Minimum Security Standards for Networked Devices Policy

NOTE: This Policy is superseded by the updated version of the Minimum Security Standards for Networked Devices (MSSND) 


Responsible Executive: Chief Information Officer

Responsible Office: IT Policy

Contact: For questions about this policy, contact: security-policy@berkeley.edu.

Policy Summary

Access to and use of campus network services are privileges accorded at the discretion of the University of California, Berkeley. Devices connected to the UC Berkeley electronic communications network must comply with the minimum standards for security set by the Campus Information Security and Privacy Committee (CISPC). Campus departments, units, or service providers may develop stricter standards for themselves. Devices that do not meet minimum standards for networked host security configurations may be disconnected. Devices that host restricted data as defined in University of California Business and Finance Bulletin IS-3 are required to conform to more rigorous security standards. (See the Provisional Minimum Security Standards for Electronic Information.)

Who Should Read this Policy

  • Deans, Directors, and Department Heads
  • System Administrators
  • Individuals working with networks, computers, software, and data

Why We Have This Policy

The University of California, Berkeley encourages the use of its electronic communications network in support of education, research, and public service. However, this resource is limited and vulnerable to attack. UC Berkeley therefore reserves the right to deny access to its electronic communications network by devices that do not meet its standards for security.

This policy requires compliance with minimum security standards to help protect not only the individual device, but other devices connected to the electronic communications network. The policy is also intended to prevent exploitation of campus resources by unauthorized individuals.

The policy applies to all devices connected to the campus electronic communications network or using a Berkeley.edu Internet Protocol (IP) address* to originate electronic communication. Devices include computers, printers, or other network appliances, as well as hardware connected to the campus network from behind firewalls or Network Address Translation (NAT) systems.

Responsibilities

Campus Administrative Officials (see Glossary for definition)

  • Ensure that devices connected to the electronic communications network from their department or unit are supported by an administrator or user with the ability to maintain minimum security standards.

System Administrators, or anyone functioning as a system administrator (see Glossary for definition)

  • Ensure compliance with minimum standards for security as set forth in the Procedures section below.

Campus Information Security and Privacy Committee (CISPC)

  • Provides direction, planning, and guidance about information security.
  • Develops and reviews campuswide information security policy and procedures.
  • Writes minimum security standards for networked devices.
  • Approves exceptions to minimum security standards.

Information Security Office (ISO)

  • Works with the campus community to protect computers and the campus network infrastructure from electronic attack.
  • When necessary, blocks access to UC Berkeley's electronic communications network in accordance with "Guidelines and Procedures for Blocking Network Access."

Departments, Units, and Individuals

  • Use devices that comply with the minimum standards set forth in this policy.
  • Function as the system administrator in the absence of an assigned system administrator.

Procedures

Minimum Standards

Minimum security standards for devices attached to the UC Berkeley electronic communications network are linked to this document as Appendix A (Minimum Standards for Security of Berkeley Campus Networked Devices). These standards change periodically. Network device users should consult the above link to make sure they have the latest security standards before upgrading or changing their equipment. Implementing guidelines that provide more information about complying with the minimum security standards are attached to this document as Appendix B (Implementing Guidelines for the Minimum Standards for Security of Berkeley Campus Networked Devices).

Exceptions

Departments, units, or individuals unable to comply with the minimum security standards for UC Berkeley networked devices but wishing to connect to the campus electronic communications network must identify resources that will assist them (on an ongoing basis) in becoming compliant. Devices that do not comply with the minimum standards are subject to exclusion from the campus network.

Departments, units, or individuals who believe their devices require configurations that do not comply with the minimum security standards for UC Berkeley networked devices may request connection to the campus electronic communications network on an exceptional basis.

Use the Request for Exception to the Campus Minimum Security Standards website to submit requests. Questions about the Minimum Security Standards or the exception process may be addressed to: security-policy@berkeley.edu.

The System and Network Security Office will process the request for final approval by the CISPC. If, after review, there is still disagreement over a decision, it may be appealed to the Executive Vice Chancellor and Provost. The Executive Vice Chancellor and Provost's decision will be final.

Revising the Minimum Standards

Changes to the minimum security standards for networked devices will be approved by the CISPC.

Website Address for this Policy:

http://security.berkeley.edu/MinStds/netdevices.html

Glossary

Account: The business record through which service providers authorize access to electronic communications networks under their control.

Administrative Official: A UC Berkeley employee to whom financial, administrative, or management responsibilities have been delegated, e.g. vice chancellor, provost, dean, department chair, principal investigator, director, or manager.

Authentication: Proof that someone or something is who he, she, or it claims to be.

Electronic Network: A group of two or more computerized communications devices linked together.

Encrypted: Transformed, using a cipher and a secret key, into a form that cannot be read without the corresponding key.

NAT (Network Address Translation): A technique in which a router or firewall rewrites the Internet Protocol (IP) addresses in traffic passing through it, so that a local-area network can use one set of (typically private) addresses internally while appearing to the outside world under a second set of public addresses. Devices behind NAT are still covered by this policy.

Networked Device: A computer, printer, wireless appliance, or other piece of equipment that can connect to and communicate over an electronic network.

Restricted Data: Data whose use is restricted by law, University of California, or UC Berkeley policy; or data that a Data Proprietor chooses to protect from general access or modification, even if such access may not be prohibited by law, University of California, or UC Berkeley policy. Types of restricted data include, but are not limited to, data that identifies or describes an individual and data to which unauthorized access, modification, or loss could seriously or adversely affect UC Berkeley, its partners, or the public.

Service Provider: A unit, organization, or staff person with responsibility for allowing access to any part of UC Berkeley's electronic communications systems and services.

SMTP Service: Electronic communication service using "Simple Mail Transfer Protocol", a protocol for sending e-mail messages between devices.

System Administrator: An individual responsible for configuration and maintenance of any device connected to the campus network. This responsibility may occur at the level of a single device (e.g. for an individual using a campus network connection service, such as HIP, SHIPS, LIPS, or AirBears) or for groups of devices (e.g. devices within departments or units, including computer labs) and pertains to system administrators affiliated with the campus as well as to non-campus personnel serving the campus on an outsourced basis. In the absence of an assigned system administrator, the device user will be considered to be the system administrator.

Proxy Service: A networked computer that relays requests from clients to other computers on their behalf, and may filter or log those requests.

Keyword Index

Computer Security, Computer Standards, Configuration, Devices, Minimum Security, Minimum Standards, Network Security, Standards

Appendices: