MUSC Policy: Information Security - Network Access

 TITLE: Information Security - Network Access  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: Information Security Advisory Council  DATE: Feb 23, 2015
 APPROVED: Information Security Advisory Council  DATE: Feb 23, 2015
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 23, 2015

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.308(a)(1)(i) Security management process
HIPAA Security: 164.310(b) Standard: Workstation use
HIPAA Security: 164.310(c) Standard: Workstation security
HIPAA Security: 164.312(a)(1) Standard: Access control

2. POLICY

MUSC faculty, staff and students are authorized to connect end-user devices to the MUSC network, provided they do not extend the MUSC network, or provide unauthorized third-party access to the MUSC network.

The MUSC network shall not be extended without authorization. No device that extends the MUSC network (including but not limited to routers, switches, hubs, and access points) may be connected to the MUSC network, except as authorized by the Office of the CIO.

No third-party connections to the MUSC network are permitted, except as authorized by the Office of the CIO.

Any device that is connected to MUSC's network must be configured, maintained and operated by its designated Owner in accordance with the minimum security and connectivity standards set by MUSC.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Authorized Users of the Network

The MUSC campus network is partitioned into an internal network, intended for authorized internal users, and a guest network, intended for use by authorized visitors and guests.

MUSC faculty, staff and students are the only persons authorized to connect computing and/or communication devices to MUSC's internal network. A device may be connected by one of these authorized users if and only if the device has been configured, and will be maintained and operated, in accordance with the minimum standards referenced in this document.

Visitors and guests on the MUSC campus, including vendors and contractors, may not connect any device to the MUSC internal network without documented authorization from a member of the MUSC faculty or staff.

3.3. Accountability for Each Device

No device may be connected to MUSC's internal network unless an Owner has been designated for the device. The device's designated Owner is responsible for ensuring that the device is configured, maintained and operated in accordance with the minimum standards referenced in this document.

For any device connected by an MUSC faculty or staff member, or by an MUSC student, the individual who connects the device is responsible for registering the device, and is held accountable as the Owner of the device, unless a different Owner has been designated.

For any authorized device connected to the internal network by a visitor or guest of MUSC, the MUSC faculty or staff member who authorizes the connection is held accountable as the Owner of the device.

For any authorized device connected to the internal network by a contractor, accountability for the device must be established by contractual terms.

3.4. Requirements for Each Device

MUSC may deny network connectivity to any device that does not meet the minimum standards referenced in this document. MUSC may remove (disconnect or quarantine) any device from the network, in the event that the device is interfering with other devices or resources on the network, or the device's presence on the network creates unacceptable security risks for MUSC.

Before any device may be connected to the network, the device's designated Owner must ensure that the device itself is protected against any reasonably anticipated security threats. In addition, the Owner is responsible for ensuring that adequate safeguards are in place to protect against any reasonably anticipated threats that the device, or any persons or agencies with access to the device, might pose to MUSC's network, or to any information resource accessible through MUSC's network. At a minimum, all applicable MUSC standards documents should be consulted prior to connecting any device to MUSC's network.

3.5. Applicable Standards

MUSC Information Security Standards: System Security
MUSC Network Connectivity Standards

3.6. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.7. See Also

MUSC Computer Use Policy
MUSC Policy: Information Security
MUSC Partner Connection Policy and Procedures

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.