Policy Category | Policy No. & Title | Policy Owner | Effective Date | Revision Number | Revision Eff. Date | Review Cycle |
X Information Governance, Security & Technology | X-1.21 System and Communication Protection | VP of Information Security | August 1, 2021 | N/A | N/A | Bi-Annually |
Purpose
The purpose of this policy is to establish information security standards for the System and Communication Protection processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability
This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.
Definitions
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Authenticity: The quality of Information and records as being genuine, verifiable, and trusted; confidence in the validity of a transmission, a message, or message originator.
Collaborative Computing Devices: Collaborative computing devices include smartboards, camera systems, and microphones. This includes cameras and microphones built into laptops as well as stand-alone devices in conference rooms or classrooms.
Confidentiality: The principle of preserving authorized restrictions on Information access and disclosure, including means for protecting personal privacy and proprietary information.
Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
Controlled Unclassified Information (CUI): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. CUI includes Personally Identifiable Information (PII).
Data: Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
Federal Information Processing Standard (FIPS): A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.
Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
Personally Identifiable Information (PII): An individual's first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
A social security number;
A driver's license number, state identification card number, or other individual identification number issued by a state government unit;
A passport number or other identification number issued by the United States government;
An Individual Taxpayer Identification Number; or
A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.
User: A University community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control University Data.
System and Communications Protection
Information System Stewards or their designee must adhere to the University's System and Communications Policy to ensure active identification, management, and control of all University Information Technology Resources that store or transit Controlled Unclassified Information to include:
Monitoring, controlling, and protecting University communications (i.e., Information transmitted or received by University Information Systems) at the external boundaries and key internal boundaries of the Information Systems. Information System boundary components include, but are not limited to, gateways, routers, firewalls, or encrypted tunnels. Restricting or prohibiting interfaces in organizational systems includes, but is not limited to, prohibiting external traffic that appears to be spoofing internal addresses.
Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Prohibiting remote activation of Collaborative Computing Devices and providing an indication of devices in use to Users present at the device.
Using encrypted sessions for the management of network devices.
Employing FIPS-validated cryptography when used to protect the confidentiality of CUI.
Employing architectural designs, software development techniques, and systems engineering principles that promote effective Information security within organizational systems.
Separating User functionality from Information System management functionality.
Preventing unauthorized and unintended Information transfer via shared Information Technology Resources. Verifying that no shared system resource, such as cache memory, hard disks, registers, or main memory, can pass information from one User to another User.
Denying network communications traffic by default and allowing network communications traffic by exception (i.e., deny all, permit by exception).
Preventing remote devices from simultaneously establishing non-remote connections with University Information Technology Systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
Implementing cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Terminating network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. This includes, but is not limited to, deallocating (stopping) TCP/IP addresses or port pairs at the operating system level, and/or deallocating networking assignments at the application system level if multiple application sessions are using a single, operating system-level network connection.
Establishing and managing cryptographic keys for cryptography employed in University Information Technology Systems to include developing processes and technical mechanisms to protect the cryptographic key's confidentiality, authenticity, and authorized use in accordance with industry standards and regulations.
Controlling and monitoring the use of mobile code, to include ensuring that mobile code such as Java, ActiveX, or Flash is authorized to execute on the network in accordance with the University's policy and technical configuration, and that unauthorized mobile code is not.
Controlling and monitoring the use of Voice over Internet Protocol (VoIP) technologies.
Protecting the Authenticity of communications sessions.
Protecting the Confidentiality of CUI at rest.
Implementing Domain Name System (DNS) filtering services to prevent access to known malicious websites or categories of websites.
Implementing a policy restricting the publication of CUI on non-UMGC owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
Exceptions
Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.
Enforcement
Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.
Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
Related Policies
Effective Date
This policy is effective as of the date set forth above.