TSUS Policy Guideline: Network Management Policy Policy Guideline ID: TSUS IT.03.03 Approval Authority: TSUS Board of Regents Initial ITTF Approval Date: January 11, 2008 Effective BOR Date: May 16, 2008 Last Revised: August 13, 2015
The Texas State University System (TSUS) considers information technology to be a critical enabler in meeting its mission and has made significant investments in information technology assets and capabilities. The Texas State University System recognizes the inherent value of these information technology resources to the state, the TSUS, and their constituents. Likewise, Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C (TAC 202) underlines the importance of information technology resources residing in Texas public higher education institutions by requiring state institutions “to protect these assets against unauthorized access, disclosure, modification or destruction,” and “to assure the availability, integrity, utility, authenticity, and confidentiality of information.” TAC 202 also stipulates that “access to state information resources must be appropriately managed.” Compliance with this policy guideline contributes to the availability, protection, management and appropriate use of the data, voice, and video networks of the Texas State University System and its component institutions.
The Texas State University System and its component institutions must ensure the confidentiality, integrity, reliability, and availability of their data, voice, and video networks to fulfill their institutional missions and to assure compliance with the management and security standards for public institutions of higher education described in TAC 202. To guide institutional policies related to the management and use of institutional networks, the Texas State University System has set forth the following specific topics and provisions to be incorporated into each institution’s specific policy statement on network management. Thus, each component institution shall develop and disseminate an institutional policy statement on network management that is consistent with TAC 202 and the specific topics and provisions described below.
The following specific topics and objectives must be addressed by institutional network management policies:
1. Network Purpose
Objective: To affirm the purpose of the institutional network. The institutional network is a state information resource that exists to achieve the mission, goals, and objectives of the institution. Utilization of the network must be consistent with and in support of institutional initiatives.
2. Network Address and Device Management
Objective: To assure appropriate oversight over the connection of devices to the institutional network. The integrity, security, and proper operation of the network require an orderly assignment of network addresses and the correct configuration of devices attached to the network. Network access, performance and security are put at risk when devices are introduced into the network environment without appropriate planning and coordination. All devices acting in the role of a server (regardless of their specific function, hardware, or software) must have a designated device administrator and must be registered in a network device registry administered by the institution’s Information Resource Manager (IRM) or designee.
3. Network Management Roles and Responsibilities
Objective: To assign responsibility and accountability for management of the institutional network. A management framework should be defined that clearly delineates the roles and responsibilities for management of the institutional network. Institutional networks should be centrally administered by the institutional IRM (or designee) to assure consistency and compliance with the state’s network administration standards and best practices.
4. Network Usage Responsibilities
Objective: To delineate the responsibilities of network users and device administrators. Users and administrators of network-connected devices must understand their accountability for device management practices that might result in damage or harm to network operations, performance, or other network-connected devices.
5. Threat and Incident Response
Objective: To set expectations regarding the disconnection or isolation of threatening devices or networks. Devices or network addresses that pose an immediate threat to network operations, performance, or other network-connected devices must be disconnected or quarantined to minimize risk until the threat is removed. Sources of repeated threats should be isolated for longer periods of time as required to permanently eliminate the threat.
Scope and Applicability
This policy guideline applies to all persons and organizations that manage or utilize information technology resources belonging to the TSUS or any of its component institutions.
Device - Any hardware component involved with the processing, storage, or forwarding of information making use of the institutional information technology infrastructure or attached to the institutional network. These devices include, but are not limited to, laptop computers, desktop computers, servers, and network devices such as routers, switches, wireless access points, and printers.
Device Administrator - An individual with principal responsibility for the installation, configuration, registration, security, and ongoing maintenance of a network-connected device.
Device Owner – The department head charged with overall responsibility for the networking component in the university’s inventory records. The device owner must designate an individual to serve as the primary device administrator and may designate a backup device administrator. All network infrastructure devices, (e.g., network cabling, routers, switches, wireless access points, and in general, any non-endpoint device) shall be centrally owned and administered.
Information Technology Resources - any of the following that are owned, operated or supplied by the TSUS or one of its component institutions: usernames or computer accounts, hardware, software, communication networks and devices connected thereto, electronic storage media, related documentation in all forms, and professional and technical support services. Also included are data files resident on hardware or media owned or supplied by the
TSUS or a component, regardless of their size, source, author, or type of recording media, including e-mail messages, system logs, web pages and software.
Institution refers to any of the following seven components of the Texas State University System:
Sam Houston State University
Sul Ross State University
Texas State University
Lamar Institute of Technology
Lamar State College-Orange
Lamar State College-Port Arthur
Institutional Network - the data transport and communications infrastructure at the institution. It includes the campus backbone, local area networks, and all equipment connected to those networks (independent of ownership).
Network Address - A unique number associated with a device’s network connection used for the routing of traffic across the Internet or another network. Also known as Internet Protocol Address or IP Address.
User - An individual who uses an information technology resource, such as the institutional network or any network-connected device.
Authority and Responsibility
Questions related to this policy guideline or to the network management policy statement at any component institution should be addressed to the Chief Information Officer at the component institution.
Additional background, Related Policies, and other References
In addition to the general guidelines set forth in this document, network management policies may be affected by a number of other legal requirements and ethical principles. While it is not possible to list all potentially applicable laws and regulations, the most relevant to network management policies are listed in TSUS Policy Guideline TSUS IT.02.02, Information Security Policy, and are included in this policy guideline by reference.
Students, faculty and staff are responsible for understanding and observing these and all other applicable policies, regulations and laws in connection with their use of the institution’s information technology resources.