UCLA Policy 401: Minimum Security Standards for Network Devices
I. INTRODUCTION AND PURPOSE
UCLA encourages the use of its electronic communications network in support of the University’s mission. However, this resource is limited and may be vulnerable to attack or improper use. It must be well-managed and protected, and UCLA reserves the right to deny access to its electronic communications network by Devices that do not meet its standards for security.
The purpose of this policy is to establish the Minimum Security Standards for all electronic Devices connecting to the UCLA Campus Network, in accordance with the principles endorsed by the UCLA Information Technology Planning Board on March 31, 2005. Such standards serve to protect not only the individual Device but also the other Devices connected to the Campus Network. Portions of this policy are drawn from the UC Berkeley Minimum Security Standards for Networked Devices, issued January 2004. This policy also identifies those with principal responsibility for compliance with the Minimum Security Standards and for the enforcement of this policy, including taking corrective action.
For the purposes of this Policy:
Campus Network: All UCLA networks connected to the campus backbone network, directly or indirectly, and whether or not behind a firewall or Network Address Translation (NAT) device. (NAT is an Internet standard that enables a local area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic).
Connectivity Service Provider: A unit, organization, or person that enables access to the Campus Network by UCLA faculty, students and staff and including for visiting scholars, conference attendees or other temporary visitors to UCLA.
Network Device (Device): A computer, printer, wireless appliance or other piece of equipment that can connect to and communicate over the Campus Network.
System Administrator: An individual who installs, configures and/or maintains any Device in his or her area of responsibility that is connected to the Campus Network.
This policy applies to all faculty, staff, students and contractors who connect a Network Device to the Campus Network (i.e., whenever a Network Device is assigned an Internet Protocol (IP) address that is routable on the Campus Network and can be used to send data to, or receive data from, the Campus Network). This policy is applicable:
- regardless of how the Device is connected to the Campus Network (e.g., directly from a campus office, or indirectly from a faculty member’s home using the UCLA wireless or the UCLA Virtual Private Network (VPN)); and
- whether or not the Device is owned by the University.
Whenever anyone is connected to the Campus Network, he or she is expected to comply with this Policy.
A. Compliance with Minimum Security Standards
All Devices connecting to the Campus Network, whether physically located on campus property or not, must comply with the Minimum Security Standards in Attachment A. A Device that does not meet these Minimum Security Standards is subject to disconnection, or to having its access to the Campus Network blocked, until remediation has been performed. More restrictive standards may be adopted at the department or unit level.
Devices that host restricted data as defined in UC Business & Finance Bulletin IS-3 (PDF) may be required to conform to more rigorous security standards. Devices hosting specific types of data (e.g., as defined by UCLA Policy 420, the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI-DSS)) may be subject to additional constraints. See the “Protection of Personal Information” Web site for guidance.
B. Responsibilities for Compliance and Enforcement
System Administrators shall ensure that every Device for which they are responsible is in compliance with the Minimum Security Standards.
A System Administrator may be an IT staff member whose responsibilities include ongoing maintenance for all Devices in a department or computer lab. A faculty member functions as a System Administrator when his or her personally owned computer at home connects to the Campus Network (e.g., via the UCLA wireless or through the UCLA Virtual Private Network (VPN)).
Connectivity Service Providers (CSP)
Connectivity Service Providers shall take appropriate corrective action:
- when a Device connected to the Campus Network is causing disruption (e.g., sourcing a denial-of-service attack). In such situations, the CSP must have procedures in place to identify the problem Device and disconnect or block its access as appropriate. The Device may be reconnected only when the cause of the disruptive behavior has been addressed and provided it meets the Minimum Security Standards. Further, if the Device hosts personal information as defined in UCLA Policy 420, a potential security breach must be assumed and the procedures in that policy must be followed.
- if a Device connected to the Campus Network is found not to meet the Minimum Security Standards (e.g., through a vulnerability scan). In such situations, the Device is subject to disconnection or having its access to the Campus Network blocked by the CSP unless remediation is completed in a timely manner.
Under certain circumstances, a CSP may execute approved alternatives to the Minimum Security Standards, as listed in section C., below.
C. Exceptions to the Minimum Security Standards
A Device may connect to the Campus Network only if it meets the Minimum Security Standards. However, a Device may fail to meet these standards and still have a legitimate need to connect to the Campus Network. In such cases, under the following circumstances, an exception may be made by employing alternate security measures.
- Many common Devices either cannot meet these standards (e.g., printers with a built-in web server) or cannot do so without impairing critical usability (e.g., grid computers, some high-volume servers). In such cases, standard alternate security measures can be employed, thereby satisfying the Minimum Security Standards (see Attachment B).
- Laptops and other Devices brought by visiting scholars, conference attendees and other temporary visitors to UCLA cannot be assumed to comply with these Minimum Security Standards. Therefore, a CSP must develop an appropriately secured environment in order to provide access to the Campus Network for such visitors.
- Any other Device that cannot meet the Minimum Security Standards may still be connected to the Campus Network if an alternate method of providing equal or greater security is documented by the System Administrator and this alternate method is approved by the Connectivity Service Provider.
All exceptions shall be documented in writing (electronically or otherwise) and kept on file by the Connectivity Service Provider. Such documentation shall be kept on file for as long as the Device associated with the exception is connected to the Campus Network.
Appeals concerning decisions made or actions taken by a Connectivity Service Provider may be made to the Administrative Vice Chancellor, who will consult with other campus officials, as appropriate, to make the final determination.
UC Business & Finance Bulletin IS-3 (PDF), Electronic Information Security;
UCLA Policy 420, Notification of Breaches of Computerized Personal Information;
UCLA Procedure 350.6, Campus Backbone Network (CBN);
/s/ Morabito, Sam
Administrative Vice Chancellor