Title: Network Defense Policy
Approved by: Office of the President
Date approved by President or Board of Trustees: May 31, 2016
Effective Date: May 31, 2016
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 2.0
Related legislation and University policies:
Review Period: 3 Years
Date of Last Review: August 6, 2024
Related to: Faculty, Staff
Summary
This document defines the policy governing the availability of networked services to users on the public internet. The core objective is to reduce risk to the institution from internet-sourced attacks.
This policy applies to all CWRU managed or operated networks where institutional IT infrastructure is connected, on campus or at hosted locations.
Purpose
In order to reduce the security risk to campus networked systems, CWRU will align with the industry best practice of “Default Deny, Allow as Needed” through the implementation of this policy.
CWRU networked IT infrastructure will transition from a model of "default allow, block specific ports and protocols" to a model of "default deny, permit only vetted and approved ports and protocols."
CWRU will deny, by default, network communications from external networks to CWRU endpoints.
CWRU shall maintain an assessment and evaluation process to address user requests to allow a CWRU endpoint to be accessible from external networks (Internet facing services).
- On-campus users shall demonstrate a unique need for any exception to this policy.
- Requesters shall demonstrate the ability and continuity of resources to manage cyber risk to their allowed service.
- Exceptions may be granted on a temporary basis, with a maximum time frame of 1 calendar year, after which time the exception request must be re-submitted for renewal.
- Users who would like to request external (from off-campus networks) access to a CWRU network endpoint must open a help desk ticket and submit a firewall access request. Their request will be evaluated in the context of IT risk exposure to the university.
- Only minimum essential services and processes will be approved as exceptions, based upon device, IP address, service port, or application.
- Hosts granted firewall exceptions will be subjected to enhanced Vulnerability Management scrutiny. Owners of hosts granted firewall exceptions will be expected to comply with Vulnerability mitigation instructions provided by the Information Security office, or provide a business case justification for non-compliance.
- An Incident Response Plan document will be filled out and kept on file, to enable UTech to reach the host owner in case of an emergent security issue with the host exposed at the edge.
- Acceptance of the risk of exposure via Firewall Exception
The Chief Information Security Officer will periodically direct the assessment of overall risk to the university's information technology infrastructure presented by networked systems available from off-campus.
- Exposed CWRU endpoints that are at risk may have their exception temporarily suspended until risks have been mitigated.
Consequences for non-compliance will be addressed as a violation of the policy for Acceptable Use of Information Technology Resources.
Definitions
Data Center - Restricted access facilities on campus where server and network infrastructure are housed.
Default Deny - A default deny rule in firewall management refers to the default blocking of all network services, where only selected, approved, and trusted services are allowed through the firewall with the implementation of an Access Control List.
External Networks - Any network that is not part of the CWRU IT infrastructure, and is therefore an untrusted network.
CWRU Endpoint - A networked device with a fixed IP address using CWRU networks where an IT service is provided.
Cyber Risk - In the context of this policy, management of cyber risk means that the CWRU business unit or administrator of the system is accountable to ensure their system is not creating unnecessary risk to the university IT infrastructure.
Internet Facing Services - Network based services or protocols that can be accessed directly from the Internet without the use of any VPN services (e.g. www.case.edu).
Minimum Essential - Only the ports and services needed to accomplish the mission of the endpoint.
Unique Need - An academic or research focused service that cannot be fully supported or hosted in a data center or other university commodity IT service.