
9.8.2 Guidelines for LAN Coordinators for a Secure Environment

I. Introduction

Information Security for Local Area Network (LAN)

Information Systems (IS) is responsible for ensuring the confidentiality, integrity, and availability of all administrative information that it processes and stores, whether on the University mainframe, on minis, on microcomputers or on LAN servers. The Illinois State University Information Resource Access and Security Policy was written by IS to assist the University in accomplishing these objectives. The following LAN standards and guidelines govern information security on the ISUnet LAN so that the designated LAN Coordinators will have the guidance to support the Policy. IS and the departmental LANs are subject to security audits by internal and external auditors for compliance with standard computing practices.

As information processing is more widely distributed, and as network integration with the campus backbone progresses, administrative information becomes more accessible and, therefore, more vulnerable to unauthorized access, modification, or deletion. In this environment, every department that connects to the administrative mainframe or stores and processes computerized information locally shares with IS the responsibility for security of such information on local computers or networks.

It is an IS objective to implement a security architecture and to set standards and guidelines that will ensure the security of the administrative information assets of the University, and will also maintain an environment that has flexibility, integrity, auditability, ease of administration and interoperability. There are circumstances where the standards may not be cost effective or possible to implement (e.g., existing systems with embedded security), or where more stringent recommendations (mandatory access control based upon security domains) can be cost justified. Determining whether an Illinois State University LAN environment is "secure enough" is an analytical exercise in identifying risks and counterbalancing those risks against the cost of protection mechanisms.

II. LAN Coordinators' Responsibilities

As stated in the Illinois State University Information Resource Access and Security Policy, departmental LAN Coordinators are delegated, by University management, the responsibility for coordinating LAN access within their departments. Their responsibilities include the following:

  1. Provide training for departmental LAN users by maintaining manuals and offering training sessions
  2. Develop policies and procedures for the operation and use of the departmental LAN
  3. Act as a liaison between departmental management, LAN users and Information Systems
  4. Install file servers, workstations, and application software as required by departmental users

In addition, the following functions support the above responsibilities:

  1. Maintaining security (IDs/passwords and access profiles) on the departmental LAN
  2. Maintenance, administration, and usage of software on the departmental LAN
  3. Documenting plans for backup and recovery of data and programs on the departmental LAN
  4. Documenting policies and procedures for users, systems administrators, and operators
  5. Trouble-shooting problems with the software
  6. Physical security issues (section 4)

III. LAN Standards and Guidelines

Section 1. LAN Coordinator

1.1 The implementation of a LAN must include the naming of a LAN Coordinator who will fulfill the responsibilities listed in Part II above. Depending on the size of the LAN (number of workstations, etc.), this may be either a part-time or full-time position. In smaller units with smaller LANs, the responsibilities may be combined with other duties or departments may be consolidated and the responsibilities assigned to a single LAN Coordinator. This responsibility, however, must be clearly assigned to a specific staff member.

1.2 For every administrative LAN, IS will require that a LAN Coordinator be designated.

1.3 If business functions on the LAN are critical to the department's operation, designation of a backup to the LAN Coordinator is strongly recommended. To evaluate a LAN environment, use the form in Appendix A.

1.4 The LAN Coordinator is responsible for continuity of processing and should implement whatever hardware and/or system maintenance schedules are necessary to ensure continuous operation.

Section 2. Access Security

Security controls must be provided at three levels of access control: Server, Directory, and File. These levels must be enforced.

2.1 Server

  1. Security for logon access to the network, access to files, and applications on the server will be implemented via a unique user ID and password. A remote user who does not know a correct ID/password pair should not be able to access the network.
  2. New IDs should consist of 7 characters. These characters will be the first initial, middle initial and the first 5 letters of the last name. In case of duplicates, the last character will be a value of 1 through 9.
  3. ID/Password control is the strongest element of network security. Passwords should be a minimum length of 5 characters, and should be chosen by and known only to the individual user. Passwords must be non-trivial and users should be given guidelines for choosing passwords. The password should not be equal to the ID or the user's name. Common names, dictionary words, months of the year, etc., should not be used as passwords. There are password checkers for validation.
  4. The system should require that all users periodically change passwords, at least every sixty days. A password should not be reused within one year. Most network operating systems provide this option.
  5. Default passwords shipped with servers, operating systems software, or applications must be changed when the hardware or application is installed or implemented.
  6. ID/Password files on the server must be encrypted. If possible, passwords should not be transmitted over the network in clear text.
  7. It is important to maintain the ID/Password directory with current data. LAN access for terminating or transferring employees must be removed at the time of termination or transfer.
  8. Access should be allowed to only those individuals defined in the Illinois State University Information Resource Access and Security Policy.
  9. IDs/Passwords should not be shared or revealed to anyone by the authorized user. If someone other than the authorized user should obtain an ID/Password, for illegal or unethical use, the authorized user would be left to deal with the consequences.
  10. To have the ability to trace activities, one or more records tracing security relevant activities to specific users must be securely maintained for a reasonable period of time, a minimum of three months.
  11. If a user has not provided a correct password after three (3) consecutive logon attempts, the ID should be deactivated. This is especially important with dial-up connections.
  12. If the operating system supports logon banners, during the logon procedure before access is granted, a logon banner should be displayed. The logon banner display should notify users of the system they are trying to access, that the system is to be used only by authorized users, and, by continuing to use the system, the user acknowledges that he/she is an authorized user.
  13. Each user should only be allowed to log on to one workstation on the LAN at any given time.
  14. Intruder detection settings should be activated.
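
The password rules in items 3 and 4 and the lockout in item 11, as an added Python example that is not part of the University's guideline. The sample word list, the PBKDF2 password-history format, the rule that a deactivated ID stays deactivated, and all function and class names are assumptions made for illustration.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

MIN_LENGTH = 5                       # item 3: minimum password length
MAX_AGE = timedelta(days=60)         # item 4: change at least every sixty days
REUSE_WINDOW = timedelta(days=365)   # item 4: no reuse within one year
MAX_FAILURES = 3                     # item 11: consecutive failed logons

# Constructed sample list; a real checker would load a full dictionary.
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "january",
                "february", "march", "april", "may", "june", "july", "august",
                "september", "october", "november", "december"}

def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so the history never holds clear-text passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_violations(user_id, full_name, candidate, history, now):
    """Return the rules a candidate password breaks (empty list = acceptable).
    history is a list of (salt, digest, set_at) tuples for this user."""
    problems, lowered = [], candidate.lower()
    names = {p.lower() for p in full_name.split()}
    names.add(full_name.lower().replace(" ", ""))
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 5 characters")
    if lowered == user_id.lower() or lowered in names:
        problems.append("equal to the ID or the user's name")
    if lowered in COMMON_WORDS:
        problems.append("common word or month")
    for salt, digest, set_at in history:
        recent = now - set_at < REUSE_WINDOW
        if recent and hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("used within the last year")
            break
    return problems

def password_expired(set_at, now):
    """True once the current password is older than the sixty-day limit."""
    return now - set_at > MAX_AGE

class LogonGuard:
    """Deactivates an ID after three consecutive failed logons (item 11)."""
    def __init__(self):
        self.failures, self.deactivated = {}, set()

    def record(self, user_id, success):
        """Record one attempt; return True if the ID is deactivated."""
        if user_id in self.deactivated:
            return True   # assumption: stays deactivated until re-enabled
        if success:
            self.failures[user_id] = 0   # a good logon ends the failure run
            return False
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.deactivated.add(user_id)
        return user_id in self.deactivated
```
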

2.2 Directory

  1. Directory and file security is accomplished via access control rights. The LAN Coordinator administers these rights for their LAN.

2.3 File

  1. There are several levels of file access: Read, Write, Execute, Delete, and Add. They should be administered appropriately for users or groups of users depending on what application is being invoked.

Section 3. Remote (Dial-In) Access

3.1 Dial-in access to the LAN or to individual workstations on the LAN presents a higher risk for unauthorized remote access. Dial-in capability must be limited to those individuals with a clear business need for such access.

3.2 Dial-back systems, or an extra layer of password control, are recommended for dial-in access protection.

3.3 Dial-in connections to the LAN must be auditable.

3.4 Dial-in access should not answer until after the 4th ring. This discourages automatic dialers; they may assume the number is a voice line.

Section 4. Physical Security

4.1 The LAN Coordinator is responsible for the physical security of the LAN hardware. Secure all equipment. In low security office areas, install lockdown or other security devices.

4.2 The LAN server/communication center should be located in a physically secure area such as a locked closet. It should be enclosed in an area not likely to experience natural disasters (tornadoes, floods, fire, etc.), or serious human error (chemical spills, storage calamities, etc.).

4.3 The server should not be used as a workstation except by the LAN Coordinator for purposes of server administration.

4.4 All cable connections and the cable itself, if possible, should be in a secure location to lower the risk of inadvertent or mischievous damage to the physical equipment.

4.5 Critical hardware on the LAN (such as servers) should be connected to an Uninterruptible Power Supply (UPS), both to protect hardware and data files from damage or loss due to power fluctuations or outages, and to provide for continued service in the event of a power outage.

4.6 Security awareness should be an important facet in administering a LAN environment. It is important to remember that the most vulnerable security risk in any office could be in leaving confidential papers, clearly named diskettes, and listings in full view in an empty office. Also, walking away from a logged on workstation invites trouble. Use of the automatic logoff or locking screensaver features should be encouraged to prevent a workstation from being left logged on and unprotected.

4.7 Most operating systems provide power-on and screensaver passwords on workstations where access to the workstation itself requires control. Where workstations are used by more than one staff member, however, only the manager or supervisor responsible for the area should set or change a power-on password.

Section 5. Data Security

5.1 It is the LAN Coordinator's responsibility to monitor access to the data on the network, based on the relative risk and the user's "need to know." Authorization ("who" can see and use "what") requires careful thought. To maintain the "need to know", an annual review of data access is strongly recommended to clear unnecessary accesses.

5.2 The appropriate level of security should be provided for departmental LAN file servers that may contain information with varying sensitivity classifications. Less sensitive files, such as mailing lists, may be shared among the department, while the more sensitive files, such as those used with application programs, should have more stringent access restrictions. Access restrictions for applications should be addressed to the Data Base Administrator or Data Custodian.

5.3 Critical or sensitive data should not be stored on individual workstations or microcomputer hard-disk drives unless the LAN Coordinator is certain that adequate information security measures are being followed.

5.4 All LAN users who have access to confidential records should be made aware of the Code of Responsibility for Security and Confidentiality of Data annually. A copy is located on the Illinois State gopher, under Computing and Telecommunications, Security Policies and Guidelines.

Section 6. Backups

6.1 Servers (which contain software, data files, and/or backup data for workstations on the LAN) must be backed up on a regularly scheduled basis. The frequency of file modifications will determine the required schedule of the backup. To determine the backup schedule, consider what point in time would be practical to return to in case of power failure or other cause of interruption. The files modified daily should be backed up at least once a day.

6.2 Departmental LAN Coordinators are responsible for backing up their LAN servers and workstations and are required to implement a tested and auditable process. This is crucial for recovery from power or hardware failure, data and/or network problems, and physical disasters.

6.3 To the extent possible, procedures used for backup should not require departmental assistance; they should be automatic. If backup procedures are automated, verification logs should be checked daily for incomplete backups.

6.4 Backups should be stored on-site for quick recovery from data or network problems. LAN backups for critical business functions must be stored off-site in an environmentally protected and access controlled area. IS has an automated backup process which will provide an off-site backup and maintain a backup retention period of three months. This software can be obtained by requesting an application for HARBOR backup through the IS Data Security Administrator.

6.5 Recovery procedures for power failures and major disasters must be documented and tested at least once a year. A documented plan to follow is imperative to critical business functions on the LAN environment.

Section 7. File Transfer

7.1 The transfer of executable files through electronic mail should be restricted or controlled. Electronic messaging systems are generally not secure, and are a common source of malicious code attack.

Section 8. Hardware

8.1 Wiring and physical connections must adhere to University standards issued by IS Network Services.

8.2 Network servers should use standard, widely-available components to ensure that hardware can be replaced easily. When departments or groups of people depend on the server for access to their documents and data, ease of replacement is crucial.

8.3 Purchases for the LAN environment must follow the procedures described in the Policies and Procedures Manual, which can be found in the Illinois State University gopher under General Information about the University, Policies of Illinois State University.

Section 9. Software

9.1 The LAN Coordinator is responsible for maintaining detailed and accurate records of software on the server. (How do you access these records; who are they available to; how about if I want to see them?) All software should be installed and recorded according to licensing terms and restrictions. Versions (releases), dates of installation, upgrades, etc., should all be recorded for audit and recovery purposes.

9.2 The installation of new software on a server/workstation, or of a new version of existing software, always carries some risks, including the potential for crashing the hard drive of the server/workstation. Software installation and upgrade must be done by the LAN Coordinator. A complete backup prior to installation is recommended.

9.3 The Governors of Virginia and Illinois have made public statements regarding their intentions to assure taxpayers that state employees playing games on state government workstations is a practice that will not be allowed. Games must be removed from servers and workstations of administrative employees.

Section 10. Prohibition of Pirated Software

10.1 University policies regarding the prohibition of pirated software must be followed. Licensing terms for software must be met and LAN users must be fully aware of license restrictions. The LAN Coordinator and the University can be held legally liable if restrictions are violated.

Section 11. Printing

11.1 Security controls over print queues and the print server are required, if confidential or sensitive information cannot be printed on a locally attached printer.

11.2 Printed output containing confidential or sensitive information must be treated with the same care as confidential data files. Confidential or sensitive reports should be recycled, shredded, or disposed of through a process of restrictive access.

Section 12. Viruses

12.1 To protect a LAN from viruses, shareware or freeware must be processed through a virus checker prior to being installed on any Illinois State University server or workstation.

12.2 A virus scanner is provided for the University via a site license, which is available through the Software Support Office.

Section 13. Business Continuation and Disaster Recovery

LAN environments that are critical to the University's business operation must have a Business Continuation and Disaster Recovery plan documented and tested. To determine if your LAN is critical, use the form in Appendix A. The plan must be tested, and revised if necessary, at least annually, in order to maintain an up-to-date version. Each documented plan should include, but not be limited to, the following:

13.1 An introduction stating its purpose, goals, objectives and benefits.

13.2 The scope which the plan will encompass, the type of disruptions, which departments will be included, and the policies affected.

13.3 The responsibilities defined for each individual and where they will be instrumental in the plan. This should include phone numbers along with the responsibilities.

13.4 Damage assessment checklist that would consist of the following:

  • determine the extent of damage
  • action to repair or replace the items
  • who will perform the actions
  • estimated completion date, time and cost.

13.5 Recovery priority list, listing the items that need to be restored in priority order. For each item on the list, provide system, database and application recovery procedures.

13.6 Inventory list of necessary equipment and supplies, and the person responsible for obtaining them.

13.7 Description of the testing procedures, which would include a schedule, scenario, and monitoring.

13.8 Plan revisions and updates describing the environmental changes, test results and review schedule.

Appendix A: Critical LAN Environment Evaluation

Expanding to a Distributed Computing Environment has placed more power in the users' hands. With that power comes added responsibility. While efficiency and effectiveness have greatly improved with this expanded technology, it has also created a new, greater challenge: maintaining adequate security access to our information resources and data. While total security is difficult to accomplish, we can attempt to decrease the risk by balancing the risks with the costs. A LAN environment that has flexibility, integrity, auditability, ease of administration and interoperability is the goal for the University.

To determine which LAN environments are critical, there are some necessary questions to ask:

What are you trying to protect and how important is it?
A. Department relies on file server for data and/or application software.
B. Department unable to function if LAN or File Server unavailable for more than a day, three hours.

What is the cost of losing or compromising the information?
A. Data and/or software on File Server cannot be recreated if lost or destroyed.
B. Department/University liable for data confidentiality.
C. Department responsibility to laws and regulations.
D. Data integrity.

What is the cost of protecting the data?
A. Data manipulation by authorized individuals only.
B. Separate authoritative levels of data access on File Server.

Once the critical LAN environments have been evaluated and identified, the guidelines, policies and procedures for adequate resource security should meet these basic goals: reducing the risk; complying with applicable laws, regulations, and policies; and assuring operational continuity, integrity, and confidentiality. You may contact Connie Barling for copies of the following laws and policies:

Computer Security Act 1987
Copyright Information
Family Educational Rights and Privacy Act of 1974, as amended
Freedom of Information Act Policy
Illinois Campus Security Act
Illinois State University Code of Responsibility for Security and Confidentiality of Data

Our data and information resources are one of our greatest assets; they are only as secure as the weakest link of our network.

Last Review: April 2000

