Skip to Content

Information Security Office

Network is experiencing difficulties.

Policy Index
Information Technology Security
Supplemental Policy
Number: 8045.0 Revised: August 15, 2010

8045.100 Security of Servers and Network Attached Devices

The Information Security Officer is delegated all necessary authority to set and enforce information security standards for all servers and network attached devices, as well as to monitor, establish and enforce remediation timelines and sanctions for non-compliant systems campus-wide. The primary mechanism for addressing security will be the registration and management of all identified critical, business and vulnerable servers and network devices under campus-wide standards defined by the Information Security Officer.

All critical, business, and vulnerable servers and network attached systems and devices (as classified by the Information Security Officer) must be registered in writing with the Information Security Officer.  The registration process shall include categorization of the data used by such systems and devices according to the Sacramento State Data Classification Standard and shall also provide other information as required by the Information Security Officer adequate for a full assessment of information security risk on such systems. The Information Security Officer will review the registration data for each registered system or device and then define the risk level for each such system and device based on the following security categories: 


Critical
  • Regulatory requirements (i.e. FERPA, PCI, HIPAA)

  • Contains Level 1 data as defined by the Sacramento State Data Classification Standard

  • Provides campus-wide infrastructure (i.e. network/telecommunication equipment, HVAC, authentication services)

  • Provides mission-critical  service (i.e. Learning Management System, Email, Data Warehouse)

  • Provides health and safety services

  • System cannot be unavailable through unplanned maintenance for more than four (4) hours

Business

  • Contains Level 2 data as defined by the Sacramento State Data Classification Standard

  • Provides key program center or college specific service (i.e. systems used to meet key academic and administrative goals)

  • System cannot be unavailable through unplanned maintenance for more than one (1) day

Vulnerable

  • Systems that exhibit elevated vulnerabilities

  • Systems that have an elevated risk of compromise

  • Systems that have been compromised

Client

  • Provide service to a local user or user group but does not provide services to other systems (i.e. desktop, labstation, laptop)

  • Provides a local physical service that requires proximity (i.e. scanner, printers, copiers)

All Level 1 and Level 2 data stored on campus servers and other network attached devices must be identified to the Information Security Officer in a timely manner and such data must always be securely stored and protected, as defined by Information Security Office guidelines.

The Information Security Officer must define mandatory standards and management protocols for each information security category above that are appropriate for the assured protection of both privacy and confidentiality of data. These standards and protocols should, at a minimum, address a) proper handling and encryption of backups and sensitive information; b) physical security; c) access controls; d) configuration management; e) patching and malware protection; f) change management; g) risk management; h) vulnerability management; i) incident response; j) logging and monitoring  of security events; k) secure network zoning;  and k) application acquisition, development and deployment.

All network attached devices must be actively scanned and/or reviewed on an ongoing basis by the Information Security Office vulnerability program.  Proactive mitigation must be performed on identified critical and severe security vulnerabilities, under the direction of the Information Security Officer.
All required information security logs, as defined by the Information Security Officer, must be maintained, monitored, reviewed and retained following campus Log Management Guidelines.

8045.200 Protection Against Malicious Software

All desktop computers, laptop computers, servers and other identified network attached devices must be actively managed by a campus-wide patch and malware management system.  The Information Security Office will develop and implement mandatory, comprehensive, and timely patch management and malware protection standards and processes for all computer and network devices campus-wide. These standards and processes shall be designed to minimize adverse effects of patch and malware management on continued operations.

All campus desktops, laptops, computer lab stations, servers and other applicable devices must run current anti-malware software and must be configured according to campus Configuration Management Standards as detailed in Section 8050.0.  Any exceptions to the use of malware protection under campus guidelines must be approved through the exception process noted under Section 8000.200 above. Detection of a malware attack or compromise must be treated as a security event and reported and acted upon as required by Section 8075.0 of this policy.
All inbound and outbound email to/from the campus must be protected from malware through processing by the campus-wide email security process identified by the Information Security Officer.

8045.300 Network Security

All identified campus network devices handling or distributing critical, business, or vulnerable data must be compliant with all institutional information security policies and practices. All such devices must meet mandatory campus-wide Network Security Standards, as defined by the Information Security Officer.

The Information Security Officer shall define the process for mitigation of vulnerability from non compliant devices, including procedures for the possible removal of the device from the campus network and/or Internet. 

Network Topology

All campus network topology will be determined by the Information Security Officer, in consultation with the Vice President and Chief Information Officer. Network topology will be based on development of secure network zones that will allow all networked devices to be placed in protected zones based on approved access needs, data classification, data value and risk.  Special consideration will be given to the need for specialized instructional networks.

At a minimum, zones will be created to:

  • Separate Internet-accessible devices from non-Internet-accessible devices

  • Separate client systems from service systems

  • Separate critical systems

  • Separate business systems.

  • Allow instructional systems to run unimpeded

All such network devices must comply with baseline security standards defined by the Information Security Officer.  All new network devices handling or distributing critical, business, or vulnerable data must undergo a formal review and approval process prior to their attachment to the campus network, under the direction of the Information Security Officer.

Network bridging (i.e. the connection of a single computer to multiple networks) is not permitted unless the methodology used for such bridging is established using standards approved in writing by the Information Security Officer.

8045.400 Wireless and Remote Access

The Information Security Officer will set information security requirements for all wireless network deployment and use, as well as establish and enforce remediation timelines and sanctions for non-compliant systems campus-wide.
The Information Security Officer will oversee a periodic campus-wide wireless network audit to detect and eliminate rogue access points and rogue wireless activity.
All wireless network access must be implemented with mandatory time-outs for inactive wireless sessions, as defined by the Information Security Officer.

8045.500 Information Asset Monitoring

All Level 1 and Level 2 data found to be lost, stolen, or compromised must be reported immediately to the Information Security Officer, using the policies and procedures detailed in Section 8075.0, Information Security Incident Management.

All servers and other applicable network-attached devices must be scanned for vulnerabilities on at least an annual basis and applicable event logs recorded under the direction of the Information Security Officer.  The information security risk level of each applicable system, as defined by the Information Security Officer, will determine the frequency at which such logs must be kept and reviewed.  Risk factors to be considered include:

  • Criticality of business process.

  • Information classification associated with the system.

  • Past experience with system vulnerabilities.

  • System exposure (e.g., services offered to the Internet).

Proactive identification of Level 1 and Level 2 data stored on servers, desktops, and other devices during such scanning and logging must occur and must be reported to the Information Security Officer. All Level 1 and Level 2 data identified must besecurely stored, using risk mitigation methods defined by Information Security Officer.  

Back to to Sacramento State Information Security Policy Website

Feedback/Questions/Comments