College of Veterinary Medicine

CVM Security Policies

Justification 

  • We must demonstrate diligence in system and network security. CVM must implement security to protect its technology resources and ensure privacy for patients, faculty, staff, research, students, grantors, and affiliates.
  • We must protect our investments and operations. The cost of not doing so would far outweigh the investment in security should the privacy of our technology and information resources be breached.
  • These policies are in addition to all existing policies of The Ohio State University. This includes university policies from the Office of Information Technology.
  • The existing policies of The Ohio State University prohibit anonymous access to network resources. In addition to that policy, CVM requires the use of password authentication on any network-connected device. Anonymous access to any network-connected system/device is strictly prohibited. CVM also requires the use of strong passwords and will enforce the use of strong password filtering when possible.

Internal Security

  • All computing systems and network-connected equipment residing on CVM's network that are intended to provide external access/services must be approved. The presence of a firewall makes this necessary. Computer systems and network-connected devices that operate only internally can be established independently but are subject to audit (see below). Setup of a server/service that will require access through the firewall must be requested.
  • A formal letter of request to the director of Veterinary Information Systems is required. It will be reviewed and granted on the basis of introduced risk and capacity of existing security technologies.
  • Service charges may apply to requested changes from OIT since they retain control over certain aspects of our network. Payment of any incurred charges is the responsibility of the requestor.
  • The cost of additional equipment and/or software necessary to provide secure communications is the responsibility of the requestor.
  • Only network protocols necessary to facilitate operations will be permitted on CVM local network(s). Other protocols will be blocked to prevent alternate means of access. The base network protocols supported/provided are:
    • AppleTalk/EtherTalk
    • TCP/IP
    • All protocols required by Ethernet
  • All outbound connections established internally will be permitted, with the exception of Windows networking. Outbound Windows networking connections are blocked given the significant risks associated with them.
  • The presence of a firewall may prevent the operation of some Internet utilities and software. This is due to their nature and how they utilize the TCP/IP protocol. CVM is not responsible for supporting, through security mechanisms, the operation of applications that are not directly related to the operations of the college and its affiliates.
  • CVM retains the right to monitor network traffic but not content. It is illegal to capture or view content. Monitoring will be done for the purposes of maintenance, diagnostics and intrusion detection as needed.
  • CVM retains the right to scan and audit all computer systems and network-connected equipment on its network. CVM will request removal of software/services from systems that may pose unnecessary operational and/or security risks to its infrastructure. In cases of significant risk, CVM retains the right to disconnect systems from the network until appropriate changes can be made.
  • Although access to the outside may not be intended, remote access could be provided inadvertently. CVM retains the right to request removal of software/services, change of configurations, or disconnection of network-connected equipment if it cannot be made compliant.
  • Anti-virus software is required on all computer systems that are connected to the CVM networks. The user(s) of computer systems also share in the responsibility of ensuring proper update and operation of their virus software. As it is infeasible for technical staff to monitor all systems and their functions, it is the responsibility of the user to assist in virus protection maintenance.
  • To prevent the spread of viruses/worms through network storage systems, CVM will maintain file screening on shared/public storage areas. Files are screened by file extension of known/common file types used for propagation. Given the frequency of newly discovered viruses, the current list of screened files is subject to frequent change. CVM retains the right to implement additional file screening on all network storage systems in response to an outbreak.
  • Any network connected device, including printers, network electronics, cameras, and specialized equipment, must be secured internally. These systems must be maintained with current firmware/software. All non-essential protocols/services must be disabled. All must be configured with an access control list to limit non-essential access. Any specialized devices which provide external access are subject to section 2.1. Proof of audit and results is required for operation of all specialized network-connected systems.
  • UNIX operating systems require special attention and may require additional effort/knowledge to maintain. Given minor differences in UNIX operating systems and focus of technical staff expertise, proof of audit and results is required for operation of UNIX workstations on the CVM network. Assistance with the maintenance and audit of UNIX systems can be obtained through the OIT UNIX Workstation Support Group (http://8help.osu.edu/wks/).

Remote Access

  • Remote access is restricted to specific methods and must meet certain requirements to be operated securely. The following methods are approved for remote access:
    • Virtual Private Networking (VPN)
      • VPN access is provided only to faculty and staff of the College of Veterinary Medicine. VPN access will provide a local connection into our network.
      • VPN access requires additional permissions and account configuration to enable access. Access must be requested through the director of Veterinary Technology Services.
      • VPN clients will be required to use specific configurations.
      • Some operating systems include the necessary software components for access through VPN. Students, faculty and staff can purchase additional VPN software necessary for access through established VPN services.
      • Some Internet Service Providers (ISPs) do not allow VPN connections over their networks. CVM will not be responsible for accommodating ISP limitations and/or restrictions.
    • Timbuktu connections are passed to all hosts on the CVM networks. This is to accommodate access to specific Mac systems remotely. Timbuktu may be purchased for use by faculty, staff and students.
      • Timbuktu must be installed and/or audited by the CVM technical staff.
      • Periodic checks will be completed on the CVM network for Timbuktu installations which have not been audited.
    • SSH (UNIX and supported platforms)
      • SSH connections are passed to all hosts on the CVM networks. This is to accommodate access to specific UNIX systems remotely. SSH will allow the "tunneling" of FTP, telnet and just about any service needed. The source code for the server and client is available via ftp://ftp.ssh.com/pub/ssh/.
      • SSH must be installed by the owner/user. Assistance is available through OIT for UNIX workstations.
      • Periodic checks will be completed on the CVM network for SSH installations. Per security policy, the administrators of UNIX systems will be required to show proof of audit and results.
  • Remote access technologies can be used to gain unauthorized access to our network. Users of remote access will be required to use a personal firewall (software and/or hardware).
  • CVM retains the right to audit all systems used for remote access. Systems must be brought in to CVM facilities for audit. Failure to comply with the audit will result in loss of remote access privileges and/or local network connections supporting remote access hosts residing on the CVM networks.
  • The CVM technical staff is available to assist with the setup and troubleshooting of remote access. They cannot provide off-site services on an individual basis. CVM will not provide full support of workstation-based remote access software (pcAnywhere, Timbuktu, and SSH). The CVM technical staff is not responsible for operational constraints due to software on individual systems.
  • Connection instability and malfunction are possible due to an Internet Service Provider's quality of service. Loss of functionality through accepted remote access methods will not be accommodated for applications that are not directly related to the operations of the college and its affiliates.

Affiliate Organizations

The college must work with affiliate organizations. The college will work with its affiliate organizations to provide the best possible security for networking needs internally and remotely. Since these organizations have separate technical support staff and administer their systems independently, CVM can only assist with their security needs.
  • CVM must secure its infrastructure while striving to accommodate the individual needs of its affiliates. However, CVM cannot serve as sole consultant or designer, nor provide long-term administration, for their security needs. This includes but is not limited to remote access.
  • CVM affiliate organizations are subject to all internal security policies established, including audits and conditions where loss of connectivity may be enforced.
  • Affiliates will be responsible for all additional equipment, software and service charges incurred to provide secure access to their networked hosts.
  • If desired, affiliates may seek WAN (SONNET) connectivity services directly from OIT. CVM will work with them to establish separate WAN connections to service their needs. This includes planning and installation, since CVM houses building entry points. Monitoring and support of this separate WAN connectivity will be the affiliate's responsibility.

Enforcement

It is the role of the VIS staff to enforce security policies. They are responsible for ensuring that all network-connected equipment is compliant and are charged with the task of enforcement.
  • The Dean of the CVM or designees retain the right to make exceptions to the CVM security policy.
  • Network-connected equipment found not to be compliant could be refused connectivity immediately in cases of significant operational/security risk. It will be preferable to extend the opportunity and allow time for compliance to be achieved, avoiding disruptions in service.
  • Disputes regarding the security policies and/or their enforcement are to be addressed through the Director of VIS. A formal letter outlining the disputed incident/policy is required.

Change and Amendment

  • The Dean of the College of Veterinary Medicine or designees retain the right to amend or change the CVM security policy.
  • The maintenance of a security policy is difficult and often a point of internal debate. To accommodate the college's changing needs, an application and review process is necessary. A formal letter of request to the director of Veterinary Information Systems is required. It will be reviewed and granted on the basis of introduced risk and capacity of existing security technologies.
  • Service charges may apply to requested changes from OIT since they retain control over certain aspects of our network. Payment of any incurred charges is the responsibility of the requestor.