This guideline covers the security of the network on the Danforth Campus.
Washington University in St. Louis (WUSTL) is committed to conducting business in compliance with all applicable laws, regulations, and WUSTL policies. The university has adopted this guideline to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
This guideline and its associated guidance are meant to give the WUSTL computing community directives that help ensure the protection and privacy of information, protection of information against unauthorized modification or disclosure, protection of systems against denial of service, and protection of systems against unauthorized access. It is intended to protect the integrity of the private network and mitigate the risks and losses associated with external and internal threats.
This guideline applies to all network assets, services, and operating personnel that comprise the network. This includes network infrastructure components, network management and service systems, and employees.
The network shall, with exceptions noted and approved by the Network Security Office (NSO), follow the guidance outlined in WUSTL Information Security Policy.
External connections provide authenticated and authorized access into the university network through NSO-approved remote access technologies. These connections shall follow best practices for implementation. The appropriate security controls shall be put in place based on a risk assessment. If information using these connections is classified as protected, then the confidentiality and integrity of the information shall also be protected. Controls shall also be implemented to restrict network access to only those who have affiliations with the university.
Backdoors circumvent/bypass external connections and are often unauthorized. These connections shall be approved by the NSO and have a legitimate business purpose. The appropriate security controls shall be put in place based on a risk assessment. If information using these connections is classified as protected, and occurs over unprotected or public networks, then the confidentiality and integrity of the information needs to be protected with encryption.
Architecture and Design
Network design shall incorporate technologies that facilitate the addition of security controls. It should ensure, or enhance, the confidentiality, integrity, and availability (CIA) of electronic information.
The core network shall be centrally managed to ensure the CIA of electronic information. Network managers and operators shall be given the authority to remove, revoke, and implement measures to protect the network from unacceptable use.
Auditing by internal and/or external organizations, along with network vulnerability assessments, will periodically be conducted to determine the risk to availability and the risk of unauthorized access, exposure of protected information, and regulatory violations.
Users of the network shall abide by both the university’s Acceptable Use Policy (AUP). Abuses of these policies will result in disciplinary measures and/or discontinued use of the network.
Controls shall be put in place to prohibit network activities that threaten business use and put protected information at risk.
Operation, Administration, Maintenance and Provisioning (OAM&P)
The network shall have an Operations Center for Operation, Administration, Maintenance and Provisioning (OAM&P) of the network. Capabilities of the operations center shall include monitoring of network and security events, a call and support center, and industry best Standard Operating Procedures (SOP) and processes.
There shall be a change control process in place to manage OAM&P tasks within the network.
Updated April 1, 2013.