Goshen College Network Security Policy
Goshen College Network Security Policy outlines a framework for understanding the infrastructure, roles and responsibilities required to create and maintain a secure computing environment while honoring the college's core values and ethos of trust and openness.
- The campus internet connection provides access to a global network and provides a global population with access to Goshen College.
- A small but significant number of people are actively seeking to exploit security weaknesses on campus through viruses, worms, hacking, phishing and other malicious activity.
- Creating an adequately secure computing environment is a partnership between ITS and the user community. It requires infrastructure, education and, in some cases, changes in behavior and procedures.
- Security is often in tension with campus culture. Because GC is a Mennonite, Christian college, our security policies and infrastructure will be considerably different than a military base, a government lab, or a K-12 district.
- The campus wireless network is a low-security network by design. Key transactions such as authentication and purchasing should be done via SSL connections.
- All security measures must comply with federal and state laws, college rules and policies, and the terms of applicable contracts including software licenses.
- Requests for exceptions to this policy must be submitted in writing to the IT Director and may be processed by the Information Technology Committee (ITC) at the discretion of the IT Director.
ITS is ultimately responsible for providing the infrastructure, monitoring, education and policy enforcement necessary to provide a secure campus computing environment.
- Registration. ITS maintains and operates infrastructure for registering all computing devices connected to the campus wired network. All students will need to register their computers by providing their userID and ethernet (MAC) address, before using the campus wired network.
- Authentication. ITS provides campus authentication services through a central LDAP directory. Access to all enterprise network services is regulated by this directory for authentication. All college-owned computers will be configured to authenticate to this directory at start-up. Exceptions would include public kiosks in the Good Library and other public areas. Accounts will be maintained on an ongoing basis to reflect changes in status and ensure appropriate levels of access to data and services.
- Encryption. ITS will provide infrastructure for encrypting web portal services and key transactions such as authentication and financial transactions. When it is reasonable to do so, ITS will actively block insecure pathways to services.
- Firewall. ITS will maintain a campus firewall configured to protect the campus from common attacks. The need for security will be balanced against the college's academic mission and a general desire to have the least restrictive environment while maintaining an appropriate level of security. Firewall rules will be updated regularly to reflect the changing realities of the internet security climate.
- System Configuration. ITS will provide institutionally-owned systems with OS and network-capable software configured for secure, reliable operation. ITS will recommend procedures for how to secure student and home-use computers.
- Network Design. ITS will employ a network architecture which promotes security, reliability and manageability.
- Backup. ITS will provide infrastructure and procedures for backing up campus data and services on a nightly basis. Mission critical administrative data backups will be rotated off-site on a regular basis. Data on local hard drives is not backed up. Users who store data on their local hard drive are responsible for backing up to a network drive.
- Archiving. ITS will provide infrastructure for archiving electronic data which is deemed by the college to be of historical significance or is otherwise set aside for archival purposes. GC File is currently used for this purpose, though it may be necessary or desirable to provide dedicated infrastructure for this task in the future.
- Redundancy. ITS will provide a 'yesterday server' for Jenzabar and GC File, [WWW?, Mail?] to facilitate rapid recovery from a major hardware failure or security event. ITS will provide hardware redundancy for campus servers, including RAID, redundant power supplies, network cards, and processors, as appropriate to the service.
- Physical Security. ITS is responsible for providing appropriate levels of security to deter theft of institutionally-owned equipment and data. Factors influencing the definition of 'appropriate' include cost to secure equipment, replacement cost of the equipment, programmatic considerations, and the nature and security history of the space.
- Anti-virus. ITS will provide the campus and home users with utilities to prevent and abate viruses, worms, trojans and other malware, along with infrastructure and procedures for maintaining those utilities. ITS will scan and disinfect incoming and outgoing email for viruses and other disallowed content. ITS will scan GC File weekly for viruses and malware.
- Server Room Security. ITS is responsible for ensuring the physical security of ITS Server Rooms. This includes limiting physical access to the server room (it is not accessible via a grand master key) as well as monitoring for fire, water, smoke, cooling and power issues.
II. Monitoring, Management and Compliance
ITS will maintain a suite of network monitoring and management tools that allow technical staff to:
- Assess network health
- Identify and address the source of attacks and problems
- Manage network bandwidth
- Be alerted to service outages and problems
- Fix problems remotely
- Assess patch-level of clients and servers
- Be alerted to intrusions/unauthorized access to campus servers
- Block systems which are not in compliance with security expectations from using the campus network and/or internet.
- The ITS Annual Report will include a section on security detailing incidents, improvements, identifying gaps and recommendations for the upcoming academic year.
- At the request of the ITC or the Provost, ITS will perform an internal or external security audit.
- This policy will be reviewed and updated by the ITC as needed.
- ITS will notify the campus of imminent security threats along with information on appropriate counter-measures.
- ITS will maintain appropriate end-user documentation to promote compliance with this policy.
End User Responsibilities
I. General Understandings. Campus computer users will:
- Read and comply with the Computing Code of Conduct.
- Become knowledgeable about relevant security requirements and guidelines.
- Protect the resources under their control, such as access passwords, computers, and data they download.
- Comply with requests from IT staff to address security concerns.
II. Accounts. Campus computer users will:
- Refrain from sharing their password or account with friends, associates or family members.
- Choose a secure password, five characters or greater, avoiding dictionary words, guessable personal information and including numbers, symbols and/or punctuation. You may be asked to change an insecure password.
- Refrain from storing ID & passwords in your computer or client software in a way that allows access to your computer or services without the use of a password.
III. Systems. Campus computer users will:
- Secure their systems against unauthorized use while unattended. Strategies for achieving this include setting a password protected screensaver, logging out, and locking your office door when you leave.
- Log out after using a public computer.
- Maintain their anti-virus software (PC) and keep their systems up-to-date with security patches and other system updates.
- Personal computers that cannot have their malware removed with standard tools must be verified as clean by the ITS Help Desk through either verification of the user's reformatting of the system or by having one of the ITS Student Technology Assistants reformat it.
IV. Data. Campus computer users will:
- Take responsibility for safeguarding institutional data. Strategies include physical security for your system, encryption, utilizing campus storage and backup systems, shredding paper documents before disposal, and avoiding downloading confidential data to remote systems and mobile devices when possible.
- Avoid treating email as a secure medium (since it isn't).
- Refrain from storing credit card information on GC servers and databases.
- Avoid storing sensitive data on laptops or find reasonable ways to encrypt or otherwise safeguard the data.
V. On Campus Wireless Access. Campus computer users will:
- Treat the campus wireless network as insecure (since it is), using SSL or a Virtual Private Network (VPN) for authenticated sessions and transmission of confidential data.
- Maintain their anti-virus software (PCs) and security patches on notebook computers.
VI. Personal Wireless Access Points. Campus computer users will:
- Acknowledge that they are wholly responsible for all traffic that originates from or behind a wireless access point that they have registered.
- Appropriately secure and restrict access to their wireless access point. This could include WEP, WPA, WPA2, and/or MAC address filtering.
VII. Remote Access. Campus computer users will:
- Understand that they are connected to the campus network when using GC dial-up services.
- Maintain their anti-virus software (PCs) and security patches on home computers.