Security Policy Goals [Link will go here]
Statement of purpose
There are many components that make up the cyber-security defenses at CCC. However, at the core is the protection of the perimeter of our network from external attacks and intrusions using firewall and supporting network technologies. This policy documents the core principles for the configuration and maintenance of our firewall infrastructure.
Scope statement
This policy applies to CCC firewall installations and all CCC network infrastructure components. Accountable and responsible individuals are the Information Security team, ITS operational support personnel, and network support management and staff.
Policy summary
Each connectivity path and service to and from the Clackamas Community College (CCC) network shall be managed and protected by firewalls. Firewalls, routers, and switches are configured and administered according to defined and documented procedures.
Changes to firewall hardware, software, or security rules shall be reviewed, approved, logged, and implemented using documented change control procedures.
This policy shall be subject to and superseded by applicable regulations and laws.
Policy
- Every connectivity path and service shall be managed by CCC firewalls, unless specifically permitted by exception by the Chief Information Officer (CIO). Exceptions to this policy shall include supporting documentation showing the path and its interconnections to the CCC Network.
- All externally initiated inbound traffic shall only be permitted into a firewall-segmented demilitarized zone (DMZ) network. In all cases, this traffic shall be limited only to ports necessary for CCC’s business requirements.
- At least every six months, the Network Manager shall ensure a thorough review occurs for each firewall rule set and record results of the review.
- All mobile and employee-owned computers with direct connectivity to the Internet (e.g. laptops used by employees) that are used to access the CCC network shall have host-based firewall software installed and activated.
- Internal IP addresses shall be hidden utilizing Network Address Translation (NAT) or Port Address Translation (PAT).
- Anti-spoofing technologies shall be configured on perimeter devices.
- Outbound traffic from internal production systems shall be restricted to only required protocols and services.
- On-premise enterprise databases shall be segmented from the larger CCC network.
- Specially regulated services (e.g. HIPAA, PCI) shall be configured on dedicated, isolated network segments that conform to regulatory standards.
- Internet and wireless access to the core CCC network shall be regulated using next-generation firewalls.
- Where VLANs are used for segmentation, appropriate network security principles (e.g. ACLs) shall be implemented.
- Network hardware devices and operating systems shall be upgraded, patched, and maintained according to manufacturer recommendations and standards.
Exemptions
Emergency actions (such as implementation of a firewall block rule) needed to mitigate ongoing cyberattacks may be implemented immediately without prior consideration of the change control authority. Such emergency changes shall be recorded and later subjected to follow-up reviews.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).
Policy violation [Link]
Complaint procedures [Link]
Governing standards, policies, and guidelines [Link]
Definitions [Link]
Responsible executive
Chief Information Officer
Last revision date
02-24-2022 srw (Final Draft)