Original Issuance Date: November 10, 2022
Last Revision Date: January 19, 2023
Effective Date: December 1, 2023
1. Policy Purpose
The purpose of this policy is to provide structure for the deployment and management of network controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration. This policy identifies the requirements for the installation and use of network protection controls on all UW System managed networks, where technically feasible, that transport data used to accomplish University research, teaching, learning, operations, or administration.
The President of the University of Wisconsin System is empowered to establish IS polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission.
The network protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats that use the network to attack information technology resources.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- External Network
- Managed Interface
- Network Security Zone
- System Boundary
- Trusted Network Security Zone
6. Policy Statement
A. Network Security Architecture Documentation
High-level network security architecture documentation must be maintained that identifies the security services and mechanisms for the Network Security Zones within the System Boundary and connections to External Networks. High-level network security architecture diagram(s) must accompany network security architecture documentation.
B. Network Access Controls
Employ network access controls to monitor and control communications at external boundaries and key Managed Interfaces between Network Security Zones within the System Boundary to restrict the flow of traffic and prevent unauthorized access commensurate with the classification of the data being transmitted. Network access controls must be aligned with the institution’s defined architecture.
C. Network Communication Protection Activities
Ensure network access controls protect the integrity and confidentiality of transmitted data in Trusted Network Security Zones and as defined by the institution’s network security architecture.
D. Network Configuration Management
Employ configuration change management processes and maintain documentation for security-related configuration changes to networking IT devices. Limit access rights to the minimal level necessary for administrators to perform their job duties.
E. Network Device Security
Network devices must be reasonably secured from unauthorized physical and logical access commensurate with the criticality of the device and its associated Network Security Zone.
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Administrative Procedure 1038.A, Information Security: Network Protection Standard
NIST Special Publication 800-53 Rev. 5
8. Policy History
Revision 1: January 19, 2023
First approved: November 10, 2022
9. Scheduled Review