Standard number: DS-14
Date issued: 7/1/2018
Date last reviewed: 11/15/2022
Date of next review: 6/30/2024
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance
This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
Higher education institutions are challenged to concurrently permit an open, unrestricted access network, expected in a very diverse academic environment, while also protecting their business assets and sensitive institutional data from the same threats that affect the commercial and government sectors.
Similar to other critical infrastructure, U-M network backbones and networks are vital to the university. This Standard describes the requirements that help to ensure the confidentiality, integrity and availability of network resources. It is essential to:
- Monitor and protect the university’s networks, and its associated systems, services, and applications, from abuse, attacks, and inappropriate use;
- Take prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
- Implement safeguards to identify and mitigate threats to the network as a resource, and as a platform of attack against U-M resources, property, or data;
- Effectively balance academic operational concerns and security challenges.
This Standard applies to the Ann Arbor, Dearborn, and Flint campuses, as well as all schools, colleges, institutes, and Michigan Medicine. It further applies to:
- All university computer and telecommunications systems, including externally hosted systems;
- Employees, workforce members, contractors, and other delegated agents of the university who manage, administer, and use such systems;
- Any third-party provider with a contractual relationship with the university that has been provided access to the U-M network.
In the context of this Standard, network infrastructure resources include but are not limited to:
- Wired and wireless networks;
- Communications equipment, including but not limited to physical networking infrastructure such as cabling, routers, switches, firewalls and other network protection devices, load balancers, wireless access points, and DHCP and DNS servers; and cellular, VoIP, and cable TV systems.
III. Roles and Responsibilities
The following role-specific responsibilities are intended to help ensure that the confidentiality, integrity and availability of U-M network resources are maintained.
Information Assurance (IA)
- Establishes the network security technical standards that meet the information security requirements of the university, particularly those mandated by laws and regulations;
- Establishes appropriate operational controls necessary to mitigate the risks associated with the unauthorized disclosure, loss, or theft of university information;
- Collaborates with campus network administrators to troubleshoot and resolve network problems and to optimize overall network security;
- Monitors the network to identify and mitigate internal and external intrusions and threats to the network both as a resource and as a platform of attack against university resources, property, or data; IA, acting on behalf of the university, reserves the right to take whatever steps are necessary to investigate possible network security threats and suspected violations of university policies and federal regulations, and to assist appropriate authorities to investigate suspected illegal activities.
- Coordinates the response to IT security incidents, including those involving U-M network breaches, and assists U-M units in their response; IA provides a single institutional point of contact for serious IT security incident communication and response.
Authorized Campus Network Administrators
Operational network security responsibilities are authorized based on campus location. Authorized campus network administrators for the Ann Arbor, Dearborn, and Flint campuses and Michigan Medicine are primarily responsible for the day-to-day operation of the campus network and backbones.
Campus network administrators will:
- Support network and system administrators across the institution; coordinate, manage, and maintain the networking infrastructure, campus backbones, and related services for the university; and administer firewalls and intrusion prevention and detection systems;
- Be responsible for ensuring that all IA-identified network security Standards (both policy and technical) are applied to hosted services;
- Provide ongoing security monitoring for all installed wireless access points;
- Serve as the authoritative and responsible staff for the registration and management of all university-owned DNS domains;
- Serve as the authoritative and responsible staff for the registration and management of all university-owned public IPv4 and IPv6 address space, as well as all private IP address space used on U-M campuses.
Users are responsible for all activities on U-M networks that originate from their U-M computing account and devices registered to be on the network. In addition, users are required to consult with, and receive approval from, their local IT unit and ITS Engineering prior to any extension of the campus network, both wired and wireless.
U-M Faculty, Staff, and Workforce Members
- Must adhere to all established network security standards and Responsible Use of Information Resources (SPG 601.07);
- Must not provide network access to unauthorized individuals;
- Must not attempt to cause harm or do anything that can be reasonably perceived as malicious while on a campus network.
Access to U-M networks is provided in support of students’ academic and research activities, as well as reasonable and appropriate personal use. Students that connect to the U-M network must adhere to the same provisions as faculty and staff. In addition, students that live in on-campus housing must adhere to the U-M Network Responsible Use Agreement.
U-M deploys a variety of network monitoring and protection mechanisms that are critical to network security and early threat detection. These mechanisms are designed to: 1) prevent exfiltration or the unauthorized transfer of data; 2) restrict network access to specific hosts and services; and 3) limit the attack surface of networked devices.
Network Access Controls
Network access controls, typically and most efficiently provided by firewalls, are a critical component of a comprehensive security program and are often called out specifically in compliance regimes. To ensure proper placement, configuration and benefit, a firewall should:
- Be configured with a default-deny ruleset, which drops all traffic that is not explicitly permitted by an earlier rule;
- Appropriately isolate sensitive data from non-trusted networks based on risk level;
- Follow the principle of least privilege;
- Log notable activities related to firewall availability and tracking as defined in DS-19: Security Log Collection, Analysis, and Retention;
- For additional guidance, see Network Protection on the ITS website.
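The following is an added example, not part of this Standard or of any U-M tooling: a small first-match packet-filter evaluator that can be used to check a proposed ruleset against the default-deny, least-privilege and logging requirements above before it is deployed. It also illustrates the later wired-network point about restricting devices such as printers with access control lists. The address ranges, the printer and web-server addresses, and the rule and packet structures are all constructed for the example; 10.0.0.0/8 stands in for campus private space and 203.0.113.0/24 (a documentation range) for public address space.

```python
# Added example (not U-M code): a first-match filter evaluator used to check a
# ruleset against the default-deny and least-privilege requirements above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample: RFC 1918 space standing in for campus private ranges.
CAMPUS_PRIVATE = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # CIDR, or None for any source
    dst: Optional[str] = None    # CIDR, or None for any destination
    proto: Optional[str] = None  # "tcp"/"udp", or None for any protocol
    dport: Optional[int] = None  # destination port, or None for any port
    log: bool = False            # record a hit on this rule (DS-19 style logging)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _in(cidr, addr):
    return cidr is None or ip_address(addr) in ip_network(cidr)

def matches(rule, pkt):
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt, audit):
    """First matching rule wins; no match falls through to an implicit deny.
    Every deny (and every logged allow) is appended to `audit` so the
    decision is traceable afterwards."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            if r.log or r.action == "deny":
                audit.append(f"rule {i} {r.action} {pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
            return r.action
    audit.append(f"implicit deny {pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
    return "deny"

def lint(rules):
    """Findings a reviewer would raise before the ruleset is deployed."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src is None
            and last.dst is None and last.proto is None and last.dport is None):
        findings.append("no explicit final default-deny rule")
    elif not last.log:
        findings.append("default-deny rule does not log")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src is None and r.dport is None:
            findings.append(f"rule {i} allows any source to any port (least privilege)")
    return findings

# Constructed sample ruleset: a networked printer reachable only from campus
# private space on 9100/tcp, a public web server on 443/tcp, then an explicit
# logged default deny. 203.0.113.0/24 is a documentation range standing in
# for public U-M address space.
RULES = [
    Rule("allow", src=str(CAMPUS_PRIVATE), dst="10.20.30.40/32", proto="tcp", dport=9100),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("deny", log=True),
]

def demo():
    """Run four constructed packets through RULES; return decisions and audit trail."""
    audit = []
    results = {
        "campus_to_printer": evaluate(RULES, Packet("10.5.6.7", "10.20.30.40", "tcp", 9100), audit),
        "internet_to_printer": evaluate(RULES, Packet("198.51.100.7", "10.20.30.40", "tcp", 9100), audit),
        "internet_to_web": evaluate(RULES, Packet("198.51.100.7", "203.0.113.10", "tcp", 443), audit),
        "internet_to_ssh": evaluate(RULES, Packet("198.51.100.7", "203.0.113.10", "tcp", 22), audit),
    }
    return results, audit

if __name__ == "__main__":
    results, audit = demo()
    for name, decision in results.items():
        print(f"{name}: {decision}")
    print("\n".join(audit))
    print("lint:", lint(RULES) or "clean")
    print("lint (final deny removed):", lint(RULES[:-1]))
```

The evaluator denies anything no rule allows even when the explicit final deny is missing, but `lint` still flags that omission: without the explicit rule the denies are neither visible in the ruleset nor logged, which is the DS-19 concern. The same evaluator can be pointed at an exported production ruleset to confirm that, for example, the printer's 9100/tcp port is not reachable from outside campus space.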
Wired and Wireless Networks
University network and system administrators have the individual and collective responsibility to manage U-M networks—wired and wireless—according to the following requirements:
- Wired Networks
- Network connectivity devices such as routers, wireless access points, switches and firewalls are securely configured as appropriate to reduce risks to confidentiality, availability, and integrity of U-M information;
- Network is properly documented including security contact information and an up-to-date network map;
- Network interconnects such as virtual private networks (VPN) to external, non-UM third parties must be documented as outlined in Network Security, based on NIST 800-47, Security Guide for Interconnecting Information Technology Systems;
- Network-connected devices with services not requiring exposure to the Internet (e.g., printers) should be protected by use of access control lists or by configuring them with private IP addresses.
- Where feasible and appropriate and to limit the damage that can be done if a vendor is compromised, third party vendors handling U-M data classified as Restricted or High should get remote access to only a specific segment of the network;
- U-M reserves the right to quarantine or disconnect any system or device from the campus network at any time.
- Wireless Networks
- Security is particularly important in wireless networks because data is transmitted using radio signals that, without specific data encryption mechanisms, can easily be intercepted. Wireless traffic is encrypted only between the user's device and the wireless access point; once the data reaches the wired network, it is no longer encrypted by the network. Application-layer protocols such as HTTPS provide end-to-end encryption regardless of the network path.
- The university operates multiple WiFi networks that meet current industry standards for providing advanced security for wireless users, and permit processing, maintaining, transmitting, or storing sensitive institutional data within the campus environment; the university’s guest network service does not meet these standards and should not be considered secure.
Extensions to Network
To ensure secure, efficient and proper management of U-M network resources, unit IT staff must consider how changes to one area of the network can impact the security of university systems, applications, and data, including the confidentiality, integrity, and availability of university information in transit.
Extensions of the university network must be reviewed and approved prior to installation by authorized campus network administrators and ITS Engineering. Extensions include, but are not limited to, firewall appliances, routers, switches, hubs, and wireless access points. Controlling extensions in this manner provides the best possible quality of wireless network service, ensures wired and wireless network security and integrity, and minimizes interference between the campus network and other products deployed throughout campus.
V. Violations and Sanctions
Any device found to be in violation of this policy, or found to be causing problems that may impair or disable the network or systems connected to it, is subject to immediate disconnection from the U-M network. The university may require specific security improvements to address identified problems before the device may be connected.
Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.
Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.
Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.
Information Assurance is responsible for the implementation, maintenance, and interpretation of this Standard.
- Responsible Use of Information Resources (SPG 601.07)
- Information Security Policy (SPG 601.27)
- U-M Network Responsible Use Agreement
- ITS Wi-Fi and Networks, Network Security
- NIST 800-47, Security Guide for Interconnecting Information Technology Systems
VIII. Related NIST Security Controls
- NIST SP 800-53 Revision 4
- AC-06 Least Privilege
- AC-18 Wireless Access
- SC-07 Boundary Protection
- SC-08 Transmission Confidentiality and Integrity