Important information from the university about the Ferguson grand jury announcement. Learn more

About WUSTL

Compliance & Policies

Network Security Guideline

This guideline covers the security of the network on the Danforth Campus.

Washington University in St. Louis (WUSTL) is committed to conducting business in compliance with all applicable laws, regulations, and WUSTL policies. The university has adopted this guideline to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Objective

This guideline and associated guidance are meant to provide to the computing community of WUSTL directives to help ensure the protection and the privacy of information, protection of information against unauthorized modification or disclosure, protection of systems against denial of service, and protection of systems against unauthorized access. It is intended to protect the integrity of the private network and mitigate the risks and losses associated with external and internal threats.
Specifically:

  • To ensure the Washington University network has appropriate security and capability.
  • To ensure applicable federal and organizational policies, mandates, etc. are applied and adhered to.
  • Security controls are effective, based on a cost benefit assessment, and meet the intent of applicable regulations and university policies.
  • To provide accountability within the network and other computing resources in which individuals have access.
  • To give network managers, engineers, and technicians guidance for implementing, maintaining, and operating the University’s network in a secure manner.
  • Ensure that all critical functions of the University’s network have documented operational processes and disaster recovery plans to provide continuity of operation.
  • To maintain Confidentiality, Integrity and Availability (CIA) of the information at Washington University.

Scope

All network assets, service, and operating personnel that comprise the Network. This includes network infrastructure components, network management and service systems, and employees.

Guideline

The network shall, with exceptions noted and approved by the Network Security Office (NSO), follow the guidance outlined in WUSTL Information Security Policy.

External Connections
External connections provide authenticated and authorized access into the university network through the NSO approved remote access technologies. These connections shall follow best practices for implementation. The appropriate security controls shall be put in place based on a risk assessment. If information using these connections is classified as protected then the confidentiality and integrity of the information shall also be in place. Controls shall also be implemented to restrict network access to those who have affiliations with the university only.

Backdoor Connections
Backdoors circumvent/bypass external connections and are often unauthorized. These connections shall be approved by the NSO and have a legitimate business purpose. The appropriate security controls shall be put in place based on a risk assessment. If information using these connections is classified as protected, and occurs over unprotected or public networks, then the confidentiality and integrity of the information needs to be protected with encryption.

Architecture and Design
Network design shall incorporate technologies that facilitate the addition of security controls. It should ensure, or enhance, the CIA of electronic information.

Network Management
The core network shall be centrally managed to ensure the CIA of electronic information. Network managers and operators shall be given the authority to remove, revoke, and implement measures to protect the network from unacceptable use.

Risk Management
Auditing by internal and /or external organizations along with network vulnerability assessments will periodically be conducted to determine risk of: availability, unauthorized access, exposure of protected information, and regulatory violations.

Acceptable Uses
Users of the network shall abide by both the university’s Acceptable Use Policy (AUP). Abuses of these policies will result in disciplinary measures and/or discontinued use of the network.

Malicious Activities
Controls shall be put in place to prohibit network activities that threaten business use and put protected information at risk.

Operation, Administration, Maintenance and Provisioning (OAM&P)
The network shall have an Operations Center for Operation, Administration, Maintenance and Provisioning (OAM&P) of the network. Capabilities of the operations center shall include monitoring of network and security events, a call and support center, and industry best Standard Operating Procedures (SOP) and processes.

Change Control
There shall be a change control process in place to manage OAM&P tasks within the network.

Updated April 1, 2013.