Network Security Policy
Today, the university is highly dependent upon networking and computing technologies. Our infrastructure must continue to be protected in order to ensure continuity of services for our core functions-research, education, and business processes required to run the university. It is crucial that we state and enforce a clear network security policy to protect our students, faculty, and staff from internal and external threats inherent in network usage. This document states the policy we currently practice which successfully protects our network, information resources, and users. We accomplish this by looking for anomalies in network use patterns and looking for security vulnerabilities on the devices connected to our network.
A prior version of this policy was reviewed and approved by the president, the president's cabinet, and the Trustee Technology Committee in May 2004. This policy was endorsed by the Faculty on January 20, 2005 and approved by the Board of Trustees in February 2005.
This policy statement covers all systems and devices of any kind that connect to the WPI network regardless of device ownership. The WPI network is defined to be any WPI network infrastructure (e.g. wired, wireless, residential, fraternity/sorority, etc.) on which systems can connect to each other or to the Internet.
The goals of this network security policy are:
- Protect the university's networks, connected systems, and services from abuse and inappropriate use.
- Describe how we will identify threats and breaches of university networks and computer systems.
- Provide an effective mechanism for responding to complaints and queries about real or perceived abuses of university networks and computer systems.
- Establish a structure to protect the reputation of the university regarding information technology issues.
- Satisfy WPI's legal and ethical responsibilities relating to our networks and computers and their connectivity to worldwide networks.
- Integrate with existing and developing policies, e.g.,
This policy establishes measures to prevent or minimize the number of security incidents experienced by the WPI campus network and associated off-campus networks without impacting the university mission or the integrity of the university computing environment and user communities.
Roles & Responsibilities
In support of the WPI mission, the WPI Information Technology Division (IT) will be the sole provider of network resources for the entire WPI community. Special academic networks, not connected to the WPI network, may be designed and constructed by faculty members in pursuit of their educational or research mission. Before a network connection is made, the faculty must involve the WPI Network Operations group (NetOps) in the design to be sure that the WPI network is not adversely affected by such networks. Third party network providers may, from time-to-time, be engaged to support special circumstances; all such third-party relationships must be approved and managed by the IT Division.
The responsibility for the security of university computing resources rests with the individual system administrators who manage these resources. NetOps will support and advise system administrators who carry out these responsibilities in accordance with this policy.
The Vice President for Information Technology / Chief Information Officer leads the development of the network policy. The president, provost, the Vice President for Student Affairs, and other divisional vice presidents agree to support this policy and be responsible for holding their respective constituent groups (their staffs, the students, and the faculty) accountable for behavior that is consistent with this policy.
The Director of Network Operations and Security is in charge of enforcement of the policy. The director will review and respond to all formal complaints resulting from the implementation and enforcement of this policy. Violations will be resolved as stated in the Acceptable Use Policy and Campus Code of Conduct. If necessary, complaints may be escalated to the Campus Hearing Board, appropriate vice presidents, or the president.
All network users shall abide by this policy and the WPI Acceptable Use Policy or risk loss of network privileges and referral to the proper campus authorities for further action
1. Network Operations (NetOps)
To accomplish the goals of this policy, the WPI NetOps group will perform the following functions.
Monitor network traffic, as necessary and appropriate, for the detection of network problems, intrusions, and policy violations.
- When a security problem is identified, NetOps will seek the cooperation of the appropriate contacts for the systems and networks involved in order to resolve such problems. If necessary, NetOps will act unilaterally to contain the problem by isolating systems and their services from the network, and promptly notify the responsible system administrator when this is done.
- Publish security alerts, vulnerability notices, patches, and other pertinent information in an effort to prevent security breaches.
Execute and review the results of automated network-based security scans of the systems and devices on university networks in order to detect vulnerabilities or compromised hosts.
- NetOps will inform the departmental system administrators of planned scan activity. They will also provide detailed information about the scans, including time of scan, originating machine, tests performed and vulnerabilities tested. The security, operation, or functionality of the scanned machines should not be endangered by the scan.
- NetOps will report the results of scans that identify security vulnerabilities only to the departmental system administrator contact responsible for those systems.
- NetOps will help individual system administrators improve their skill sets if recurring vulnerabilities over multiple scans appear.
- If identified security vulnerabilities, deemed to be a significant risk to others, are not addressed in a timely manner, NetOps may take steps to disable network access to those systems and/or devices until the problems have been rectified.
- Prepare summary reports of NetOps network security activities on a quarterly basis.
- Prepare recommendations and guidelines for network and system administrators, to be posted on the NetOps web page of the WPI website at http://www.wpi.edu/+netops.
- Provide security assistance and advice to system administrators.
- Coordinate all WPI network security efforts and act as the primary administrative contact for all related activities. To ensure that this coordination is effective, security compromises should be reported to NetOps via e-mail at firstname.lastname@example.org or telephone 508-831-6666.
- Cooperate with WPI (e.g., Campus Hearing Board, Police, Human Resources), state, and federal investigations into any alleged computer or network security incidents.
- Cooperate in the identification and prosecution of activities contrary to university policies and the law. Actions will be taken in accordance with relevant university policies, codes, and procedures with, as appropriate, the involvement of the Campus Police and/or other law enforcement agencies.
- Abide by the Code of Conduct for IT Administrators.
2. Academic and Administrative Departments
In support of this policy all academic and administrative department heads will provide the Information Technology Division (IT) with the following information and keep it up to date:
- The names of all system administrators and e-mail addresses for these contacts.
- Registration of all departmental networked devices with full information provided at the network registration Web page.
If no contact person exists, or is provided to IT, NetOps will assume responsibility for system security.
3. System Administrators
System Administrators will perform the functions listed below:
- Protect the systems and services for which they are responsible.
- Employ recommended practices and guidelines where appropriate and practical.
- Cooperate with NetOps in addressing security problems identified by network monitoring.
- Address security vulnerabilities identified by NetOps scans deemed to be a significant risk to others.
- Report significant computer security compromises to NetOps for assistance in tracking and containing intrusions.
- Abide by the Code of Conduct for IT Administrators.
4. Network Users
All network users will abide by this policy and the WPI Acceptable Use Policy.
For more information or clarification of any of the provisions of this policy, please contact the Director of Network Operations and Security at email@example.com or 508-831-5115.
This policy will be reviewed by the IT Division on a yearly basis and updated as needed. When changes are required, IT will consult with faculty governance, department heads, and vice presidents.