SP 6-10q – Network Device Configuration
Colorado Community College System / System Procedure
SP 6-10q
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCE(S): Board Policy (BP) 6-10, Cyber Security Policy
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents the minimum requirements by which Colorado Community College System and its Colleges’ (“CCCS”) Information Technology (“IT”) firewalls, routers and other network devices are configured, maintained, and secured to protect CCCS Information Systems and Assets.
This procedure covers how IT network devices are leveraged within CCCS and, specifically, how equipment must remain secure with respect to administration, access rules and logging.
APPLICATION
This procedure applies to Information Assets owned, leased, managed and maintained by the System Information Technology (“IT”) Department (“System IT”) or the College Information Technology Department (“College IT”) or by third parties on behalf of CCCS.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
System IT and College IT network Information Assets facilitate work efficiencies and should be hardened to prevent misuse, abuse, attack, and breach. IT network Information Assets act as boundaries of control whereby access to specific resources can be allowed based on business need or prevented in a manner which is both secure and reliable. Network diagrams should be created for any architectural network changes and the diagrams should be shared with CCCS Manager of Information Security to ensure the changes do not add unnecessary risk to the confidentiality, availability, or integrity of System IT and College IT Information Systems. Changes to network architecture should be implemented through the standard change control process. Keeping Information Systems and Assets secure from exploitation is crucial to CCCS’s ability to protect information access.
Network Documentation
- Devices, technologies and components on the CCCS network shall be documented and maintained in a network diagram or in a network device asset inventory and shared with the Manger of Information Security.
- Network diagrams and asset inventory documents are classified as Sensitive information and are to be shared on a need-to-know basis. A redacted version of the network diagram that can be shared with third parties shall also be maintained.
- The network diagram and network device asset inventory shall be reviewed annually and updated as needed.
Network Device Requirements
Communication flows between electronic devices are managed by CCCS’s firewalls to ensure appropriate levels of access are maintained.
- A network firewall must be deployed at internet connection points and the CCCS network.
- All firewalls that are deployed on the System IT production network or between the System IT production network and a College’s local area network shall be managed by System IT.
- A network device must be deployed at each network control point in situations where internal networks must be routed.
- The firewall must perform stateful packet inspection.
- Default user, guest and administrative account passwords should be modified and, if possible, administrative access should be centrally managed. If centralized management is not possible, named accounts should be implemented for administrative activities.
- Firewall rules shall be documented, including business reason for the rule.
- Unnecessary ports shall be disabled.
- Administration of networking devices should be performed with secure protocols (e.g., HTTPS, SSH).
- Changes to networking devices should be logged and changes should be made using a change management process.
- Firewall security rulesets and router access rules must be reviewed periodically, and the review will be documented.
- Inbound and outbound traffic should be restricted to only necessary communications, and the final rule processed on each interface within a firewall must be Deny All.
- Internal IP addresses should not be exposed to the internet.
Security Configuration
- Security configuration baselines are based on vendor-specific and/or industry standard best practices (e.g., Computer Information Systems Benchmarks) applied with consideration to CCCS’s business requirements.
- Compliance to the security configuration baselines will be periodically measured and reported upon.
- Deviations identified during reporting will be reviewed, prioritized for remediation and corrected per CCCS Change Management processes.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.