University Rule 4-004I: Network Security Rule Rev. 0

  1. PURPOSE AND SCOPE
    1. The purpose of this Network Security Rule is to protect the University's Information Assets and Information Systems within its network, and to protect the supporting network infrastructure.
    2. This Rule supports section I, titled Network Security, of the University of Utah Information Security Policy 4-004.
  2. DEFINITIONS
    For the purposes of this Policy and any associated Regulations, these words and phrases have the following meanings:
    1. Confidential - Any Information Asset which is classified as Restricted or Sensitive per the Data Classification and Encryption Rule
    2. Electronic Resource - Any resource used for electronic communication, including but not limited to internet, Email, and social media.
    3. Information System - An Application or group of Servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
    4. IT Resource – A Server, Workstation, Mobile Device, medical device, networking device, web camera or other monitoring device, or other device/resource that is a) owned by the University or used to conduct University business regardless of ownership; b) connected to the University's network; and/or c) that is creating, accessing, maintaining, or transmitting Information Assets and used for electronic storage, processing or transmitting of any data or information.
    5. Server - Hardware and software and/or Workstation used to provide information and/or services to multiple Users.
    6. User – Any person, including students, staff, faculty, permanent and temporary employees, contractors, vendors, research collaborators, and third party agents, who accesses any University Electronic Resources, Information Systems, and/or IT Resources.
  3. RULE
    1. Network Controls
      1. To protect the University from threats and to maintain security for IT Resources, Information Systems, Electronic Resources, Users and applications utilizing the University network, the University's network will be adequately managed and controlled, taking into consideration the following:
        1. The operational responsibility for managing the University's network will be separated from computer operations where possible.
        2. Additional confidentiality and integrity controls will be implemented commensurate with risk to protect Confidential data passing over public networks or wireless networks, and to protect the connected Information Systems.
        3. Risk assessment and risk management activities will incorporate the business requirements of network availability as well as the security requirements to protect the University's network from threats. Risk remediation activities must be monitored periodically to ensure that control implementation is consistent across the University's network infrastructure.
    2. Network Services Agreements
      1. The University will identify and include required security features, service level expectations, and network security management requirements in all network services agreements.
      2. Network services include network connection provisioning, private network services, and managed network security solutions such as firewalls and intrusion detection and prevention systems.
      3. Both in-house and outsourced services must be captured in these agreements
    3. Network Segregation
      1. The University will segregate groups of Information Assets, IT Resources, Servers, Information Systems, and Users within its network. The University will consider the following strategies when implementing network segregation, defined by a risk assessment, and protected by a defined security perimeter:
        1. Logical network domains, such as:
          1. Internal network domains
          2. External network domains
          3. Publicly accessible systems
          4. Wireless networks
        2. Network device functionality, such as:
          1. IP switching
          2. Routing
          3. Information Assets stored or processed on the network
          4. Data classification
          5. Data value
          6. Business impact
        3. The network security perimeters will be implemented via an installed security gateway between interconnected networks, configured to:
          1. Control access and information flow between the domains
          2. Filter traffic between the domains
          3. Block unauthorized access
        4. Network Connection Controls
          1. Where technically feasible, the University will restrict the capability of Users to connect to the network in accordance with the minimum business requirements of each User's job function by utilizing role-based access.
          2. These network connections will be restricted by security gateways that filter traffic in accordance with pre-defined tables or rules.
        5. Network Routing Controls
          1. The University will implement routing controls for its network as defined by risk assessments.
      2. [Note: Parts IV-VII of this Rule (and all other University Regulations) are Regulations Resource Information--the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
    4. RULES, PROCEDURES, GUIDELINES, FORMS, and OTHER RELATED RESOURCES
      1. Rules
        1. TBD
      2. Procedures
        1. Policy 4-004 Procedures
      3. Guidelines
        1. TBD
      4. Forms
      5. Other Related Resources Material
    5. REFERENCES
        1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
        2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
        3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
        4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
        5. NIST 800 Series, Federal Information Security Standards
        6. Policy 3-070: Payment Card Acceptance
        7. Policy 4-001: University Institutional Data Management
        8. Policy 4-003: World Wide Web Resources Policy
        9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
        10. Policy 6-400: Code of Student Rights and Responsibilities
        11. Policy 6-316: Code of Faculty Rights and Responsibilities
        12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
        13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
    6. CONTACTS
      1. The designated contact Officials for this Policy are:
        1. Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
        2. Policy Officer; Chief Information Officer, 801-581-3100
      2. These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
      3. A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases...."
      4. "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library.... [and] bears the responsibility for determining -requirements of particular Policies...." University Rule 1-001-III-B & E
    7. HISTORY
      1. Current version: Revision 1, effective date: April 4, 2016
        1. Approved by Academic Senate: May 4, 2015
        2. Approved by Board of Trustees: May 12, 2015
        3. Background information for this version

Rule: 4-004I Rev: 0
Date: April 4, 2016