Policy J8
Policy Name: Devices Connected to the OCC Computer Systems and Communications Networks
Responsibility for Maintenance: Information Technology
I. Policy Statement
Devices connected to the OCC computer systems and communications networks must have adequate controls, security, and maintenance to protect the College, its computer systems and communications networks. Devices connected to the OCC computer systems and communications networks must be pre-approved by the Information Technology Department. OCC does not support the use of personal owned devices, equipment or software.
II. Reason for Policy
The College's ability to conduct its business is dependent on reliable and secure access to its computer systems and communications networks and to the Internet. The OCC computer systems and communications networks and Internet connectivity can be jeopardized by computers/workstations, servers, and other devices that are not adequately maintained or protected from virus, Trojan, worm and other malicious attacks.
III. Applicability of the Policy
This policy applies to all devices connected to the OCC computer systems and communications networks behind the OCC network firewall.
IV. Related Documents
V. Contacts
Subject
|
Office Name
|
Title or Position
|
Telephone Number
|
Email/URL
|
Entire policy
|
Information Technology
|
Director of Network Computing
|
(315)-498-2497
|
robinsos@sunyocc.edu
|
VI. Definitions
Term
|
Definition
|
Device
|
A Device can be a computer/workstation, laptop, server, printer, PDA (personal digital assistant), cellular/smart telephone, or any other instrument capable of connecting to and interacting with the OCC computer systems and communications networks and/or other devices on the computer systems and communications networks.
|
Principal User
|
A Principal User is an individual who is the primary user of, or the individual or group responsible for the administration of a device.
|
Compromised Device
|
For the purposes of this policy, a device is considered compromised once it has been substantiated:
1. That its security is breached and that unauthorized processes or
user(s) have access to and are able to control its data and/or
resources;
2. That it has been configured in a way that could threaten, harm, or
interfere with the operation, integrity, or network access of other
devices; or
3. That it is actively being used to threaten, harm, or interfere with
the operation, integrity, or network access of other devices.
|
Vulnerable Device
|
A Device is considered vulnerable once it has been substantiated that known actions necessary to prevent it from being compromised have not been taken - despite those actions having been recommended by the Office of the CIO or by entities charged by the CIO to secure the OCC computer systems and communications networks.
|
Connected Device
|
A Device is considered connected to the OCC computer systems and communications networks when it is attached:
1. To a trusted port (not requiring authentication for its use) on the network;
2. To a port in the Residence Halls;
3. To an open Ethernet port (requiring authentication to a firewall
for its use) on the network;
4. To a wireless access point (requiring authentication for its use) on the network;
5. Through an ISP via a VPN (virtual private network) session;
6. Via connections established at institutions affiliated with the
College, such as Onondaga County offices; or
7. By any means that enables its access to the College network.
|
Server
|
Any computer that delivers information and software to other computers linked by a network.
|
VII. Procedures
Connecting a Device to the College Network: A Principal User who connects a Device to the OCC computer systems and communications networks is responsible for assuring the Device is protected against compromise. Specifically, any Device connected to the OCC computer systems and communications networks must (when applicable):
- If a Server, be housed and maintained in OCC’s IT computer room.
- Have an authorized fixed IP address or be appropriately registered for DHCP;
- Be configured to run a supported version of an operating system for which patches for newly identified security breaches are developed and distributed in a timely manner;
- Be configured in such a way that known vulnerabilities - such as open FTP ports and open relays - are eliminated or minimized;
- Be maintained in such a way that patches which close known security breaches are applied as soon as they become available;
- Have antivirus software installed on it that runs continuously and is updated regularly;
- Be scanned and determined to be free of viruses and other known compromises that may have been introduced to its operating environment;
- Be used for appropriate purposes related to the educational and research mission of the College or to the conduct of its legitimate business activities; and
- The ID and password allowing the highest level of administrative access to a server must be escrowed with IT. That is, procedures for access to the administration ID/Password for a server must be made available to IT’s Network Computing management in the event of problems or emergency.
Violations: Any Principal User who violates this or other OCC Policies, procedures, contractual obligations, or applicable state or federal laws, will be subject to appropriate disciplinary and legal action, including, but not limited to, the limitation or denial of access to OCC’s computer systems and communications networks. Violators may also be subject to disciplinary action, up to and including termination.
Any device to be connected to the campus network requires the knowledge and authorization of the Information Technology department. Personal owned devices, equipment and/or software are not supported and may cause compatibility issues with the OCC computing environment. Unprotected or corrupted devices can cause outages to the entire campus network.
Approved by the President June 29, 2009