Security Policy Goals
Statement of purpose
Personal network devices are computing devices that create unauthorized network extensions or provide monitoring of network traffic. They include, but are not limited to, hubs, hot spots, packet sniffers, switches, routers, and wireless access points. These devices interfere with the normal functioning of CCC’s enterprise network architecture and have the potential to introduce unmanaged security vulnerabilities into the network. This policy strictly prohibits the insertion of unauthorized network devices into the CCC network.
Scope statement
This policy excludes personal computing devices such as laptops, tablets, and smart phones.
This policy applies to connectivity to any part of the CCC network, whether wired or wireless, and includes public access networks for guest access. All Clackamas Community College (CCC) employees, students, affiliates, and visitors who interact with CCC ITS resources are subject to this policy. Accountable and responsible individuals are the ITS operational support personnel.
Policy summary
Network Extension Devices (NED) shall only be deployed on Clackamas Community College (CCC) networks with prior written approval of the Director of Information Technology. Approved devices shall comply with CCC networking standards and all applicable information security policies.
This policy shall be subject to and superseded by applicable regulations and laws.
Policy
- The individual requesting the connection of a NED shall be required to provide a demonstrable need for this connection and why this need cannot currently be met with existing ITS resources.
- The Director of Information Technology shall explicitly approve any use or deployment of NEDs. Requests and approvals must be documented on a change ticket.
- All approvals shall be limited in duration. If the use case justifies permanent installation, then the CCC ITS department shall investigate a permanent resolution with college-owned devices.
- Approved devices shall comply with CCC networking standards and shall be compatible with CCC network architecture.
- Devices with software management capabilities shall support authentication mechanisms that comply with currently defined policies and procedures for CCC devices. Where possible, such devices shall be integrated into the current CCC authentication systems. User authentication requirements for NEDs shall not be less strict than currently defined policies and procedures (e.g., complex passwords, password change interval, etc.).
- All remote access to the CCC networks using NEDs shall be prohibited.
- All approved NEDs shall be inventoried. All approved users of these technologies shall be recorded.
- All NEDs shall be labeled to include the device owner, the owner’s contact information, and the device’s purpose.
- Acceptable use of NEDs is subject to the same guidelines and restrictions put forth in the CCC Acceptable Use Policies.
- Permitted Locations – The requestor shall indicate the location of use for the NED. The device shall not be relocated from an approved location without approval documented in a support request.
- The use of these devices must be logged.
- Session Connectivity shall be in accordance with CCC System Configuration policy.
- The owner of the NED assumes all risk; CCC will not be liable for theft, damage, or destruction of the NED.
- Violators of this policy may be subjected to disciplinary action per applicable collective bargaining agreement.
- Repeat offenders may be subjected to additional technical controls to prevent abuse up to and including permanent destruction of the offending equipment.
Exemptions
None
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).
Policy violation
Complaint procedures
Governing standards, policies, and guidelines
Definitions
Responsible executive
Chief Information Officer
Last revision date
3-16-2022 srw (Final Draft)