IT Security Standard: Network Configuration Compliance
Brief Description:
This standard describes the requirements for ensuring that network control devices are confirmed to adhere to CSU best practices prior to placement of the device on the campus network. This standard also describes the requirement for confirming adherence to those best practices on an annual basis to ensure no network devices fall out of best practices.
Related Policy:
- Cal Poly Information Security Program (ISP)
- CSU Information Security Policy - ISO Domain 12: Operations Security
Introduction:
Network control devices make up the campus wired and wireless infrastructure. It is critical that those devices are secure and available at all times. By following the CSU Information Technology Resources Program (ITRP2) standard, campus network security and availability will be maximized. By auditing network control device configurations on a recurring basis, we are decreasing the chance that a device will be compromised or fail due to configuration error.
Scope:
For the purposes of this document, network control devices include but are not limited to: switches, routers, firewalls, and wireless networking equipment.
Standard:
Required:
- All network device configurations must adhere to ITRP2 required standards before being placed on the network as specified in the CSU configuration guide. Using this guide, a boilerplate configuration has been created that will be applied to all network devices before being placed on the network.
- Updates
- Updates to network device operating system and/or configuration settings that fall under ITRP2 standards are announced by the CSU Chancellor’s Office. Updates must be applied within the time frame identified by the Chancellor’s Office.
- Administrators of network devices that do not adhere to ITRP2 standards (as identified via a previous exception) must document and follow a review process of announced vendor updates to operating system and/or configuration settings. This process must include a review schedule, risk analysis method and update method.
- All network device configurations must be checked annually against the configuration boilerplate to ensure the configuration continues to meet required standards.
- Where possible, network configuration management software will be used to automate the process of confirming adherence to the boilerplate configuration.
- For other devices an audit will be performed quarterly to compare the boilerplate configuration to the configuration currently in place.
- All discrepancies will be evaluated and remediated by Network Administration.
Responsibilities:
It is the responsibility of ITS Network Administration to apply the standards based configuration and to ensure an annual audit is performed of all network control devices.
Non-Compliance and Exceptions:
Exceptions must be documented and approved through the IT Policy/Security Standard Exception Process, and should be recommended for modification to the baseline standard if desired. All device configurations not in compliance must be corrected immediately if an exception is not approved.
Related Procedures and Resources:
- CSU ITRP Baseline Network Standard Architecture [pdf]
- IT Security Standard: Computing Devices [pdf]
- IT Policy/Security Standard Exception Request Process
Implementation
| Effective Date: | 9/30/2010 |
|---|---|
| Review Frequency: | Annual |
| Responsible Officer: | Vice Provost/Chief Information Officer |
Revision History
| Date | Action | Pages |
|---|---|---|
| 9/30/2010 | Release of new document | All |
