless, etc.), wireless access points (i.e., WAPs), routers, bridges, hubs, and various peripheral equipment including, but not limited to, modems. All wireless network access devices and technologies that provide a bridge between the College's wireless and wired networks (hereafter "wireless access points"), or any device that is designed to communicate with such a device via the College's wireless network (i.e., wireless client) are covered within this policy. All College wireless local area network (i.e., WLAN) technologies, both inside buildings and in outside areas, are also covered.
Network Security Standards:
- Wired and wireless networks are viewed the same and, therefore, must comply with any and all ChSCC guidelines/standards related to College networks and computer systems. ChSCC has the responsibility and authority to scan computers attached to the ChSCC networks to ensure appropriate security, and support network operations and performance. ChSCC reserves the right to restrict access to services and resources that are disruptive to its networks, or pose a threat to the College's information security, audit or accreditation status.
1. Network connections are deployed to benefit the entire College and support its missions of education. These network connections are not to be used to provide commercial services not related to the College's missions nor shall they be used in any illegal activities. Network wiring, component, software and hardware requirements shall be documented for all ChSCC networks.
- College networks should be designed and implemented to the extent technically and reasonably possible so that:
1. No single point of failure, such as a central switching center, could cause network services to be unavailable.
2. Critical communications may immediately be sent via multiple long distance carriers over physically diverse routes.
- Peer-to-Peer (P2P) file sharing software/applications, such as BitTorrent, are not permitted at ChSCC because they can violate copyright laws, negatively impact network load, and provide a conduit for viruses. For business needs that require this type of software/applications, please submit a work order to CS containing the business justification.
- All inbound dial-up lines (e.g., modems) and real-time external connections (e.g., Internet) connected to College networks carrying data that is considered to be either Red Flag or PCI restricted, or all administrative or research data must pass through an additional access control point (e.g., firewall) before authorized users reach the log-in banner. Firewall configurations must prohibit direct public access between the Internet and any system component in the cardholder data environment.
- All inbound dial-up lines to administrative and research computer systems shall be protected with extended user authentication systems as technically and reasonably possible.
- Both ends of a dial-up connection shall be dropped when the access session is terminated.
- Direct network connections (e.g., a tunnel) between any ChSCC network carrying administrative or research data and computers at external organizations via the Internet or any other public network are prohibited unless specifically approved by the appropriate Dean, or their designee and Director of Network and Telecommunications.
- All user-initiated commands received from locations other than College administrative networks shall not be fulfilled unless a user has first logged in.
Adequate controls exist to restrict access to and use of network troubleshooting equipment, audit and network management software.
Wireless Networks/Technology Standards:
Wireless networks do not offer the same performance, stability or security as wired networks. Wireless networks are a convenience tool only. The wireless network should be thought of as an extension of the wired network to promote mobility. The requirements set forth in this as well as other ChSCC guidelines/standards apply to the wired and wireless networks; however, there are special concerns in the wireless environment that need to be addressed. This section outlines the processes, requirements and standards needed to implement a secure, reliable and usable wireless network at ChSCC.
- Wireless Network Security Standards: Wireless access points should be installed in physically secure areas accessible only by authorized personnel to prevent unauthorized access and physical tampering. Devices should not be placed in easily accessible public locations. Wireless clients accessing the campus wired infrastructure must meet certain data networking and security standards to ensure that authorized and authenticated users are able to connect to the campus network and that College computing resources are not exposed to unauthorized users.
- Access control and security mechanisms such as gateways, firewalls and network-based intrusion-detection systems should be deployed. This will separate the wireless network from the internal wired network and detect system compromises if they occur.
Wireless Network Access and Use:
All access via the wireless infrastructure requires user authentication. Wireless clients must not be used for connecting to campus business systems such as Human Resources and Financials, student information, or other systems that contain confidential data, or are critical to the mission of ChSCC unless using encryption protocols or other appropriate and equally secure methods. No portion of access to these systems, or saving/printing related data will be conducted on a wireless medium without appropriate security. Application access via the wireless infrastructure shall include appropriate password and data protection controls.
Research groups and labs should be aware that conditions of some federal grants include data confidentiality and protection. No data or network protection can be guaranteed on wireless networks.
1. Payment Card Industry (PCI) Compliance and Questionnaire
2. These standards comply with and are based on the laws of the United States, State of Tennessee, Tennessee Board of Regents, and other regulatory agencies. This includes all applicable federal and state laws which govern the privacy, confidentiality, security and use of data, and the use and security of computer systems and data including: The State of Tennessee Department of Finance and Administration Office for Information Resources. If this Guideline conflicts with federal or state statute, the applicable statute shall apply.
3. Additionally, other College Policies, Guidelines, Standards and/or campus procedures may impose certain restrictions that are not specifically covered by state and federal statute or regulations.
- ChSCC IT Policy 08:14 Responsible Use Policy
President's Cabinet, 02/1/2012
Dr. James L. Catanzaro, President, 05/7/2012
Implemented by: Computer Services, 3/27/09
Reviewed and Revised by: Computer Services, 12/1/2011 Rev 1