I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. The purpose of this standard is to define requirements and responsibilities for the deployment, administration, support, and protection of FSU’s network from abuse, attacks, and inappropriate use.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Access Point – any piece of equipment that uses transmitters and receivers to provide wireless communication. These devices act as hubs and allow communication with the campus network.
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Cryptography – the discipline that embodies the principles and methods for the transformation of data to hide semantic content, prevent unauthorized use, or prevent undetected modification. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”).
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Interference – the degradation of a wireless communication signal caused by electromagnetic radiation from another source. Such interference can either slow down a wireless transmission or completely eliminate it depending on the strength of the signal.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
Function | Category | Desired Outcome (Subcategory)
--- | --- | ---
Protect (PR) | Identity Management and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Protect (PR) | Identity Management and Access Control (PR.AC) | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
Protect (PR) | Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-2: Data-in-transit is protected
Protect (PR) | Data Security (PR.DS) | PR.DS-5: Protections against data leaks are implemented
Protect (PR) | Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | PR.PT-4: Communications and control networks are protected
Detect (DE) | Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | DE.CM-1: The network is monitored to detect potential cybersecurity events
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Information Technology Services (ITS)
ITS is the central IT organization for the university, providing technology and IT support for FSU’s educational, research and administrative functions. Services include email, network, voice and web services, specialized applications, etc. ITS is directed by the Chief Information Officer (CIO).
Network responsibilities include, but are not limited to:
- Maintain and operate the FSU Enterprise Network and provide upstream external connectivity.
- Provide all electronic communication resources and approve all installations of wireless access points used on the campus.
- Serve as the authoritative and responsible unit for the registration and management of all University-owned public IPv4 and IPv6 address space, as well as private IP address space used within the FSU domain.
- Serve as the authoritative and responsible unit for the registration and management of all University-owned DNS domains.
- Operate the NTP servers for the University.
- Mitigate network incidents such as Denial of Service (DoS) attacks.
- Coordinate with ISPO on network architectural changes to ensure ISPO has sufficient visibility of network traffic.
- Implement access and authorization controls to protect facilities that maintain university information resources from physical and environmental threats. Authorize credentials for facility access and enforce access, as defined by the 4-OP-H-25.08 IT Physical Access Standard.
- Wireless Networks:
  - Manage and deploy wireless communication systems.
  - Maintain all wireless networks and access points on campus.
  - Resolve wireless communication interference problems.
  - Monitor performance and security of all wireless networks within common areas and maintain network statistics as required to prevent unauthorized access to the campus network.
  - Monitor the development of wireless network technologies, evaluate wireless network technology enhancements and, as appropriate, incorporate new wireless network technologies within FSU.
  - Approve wireless communication hardware and software used by campus departments. Approve departmental installations of wireless communication systems/access points when allowed.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
For more information, see IT Roles and Responsibilities.
Scope
This Standard applies to all members of the FSU community and all locations and operations of the University. In order to ensure the security of the network and infrastructure, ISPO may perform or authorize network security monitoring, intrusion detection/prevention, website scanning, network scanning, and other security procedures. To support public health and safety, and consistent with applicable privacy laws and policies, FSU may perform monitoring, including but not limited to, location data, wireless connections, and FSU card utilization. Use of FSU information technology resources constitutes consent to monitoring activities.
In the context of this Standard, network and infrastructure resources include, but are not limited to:
- wired and wireless networks
- cloud environments
- communications equipment, such as cabling and infrastructure devices, including, but not limited to, the following:
  - related physical networking infrastructure including cabling
  - routers, switches, firewalls, load balancers
  - wireless access points
  - NTP, DHCP and DNS servers
  - cellular, VoIP and cable TV
Network Requirements
In addition to legal and/or contractual obligations, University Unit ISMs are responsible for coordinating with their CUU ISM to ensure the following requirements are met:
- Installation of all network devices must be approved and coordinated by ITS. This includes, but is not limited to hubs, routers, switches, remote access devices, IoT devices, modems, wireless access points or any other devices that allow access to the FSU network.
- Appropriate baselines must be selected and maintained as defined by the 4-OP-H-25.03 IT Security Configuration Management Standard. All network devices and components must be inventoried, monitored, and managed appropriately to determine the susceptibility to risk or exploit and the required level of protection required to comply with policies and standards. This includes accurate and current documentation of network contact information within Rick’s Pages.
- Network devices must be securely configured utilizing industry best practices, vendor documentation, and in coordination with ITS (where applicable). Configurations must also comply with the 4-OP-H-25.03 IT Security Configuration Management Standard.
  - key connection points and network distinctions (subnets, VLANs, etc.)
  - configurations of network devices such as firewalls, routers, switches, intrusion protection systems, modems, cloud, and other network-related equipment
  - connectivity (if any) to support external vendor access
- Administration of hardware, software, or applications performed over a network shall be encrypted.
- A change management process must be implemented to ensure proposed modifications to configurations are reviewed, approved, tracked, and documented.
- Default or vendor-supplied passwords distributed with hardware or software must be changed immediately.
- Installation of security patches must be managed appropriately based on susceptibility to risk and the required level of protection required by FSU Policies and Standards.
- Insecure protocols (e.g., FTP, TELNET, etc.) must be blocked.
- Wireless networks and virtual private networks will be configured to block access to prohibited applications in accordance with s. 112.22, F.S.
- Access to countries sanctioned by the Office of Foreign Assets Control (OFAC) will be restricted.
- Must comply with Federal Acquisition Regulations (FAR 52.204-25).
- Authentication must be implemented for routing protocols.
- Network perimeter security measures must be in place to prevent unauthorized connections to university IT resources.
- FSU security systems and safeguards must not be bypassed.
- Public IP addresses should only be assigned where absolutely necessary. Minimize the threat surface by defaulting to RFC 1918 IP space when possible.
Boundary Protection
Boundary protection, typically and most efficiently provided by firewall appliances, is a critical component of a comprehensive security program and is often called out specifically in compliance regimes. Boundary protection responsibilities are distributed to individual CUUs, Units, or ITS. Compliance requirements are based on data risk levels, as defined by the 4-OP-H-25.01 Data Security Standard. IT Asset Custodians are responsible for ensuring network classification and communication with University Unit ISMs and CUU ISMs. The CISO, University Unit ISMs and CUU ISMs are responsible for ensuring compliance with the following:
Information Classification (the three right-hand columns give the requirement level for each data risk level):

# | Boundary Control | High Risk Data | Moderate Risk Data | Low Risk Data
--- | --- | --- | --- | ---
B.1 | Deny all inbound network communication by default and allow only by exception | Required | Required | Recommended
B.2 | Deny all outbound network communication by default and allow only by exception | Required | Required at host or network firewall level | Recommended
B.3 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks (e.g. DMZ) | Required | Required | Recommended (strongly)
B.4 | Implement subnetworks to physically or logically separate functionality | Required (where supported) | Required (where supported) | Recommended (where supported)
B.5 | Permit inbound communication with FSU VPNs only if they are full tunnel (e.g. disallow split tunnel) | Required | Required | Recommended
B.6 | Audit boundary protection rulesets, at least annually | Required | Required | Recommended
B.7 | Continuous auditing of network traffic logs at the external boundaries and key internal boundaries | Required | Required | Recommended
B.8 | Limit network access to only the resource(s) necessary to perform work (least privilege). | Required | Required | Recommended
B.9 | Utilize next generation capabilities (e.g. deep packet inspection, Intrusion Detection, Intrusion Prevention) on each rule | Required | Required | Recommended
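As an added example of what an annual ruleset audit under B.6 can check mechanically, the following Python script (not part of this Standard and not an FSU or ITS tool) evaluates a constructed, vendor-neutral firewall ruleset against B.1 and B.2 (default deny inbound and outbound), B.8 (least privilege), and the Network Requirements item that insecure protocols such as FTP and TELNET be blocked. The `Rule` abstraction, the port numbers mapped to FTP (21) and TELNET (23), and the sample addresses are assumptions made for the example; real appliances use their own syntax and would need an export step in front of this check.

```python
"""Audit a first-match firewall ruleset against boundary controls B.1, B.2, B.8
and the 'insecure protocols must be blocked' requirement.

The Rule dataclass is a constructed, vendor-neutral abstraction (an assumption
for this example), not the syntax of any real firewall product.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: the Standard names FTP and TELNET as examples of insecure
# protocols; their well-known TCP ports are used here to recognise them.
INSECURE_TCP_PORTS = {21: "FTP", 23: "TELNET"}


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    ports: str       # "any", a single port "443", or a range "8000-8080"


def parse_ports(spec: str):
    """Return the (low, high) destination port range a rule covers."""
    if spec == "any":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    port = int(spec)
    return (port, port)


def is_any(cidr: str) -> bool:
    """True when the address field matches every host (e.g. 'any' or 0.0.0.0/0)."""
    return cidr == "any" or ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.proto == "any"
            and is_any(rule.src) and is_any(rule.dst) and rule.ports == "any")


def terminal_deny_index(rules, direction):
    """Index of the first deny-all rule for a direction, or None (B.1 / B.2)."""
    for i, rule in enumerate(rules):
        if rule.direction == direction and is_deny_all(rule):
            return i
    return None


def audit(rules):
    """Return a list of (control, message) findings; an empty list means clean."""
    findings = []
    for direction, control in (("inbound", "B.1"), ("outbound", "B.2")):
        idx = terminal_deny_index(rules, direction)
        if idx is None:
            findings.append((control, f"no deny-all rule for {direction} traffic"))
            continue
        # First-match semantics: anything after the deny-all is dead and is a
        # sign the ruleset is mis-ordered or carrying stale exceptions.
        for i in range(idx + 1, len(rules)):
            if rules[i].direction == direction:
                findings.append(("Ordering", f"rule {i} is unreachable (after {direction} deny-all)"))
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        lo, hi = parse_ports(rule.ports)
        if rule.proto in ("tcp", "any"):
            for port, name in INSECURE_TCP_PORTS.items():
                if lo <= port <= hi:
                    findings.append(("Insecure protocols", f"rule {i} permits {name} (tcp/{port})"))
        if is_any(rule.src) and is_any(rule.dst) and rule.ports == "any":
            findings.append(("B.8", f"rule {i} allows any-to-any on all ports"))
    return findings


# Constructed sample ruleset with several deliberate defects for the audit to find.
SAMPLE_RULESET = [
    Rule("allow", "inbound", "tcp", "any", "10.0.5.10/32", "443"),
    Rule("allow", "inbound", "tcp", "any", "10.0.5.11/32", "21"),          # FTP exposed
    Rule("allow", "inbound", "any", "any", "any", "any"),                   # violates B.8
    Rule("deny", "inbound", "any", "any", "any", "any"),                    # satisfies B.1
    Rule("allow", "inbound", "tcp", "10.0.0.0/8", "10.0.5.12/32", "22"),    # unreachable
    Rule("allow", "outbound", "tcp", "10.0.0.0/8", "any", "443"),
    # no outbound deny-all: fails B.2
]

if __name__ == "__main__":
    for control, message in audit(SAMPLE_RULESET):
        print(f"[{control}] {message}")
```

The checks are intentionally conservative: a rule counts as "deny-all" only when every field is wildcarded, so a narrower final deny still produces a B.1 or B.2 finding for a human to review rather than being silently accepted.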
Wireless Networks
Security is particularly important in wireless networks because data is transmitted in a manner that can easily be intercepted. Wireless networks must be configured to use strong security protocols that provide sufficient protection. Wireless transmission of FSU data must be implemented using ITS-approved cryptography for authentication and transmission.
Information Technology Services (ITS) is responsible for providing all wireless services. ITS will respond to reports of specific devices that are suspected of causing interference and disrupting the campus network. When interference between the campus network and other devices cannot be resolved, ITS reserves the right to restrict the use of any or all wireless devices.
a) Wireless Access Points
ITS is responsible for providing all electronic communication resources and must approve all installations of wireless access points used on the campus.
The following general policies must be followed:
- Wireless services are subject to the same rules and policies that govern other electronic communications services at FSU.
- Abuse or interference with other activities is a violation of acceptable use.
- Interference or disruption of other authorized communications or unauthorized interception of other traffic is a violation of policy.
- Wireless access points must meet all applicable rules of regulatory agencies, such as the Federal Communications Commission and Public Utilities Commission.
- Deployment and management of wireless access points is the responsibility of ITS. Wireless access point hardware, software, and deployment information must be registered for authorization by ITS.
- Wireless access points must be installed to minimize interference with other radio frequency activities.
- Monitoring for unauthorized wireless network access points must be performed. Upon detection, unauthorized wireless access points connected to the FSU network must be removed.
- Ensure the FSU wireless environment does not use vendor defaults (e.g., encryption keys, passwords, SNMP community strings, etc.).
- Inform wireless users of security, privacy policies and procedures related to the use of wireless communications.
- Coordinate hardware and software purchases for wireless access points through ITS and the Procurement Office
CUUs/University Units are responsible for the installation costs of wireless access points within campus buildings used by the department, following ITS recommendations. Where more than one department shares a common building, the CUUs/University Units may jointly share financial responsibility for wireless access points in that building, but clear accountability for management of users by the departments must be maintained.
CUUs/University Units shall obtain prior approval of any deployment of wireless access points from ITS to ensure proper use of the wireless spectrum. Installation of Access Points will be the responsibility of the CUU which must comply with rules and regulations of the University. New installations must not interfere with existing installations. Coordination is required to ensure baseline levels of connection service quality. Installation of antennas must comply with all federal and state regulations for antennas. The installation of access points and bridging devices must be consistent with health, building, and fire codes.
b) Security and Access
General access to the network infrastructure, including wireless infrastructure, will be limited to individuals authorized to use campus and Internet resources. Users of campus and Internet resources shall be authenticated as defined by the 4-OP-H-25.07 IT Access, Authorization and Authentication Standard. All connections must be logged to comply with appropriate state and federal laws.
- Physical Security of wireless access points will be maintained to protect the access point from theft or access to the data port. See 4-OP-H-25.08 IT Physical Security Standard.
- Password and data protection functions are provided by applications. The wireless infrastructure does not provide specialized encryption or authentication that should be relied on by applications. Applications must not rely on IP address-based security or reusable clear text passwords. Service machines will expect/require their own general or applications authentication, authorization, and encryption mechanisms to be utilized by users entering from any unprotected network.
- Access points or the security gateway shall provide user authentication and/or authorization to the network before access shall be given.
c) Network Reliability
Network reliability is determined by both the level of user congestion (traffic loads) and service availability (interference and coverage). In efforts to provide an acceptable level of reliability, this policy establishes a method for resolving conflicts that may arise from the use of the wireless spectrum. The campus approaches the shared use of the wireless radio frequencies in the same way that it manages the shared use of the wired Network. ITS will respond to reports of specific devices that are suspected of causing interference and disrupting the campus Network. When interference between the campus Network and other devices cannot be resolved, ITS reserves the right to restrict the use of any or all wireless devices.
d) Interference
FSU is the sole owner of the radio frequency spectrum on campus, including the unlicensed frequencies. This prevents interference, safeguards University resources, and ensures service delivery. All equipment must be carefully installed, configured, and monitored to avoid physical and logical interference between components of different network segments and other equipment. If a wireless device interferes with other equipment, the interference must be resolved as determined by this Standard and enforced by ITS.
e) Suitability
Wireless networks should be viewed as an augmentation to the wired network to extend the network for general access to common and transient areas.
- Wireless networks are appropriate for “common areas” where students, staff, and faculty gather. Common areas most appropriate for wireless use include but are not limited to, instructional labs, public areas, and research labs.
- Wireless access points provide shared bandwidth. As the number of users increases, the available bandwidth per user diminishes.
- New plans for buildings and gathering areas should consider the need for and use of wireless networks, similarly to the planning done currently for wired networks.
- Users of wireless networks should consider all unencrypted communications to be insecure.
Enterprise Firewall Strategy
ITS shall consult with ISPO on the FSU Enterprise Firewall strategy for the purpose of consolidating and operating all boundary protection, inter-VRF and cloud (e.g., AWS, Azure, etc.) communication within the scope of this standard. This includes analysis and design to maintain a boundary protection strategy that ensures consistency, reliability, visibility, and security.
Use Of FSU Networks
Users must understand and comply with all FSU IT security policies, standards, and guidelines while on the campus network. Users are responsible for all activities on FSU networks that originate from their device(s) or from any network connectivity registered in their name.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.