November 5, 2010
Network Infrastructure Use
The University of Southern California provides its faculty, staff and students with a network infrastructure to facilitate the missions of the university, including instruction, research, service and administration. The purpose of this policy is to confirm the ownership of the USC Network Infrastructure, defined below, and establish the responsibilities of faculty, staff, students and other employees in protecting and securing the network infrastructure.
This policy applies to all university faculty members (including part time and visiting faculty), staff and other employees (such as postdoctoral scholars) and students (including postdoctoral fellows and graduate students) as well as any other users of the network infrastructure, including independent contractors or others (e.g., temporary agency employees) who may be given access on a temporary basis to university systems.
3.1 Ownership of network infrastructure
The USC Network Infrastructure is owned by and is the property of USC. The Information Technology Services (ITS) department is primarily responsible for overseeing the operations of the network infrastructure. There is no expectation of a right to privacy when using the network infrastructure, which includes, but is not limited to, the following:
- USC network connections (wired and wireless) and other network equipment including jacks, wiring, switches, panels, hubs and routers;
- USC network-based communication services, such as e-mail and instant messaging;
- computers and electronic devices (such as desktops, laptops, servers, PDAs and other handheld or mobile equipment, wireless technologies, copiers, faxes, pagers, IP phones) that are purchased or leased using university funds; and
- USC purchased, licensed or developed software.
3.2 User responsibilities
“User” is defined as anyone who has access to or is otherwise connected to the network infrastructure (see the Scope section above and the Information Security policy for additional information about users).
Users are expected to comply with information security policies to ensure the security of the network infrastructure, which includes ensuring that the devices they use that are connected to the network infrastructure are in compliance with this policy.
Users are responsible for utilizing appropriate measures (including passwords, virus protection and current patch management software, and other measures as described below and in the appendices to this document) to protect the security of those components of the network infrastructure that they access and/or use.
3.3 System administrator responsibilities
“System administrator” is defined as any faculty, staff, or other employee who has been designated by the USC Information Steward or Owner, as defined in information security policy, as the individual responsible for maintaining the security of the network infrastructure for that particular school, unit, division or department. (AIS and ITS are considered departments or units covered under this policy.) In many cases, the system administrator may be that department or unit’s Information Security Liaison, as described in the Information Security policy.
The system administrator is responsible for overseeing the security of the network infrastructure for his or her school, unit, division or department, which includes monitoring and oversight of user compliance with this policy.
3.4 Private networks (a.k.a. local area networks, subnets, non-standard and specialized networks)
Private networks are defined as any network segment or subnet behind a router, firewall, or Network Address Translation (NAT) device, behind which ITS does not have administrative control of the switches or routers to which the end-systems (PCs, servers, etc.) connect.
- All private networks must have a system administrator assigned to oversee and maintain security, who will liaise with ITS and the Information Security Office (ISO).
- System administrators must promptly register any departmental servers on a private network (as defined in this section) with the Director of ITS Systems Security in accordance with ITS registration procedures. (“Departmental server” is defined as any server administered or managed within a particular department or unit, including those maintained by ITS and AIS.)
- System administrators should document the network infrastructure which includes, but is not limited to, hardware inventory, network diagram, physical location, IP addresses, description and related information about the system. This documentation shall be made available to the ISO and ITS upon request.
- All private networks must comply with all information security policies.
3.5 Access and authorization procedures
System administrators must establish written procedures to grant, modify, and terminate access to the information systems within the administrator’s department, school, or unit. Refer to Appendix A for further information about access and authorization procedures.
3.6 Virus protection and patch management
Desktops, laptops, and servers must have up-to-date virus protection and patch management. This is a shared responsibility between the user and system administrator. Refer to Appendix B for further information about computer security maintenance procedures, including how to obtain and maintain current virus protection and patch updates.
3.7 Audit logs
System administrators are responsible for implementing and monitoring audit logs on desktops containing information requiring enhanced protections (as defined by the Information Security policy) and departmental servers.
3.8 Physical security
System administrators are responsible for establishing procedures to secure the physical environment of departmental servers, including, at minimum: (a) locked or otherwise restricted access to server rooms, and (b) current inventory of all individuals with access to server rooms.
3.9 Unauthorized access to network infrastructure
Unauthorized access to, or tampering and interference with, the network infrastructure is prohibited. The responsibility to implement access control mechanisms to prevent unauthorized access or use of the network infrastructure is shared between ITS and the system administrators for private networks.
4. System monitoring and auditing
ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain operation and security. The ISO is authorized to conduct monitoring and auditing of ITS, users, and system administrators to ensure compliance with this and other information security policies, in coordination with Audit Services, as appropriate. The university reserves the right to access any computer or electronic device connecting to the USC Network Infrastructure in order to verify compliance with this and other applicable information security policies.
Compliance with information security policies shall be monitored regularly in conjunction with the university’s monitoring of its information security program. Audit Services will conduct periodic internal audits to ensure compliance with federal and state laws and regulations as well as university policy.
Individuals who do not comply with these policies shall be subject to remedial action in accordance with the Faculty Handbook, staff employment policies and procedures, and SCampus, as appropriate.
Any disciplinary action under this policy shall take into account the severity of the offense and the individual’s intent. Disciplinary action can include revocation of privileges to use or access any or all components of the network infrastructure, up to and including termination or dismissal from USC.
Appendix A—Access Authorization Procedures
This Appendix A describes the procedures for establishing, modifying, and terminating access to USC information systems.
Establishing and Modifying Access
- System administrators shall have documented procedures for establishing and modifying user access to information systems and applications within the department/school/unit.
- The procedure will document the process for obtaining supervisor approval to establish or modify access.
- System administrators will perform an annual review of their access procedures and will update and revise accordingly.
- System administrators shall determine to which systems and applications these procedures apply, and will document the justification for their determinations.
Terminating Access
- System administrators shall have documented procedures for terminating user access to information systems and applications within the department/school/unit.
- System administrators must promptly delete user access upon notification by Human Resources that access should be terminated.
User responsibilities
- Users shall not give their passwords to other individuals to use on their behalf.
- Users shall not post or otherwise display their passwords where they can be seen by others.
- Where applicable, users shall create strong passwords. For example:
  - Passwords should consist of a minimum of 6 alphanumeric characters.
  - Passwords should contain a combination of alpha-characters, numbers and/or special characters.
  - Passwords should be selected with the intention of not allowing other people to guess them easily.
  - Passwords must never be the same as or resemble the logon-ID. Passwords such as “password”, “administrator”, “user”, “guest”, “123456”, etc. should not be used. Repeating passwords such as “111111” or “z1z1z1” should not be used.
System administrator responsibilities
- Where possible, system administrators should enforce user responsibilities as outlined above.
- Where possible, an expiration policy should be in place requiring passwords to expire.
- Where possible, systems should be configured to disallow re-use of passwords for 3 generations.
- Where possible, systems should be configured to “lock-out the account” after 5 incorrect password attempts.
- Where possible, the use of single sign-on (Shibboleth) logins and passwords for applications through the Global Directory Services (GDS) should be encouraged.
- Passwords should be stored in an encrypted format only, not in plain text format.
- Where possible, system administrators should implement password protected screensaver controls after a specified idle time, to be determined by the system administrator and unit.
- System administrators have the discretion to implement stricter guidelines; the above are minimum standards.
- Those systems that operate in an environment that does not allow for the use of passwords (i.e. sub-systems and systems without a user interface) must be appropriately secured by other security means by the system administrator.
- Systems that do not currently allow for these requirements to be implemented must be able to comply when that system is replaced or substantially upgraded.
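The password rules in the user responsibilities above and the administrator controls (no re-use for 3 generations, lock-out after 5 incorrect attempts, no plain-text storage) are concrete enough to be enforced in code. The following is an added example, not part of this policy or of any USC system; the reading of “resemble the logon-ID” as “either string contains the other” and the choice of salted PBKDF2 for the stored form are this example's assumptions.

```python
import hashlib
import secrets

DENIED = {"password", "administrator", "user", "guest", "123456"}  # examples named in Appendix A
MIN_LENGTH, HISTORY_GENERATIONS, LOCKOUT_ATTEMPTS = 6, 3, 5  # the appendix's stated minimums

def hash_password(pw: str, salt: bytes) -> bytes:
    # Only this derived form is stored, never the plain text; salted PBKDF2 is this example's choice.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def store(pw: str) -> tuple[bytes, bytes]:
    """Stored (salt, hash) entry for a newly set password; the history keeps these entries."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(pw, salt)

def is_repeating(pw: str) -> bool:
    """'111111' or 'z1z1z1': the whole string is one short unit repeated."""
    n = len(pw)
    return any(pw == pw[:k] * (n // k) for k in range(1, n // 2 + 1) if n % k == 0)

def check_password(pw: str, logon_id: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the Appendix A rules a candidate violates; an empty list means acceptable."""
    problems, low, uid = [], pw.lower(), logon_id.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    classes = sum(any(f(c) for c in pw) for f in (str.isalpha, str.isdigit, lambda c: not c.isalnum()))
    if classes < 2:
        problems.append("needs a mix of letters, numbers and/or special characters")
    if low in DENIED:
        problems.append("on the deny list")
    if is_repeating(pw):
        problems.append("repeating pattern")
    if low in uid or uid in low:  # assumed reading of "resembles the logon-ID": one contains the other
        problems.append("same as or resembles the logon-ID")
    if any(hash_password(pw, salt) == digest for salt, digest in history[-HISTORY_GENERATIONS:]):
        problems.append("re-used within the last 3 generations")
    return problems

class LockoutTracker:
    """Count consecutive incorrect attempts per account; locked once 5 are reached."""
    def __init__(self):
        self.failures: dict[str, int] = {}

    def record_failure(self, logon_id: str) -> bool:  # True when the account is now locked
        self.failures[logon_id] = self.failures.get(logon_id, 0) + 1
        return self.failures[logon_id] >= LOCKOUT_ATTEMPTS

    def reset(self, logon_id: str) -> None:  # successful logon, or unlock by the administrator
        self.failures[logon_id] = 0
```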
Appendix B—Virus Protection and Patch Management Procedures
This Appendix B describes USC’s requirements for anti-virus protection and patch management.
System administrator responsibilities
- System administrators must ensure that all departmental servers and workstations have current and updated anti-virus software installed.
- With the exception of troubleshooting or special installation activities, system administrators shall ensure that anti-virus software is not modified or disabled on servers or workstations.
- Any virus with potential harmful impact on the network infrastructure should be reported to ITS.
User responsibilities
- Users must contact their system administrator for assistance if they become aware that they do not have current, up-to-date anti-virus software installed on their workstation or laptop.
- Once the anti-virus software is installed, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.
- Users should report virus incidents to their system administrator or ITS.
System administrator responsibilities
- System administrators must ensure that all departmental servers and workstations have automated patch management software or are updated by regularly scheduled update procedures.
- Once the automated patch management is configured on the computer, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.
ITS responsibilities
- ITS is responsible for providing an enterprise anti-virus solution for university computers.
- ITS is responsible for providing guidelines on installing and maintaining the anti-virus software and updates on university computers.
System Monitoring and Auditing
ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain the operation and security of the network infrastructure (refer to section 3.6 of this policy).
Those systems that operate in an isolated environment (i.e. sub-systems, systems without a user interface, systems with no external or internet connectivity) may be exempted from the virus protection and patch management procedures in this appendix if appropriate, but they must be identified and secured with other security means.
Information Security Office
Elizabeth Garrett, Provost and Senior Vice President, Academic Affairs
Todd R. Dickey, Senior Vice President, Administration
University of Southern California