Network Use and Vulnerability Assessment Policy: IM

PURPOSE:

The purpose of the Network Use and Vulnerability Assessment policy is to assure the reliability, security, integrity, and availability of the telecommunications network infrastructure. This policy documents practices and responsibilities associated with the administration, maintenance, expansion, and use of the College network in order to: 

  1. Provide reliable network communications for the efficient conduct of College business;
  2. Assure that network usage is authorized and consistent with the College’s mission; and
  3. Protect the confidentiality, integrity, and availability of College information that traverses the College network.

 

SCOPE:

The SPC Network Use and Vulnerability Assessment policy applies equally to all individuals utilizing any South Plains College information technology resources.

 

POLICY STATEMENT:

The Information Resources Manager (IRM) has central oversight and is responsible for the management of the SPC network infrastructure resources. All devices connected to the SPC network (wired or wireless) should support the College’s mission. The integrity, security, and proper operation of the College network require an orderly assignment of network addresses and the correct configuration of devices attached to the network. Network access, performance, and security are put at risk when devices are introduced into the network environment without appropriate coordination.

 

SPC-IS will perform periodic vulnerability assessments and network scans to determine if assets hosted on SPC’s network are vulnerable to any known flaws in the operating system, services or application.  The results are intended to assist server and application owners in securing their assets and any College related data that they may house.

Server or Application owners will be notified of any vulnerability present on their systems, and any servers whose vulnerabilities have not been remediated in a predetermined amount of time may be disconnected from SPC’s network.

 

SPC-IS manages College network connections with consideration for the College mission, accessibility, performance, privacy, and security in compliance with the following:

 

  1. No individual or College component may independently deploy network devices that extend the College network, or secure or isolate parts of the College network, except as stipulated under this policy’s provisions.
  2. SPC-IS is charged with overall responsibility for proper deployment and management of a fully-monitored and protected network communication service, including all infrastructure elements, network address assignments, and radio frequency (RF) spectrum usage.
  3. SPC-IS shall coordinate the connection and network address assignment of any and all devices on the College network. Other departments and individual users may not install, alter, extend or re-transmit network services in any way without prior proper approval.
  4. Departments and individual users are prohibited from attaching or contracting with a vendor to attach port assignable, hard-wired equipment such as routers, switches, hubs, firewall appliances, wireless access points, virtual private network (VPN) servers, network address translators, proxy servers, and dial-up servers to the College network without prior authorization from SPC-IS.
  5. SPC-IS may disconnect and remove any SPC-IS unauthorized network device, including wireless routers and access points.
  6. Personal software firewalls are permitted, as are printers, scanners, and similar peripheral devices if directly connected as a peripheral device to a desktop or notebook computer. SPC-IS reserves the right to monitor and audit individual devices, systems, and general network traffic to ensure compliance with this and other College policies.
  7. Use of devices connected to the College network is accompanied by certain responsibilities. Specifically, all users are required to ensure timely updates of applications, operating systems, and virus protection software to minimize risks of system compromise. (SPC-IS provides non-intrusive products and services for achieving such updates.)
  8. The College network is unencrypted. Server and application administrators that utilize this network to transmit sensitive, restricted and confidential information are responsible for information security on the network. Examples of available protections include encrypted protocols such as SSL, IPSec, SSH, etc. Contact SPC-IS for assistance in implementing the necessary protective measures.
  9. SPC-IS requires the registration of servers connected to the College network, which must be collocated in the SPC-IS data center. Following registration, SPC-IS will facilitate an information-technology risk assessment to ensure compliance with state and College standards and best practices. A department’s administrative head is responsible for designating a server administrator for each server. The server administrator shall collaborate with SPC-IS as necessary to:
  10. Register the server with the ISO;
  11. Protect the server against exploitation of known vulnerabilities.
  12. Address and resolve security problems identified with any device or application for which they are responsible.
  13. Utilize the protection benefits available through the College’s network edge protection mechanisms (e.g., firewall, intrusion prevention systems, etc.);
  14. Accommodate risk assessments, vulnerability scans, and penetration tests of their server by SPC-IS and take steps to mitigate the risks identified by these procedures;  and
  15. Immediately report system compromises and other security incidents to the ISO.

 

  1. Internet connectivity is ubiquitous across the campus. Virtually all rooms and meeting spaces at SPC are equipped with wired or wireless connectivity. Nevertheless, facility reservations do not necessarily include the right to use the College network for any and all purposes. Consistent with IT-01, Acceptable Use policy, the College cannot guarantee support of audio or video streaming by reserving parties.

 

  1. Departments that accept facility reservation requests from external parties will ascertain the party’s need for audio or video transmissions and consult with SPC-IS about that need. To assure compliance with this provision, departments that administer building or room reservations should include the following (or similar) statement on all reservation applications and request forms: “Streaming of audio or video is not permitted from this facility without advance notice and consultation. The reserving party declares that it – DOES / DOES NOT (circle one) – wish to stream audio or video from this facility.”

 

DEFINITIONS:

Application Owner: The individual or group that holds ultimate responsibility for a specific service or application. 

Dial-Up Server: Refers to connecting a device to a network via a modem and a public telephone network. 

Encryption: The conversion of data into a form called cipher text that cannot be easily understood by unauthorized people. 

Hub: A connection point for devices in a network to connect segments of a LAN. 

Firewall: A network security system that controls the incoming and outgoing network traffic based on applied rule sets. 

Information Resources Manager (IRM): Officer responsible to the State of Texas to manage SPC information technology resources. 

Network Address: A network address (Internet Protocol (IP) address) serves as a unique identifier for a computer on a network. 

Network Address Translator:  The translation of an Internet Protocol (IP) address used within one network to a different IP address known within another network. 

Network Scan: The procedure for identifying active hosts on a network for network security assessments.

Penetration Test: Security oriented probing of a computer system, network or web application to seek out vulnerabilities that an attacker could exploit. 

Personal Firewall: A software application used to protect a single internet-connected computer from intruders (sometimes called a desktop firewall). 

Proxy Server: A server that sits between a client and an external network to allow clients to make indirect network connections to other network services. 

Radio frequency (RF) spectrum: Any frequency within the electromagnetic spectrum associated with radio wave propagation. 

Risk Assessment: A systematic process of identifying, evaluating, and estimating the levels of risks involved in a process or system, their comparison against benchmarks or standards, determining appropriate ways to eliminate or control the hazard, and determining an acceptable level of risk. 

Router: A device, connected to at least two networks that forwards data packets from one network to another. 

Server Owner: The individual or group that is responsible for managing a specific application server on a day-to-day basis. 

Switch: A managed connection point for devices in a network to connect segments of a LAN. 

Virtual Private Network (VPN) Server: A server that extends a private network across a public network, like the internet, to provide remote offices or individuals with secure access to the SPC network using special hardware and software. 

Vulnerability:  A flaw or weakness in hardware, software or processes that exposes a system to compromise. 

Vulnerability Assessment: The process of identifying, quantifying, and prioritizing the vulnerabilities (weaknesses) in a system. 

Wireless Access Point:  A device that allows wireless devices to connect to a wired network using Wi-Fi. 

Wired Connectivity: A term used to describe any computer connection or network where the connection between sender and receiver involves cables, such as Ethernet. 

Wireless Connectivity: A term used to describe any computer connection or network where there is no physical wired connection between sender and receiver.

 

Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/.  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

DIR Security Controls Catalog Control Group: CA-9, RA-3

 

Approved by:  Executive Council, April 4, 2019

Next Review: October 1, 2020

Section A: District Legal Status, History and Purpose

AA. College District Legal Status and History (BP)
AB. College Name (BP)
AC. System of Governance (BP)
AD. College District Geographic Boundaries and Service Area (BP)
AE. Educational Role and Mission, Purpose and Responsibility (BP)
AF. Vision Statement and Organizational Values

Section B: Governance, Executive Functions and Organization

BA.   Purpose, Powers and Responsibilities of the Board
BAB. Specific Duties of the Board (BL)
BAC. Rights and Responsibilities of the Board (BL)
BB.   Eligibility and Qualifications for Serving on the Board of Regents (BL)
BBA. Election of Board Members (BL)
BBB. Orientation and Professional Development of Board Members (BL)
BBC. Election of Board Officers (BL)
BBD. Duties of the Chairman of the Board (BL)
BBE. Duties of the Vice Chairman (BL)
BBF. Duties of the Secretary (BL)
BC.   Regular Board Meetings (BL)
BCA. Special Meetings (BL)
BCB. Official Business at Regular and Special Meetings (BL)
BCC. Quorum Necessary for Transaction of Business (BL)
BCD. Order of Business (BL)
BCE. Rules of Order (BL)
BCF. Public Participation (BL)
BCG. Board Self Evaluation
BD.   Board Committees (BL)
BE.   Conventions, Conferences and Workshops (BP)
BF.   Policy and By-Law Development (BP)
BFA. Amendments to the By-Laws (BL)
BG.  Board Member Statement of Ethics
BGA. Standards of Conduct and Conflict of Interest
BGAA. Conflict of Interest Disclosure
BGB. Code of Ethics (BP)
BH.  Board Vacancies
BHA. Removal from Office
BI.   Employment of the College President (BL)
BIA. Qualifications of the President (BP)
BIB. The College President as the Executive Officer (BP)
BIC. Evaluation of the President (BP)
BID. Administrative Organization Plan (BP)
BIDA. College Organizational Chart (PDF file opens with Acrobat Reader, 380kb)
BIE. Administrative Rules and Regulations (BP)
BIF. Planning and Institutional Effectiveness (BP)
BJA. Employment of Independent Auditor (BP)
BJB. Employment of College Attorney (BP)
BJC. Selection of Chief Tax Officials (BP)
BK. Relationship between South Plains College and the South Plains College Foundation, Inc. (BP)
BKA. Foundation Administration and Investment of Funds (BP)
BKB. Use of Employees or Property of the College by the Foundation (BP)
BKC. Officer/Director of the College (BP)
BKD. Acceptance of Gifts by the College (BP)
BL. Accreditation (BP)
BLA. Substantive Change

Executive Officers of the College
BMA. Vice President for Academic Affairs
BMB. Vice President for Student Affairs
BMC. Vice President for Business Affairs
BMD. Vice President for Institutional Advancement
Instructional Deans of the College
BME. Dean of Arts and Sciences
BMF. Dean of Health Sciences
BMG. Dean of Technical Education
BMH. Dean of Dual Enrollment & Distance Education
Student Services Deans of the College
BMI. Dean of Enrollment Services
BMJ. Dean of Students
BMK. Associate Dean of Students
BN.   Executive Council
BO.  Administrative Council
BP.  Advisory Board By-Laws
BQ. Technical Advisory Committee By-Laws

Section C: Business Services

CA. The College Budget (BP)
CB. Purchase of Supplies and Equipment for the College (BP)
CBA. Purchasing Operating Policy
CBB-E. Price Quote/Bid Certificate
CBC. Food Purchase Policy
CBE. Procurement Card Policy
CBF. Computer and Electronic Device Aquisition Policy
CC. Service and Repair of College Equipment
CD. Use of College Facilities
See Policy GD Use of College Facilities, Including Athletic and Recreational Facilities (BP)
CE. Monthly Salary Payments
See Policy DR Compensation Schedule and Options (BP)
CF. Removal of College Property from Campus
See Policy GDB Loan or Rental of College-Owned Equipment and Tools (BP)
CG. Travel Policies and Procedures
CGC-E. Travel Report-Technical Division
CGD. Vehicle and Bus Driver Policy
CGE. Travel Card Guide
CH. Joint Property Rights
CI. Telephone/Voice Mail Use
CIA. Guidelines for Setting up Voice Mail
CI.28 Privacy Policy
CI.28.1 Web Site Privacy
CI.28.2 Merchant Card Policy
CJ. Technology Acceptable Use Policy
CJ-E. E-mail Application
CJA. Electronic Messaging (all@SPC) Policy
CK. College Depository
CL. Disposal of Property
CM. Records Management Program
CMA. Records Management Schedule
CMB. Records Management of Deceased Person
CN. Internal Audits
CO. Collection of College Funds
CP. Inventory of College Equipment
CQ. Investment Management (BP)
CR. Architectural Styling, Naming of Buildings and Plaques
CRA. Naming of Buildings and College Property
CS. Financial Management of Grant Funds

Section D: Personnel

DA. Affirmative Action Plan (BP)
DAA. Americans with Disabilities Act
DB. Non-Discrimination Policy (BP)
DBA. Protection of Rights and Development
DBC. Conflict of Interest Policy
DBC-E. Disclosure Form
DBD. Intellectual Property Policy
DBDA. Student Intellectual Property Rights
DBE.  Copyright/Patent Fair Use Policy
DC. Grievance Procedure
DD. Replaced by DDA
DDA. Sexual Harassment Policy
DDB. Racial Harassment Policy
DDC. Due Process (Dismissal/Non-Renewal)
DDD. Corrective Action
DDE. Employee Conduct and Work Rules
DDEA. Smoking in the Workplace (See Policy GF)
DDF. Personal Appearance
DDG. Workplace Violence/Firearms (See Policy HHA)
DE. Substance Abuse Policy
DEA. Substance Abuse Program Implementation
DF. Employment Procedures
DFA-E. Personnel Requisition
DFB-E. Personnel Action Form
DFD-E. Affirmative Action Letter
DFE-E. Employment Application
DFEA-E. Supplement to Professional Application
DFF-E. Approval Notice and Status Change Notice
DFG-E. Application for Classified Positions
DFH-E. Part-Time Teaching Applicants
DFJ. Nepotism (BP)
DFK-E. Oath of Office Form
DFL. Definitions of Employment Status
DGA. Personnel Records and Privacy
DH. Employee Benefits Plan (BP)
DHA. Employee Benefits Program
DHAA. Sick Leave
DHB. Worker Compensation and Sick Leave
DHBA. Maintaining a Safe Work Environment
DHBB. Accident/Injury Reports
DHC. Disability Policy (BP)
DHDA. Family and Medical Leave of Absence
DHDA-E. FLMA Checklist
DHE. Personal Leave
DHF. Bereavement Leave
DHG. Professional Development Travel (BP)
DHGA. Professional Leave Approval
DHH. Professional Development Leave, Faculty (See Section 5.4 of Faculty Handbook)
DHI. Leave of Absence (BP)
DHJ. Military Leave (BP)
DHK. Vacations
DHL. Jury Duty
DHM. Group Insurance
DHN. Tax Sheltered Annuity
DHNA. South Plains College Pension Trust Fund
DHOA. Payroll Deduction
DHP. Definitions of Payroll/Personnel Actions
DI. Retirement Policies
DIA. Texas Teacher Retirement System
DIB. Optional Retirement Program (BP)
DIC. Medical Benefits Following Retirement
DID. Retirement Recognition
DIDA-E. Retirement Award
DIE. Retiree use of College Facilities
DL. Outside Employment of Faculty and Staff (BP)
DM. University Interscholastic League (UIL) Assignments and Responsibilities
DN. Parking Regulations
DO. Facility Access
DOA-E. South Plains College Key Request Form
DP. Building Security
DQ. Personnel Classifications
DQA. Employee Handbook, General
DQG. Handbook Supplement, Classified Part-Time (Class A)
DQH. Handbook Supplement, Classified Part-Time (Class B)
DQI. Handbook Supplement, Classified Full-Time (Class C)
DQJ. Handbook Supplement,  Maintenance and Custodial Personnel
DQK. Handbook Supplement, Police Officers
DQL. Handbook Supplement, Dorm Supervisor
DR. Compensation Schedule and Options (BP)
DRA. Salary Increases and Supplements (BP)
DRB. Holidays
DRC. Supplemental Pay Procedure for Exempt Employees
DRC-E. Exempt Employee Supplemental Pay Form
DTA. Evaluations- Administrators and Supervisors
DTA-E. Administrators and Supervisors Process Form
DTB. Faculty (See Section 3.4 Evaluation, Faculty Handbook)
DTC. Administrative Assistants and Clerks
DTC-E1. Personnel Assessment Process Form
DTC-E2. Physical Plant Personnel Performance Evaluation
DUA. Employee Service Awards
DXA. Exit Interviews
DXA-E. Employee Exit Interview Form
DY. Food and Drinks in Classrooms and Laboratories
DZ. Solicitation and Distribution

Section E: Faculty and Instruction

EA. Academic Freedom and Tenure (BP)
EB. Curriculum and Courses of Study (BP)
EC. Bible Instruction (BP)
ED. Honorary Degrees (BP)
EE. Faculty Handbook (BP)
EEA. Online Faculty Handbook

Section F: Student Information

FA. Admission to the College (BP)
FAA. Admission of International Students (BP)
FAB. Degree Limitation Statement
FAC. Academic Appeals Procedure
FAD. Student Records
FADA. Student Identification Number
FADB. Student Identity Verification
FB. Student Clubs and Organizations (BP)
FBA. Student Activities
FBAA. Calendar of Student Events
FBAB. Posting of Announcements and Signs
FBC. Student Newspaper (BP)
FBCA. Editorial and Advertising, Student Publications
FBD. On-Campus Speakers (BP)
FC. Intercollegiate Athletics (BP)
FCA. College Mascot (BP)
FCB. College Colors (BP)
FD. In-District Tuition (BP)
FDA. Waiver of Nonresident Tuition (BP)
FE. Travel by Student Groups
FF. Student Conduct and Discipline
FG. Student Substance Abuse Policy
FH. Sexual Harassment Policy
FI. Campus Assessment, Response and Evaluation (CARE) Team
FJ. Freedom of Expression Policy
FM. Student Grievance Procedure
FN. Compulsory Insurance for Students (BP)
FNA. Health Services
FO. Student Housing Policy (BP)
FOA. Student Housing Policy
FOB. Temporary Housing Assistance for Certain Students
FOC. Residential Housing Missing Student Notification Policy and 
         Procedures
FP. Services for Students with Disabilities
FQ. Annual Public Notice
FR. Student Financial Aid
FS. Student Counseling Center
FT. Learning Resources
FW. Texas Success Initiative (TSI)
FX. Student Correspondence Policy (Student E-Mail)
FY. Absences for Military on Active Duty
FZ. Student Death 
FZA. Student Death Protocol

Section G: Community and Government Relations

GA. Media Relations
GB. Crisis Management Plan
GC. Publications and Printing Policy
GD. Use of College Facilities, Including Athletic and Recreational Facilities (BP)
GDA. Use of Facilities in Time of Disaster (BP)
GBD. Loan or Rental of College-Owned Equipment and Tools
GDC. Facility Rental Policies
GE. Use of College Food Service (BP)
GF. Smoke Free Environment
GG. Communicable Disease Policy
GH. Senior Citizens Benefits
GI. Public Complaints and Hearings (BP)
GN. Camp Programs for Minors

Section H: Support Services

HA. Library
HB. Marketing and Communications
HBA. Planning Guide for Printing, Publications, and Web Pages
HBB. College Business Cards
HC. Continuing Education
HD. Administrative Computer Center
HE. Bookstore
HF. College Post Office
HG. Maintenance/Custodial Services
HH. Campus Security
HHA. Workplace Violence and Unauthorized Weapons
HHB. Annual Disclosure of Crime Statistics
HHC. Concealed Carry of Handguns on Campus
HHD. Campus Security Camera Acceptable Use
HHE.  Campus Security Authorities (CSA)
HHF. Violent Intrusion/Action Defense Preparations
HHG. Mass Communication
HI. Health/Wellness Services-Levelland Campus
HJ. Food Service-Levelland Campus
HK. Severe Weather Procedures
HL. Copy Center and Reproduction Procedures
HM. College Vehicles
HN. College Web Site Policy
HO. College Stationery Policy
HP. College Logos
HQ. Photography Service
HR. Office of Human Resources
HS. Office of Development
HSA. Fundraising, Solicitation and Grant Writing
HSA-E. Fundraising Activity Approval Form
HSAA. Acceptance of Non-Cash Gifts
HSAA-E. Non-Cash Gift Acceptance Form
HT. New Student Relations
HU. Financial Aid Lender Relations Institutional Code of Conduct
HV. Data Governance Policy

Section I: Information Services

IA. Policy Compliance
IB. User Accounts Management Policy
IB-A. User Account Credentials Eligibility Statement
IC. User Account Password
ID. Acceptable Use
IE. Virtual Private Network Access Policy
IF. Data Governance
IG. Data Classification
IH. Security Incident Response
IJ. Change Management
IK. Digital Encryption
IL. Data Backup
IM. Network Use and Vulnerability Assessment
IN. Technology Security Training
IO. Server Administration
IP. Media Sanitization Policy
IQ. NDA Requirement Policy
IR. Risk Assess Policy
IS. IT Administrator/Special Access
IT. Authorized Software Policy
IU. Communication Policy
IV. Firewall Policy
IW. Identification/Authentication
IX. Intrusion Detection Security Monitoring Policy
IY. Malicious Code
IZ. Physical Access Policy
I1. Portable Computing Policy
I2. Privacy Policy
I3. Third-Party Access
I4. Application Security Policy
I5. Technology Acquisition Oversight
I6-A. Website Disclaimer
I7. Merchant Card Policy