Protection of the network infrastructure at the University of Tennessee is necessary in order to assist the university in effectively achieving its mission of teaching, learning, research, and public service. This policy provides the definitions for creation and maintenance of a secure systems infrastructure, including both wired and wireless technologies. These definitions include technical, administrative, maintenance, computer systems refresh, and operations solutions for information technology network infrastructure security.
This policy applies to all students, staff, and others, referred to as users throughout this policy, while accessing, using, or handling the University of Tennessee's information technology resources. In this policy, "users" include but are not limited to subcontractors, visitors, visiting scholars, potential students, research associates, grant and contract support personnel, media representatives, guest speakers, and non-university entities granted access. All "users" are required to be familiar with and comply with this policy.
The entire infrastructure of each campus or institute will be the responsibility of the position of authority for information technology at each respective campus or institute.
All network infrastructure components shall be maintained at a reasonable operational and secure level. Components that are older and have out-of-date revision levels are a high security risk and operate at a suboptimal level. The position of authority for information technology at the respective campus or institute shall develop a plan that meets the needs of each respective campus or institute for maintaining a reasonably modern level of these components. An equipment refresh cycle shall be developed by the position of authority for information technology in conjunction with the lead financial entity at the respective campus or institute that is in accordance with industry standards related to the end-of-life timeframes of network infrastructure components.
This policy will cover all wiring and electronic devices from the wall outlet inward to the campus or institute core network. In addition, certain devices outside the wall-outlet-to-core region, including all university subscribed services (e.g., dial-in servers, DSL, and cable modems), are also subject to this policy.
Wireless networks are an important part of the network infrastructure and have specific security requirements. These requirements are to be defined in the UNIVERSITY OF TENNESSEE INFORMATION TECHNOLOGY SECURE WIRELESS POLICY.
A customized network infrastructure plan that defines technical, operational, and security elements will be presented, maintained, and updated prior to each major upgrade of the network infrastructure. This plan will serve as the blueprint for planning and budget purposes.
A disaster recovery and emergency response plan shall be in place for all critical elements of the network infrastructure for each campus or institute. The development of the plan shall include input from the information custodians and the lead financial entities at each campus or institute.
This policy applies to all planning for facility construction projects involving network infrastructure components, whether new facilities or remodeling of existing facilities. The position of authority for information technology at the respective campus or institute shall be consulted concerning specific network infrastructure requirements in all cases.
Due to the sensitive nature of the wiring required for information technology, installation and maintenance of all wiring is the sole responsibility of the information technology entity at each respective campus or institute. Wiring will not be installed by divisional faculty, staff, or students. Wiring will not be installed by third party contractors hired by a unit without the express consent of, and under the direct supervision of, the position of authority for information technology at each respective campus or institute.
For all existing data communication closets, use of this space must be dedicated to data communications, monitoring, telephone equipment, and electrical panels (when they are already installed) given the critical nature and physical security protection requirements of the equipment located in this space. The space must not be used for housekeeping, storage space, or for any other use. Dedicated, secure communications closets are critical to the physical security of the campus or institute network.
Locks will be unique for data communications closets to discourage other use of this space and to discourage unauthorized personnel from making wiring changes.
It is the responsibility of the campus or institute, college, or department to provide appropriate space for the data communications closet in the design for any new building and renovations of existing facilities.
All new wiring installations, including those involved in renovation of building(s), must adhere to low voltage industry standards as specified in the BUILDING INDUSTRY CONSULTING SERVICE INTERNATIONAL (BICSI) practices including, but not limited to, those shown in the attached reference information.
The position of authority for information technology at each respective campus or institute will monitor all active network infrastructure components. This will allow for quick problem detection and repair or replacement of failing devices as well as review of potential security incidents.
After-hours access to data communications closets must be provided to selected information technology personnel so that failing components can be quickly repaired or replaced and/or resolution of security incidents can be expedited.
A defined plan created by the position of authority for information technology at each respective campus or institute for spare components shall be in place for all critical components of the network infrastructure.
All network infrastructure devices shall be maintained at the most recent stable code levels that provide the highest required level of security. The position of authority for information technology at the respective campus or institute shall be consulted if assistance is required to determine the appropriate code level for infrastructure devices.
There shall be a pre-determined maintenance window established for all network infrastructure devices that provides sufficient time on a regular basis to maintain the hardware and software updates.
The position of authority for information technology at the respective campus or institute will control IP address management at each respective campus or institute. This will be done via Dynamic Host Configuration Protocol (DHCP), with static Internet Protocol (IP) addresses assigned as necessary.
The position of authority for information technology at the respective campus or institute will control Domain Name System (DNS) management at each respective campus or institute.
The position of authority for information technology at the respective campus or institute will try to accommodate all requests for special network topologies that are needed for research, teaching, or service.
All network infrastructure devices shall have logging capabilities enabled to record all access attempts, both successful and unsuccessful.
All network infrastructure devices shall have a secure password methodology for access. All network infrastructure devices must be designed, tested, and controlled to prevent the retrieval of stored passwords.
All network infrastructure devices shall be restricted to secure communications protocols for administrative and/or maintenance access. In cases where insecure protocols must be used, compensating controls must be in place and documented. The position of authority for information technology at the respective campus or institute or the Information Security Officer shall be consulted if assistance is required to determine the appropriate compensating controls for access to infrastructure devices.
All back-ups for network infrastructure devices must be secured at the same level as the primary device.