(D102) Network Security
This policy applies to all users of any SUNY Polytechnic Institute network, communication system or computer resource.
To the fullest practical extent, the Information Technology department maintains an open network while ensuring that SUNY Polytechnic Institute resources remain protected from harm that could result from cyber threat or the misuse of SUNY Polytechnic Institute facilities.
To ensure the continued integrity of its information technology systems, SUNY Polytechnic Institute may scan any machine connected to the network and audit, inspect or monitor network usage, at any time.
- Protection of the Network: The following practices will be implemented to protect the campus network:
- All networks will implement appropriate security controls to protect the integrity of the data flowing over it. Additional precautions must be incorporated on network segments that contain critical information.
- The ISO will insure that measures are in place to mitigate any new security risks created by connecting the campus network to a third party network.
- All connections to the campus network must be authorized by the appropriate Network Manager and reviewed by the ISO or CIO as appropriate.
- Conditions for Access to the University Network: The Information Technology department has established the following basic conditions for user access to the SUNY Polytechnic Institute network.
- Unauthorized servers are prohibited. Personal machines (not SUNY Polytechnic Institute property) which are connected to the campus network may not be used as servers.
- Network jacks shall be secure. Active network jacks that do not require authentication shall be physically secured or activated only when needed for use. All "public" jacks or wireless access must use authentication and encryption.
- Limited network connectivity. Unless a user is specifically authorized to use a different IP address by Information Technology department, each device connecting to SUNY Polytechnic Institute network is limited to the IP address assigned to it.
- Scanning SUNY Polytechnic Institute network activity. The unauthorized installation or use of software that attempts to perform a port scan, sniff, or otherwise intercept network traffic, is strictly prohibited.
Recognized departmental network administrators may perform scans for diagnostic purposes on the address space assigned to them.
- Penetration and Intrusion Testing: All computing systems that provide information through a public network, either directly or through another service that provides information externally will be subjected to penetration analysis and intrusion testing. Such analysis will be used to determine if:
- An individual can make an unauthorized change to an application
- A user may access the application and cause it to perform unauthorized tasks.
- An unauthorized individual may access the application and cause it to take actions unintended by the application designer(s).
- Where the campus has outsourced a server, application, or network service to another campus, penetration testing must be coordinated by both campuses.
- Only individuals authorized, be it the campus ISO or delegate, will perform penetration testing. The ISO and NYS Cyber Security Operations Center must be notified 24 hours before penetration testing is begun. Any other attempt to perform penetration testing must be considered an unauthorized access attempt.
- Wireless Networks: No wireless network or wireless access point will be installed without the approval of the CIO or delegate. Approved wireless networks must have suitable security, including but not limited to, authentication and encryption of data traversing the wireless network.
- Removal from SUNY Polytechnic Institute Network: A machine or device may be immediately removed from the network if:
- The University receives a verified complaint indicating that it has been used to hack other machines or servers;
- A vulnerability scan reveals security issues that are not promptly corrected by the user or administrator, or
- Investigation reveals an actual or potential misuse of SUNY Polytechnic Institute resources or the violation of state or federal law. The Information Technology department may authorize reconnection of the machine or device to the SUNY Polytechnic Institute network after the deficiency or condition has been satisfactorily rectified.
Policy adopted from StonyBrook.edu as of March 1, 2017