Original Issuance Date: November 10, 2022
Last Revision Date: November 10, 2022
Effective Date: December 1, 2023
1. Policy Purpose
The purpose of this policy is to provide structure for the deployment and management of network controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration. This policy identifies the requirements for the installation and use of network protection controls, where technically feasible, on all UW System managed networks that transport data used to accomplish University research, teaching, learning, operations, or administration.
The President of the University of Wisconsin System is empowered to establish IS policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission.
The network protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats that use the network to attack information technology resources.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- External Network: A network not controlled by the organization.
- Managed Interface: An interface that provides boundary protection capabilities using automated mechanisms or devices.
- Network Security Zone: A group of logical or physical network segments with a defined level of network security for the connected systems, users, and data within an overall network architecture.
- System Boundary: Defines the components of the information systems under the authority of the institution.
- Trusted Network Security Zone: A Network Security Zone with an institution-defined trust level based on the security services and standards for control and management commensurate with the risk and classification of the connected systems and data transmitted. Example controls include firewalls, access control lists, virtual private networks, intrusion detection systems, and network access control policy enforcement.
6. Policy Statement
A. Network Security Architecture Documentation
High-level network security architecture documentation must be maintained that identifies the security services and mechanisms for the Network Security Zones within the System Boundary and connections to External Networks. High-level network security architecture diagram(s) must accompany network security architecture documentation.
B. Network Access Controls
Employ network access controls to monitor and control communications at external boundaries and key Managed Interfaces between Network Security Zones within the System Boundary to restrict the flow of traffic and prevent unauthorized access commensurate with the classification of the data being transmitted. Network access controls must be aligned with the institution’s defined architecture.
C. Network Communication Protection Activities
Ensure network access controls protect the integrity and confidentiality of transmitted data in Trusted Network Security Zones and as defined by the institution’s network security architecture.
D. Network Configuration Management
Employ configuration change management processes and maintain documentation for security-related configuration changes to networking IT devices. Limit access rights to the minimal level necessary for administrators to perform their job duties.
E. Network Device Security
Network devices must be reasonably secured from unauthorized physical and logical access commensurate with the criticality of the device and its associated Network Security Zone.
7. Related Documents
8. Policy History
First approved: November 10, 2022
9. Scheduled Review