ITS Security Policies and Procedures

In order to provide comprehensive general security to the Centre College technology environment, a number of security measures are employed. Each measure has its own target(s), and collectively they provide both an open climate of information exchange that supports the educational enterprise and a sanctuary of protection to users and sensitive data.

General Campus Network Security

The College's network requires each user to have an account, which the user accesses by entering an account name and password.

Passwords

  • Active Directory provides an encrypted central username and password database for most campus systems requiring authentication.
  • Passwords must be 7 characters long.
  • A username/password combination can be entered incorrectly only 5 consecutive times before the account is locked out.
  • All logins are encrypted, including secure RPC, SSL and SIMAP access to Exchange – the College's mail client.
  • All shell access to servers or workstations running Linux/MacOS X/Solaris/HPUX is through SSH.


Firewall

  • The campus network is protected by a Cisco PIX Firewall serving as the border gateway which screens all potential traffic from outside the campus intranet.


Monitoring

  • Snort Intrusion Detection System provides monitoring of network attacks originating on the internet and directed at our local area network.
  • Bradford's Campus Manager is a Network Access Control system that requires students to register their computers before being given access to the full functionality of the wired and wireless network. It also provides a database that correlates IP and MAC address information to individual users.
  • Nessus is a vulnerability scanning tool used to determine if a node on the network poses a security risk because of a potential trojan service, virus, or un-patched OS.
  • OpenNMS is used as a central monitoring and logging system. It gathers information from other monitoring systems and SNMP enabled network devices and provides a unified view of the current network status and threat level.


Other Security Measures

  • Wireless – To address wireless vulnerabilities as this service capability is added to the campus network arena, Bradford's Campus Manager requires each user to enter a valid Centre username and password before being given access to our protected local area network. We use Bluesocket's wireless gateway solution to provide authenticated guest wireless access to campus.
  • Virus protection – Symantec Corporate Edition virus scanner is required on all campus computers, and is provided for all student machines. Virus signature files are updated every 60 minutes. Virus protection on our Exchange email server is also provided by Symantec Virus Scanner for Exchange, and all virus vector attachments are dropped at the email gateway.

SPAM

  • Currently, the email gateway utilizes the Barracuda spam scoring and filtering system. This system scores and filters SPAM before it arrives at our main campus Exchange server. In addition to blocking all items with a threshold score of 3, individual users can implement a SPAM folder that captures potential spam based on the system score assigned. Individual users are also encouraged to implement their own filters supported by the Exchange e-mail client.

   

Patch Management

  • Microsoft's WSUS server, through the use of Active Directory and a Group Policy Object, is employed to provide Windows OS updates to all Centre-owned machines on a regular schedule.
  • Students whose machines are not patched, as determined by Bradford's Campus Manager or a Nessus scan, will be notified and provided with assistance to bring their OS up to date. If swift action is not taken on the student's part, the machine can be denied access to the network at the switch port level.


Enterprise Database Security
General Measures

  • The administrative database runs on the UNIX Operating System version HP-UX B.11.11 U, and all security measures associated with UNIX user management are employed, including read, write, and execute permission at both the individual and group level.
  • Each user of the database has a designated login, encrypted password, and group membership that is associated with the specific role of that user.
  • The environment is a Trusted System, employing password aging, password expiration, and system audits.
  • Additional permissions and restrictions are imposed by the Informix database engine and the Jenzabar application programs employed to manage, modify, and retrieve data.
  • Access to the enterprise database server is limited to on-campus networked computers using a secure SSH connection.


Information Access to Constituents

  • Access to appropriately protected information by constituents through CentreNet is password protected.
  • All CentreNet web pages are secured through SSL encryption.
  • Each process which provides constituent information is protected under the auspices of database and application program permissions set for the membership of the constituent group.