ITS Security Policy 110 - Personal Network Devices

This policy strictly prohibits unauthorized personal network devices on Clackamas Community College’s network to prevent security risks and disruptions. Any approved Network Extension Devices (NEDs) require explicit authorization, compliance with IT standards, and documented justification.

Status: TDX Submitted Draft (Updated)
Last Revision Date: 13 July 2022

Statement of Purpose

Personal network devices are computing devices that create unauthorized network extensions or monitor network traffic. These include, but are not limited to, hubs, hot spots, packet sniffers, switches, routers, and wireless access points. Such devices interfere with the normal operation of Clackamas Community College’s enterprise network architecture and may introduce unmanaged security vulnerabilities. This policy strictly prohibits the use of unauthorized network devices within the Clackamas Community College network.

Policy Summary

Network Extension Devices (NEDs) may only be deployed on Clackamas Community College networks with prior written approval from the Director of Information Technology. Approved devices must comply with Clackamas Community College networking standards and all applicable information security policies.

This policy is subject to and superseded by all applicable regulations and laws.

Policy 

1. Individuals requesting the connection of a Network Extension Device must demonstrate a valid need for its use and why existing ITS resources cannot meet this requirement.

2. The Director of Information Technology must explicitly approve any use or deployment of Network Extension Devices. All requests and approvals must be documented through a change ticket.

3. Approvals shall be time-limited. If a use case justifies permanent installation, the Clackamas Community College ITS department shall explore a permanent resolution using college-owned devices.

4. Approved devices must comply with Clackamas Community College networking standards and be compatible with the institution's network architecture.

5. Devices with software management capabilities must support authentication mechanisms that comply with Clackamas Community College policies and procedures. Where possible, these devices must integrate with the College’s authentication systems. Authentication requirements for Network Extension Devices shall not be less strict than existing policies (e.g., complex passwords, password change intervals, etc.).

6. Remote access to Clackamas Community College networks using Network Extension Devices is strictly prohibited.

7. All approved NEDs must be inventoried, and all authorized users must be documented.

8. All Network Extension Devices must be labeled with the device owner’s name, contact information, and device purpose.

9. Acceptable use of Network Extension Devices is subject to the same guidelines and restrictions outlined in the Clackamas Community College Acceptable Use Policies.

10. Permitted Locations - The requestor must specify the intended location of use. Devices must not be relocated from their approved location without documented approval via a support request.

11. The use of these devices must be logged.

12. Session connectivity must adhere to Clackamas Community College’s System Configuration Policy.

13. The owner of the Network Extension Device assumes all associated risks. Clackamas Community College is not liable for theft, damage, or destruction of the device.

14. Repeat offenders may be subject to additional technical controls to prevent further violations, up to and including the permanent destruction of offending equipment.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).