1. Introduction

1.1 Purpose

Hamurlabs resources, such as Internet/Intranet/Extranet-related systems, are to be used for Howard business purposes in serving the interests of the Hamurlabs.

The participation and support of every student, faculty, employee and affiliate who deals with information and/or information systems is necessary to achieve effective security. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

The purpose of this policy is to delineate acceptable use of Hamurlabs technology resources. These rules are in place to protect the user of these resources and the Hamurlabs. Inappropriate use exposes Hamurlabs to risks including virus attacks, compromise of network systems and services, and legal issues.

1.2 Scope

This policy applies to all Hamurlabs networks, both the perimeter and the infrastructure, and the parties with which we do businesses.

1.3 Maintenance

This Policy will be reviewed by the Hamurlabs’s Information Security Office annually or as deemed appropriate based on changes in technology or regulatory requirements.

1.4 Enforcement

Violations of this Policy may result in suspension or loss of the violator’s use privileges, with respect to Hamurlabs-owned Information Systems. Additional administrative sanctions may apply; up to and including termination of employment or contractor status with the Hamurlabs, or expulsion of student workers. Civil, criminal and equitable remedies may also apply.

1.5 Exceptions

Exceptions to this Policy must be approved by the Information Security Office, under the guidance of the Hamurlabs’s Provost, or Chief Operations Officer. All exceptions will be formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness.

2. Policy

The data network is a shared resource used by the entire Hamurlabs community and its affiliates in support of the business processes and academic missions. Business units and community members must cooperate to protect the network by securing computers and network devices in order to secure access. In addition, they must certify that the devices connecting to the business unit’s network are in compliance with the policies and procedures as established by Enterprise Technology Services (ETS).

Concurrently, academic, administrative and support units are responsible for the efficient, effective and secure operation of their local networks. This policy is designed to help protect the Hamurlabs’s central and distributed telecommunications and computing environment from accidental, or intentional damage, and from alteration or theft of data while preserving appropriate access and use.

This policy is established under the provisions of Hamurlabs’s Information Security Policy Program.

The following rules define the ETS’s policy regarding access to the Hamurlabs network:

• Only authorized people can gain access to Hamurlabs’s networks. Positive identification is required for system usage. All users must have their identities positively identified with user-IDs and secure passwords--or by other means that provide equal or greater security--prior to being permitted to use Hamurlabs-owned computers.
• User-IDs must each uniquely identify a single user. Each computer user-ID must uniquely identify only one user, so as to ensure individual accountability in system logs. Shared or group user-IDs are not permitted.
• Use of service accounts for local log-ins by any individual is prohibited. This rule is designed to prevent unauthorized changes to production data by accounts that allow groups of users to employ the same password. In cases where users require authorities inherent in service accounts, the user’s manager must obtain approval from ETS. Those privileges may be assigned to individual users on as-needed basis and must be revoked when they are no longer necessary.
• Access controls required for remote systems connecting to production systems. All computers that have remote real-time dialogs with Hamurlabs’s IT production systems must run an access control package approved by ETS.
• Multiple simultaneous remote external network connections prohibited. Unless special permission has been granted by the Director of Information Security, (CIO/CISO/ISM), computer systems must not allow any user to conduct multiple simultaneous remote network connections.
• All log-in banners must include security notice. Every log-in screen for multi-user computers must include a special notice. This notice must state: (1) the system may only be accessed by authorized users, (2) users who log-in represent that they are authorized to do so, (3) unauthorized system usage or abuse is subject to penalties, and (4) system usage will be monitored and logged.
• Security notice in log-in banner must not disclose system information. All log-in banners on network-connected Hamurlabs computer systems must simply ask the user to log-in, providing terse prompts only where essential. Identifying information about the organization, operating system, system configuration, or other internal matters must not be provided until a user's identity has been successfully authenticated.
• Users must log off before leaving sensitive systems unattended. If the computer system to which users are connected or which they are currently using contains sensitive information, and especially if they have special access rights, such as domain admin or system administrator privileges, users must not leave their computer, workstation, or terminal unattended without first logging-out, locking the workstation, or invoking a password-protected screen saver.
• Academic, Administrative, and Supporting Enterprise Technology Services’ staff must:
  • Follow policies and procedures, as established by ETS, to validate firewall activation, operating system installation, application software security patches and virus protection updates for all devices in the unit’s areas of physical or administrative control that are to be, or are configured to utilize network resources that are controlled and managed by ETS.
  • Follow policies and procedures, as established by ETS, for using automated tools to test devices connected to the business unit’s local wired or wireless data network for compliance. Noncompliant devices are to be disconnected, disabled or quarantined until the device is brought into compliance. When devices are not compliant, operating units, or individuals and their information technology staff must employ compensating controls. Units must document compensating controls and/or any exceptions. These must be reviewed, tested, and approved by Information Security.
  • The operating business unit or individual must retain the approved documentation for audits as long as the device is in operation. Any connection to the Internet, or to a national or regional network from a private network operated by an academic, administrative, or support unit, must be made via Hamurlabs network resources. The Executive Director of Enterprise Technology Services must approve any exceptions to this requirement.
• All network access attempts (success or failure) must be logged and retained for auditing.

11. Server

Hamurlabs embraces an open information technology environment to encourage the use of technology in pursuit of the Hamurlabs’s teaching, learning, and research missions and supporting administrative functions. However, within this open environment, the Hamurlabs must also preserve and safeguard its electronic information resources and comply with applicable laws and regulations, while facilitating activities the support the Hamurlabs’s missions. In a highly distributed technological environment, operation and management of electronic information resources is broadly distributed.

This policy applies to all servers that Hamurlabs ETS is responsible to manage. This explicitly includes any system for which Hamurlabs ETS has an obligation to administer. This also includes all server systems setup for internal use by Hamurlabs regardless of whether ETS retains administrative obligation or not.

Policy

Hamurlabs ETS operational group responsible for system administration and must manage all internal servers. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by ETS. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by ETS.

11.1 Servers must be registered within the Enterprise Management System. At a minimum, the following information is required to positively identify the point of contact:

• Server contact(s) and location, and a backup contact
• Hardware and Operating System/Version
• Main functions and applications, if applicable
• Information in the Enterprise Management System must be kept up-to-date.

11.2 Each device must meet the following minimum standards prior to, and after connecting to the data network or support infrastructure:

• The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
• Current operating system and application software with current security patches must be installed.
• The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
• Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
• The device must be certified and registered by ETS as equipment that has met all security criteria, prior to connecting to the network.

11.3 SERVER GENERAL CONFIGURATION GUIDELINES

The following items serve as provisioning configuration guidelines for the servers that are managed by ETS staff:

• Operating System configuration should be in accordance with ETS-approved guidelines.
• Services and applications that will not be used must be disabled where practical.
• Access to services should be logged and/or protected through access-control methods such as Transmission Control Protocol (TCP) Wrappers.
• The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
• Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is available.
• Do not use root account when a non-privileged account can performed the task.
• If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPsec).
• Servers should be physically located in an access-controlled environment.
• Servers are specifically prohibited from being operated in uncontrolled cubicle areas.

11.4 Internal network addresses must not be publicly released.

The internal system addresses, configurations, and related system design information systems and users outside the ETS internal network cannot access this information.

11.5 All Internet Web servers must be firewall protected.

All connections between Hamurlabs’s internal networks and the Internet (or any other publicly-accessible computer network) must be protected by a router, firewall, or related access controls approved by ETS.

11.6 Public servers on Internet must be placed on separate subnets.

Public Internet servers must be placed on subnets separate from internal ETS networks. Routers or firewalls must be employed to restrict traffic from the public servers to internal networks.

12. Malware Protection

Hamurlabs ETS is entrusted with the responsibility to provide professional management of the Hamurlabs’s servers as outlined in this policy. Inherent in this responsibility is an obligation to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems they cover.

This policy applies to all servers that Hamurlabs ETS is responsible to manage. This explicitly includes any system for which ETS has an obligation to administer. This also includes all server systems setup for internal use by Hamurlabs, regardless of whether ETS retains administrative obligation or not.

Policy

Hamurlabs ETS operations staff will adhere to this policy to determine which servers will have anti-virus and/or anti-spyware applications installed on them and to deploy such applications as appropriate.

12.1. ANTI-VIRUS

All servers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:

• Non-administrative users have remote access capability
• The system is a file server
• NBT/Microsoft Share access is open to the server from systems used by non-administrative users
• HTTP/FTP access is open from the Internet
• Other “risky” protocols/applications are available to this system from the Internet at the discretion of the Hamurlabs IT Security Administration

All servers SHOULD have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:

• Outbound web access is available from the system

12.2 MAIL SERVER ANTI-VIRUS

If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local anti-virus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound emails while the backup is being performed.

12.3 ANTI-SPYWARE

All servers MUST have an anti-spyware application installed that offers real-time protection to the target system if they meet one or more of the following conditions:

• Any system where non-technical or non-administrative users have remote access to the system and ANY outbound access is permitted to the Internet
• Any system where non-technical or non-administrative users have the ability to install software on their own

12.4 NOTABLE EXCEPTIONS

An exception to the above standards will generally be granted with minimal resistance and documentation if one of the following notable conditions applies to this system:

• The system is a SQL server
• The system is used as a dedicated mail server
• The system is not a Windows based platform

12.5 Enforcement:

The responsibility for implementing this policy belongs to all operational staff at Hamurlabs. Responsibility for ensuring that new and existing systems remain in compliance with this policy resides with the Hamurlabs ETS Information Security Officer. Any employee, student, faculty, guest, or contractors found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

13. Router

This policy describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Hamurlabs ETS.

All routers and switches connected to Hamurlabs IT production networks are affected. Routers and switches within internal, secured labs are not affected. Routers and switches within DMZ areas fall under the Internet DMZ Equipment Policy.

Policy

13.1. All routers within Hamurlabs IT Enterprise must meet the following configuration standards:

• No local user accounts are configured on routers. Routers must use TACACS+ for all user authentications.
• The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router’s support organization.

13.2. All routers within Hamurlabs IT Enterprise must disallow the following:

• IP directed broadcast
• Incoming packets at the router sourced with invalid addresses such as RFC1918 address
• TCP small services
• UDP small services
• All source routing
• All web services running on router

13.3. Any external network connections, inbound or outbound, must be authenticated or secured via approved standards.

Before dial-up users reach a log-in banner, all inbound dial-up lines connected to Hamurlabs IT internal networks and/or computer systems must pass through an additional access control point, such as a firewall, which has been approved by ETS. Unless ETS has first approved the action in writing, Hamurlabs staff must not enable any trusted host relationships between computers connected to the Hamurlabs internal network.

13.4. Use Enterprise standardized SNMP (Simple Network Management Protocol).

Routers must be included in the Enterprise Management System with a designated point of contact. Users must have explicit permission by ETS to access or configure any router. All activities performed on these devices may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on these devices.

13.5 Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.

14. Firewall

The firewall policy dictates how the firewall should handle application traffic such as web, email, or telnet. The policy describes how the firewall is to be managed and updated.

14.1 Real-time external network connections require firewalls.

Before reaching a log-in banner, all in-bound real-time external connections to Hamurlabs IT internal networks and/or multi-user computer systems must pass through an additional access control point such as a firewall, gateway, or access server.

• The functionality of firewalls will be setup to ensure secure Internet connections and the connections to other networks.
• Firewall rule-sets must be created for implementing security controls as they pertain to the handling of applications traffic such as web, email and other business processing.
• Users, who are at remote locations, must verify that firewall appliances are in place to secure their connections to the Internet and Internet Service Providers before establishing the connection with the Hamurlabs network.

14.2 Firewall configuration change requires ETS permission.

Firewall configuration rules and permissible service rules established by IT Security and Disaster Recovery have been reached after evaluation. These rules must not be changed without first obtaining the permission of ETS Information Security Management.

• The Hamurlabs must monitor incident response team reports and security websites for information about current attacks and vulnerabilities.
• The firewall policy should be updated as necessary.
• A formal process must be used for managing the addition and deletion of firewall rules.
• The Hamurlabs must ensure that administrators receive regular training in order to stay current with threats and vulnerabilities.

15. Internet DMZ Equipment

This Policy defines the standards to be met by all equipment owned and/or operated by Hamurlabs ETS that is located outside the Hamurlabs's Internet firewalls (the demilitarized zone or DMZ). These standards are designed to minimize the potential exposure to Hamurlabs from the loss of sensitive or Hamurlabs confidential data, intellectual property, damage to public image etc., which may follow from unauthorized use of IT resources.

Devices that are Internet facing and outside the Hamurlabs’s firewall are considered part of the "de-militarized zone" (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the Hamurlabs’s firewalls.

The policy defines the following standards:

• Ownership responsibility
• Secure configuration requirements
• Operational requirements
• Change control requirement

All equipment or devices deployed in a DMZ owned and/or operated by Hamurlabs (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by Hamurlabs must follow this policy. This policy also covers any host device outsourced or hosted at external/third-party service providers, if that equipment resides in the "howard.edu" domain or appears to be owned by Hamurlabs.

All new equipment that falls under the scope of this policy must be configured according to the referenced configuration documents, unless a waiver is obtained from ETS. All existing and future equipment deployed on Hamurlabs's un-trusted networks must comply with this policy.

Policy

Ownership and Responsibilities

Equipment and applications within the scope of this policy must be administered by support groups approved by Information Security for DMZ systems, application, and/or network management.

Support groups will be responsible for the following:

• Equipment must be documented in the Hamurlabs-wide enterprise management system. At a minimum, the following information is required:
  • Host contacts and location.
  • Hardware and operating system/version.
  • Main functions and applications.
  • Password groups for privileged passwords.
• Network interfaces must have appropriate Domain Name Server records (minimum of A and PTR records).
• Password groups must be maintained in accordance with the Hamurlabs-wide password management system/process.
• Immediate access to equipment and system logs must be granted to members of Information Security upon demand, per the Audit Policy.
• Changes to existing equipment and deployment of new equipment must follow and Hamurlabs change management processes/procedures.

To verify compliance with this policy, the Information Security team will periodically audit DMZ equipment per the Audit Policy.

16. General Configuration Policy

All equipment must comply with the following configuration policy:

• Hardware, operating systems, services, and applications must be approved by ETS as part of the pre-deployment review phase.
• Operating system configuration must be done according to the secure host and router installation and configuration standards.
• All patches/hot-fixes recommended by equipment vendor and ETS must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
• Services and applications not serving business requirements must be disabled.
• Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by ETS.
• Services and applications not for general access must be restricted by access control lists.
• Insecure services or protocols (as determined by ETS) must be replaced with more secure equivalents whenever such exist.
• Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks. Where a methodology for secure channel connections is not available, one-time passwords (DES/SofToken) must be used for all access levels.
• All host content updates must occur over secure channels.
• Security-related events must be logged and audit trails saved to ETS approved logs. Security-related events include (but are not limited to) the following:
  • User login failures.
  • Failure to obtain privileged access.
  • Access policy violations.

17. New Installations and Change Management Procedures

All new installations and changes to the configuration of existing equipment and applications must follow the following policies/procedures:

• New installations must be done via the DMZ Equipment Deployment Process.
• Configuration changes must follow the Hamurlabs Change Management (CM) Procedures.
• ETS must be invited to perform system/application audits prior to the deployment of new services.
• ETS must be engaged, either directly or via CM, to approve all new deployments and configuration changes.

18. Equipment Outsourced to External Service Providers

The responsibility for the security of the equipment deployed by external service providers must be clarified in the contract with the service provider and security contacts, and escalation procedures documented. Contracting departments are responsible for third party compliance with this policy.

19. Network Management/Access Requirements

• All networks on the Hamurlabs campus are installed and maintained by Enterprise Technology Services.
• To assure the integrity and availability of network services, no other network communications (with the exception of commercial cellular telephony networks) shall be permitted on Hamurlabs facilities.
• No networking equipment (routers, managed switches, DHCP servers, DNS servers, WINS servers, VPN servers, remote access dial-in servers/RADIUS, wireless access points, hardware firewalls) shall be permitted without a written exception from ETS (ETS Infrastructure group).
• All devices connected to Hamurlabs networks shall be registered with ETS when initially attached to the network. This applies to printers, computing systems, laboratory equipment, and communications devices that use TCP/IP network protocols. The registrant must be a current faculty, staff, student, or affiliate account user with a valid and active Network ID. Information on how to register a network device can be obtained by contacting the ETS Help Desk. Unregistered devices are subject to disconnection from the Hamurlabs Network, without notice, whether or not they are disrupting network service.
• Currently, devices connected to the Hamurlabs Guest (Hamurlabs-Visitors) wireless network are unregistered. As wireless registration services become available, all Hamurlabs-purchased or owned hosts shall be registered in a similar manner to wired network registration. Hamurlabs users accessing the Hamurlabs IT resources.
• No device or program that has the potential to disrupt network service to others is permitted on the Hamurlabs Network without prior arrangement with ETS.

20. Protocol Standards

The management of network protocols shall be performed by information systems administrators and network administrators to assure the efficiency, availability, and security of the common resources, in accordance with the governing Hamurlabs Acceptable Use Policy.

Simple Mail Transfer Protocol (SMTP):

• All email protocol traffic shall utilize the centralized mail gateways (smtp.howard.edu). Inbound mail traffic with destination addresses for servers other than those operated by ETS shall utilize a DNS MX record to relay that traffic through the centralized mail gateways. All outbound traffic shall utilize the SMTP gateway.
• The use of SSL or TLS-based communication standards for email client to email server communication is preferred such that the authentication session is the protected transaction.

Domain Name Services Protocol (DNS):

• All hosts on Hamurlabs networks shall utilize the Howard DNS systems. All hosts connected to Hamurlabs networks receive a howard.edu domain name extension. No host connected to Howard networks shall be addressable by any DNS name other than that provided by Howard.
• No host with a howard.edu domain name (and an IP address within the Howard network spaces) will use an IP address outside the Hamurlabs's registered namespace without a written exemption from Enterprise Technology Services.

Dynamic Host Configuration Protocol (DHCP):

• All hosts on Howard networks shall either obtain and use a static IP address or use the Howard DHCP service to obtain an assigned IP address. Users shall not use a self-assigned IP address, or operate a DHCP server. The use of bootstrap (BOOTP) shall be governed in the same manner as DCHP.

Banned Protocols:

Enterprise Technology Services keeps a listing of banned protocols which have shown to interfere with the architecture and management of the Hamurlabs network environment.

21. Remote Access

Approved employees and authorized third parties (customers, vendors, etc.) may utilize the benefit of VPN, which is a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.