Enterprise Security Controls Policy

Electronically stored academic, administrative, and research information is a critical University resource. Threats from computer hackers and malicious software and attempts to steal sensitive information jeopardize the confidentiality and integrity of this resource. The consequences to the University from a compromise of our electronic data could be widespread and damaging.

The Enterprise Security Controls solutions comprise a specific set of technologies, including firewalls, email, and web services, that significantly reduce security vulnerabilities.

Enterprise Network Firewalls

Enterprise Firewall Services utilize network firewalls which provide the highest level of protection from Internet-based attacks. Network firewalls control network access to services on protected University computers. They also help monitor network activity that may be of a malicious nature. Network firewalls are required by several Federal regulations, including HIPAA, GLB, and others.

Enterprise Email

Enterprise Email systems, either IMAP or Exchange, offer powerful, redundant hardware and software that permits a high level of reliability, standard email backup and retention policies, enterprise spam and virus protection software, and strictly monitored security controls.

Enterprise Web Services

Enterprise Web Services offer web hardware and software to host University websites, with closely monitored security controls and high availability through redundancy.

Optional Hosting Service

CSSD provides a hosting service for unit-operated servers at its highly secure and closely monitored RIDC computer facility. A very reasonable cost model has been implemented to recover the cost of providing the service at RIDC. This is a very cost-effective and highly secure solution for securing departmental servers that contain sensitive data.

Policy

All departments are required to use Enterprise email, web services and firewalls.

  • Departments and University units may use either the Enterprise IMAP or Exchange services. Independent email services are not permitted.
  • Departments and University units are required to use network firewalls installed and operated by CSSD. Supplemental software (host-based) firewalls are permitted and encouraged.
  • All University websites must be housed on the Enterprise Web Service. Departments, University units and individuals are not permitted to maintain independent web servers. Two kinds of server may be excluded from this requirement: web-enabled applications in which the application web pages are not separable from the application code, and web servers used solely to teach students how to manage web sites.

Departments are encouraged to consider using the optional server hosting service if their servers contain sensitive data or data which would benefit from a more secure location. This service also relieves departments of the need to maintain server hardware and software.

For more information or to request access to these services, contact the Technology Help Desk at 412-624-HELP [4357] or submit a request online.

References

University Policy 10-02-06, Administrative University Data Security and Privacy

Security Controls Memorandum, May 3, 2007