Information Security

Information Technology Policies and Procedures


“De-Militarized Zone” Network Equipment Policy

Purpose

University information technology resources that connect directly to the Internet are considered part of a "De-Militarized Zone" (DMZ) on the University Information Technology Network. These resources are particularly vulnerable to attack because any host on the Internet can reach them directly.

The purpose of this policy is to articulate standards that govern the use of all University Information Technology Network information technology resources that are located within a University DMZ Network. These standards are designed to minimize the University's exposure to loss of sensitive or confidential data or Intellectual Property, damage to the University's public image, and similar harm that may result from Unauthorized Use of University Information Technology Network information technology resources.

The policy defines the following standards:

  • Operational Group responsibility
  • Secure configuration requirements
  • Operational requirements
  • Change control requirements


Scope

All University Information Technology Network information technology resources deployed in a DMZ owned or operated by the University, including but not limited to servers, Routers, and switches, must be operated in accord with this policy. Additionally, all information technology resources registered in any Domain Name System (DNS) domain owned by the University are subject to this policy. Devices outsourced to or hosted at third-party service providers are also subject to this policy if they reside in the "park.edu" domain or appear to be owned by the University.

All new University Information Technology Network equipment that is subject to this policy must be configured according to the applicable configuration documents, unless a waiver is obtained from University Information Security personnel. All existing and future University Information Technology Network equipment deployed on a University DMZ Network must comply with this policy.


Policy

Ownership and Responsibilities

University Information Technology Network equipment and applications within the scope of this policy must be administered by the Information Technology Services department, and the individuals performing DMZ-level management of the relevant system, application, or Network access must be approved by authorized Information Security personnel.

The Information Technology Services department is responsible for the following:

  • Documenting equipment in the University Security Management System, recording at least the following information:
    • Host contacts and location
    • Hardware and Operating System version numbers
    • Main functions and applications
    • Password groups for privileged passwords
  • Assuring that University Information Technology Network interfaces have appropriate DNS records (at minimum a forward A record and a matching reverse PTR record).
  • Assuring that password groups are maintained in accordance with the University Password Management System and the Password Policy.
  • Assuring that immediate access to University Information Technology Network equipment and system Logs is granted to Information Security personnel upon demand, in accordance with the Audit Policy.
  • Assuring that changes to University Information Technology Network existing equipment and deployment of new equipment comply with the University Change Management System and comply with the Change Management Policy.

To verify compliance with this policy, University Information Security personnel periodically perform an audit on DMZ equipment as set forth in the Audit Policy.

General Configuration Policy

All University Information Technology Network equipment must comply with the following configuration policy:

  • Hardware, Operating Systems, Services and applications must be approved by University Information Security personnel, as part of the pre-deployment review phase.
  • Operating System configuration must be done in accord with the secure server and Router installation and configuration standards, as defined in the Server Configuration and Workstation Configuration policy.
  • All Patches and updates recommended by the equipment vendor and Information Security personnel must be installed. This applies to all Services installed, even if those Services are temporarily or permanently disabled. Operational Groups must have processes in place to stay current on appropriate Patches and updates.
  • Services and applications not serving business requirements must be disabled.
  • Trust Relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by University Information Security personnel.
  • Services and applications not for general access must be restricted by Access Control Lists.
  • Insecure Services or Protocols (as determined by University Information Security personnel) must be replaced with more secure equivalents whenever such exist.
  • Remote administration must be performed over Secure Channels (e.g. encrypted Network connections using Secure Shell) or through Console Access that is independent of the DMZ Network.
  • All server content updates must occur over Secure Channels.
  • Security-related events must be logged and audit trails saved to Logs approved by University Information Security personnel. Security-related events include, but are not limited to, the following:
    • User login failures
    • Failure to obtain privileged access
    • Access policy violations
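The three event classes listed above are what a Log review on a DMZ host should surface. The following is an added example, not part of the University policy or any University tool: it classifies Linux auth.log/syslog lines into those three classes and flags repeated login failures from one source. The log lines are constructed for the example, and the `DMZ-DROP:` firewall log prefix is an assumed naming convention, not something the policy specifies.

```python
"""Classify DMZ host log lines into the policy's security-related event classes.

Added example. SAMPLE_LOG is constructed in Linux auth.log/syslog style;
the DMZ-DROP: prefix is an assumed firewall log-prefix convention.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines for one hypothetical DMZ host (not real logs).
SAMPLE_LOG = """\
Mar 12 02:14:07 dmz-web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 02:14:09 dmz-web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 12 02:15:01 dmz-web01 sshd[2230]: Accepted publickey for webadmin from 198.51.100.7 port 40022 ssh2
Mar 12 02:16:33 dmz-web01 sudo:   webadmin : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/webadmin ; USER=root ; COMMAND=/bin/bash
Mar 12 02:17:10 dmz-web01 sudo:     wwwrun : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id
Mar 12 02:18:45 dmz-web01 sshd[2251]: User wwwrun from 203.0.113.45 not allowed because not listed in AllowUsers
Mar 12 02:19:02 dmz-web01 kernel: [12345.678] DMZ-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22
Mar 12 02:20:00 dmz-web01 CRON[2300]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""

# The three event classes named in the policy.
LOGIN_FAILURE = "User login failure"
PRIV_FAILURE = "Failure to obtain privileged access"
POLICY_VIOLATION = "Access policy violation"

# Traditional syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# (program or None for any, message pattern, event class). Program-specific
# rules come first so the generic PAM rule cannot shadow them.
RULES = [
    ("sshd", re.compile(r"^Failed (?:password|publickey|none|keyboard-interactive)"), LOGIN_FAILURE),
    ("sshd", re.compile(r"^Invalid user "), LOGIN_FAILURE),
    ("sudo", re.compile(r"incorrect password attempts"), PRIV_FAILURE),
    ("sudo", re.compile(r"user NOT in sudoers|command not allowed"), PRIV_FAILURE),
    ("su", re.compile(r"^FAILED SU"), PRIV_FAILURE),
    ("sshd", re.compile(r"not allowed because"), POLICY_VIOLATION),   # AllowUsers/DenyUsers etc.
    ("kernel", re.compile(r"DMZ-DROP:"), POLICY_VIOLATION),          # assumed firewall log prefix
    (None, re.compile(r"authentication failure"), LOGIN_FAILURE),    # generic PAM wording
]

USER_PATTERNS = [
    re.compile(r"for (?:invalid user )?(?P<user>\S+) from "),   # sshd auth lines
    re.compile(r"^User (?P<user>\S+) from "),                    # sshd AllowUsers lines
    re.compile(r"^(?P<user>\S+) : "),                            # sudo lines (after strip)
    re.compile(r"user=(?P<user>\S+)"),                           # PAM lines
]
SRC_PATTERNS = [
    re.compile(r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"),        # sshd
    re.compile(r"SRC=(?P<src>\S+)"),                             # netfilter log line
]


def _first_match(patterns, text: str, group: str) -> Optional[str]:
    for p in patterns:
        m = p.search(text)
        if m:
            return m.group(group)
    return None


def classify(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a normalized event for a security-relevant line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg").strip()
    for rule_prog, pattern, category in RULES:
        if rule_prog is not None and rule_prog != prog:
            continue
        if pattern.search(msg):
            return {
                "ts": m.group("ts"), "host": m.group("host"), "program": prog,
                "category": category,
                "user": _first_match(USER_PATTERNS, msg, "user"),
                "src": _first_match(SRC_PATTERNS, msg, "src"),
                "message": msg,
            }
    return None   # routine line (successful login, cron, ...) is not an audit event


def parse_events(log_text: str) -> List[Dict[str, Optional[str]]]:
    return [e for e in (classify(l) for l in log_text.splitlines()) if e]


def count_by_category(events) -> Dict[str, int]:
    return dict(Counter(e["category"] for e in events))


def repeated_login_failures(events, threshold: int = 2) -> Dict[str, int]:
    """Sources with at least `threshold` login failures: a basic brute-force signal."""
    c = Counter(e["src"] for e in events if e["category"] == LOGIN_FAILURE and e["src"])
    return {src: n for src, n in c.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]} {e["host"]} [{e["category"]}] user={e["user"]} src={e["src"]}')
    print("by category:", count_by_category(evs))
    print("repeated login failures:", repeated_login_failures(evs))
```

The script keeps routine lines (a successful key login, a cron run) out of the audit trail while still recording the three classes the policy names; in practice the rule table would be extended with the message formats of whatever Services the host actually runs, and the output forwarded to the Logs approved by Information Security personnel rather than printed.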

New University Information Technology Network Installations and Change Management Procedures

All new installations and changes to the configuration of existing University Information Technology Network equipment and applications must comply with the following standards:

  • New installations must be done in compliance with the DMZ Equipment Deployment Process.
  • Configuration changes must comply with the University Change Management Policy.
  • Information Security personnel must be notified to perform system or application audits prior to the deployment of new Services.
  • Information Security personnel must be engaged, directly or in accordance with the University Change Management System, to approve all new deployments and configuration changes.

University Information Technology Network Equipment Outsourced to External Service Providers

The responsibility for the Security of University Information Technology Network information technology resources deployed by external service providers must be articulated in the contract with the service provider and must include Security contacts. Escalation procedures must also be documented. Contracting University departments are responsible for the third-party organization’s compliance with this policy.


Enforcement

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User and, as such, is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.
