Minimum Security Standards (DRAFT)

Introduction

Access to and use of the UCI campus and Medical Center networks (UCInet) is a privilege accorded at the discretion of the University of California, Irvine.  Any device connected to UCInet must comply with minimum security standards as set forth in this policy.  Devices that host restricted data as defined in University of California Business and Finance Bulletin IS-3 are required to conform to more rigorous security standards.  Campus and Medical Center departments, units, or service providers may develop stricter standards as needed.  Devices that do not meet the minimum standards for security may be disconnected from the network or have their network access restricted to minimize exposure to attacks.

UC Irvine staff, faculty, students and other affiliates are encouraged to use UCInet in the pursuit of education and research.  This resource is limited and vulnerable to attack.  UC Irvine therefore reserves the right to deny access to UCInet to devices that do not meet the minimum standards for security.  This policy is designed to not only protect individual devices, but other devices on UCInet that could be affected by a compromised or exploited device.

This policy applies to all devices connected to UCInet or using a uci.edu Internet Protocol (IP) address.  It applies regardless of how the device is connected to UCInet and to any and all devices.  Devices include computers, printers or other network appliances, network equipment,  firewalls, Network Address Translation (NAT) devices, and mobile computing devices (laptops, PDAs, tablet computers, etc), Connection types covered include wired, wireless (mobile access), dial in modems (including the Zotnet service provided by Znet), and VPN services.  Home systems using a VPN service, dial in modems, or any other connection arrangement that give the connecting device a UCI IP address must meet this standard.

Definitions

None?

Responsibilities

System Administrators:  Ensure all devices connected to UCInet in their care comply with the minimum standards for security.

School Computing Coordinators/Computing Support Coordinators:  Ensure that devices connected to UCInet from their school, department, or unit are supported by an administrator who can maintain minimum security standards.

Office of Information Technology (OIT):  Works with the UCI community to protect computers and UCInet from attack, and block devices from UCInet or Internet when the security of the device is compromised.

Minimum Standards

Minimum security standards for devices connected to UCInet are attached to this document as Appendix A: Minimum Standards for Security of Devices on UCInet.  These standards can change periodically, so network device users should consult the appendix to make sure they have the latest security standards before upgrading or changing devices connected to UCInet.  Information and references providing guidance in implementing the minimum security standards are attached as Appendix B: Implementation References for the Minimum Standards for Security of Devices on UCInet (not available at this time).

Exceptions

Devices that are unable to comply with this must not be connected to UCInet unless an exception is granted to the school, department, or unit operating the device.  Exceptions may be granted in circumstances where application of security patches may affect the operation of the device, application(s) running on the device, or operation of any attached instrument(s).  In cases where exceptions are granted, the device given the exception will have its network access limited to the parts of UCInet necessary for its operation.  Under no circumstances will off-campus network access be allowed for devices granted exceptions.

To request an exception, please contact (insert who to contact here) with details on what the device is and why it needs an exception to this standard.