Information System and Communication Protection

Purpose

The purpose of this policy is to establish information security standards of identification, management, and control of all University of Maryland Global Campus (“UMGC” or “University”) Information Technology Resources that store or transit Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), or other forms of High Risk Data.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Information System and Communications Protection

Information System Stewards or their designee must adhere to this Policy to ensure active identification, management, and control of all University Information Technology Resources that store or transit Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), and other forms of High Risk Data to include:

1. Monitoring, controlling, and protecting University communications (i.e., Information transmitted or received by University Information Systems) at the external boundaries and key internal boundaries of the Information Systems.
   1. Information System boundary components include, but are not limited to:
      1. gateways,
      2. routers,
      3. firewalls, or
      4. encrypted tunnels.
   2. Restricting or prohibiting interfaces in organizational systems includes, but is not limited to, prohibiting external traffic that appears to be spoofing internal addresses.
2. Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3. Prohibiting remote activation of Collaborative Computing Devices and providing indication of devices in use to users present at the device.
4. Using encrypted sessions for the management of network devices.
5. Employing FIPS-validated cryptography when used to protect the confidentiality of High Risk Data.
6. Employing architectural designs, software development techniques, and systems engineering principles that promote effective Information security within organizational systems.
7. Separating User functionality from Information System management functionality.
8. Preventing unauthorized and unintended Information transfer via shared Information Technology Resources. Verifying that no shared system resource such as cache memory, hard disks, registers, or main memory should be able to pass information from one user to another user.
9. Denying network communications traffic by default and allowing network communications traffic by exception (i.e., deny all, permit by exception).
10. Preventing remote devices from simultaneously establishing non-remote connections with University Information Technology Systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
11. Implementing cryptographic mechanisms to prevent unauthorized disclosure of High Risk Data during transmission unless otherwise protected by alternative physical safeguards.
12. Terminating network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. This includes, but is not limited to, deallocating (stopping) TCP/IP addresses or port pairs at the operating system level, and/or deallocating networking assignments at the application system level if multiple application sessions are using a single, operating system-level network connection.
13. Establishing and managing cryptographic keys for cryptography employed in University Information Technology Systems to include developing processes and technical mechanisms to protect the cryptographic key's confidentiality, authenticity, and authorized use in accordance with industry standards and regulations.
14. Controlling and monitoring the use of mobile code to include ensuring that mobile code such as Java, ActiveX, Flash is authorized to execute on the network in accordance with the University's policy and technical configuration, and unauthorized mobile code is not.
15. Controlling and monitoring the use of Voice over Internet Protocol (VoIP) technologies.
16. Protecting the Authenticity of communications sessions.
17. Protecting the Confidentiality of High Risk Data at rest.
18. Implementing Domain Name System (DNS) filtering services to prevent access to known malicious websites or categories of websites.
19. Implementing a policy restricting the publication of High Risk Data on non-UMGC owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. UMGC Social Media Guidelines
2. UMGC Policy X-1.02 Data Classification
3. UMGC Policy X-1.04 Information Security
4. UMGC Policy X-1.05 Information Security Awareness and Training
5. UMGC Policy X-1.06 Information Security Incident Response
6. UMGC Policy X-1.07 Audit and Accountability
7. UMGC Policy X-1.08 IT Resource Configuration Management
8. UMGC Policy X-1.12 Acceptable Use
9. UMGC Policy X-1.14 Media Protection
10. UMGC Policy X-1.15 Maintenance of Information Systems and Technology Resources
11. UMGC Policy X-1.22 System and Information Integrity