Network Security Policy

The policies detailed in this document are designed to achieve the following goals:

1. Ensure availability of and reliable access to USF network resources and network-based services, especially mission-critical applications.
2. Preserve integrity of the data stored on USF computing systems, and prevent unauthorized access to confidential information.
3. Preserve the privacy of users to the greatest extent possible.
4. Promote an efficient, standards-based approach to providing and managing network-based services, servers, and user systems.
5. Foster awareness of security issues among the members of the USF community who access network resources and services.
6. Protect University computing systems from unauthorized access and unlawful uses.
7. Facilitate prompt, effective, and consistent institutional responses to security threats, attacks, and violations.
8. Identify authority and responsibilities associated with enforcing security policies and procedures, responding to security threats, attacks, and violations.
9. Establish processes evaluating exception requests and periodic assessment and revision of policies and standards to ensure timely adaptation to changing network security requirements.

Policies Governing Management of the Network

1. Only authorized network equipment may reside on the USF network. See Standards for Network Equipment.
2. Access to USF network equipment and network equipment rooms is restricted to authorized USF personnel. See Standards for Network Management.
3. USF policy is not to police content, but to monitor resource usage and authenticate users. USF may log and trace basic identifying information (such as Mac address) for all desktops, servers, and other devices connected to the USF network.
4. Individual users should* be required to authenticate to access the USF network.
5. Entry points into the USF network must* be configured in accordance with Standards for Network Access.
6. USF personnel with network management responsibilities must adhere to
   Standards for Network Management.

Policies Governing Management of Servers

1. Servers connected to the USF network should meet Standards for Server Equipment, be authorized and registered, and be supported in compliance with Standards for System Administration.
2. Unauthorized servers or non-compliant servers connected to the network may be disconnected upon discovery.
3. Compromised systems or systems interfering with the functioning of the network will be immediately disconnected and will remain disconnected until the system has been appropriately secured or the problem resolved.
4. A server must not be used as a user system.

Policies Governing Management of User Systems

1. Each user is responsible for the network security of any device he or she connects to the network.
2. User accounts are for individual use only. Users must not share their account information.
3. User systems must not allow unauthorized access to University information, whether stored locally or gained through connection to other systems.
4. User systems must not be used to launch attacks on USF network services or systems/services outside the USF network.
5. User systems interfering with the functioning or security of the network may be immediately disconnected and remain disconnected until the system has been appropriately secured and the problem resolved.
6. USF reserves the right to ban any software or hardware, which USF deems a security threat, from user systems connected to the USF network.
7. File Sharing on the USF Network:

   7.1 File sharing will be disabled by default on USF-owned systems.

   7.2 USF recommends network file sharing through its centralized file server

8. USF-owned and/or supported user system hardware and software should meet the standards detailed on the following web pages:

   8.1 Hardware Standards

   8.2 Software Standards

9. All user systems connected to the network must have up-to-date virus protection software with the latest virus definitions and operating system critical vulnerability updates. Subsequently, adequate protection against network-based vulnerabilities must be maintained on a regular basis.
   
   Computers not conforming to this policy will be allowed limited network connectivity to the University's network for only the period required to install the necessary software and updates to conform to this policy. At the end of this time, the computer must meet these requirements or it will not be allowed to connect to the network.
10. All users accessing the USF network are expected to act in accordance with the Technology Resources Appropriate Use Policy.

For further information, please see:

• Security Policy FAQ 
  
• Policies Definitions Page
• Standards
• Access Levels
• Network Zones
• Policy Development and Enforcement Responsibilities
• Technology Resources Appropriate Use Policy

*Distinction between "must" and "should"

In some policy statements within this document, the word "must" is used and in other instances, the word "should" is used. The use of "must" indicates that compliance is both feasible and expected. "Should" is used in those instances where compliance is highly desirable, but may not be technically feasible within the University's current network and technology infrastructure. In these cases, the policy statements represent goals that the University expects to achieve as its network and technology infrastructure advances.