1. Purpose

    To ensure the protection of University assets that are accessible by users, suppliers and vendors and to maintain the security of information transferred within network infrastructures managed by, or on behalf of, the University and with any external entity.
  2. Network security management
    1. Network Controls

      Networks should be managed and controlled to protect information in systems and applications.
    2. Security of Network Services

      Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
    3. Segregation in Networks

      All enterprise network architectures operated by, or on behalf of, the University should be designed to support, at a minimum, separate public, “demilitarized” and private security zones based on role, risk, and sensitivity. Bridging between separate security zones is strictly prohibited. All access between separate security zones should be controlled by a security mechanism configured to deny all access by default unless explicitly authorized and approved by the Office of Information Technology’s Information Security Management Team.
  3. Information transfer
    1. Information Transfer Policies and Procedures

      Formal transfer policies, procedures, and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
    2. Agreements on Data Transfer Policies

      Agreements should address the secure transfer of business information between the University and external parties.
    3. Electronic Messaging

      Data involved in electronic messaging should be appropriately protected.
      1. Internal Electronic Messages Control

        Email and instant messages internal to the University’s domain containing confidential data should be encrypted during transmission. Confidential information should not be placed on the subject line of the email or as any part of instant messages.
      2. External Electronic Messages Control

        E-mail sent through the public Internet must be encrypted if it contains confidential information in the body or attachment of the email. Confidential information should not be placed on the subject line of the message.
      3. Electronic Messaging Management

        All electronic messages created, sent or received in conjunction with the transaction of official business should use the University approved gateway(s) to communicate via the Internet.
    4. Confidentiality or Non-Disclosure Agreements

      When exchanging or sharing information classified as Sensitive or Confidential with external parties that are not already bound by the contract confidentiality clause, a non-disclosure agreement should be established between the owner of the data and the external party.