UM Network Security Standard
UM Information Security Office - Area: Information SECURITY POLICY
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
1/8/2024 | 1.1 | Rebuilt in new template | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
1/8/2024 | 1.1 | CISO | Neff, CISO |
Introduction
This standard provides structure and guidance for the deployment and management of Information Technology (IT) network controls used to mitigate cybersecurity threats throughout the University of Montana (UM) System.
All University units will use due diligence and good faith efforts, based on currently available resources and funding, to meet the control requirements identified in this standard. If a requirement in this standard cannot be met, the institution should consider establishing a process to document which compensating controls, if any, are being implemented and, where the requirement still cannot be met, the reason(s) why.
POLICY or STANDARD
Secure Configuration
Network devices must be configured using Center for Internet Security (CIS) Level 1 benchmarks. Any exceptions to the CIS benchmark (or industry standard used) must be documented. If a CIS benchmark is unavailable for a specific network device, then another industry standard secure configuration may be used. Industry standard configurations include security configuration checklists, lockdown and hardening guides, and security reference guides that are provided by a variety of resources.
Secure Configuration Verification
Secure configuration of network devices according to the applicable CIS benchmark or industry standard must be verified. Secure configurations must be verified annually or after major organizational or technological changes.
Minimum Configuration
Organizations must configure network devices and components to provide only those capabilities and features that are necessary for the organization’s business functions.
Port Disabling
Organizations must prevent the unauthorized use of unused ports on network devices. Unused ports must be disabled if required by regulation.
Change Management
Changes must be managed and controlled through the UM Change Advisory Board.
Patch Management
Organizations must ensure that security patches are applied to the software and firmware of network devices. Organizations must:
- Be aware of network security flaws and vulnerabilities announced by network device vendors;
- Identify which network devices require security patches;
- Test security patches;
- Install security patches on network devices that require patches;
- Maintain a list of network devices and the security patches they have received; and
- Document any exceptions to the patch management process, including a list of unpatched devices.
Software and firmware support verification
Organizations must replace network devices and components when security patches and support for device software and firmware are no longer available from the developer, vendor, or manufacturer.
Logging
Network devices must log network and security events, including but not limited to the following:
- Configuration change notices;
- Device startup and shutdown;
- Device date/time modifications;
- Device alert, critical, error, and warning condition messages;
- Device authentication and authorization attempts;
- VPN and remote access authentication and authorization attempts; and
- Logging turned off or logs being cleared/deleted.
Network audit events must be sufficient to determine attribution and to support security incident response and investigation activities, including date/time, source and destination address, port, and protocol.
Centralized administration of logging
Organizations must employ a centralized logging system capable of integrating security logs for review, analysis, and reporting processes and supporting automated mechanisms to facilitate these processes. The centralized logging system must protect log and security events from unauthorized access, modification, and deletion.
Log review
Organizations must review log data weekly and/or employ automated analysis that continually notifies responsible staff of abnormal or suspicious events, alerts, and activity that deviates from baseline normal behavior, invoking incident response procedures to respond to potential security incidents.
Time synchronization
Organizations must synchronize network device system clocks using Network Time Protocol, or equivalent.
Secure remote access
Organizations must perform the following to enforce secure remote access to internal information systems communicating through an untrusted network:
- Employ an encrypted virtual private network (VPN), supported and managed by IT staff, to secure direct access to internal information systems or devices;
- Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions;
- Implement a single-factor or multi-factor authentication method for remote users' access to internal information systems or devices;
- Implement a multi-factor authentication method for administrative/privileged account access to internal information systems or devices;
- Employ a mechanism to limit remote access to only those users who have a business need based on their current role or function.
Network documentation
Organizations must develop and maintain network documentation and diagrams depicting network access and control points, zones, logical networks, network devices contained within, and interconnections between logical networks.
Default deny rule
The boundary control device must deny inbound network communication traffic by default and allow network communications traffic by business justification.
Rule review
Organizations must formally review firewall and other boundary device access control rules. A firewall/ACL rule review must be conducted and documented annually or upon a significant network upgrade or configuration change that has security implications. The firewall/ACL rule review must be documented and approved by management. PCI DSS environments, where applicable, must conduct the firewall/ACL review every 6 months, per PCI DSS requirements.
Segmentation between restricted and unrestricted networks
Organizations must implement network segmentation to isolate information. The organization employs boundary control devices to logically segment and isolate systems storing, processing, or transmitting restricted data from untrusted networks and other internal networks that support devices with different business and operational functions.
- Systems must be segmented based on their role and/or based on their business function/application;
- Internal servers must be segmented from desktop/workstation device environments and from other servers with different business and operational functions;
- Internal servers must be segmented from printers and other specialty devices, such as scientific equipment, industrial controls, and building access controls.
Vulnerability scanning
Organizations must:
- Mitigate (through patching or through disabling the services/features) legitimate vulnerabilities with a CVSS value of 7.0 or more within 30 days of detection or register an exception for the vulnerability;
- Re-execute scan(s) to verify remediation was successful.
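The two requirements above (remediate or register an exception for CVSS 7.0+ findings within 30 days, and close a finding only after a re-scan confirms it) can be tracked mechanically. The following is an added illustration, not part of the standard or any UM tooling; host names, check names, the exception id and the "today" date are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_CVSS_THRESHOLD = 7.0   # the standard's threshold: CVSS 7.0 or more
SLA_DAYS = 30              # the standard's window: 30 days from detection
AS_OF = date(2024, 2, 15)  # constructed "today" for the sample run

@dataclass
class Finding:
    host: str
    check: str                          # scanner check name (placeholder)
    cvss: float
    detected: date
    exception_id: Optional[str] = None  # registered exception, if any
    fixed_claimed: bool = False         # admin reports patch/disable applied
    rescan_clean: bool = False          # follow-up scan no longer reports it

def sla_deadline(f: Finding) -> Optional[date]:
    """The 30-day clock only runs for findings at or above the threshold."""
    if f.cvss < SLA_CVSS_THRESHOLD:
        return None
    return f.detected + timedelta(days=SLA_DAYS)

def assess(f: Finding, today: date) -> str:
    """Classify one finding against the standard's remediation requirement."""
    if f.rescan_clean:
        return "remediated"      # closed only once a re-scan confirms it
    if f.exception_id:
        return "exception"       # a documented exception satisfies the rule
    deadline = sla_deadline(f)
    if deadline is None:
        return "tracked"         # below CVSS 7.0: no 30-day deadline applies
    late = today > deadline
    if f.fixed_claimed:
        # Patched but never re-scanned: still open until verified.
        return "unverified-overdue" if late else "unverified"
    return "overdue" if late else "open"

# Constructed sample findings; host names and check names are placeholders.
SAMPLE = [
    Finding("core-sw-01", "ssh-weak-ciphers", 7.5, date(2024, 1, 10)),
    Finding("edge-fw-02", "mgmt-web-rce", 9.8, date(2024, 1, 20), fixed_claimed=True),
    Finding("edge-fw-02", "snmp-default-community", 8.1, date(2024, 2, 1), exception_id="EXC-0042"),
    Finding("wlc-01", "tls10-enabled", 5.3, date(2023, 12, 1)),
    Finding("core-sw-01", "outdated-firmware", 7.2, date(2024, 1, 5), fixed_claimed=True, rescan_clean=True),
]

def report(findings=SAMPLE, today=AS_OF) -> dict:
    # Map (host, check) to its compliance status as of `today`.
    return {(f.host, f.check): assess(f, today) for f in findings}
```

Anything reported as "overdue" or "unverified-overdue" is what the standard would require to appear on the documented exception list.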
Perimeter intrusion detection
An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) must be employed at the perimeter network to:
- Analyze traffic and event patterns for malicious intent;
- Use the traffic/event baselines to tune system-monitoring devices to reduce the number of false positives and the number of false negatives;
- Heighten the level of information system monitoring activity for imminent threats to organizational operations and for the institution’s most critical systems and servers.
Denial of service protection
Network devices must protect themselves against, or limit the effects of, denial of service attacks, including:
- Packet flooding;
- Asymmetric attacks;
- Processor overload;
- TCP timer exploitation; and
- Stack overrun and other device data structure corruption.
Secure wireless networks
Organizations must protect 802.11 wireless access to internal systems by:
- Requiring secure authentication and encryption;
- Ensuring wireless access points are physically secured or otherwise protected from tampering.
Secure wireless network administration
Organizations must prohibit the use of ad-hoc, unmanaged, or consumer-grade 802.11 wireless access points in environments that store, process, or transmit Restricted data.
Procedures
The UM IT Network Security Standard will be reviewed every two years or as required and will be revised based on, but not limited to, updated industry regulations or standards; organizational changes; and/or newly identified risks and threats.
References
- MUS Security of Data and Information Technology Resources Policy 1300.1
- UM Information Security Policy