SECURE NETWORK INFRASTRUCTURE GUIDE

Transcription

1 2017 SECURE NETWORK INFRASTRUCTURE GUIDE UTC IT0120-G UTC Information Technology Michael Dinkins, CISO 4/28/2017

2 CONTENTS 1. SCOPE PRINCIPLES REVISIONS OBJECTIVE POLICY APPLICABILITY RESPONSIBILITIES IT SECURITY OFFICE

3 1. Scope This Guide applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee at Chattanooga. Users includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University s information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties. 2. Principles This document is a University of Tennessee at Chattanooga-specific Guide based on University policy. Each User of UTC resources is required to be familiar and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources. The Associate Vice Chancellor and Chief Information Officer (AVC/CIO) is responsible for information technology and security at the University of Tennessee Chattanooga. The AVC/CIO is the Position of Authority (POA) for Information Technology at UTC. 3. Revisions Date Action Name 4/28/2017 Version 1.0 Michael Dinkins 4. Objective This document provides guidance for developing, maintaining and documenting a Secure Network Infrastructure Program for the University of Tennessee at Chattanooga. 5. Policy This guide is a supplement to published University of Tennessee Policy IT0120, Secure Network Infrastructure. Click here for more information. Policy IT0120 requires UTC to protect its network infrastructure using appropriate controls in the following areas: 2

4 Network wiring Monitoring and maintenance System Security Plan 6. Applicability This guide is applicable to all networks, devices, and services connected to the University of Tennessee at Chattanooga (UTC) network. A formal documented Secure Network Infrastructure plan must be applied to the following mission-essential (a.k.a. critical) systems/subsystems: Banner Banner Banner MISSION-ESSENTIAL SYSTEMS System Subsystem Owner Administrator Contact Enterprise Services (Non-Banner) Banner Services Systems applications Banner Services Systems database Banner Services Systems servers Data Center Banner Systems Support Services Enterprise Applications & Data Center Enterprise Applications & Data Center Enterprise Applications & Data Center Director, Banner Systems Support Services Banner Systems DBA Executive Director, Enterprise Applications & Data Center Deputy CIO Infrastructure Network Infrastructure Deputy CIO Infrastructure Telecomm Infrastructure Deputy CIO Moderate-categorized Departments Department Head Department Head 7. Responsibilities ROLE Associate Vice- Chancellor & CIO (AV/CIO) RESPONSIBILITY As Position of Authority (POA), the AVC/CIO has overall responsibility of the network infrastructure program at UTC. The AVC/CIO must be consulted for all construction and renovation projects involving network infrastructure. The AVC/CIO ensures: 3

5 1) A Secure Network Infrastructure program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy. 2) The Secure Network Infrastructure program is reviewed and updated annually. 3) Critical business systems and mission-essential functions are identified for Secure Network Infrastructure program inclusion. Deputy CIO Deputy CIO, Senior Network Engineer or designee is responsible for disseminating network status to appropriate management and stakeholders, and ensuring: 1) Network Wiring a. The installation, connectivity to, and the maintenance of the infrastructur0e, wired and wireless. b. Limiting access to the infrastructure to appropriate and approved personnel only. c. Housing communications equipment in dedicated enclosures. Appropriate physical and logical access controls must be enforced. d. Ensuring new construction and renovation of data enclosures meet design and space requirements. e. Ensuring 24x7x365 access to data communications enclosures and infrastructure by authorized personnel. 2) Monitoring & Maintenance a. Maintaining the network infrastructure components at a reasonable operational and security level. Special security controls must be in place and networks appropriately isolated (VLAN) to protect compliance-regulated FERPA, PCI, HIPAA, and PII. b. Developing or adopting a technology refresh cycle program for maintaining the hardware and software currency of infrastructure components. Infrastructure components must not reach end-of-life timeframes and lack vendor support. c. Monitoring and maintaining high availability and integrity of the network infrastructure. d. Developing and/or adopting a network event logging and management strategy. The Network Architect must identify and document critical network components and ensure significant events are logged. e. Developing or adopting a critical component sparing strategy. f. Ensuring administrative access to network components utilize secure access methods (e.g. ssh, https). In cases where insecure protocols must be used, compensating controls must be in place and documented. 4

6 g. Establishing and maintaining a program to control UTC s network address space and Domain Name System (DNS). h. Ensuring all back-ups of network infrastructure devices must be secured at the same level as the primary device. 3) A Network System Security Plan(SSP) a. The concept of a Network SSP is simply to have a central location for documentation that can be stored, maintained and reviewed annually. An SSP can be a folder of documents that reflect Networking best practices. Ideally, the SSP should include (but not be limited to) the following: i. Identifying network system owner(s) with contact information. ii. Classification of systems. (ref: University Policy IT0115, Classification). At UTC, all systems that support network communications of sensitive information (FERPA, PCI, HIPAA, etc.) should be identified and classified as MODERATE. All other system should be classified as LOW. iii. System Description. Essentially a Visio drawing depicting system topology and highlighting components that support MODERATE classified systems. iv. Hardware and Software Inventory (with baseline and change records) v. Patch Management procedure. vi. List of external system interconnections (to identify communications paths for compliance data) vii. Staff Information Security Awareness & Training Log viii. Personnel Security procedure to define onboarding and exiting of personnel. ix. Any other system documentation subject to audit (system configuration, procedures, etc.) Chief Information Security Officer Subsystem Owner / Administrator (or assignee) The CISO is responsible for overseeing the implementation of the UTC Secure Network Infrastructure program. CISO and IT Security Team consults and assists the CIO and systems owners of business-critical systems to ensure: 1) Secure Network Infrastructure program compliance. 2) Applicable/appropriate procedures are developed, maintained and reviewed/updated annually. System owners are responsible for developing, maintaining and disseminating procedures for their respective system(s) to ensure adherence to the Secure Network Infrastructure Program. 5

7 8. IT Security Office Michael Dinkins, CISSP Chief Information Security Officer (423) Larry Prince IT Security Analyst (423)