Internal Lab Security Policy
This policy establishes information security requirements for Bryant University labs to ensure that Bryant University confidential information and technologies are not compromised, and that production services and other Bryant University interests are protected from lab activities.
This policy applies to all internally connected labs, Bryant University employees, and third parties who access Bryant University's labs. All existing and future equipment that falls under the scope of this policy must be configured according to the referenced documents.
Ownership Responsibilities
- Lab-owning organizations are responsible for assigning Lab Managers, a point of contact (POC), and a back-up POC for each lab. Lab owners must maintain up-to-date POC information with Information Services.
- Lab Managers are responsible for the security of their labs and the lab's impact on the corporate production network and any other networks. Lab Managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined, Lab Managers must do their best to safeguard Bryant University from security vulnerabilities.
- Lab Managers are responsible for the lab's compliance with all Bryant University security policies. The following are particularly important: Password Policy for networking devices and hosts, Wireless Security Policy, Anti-Virus Policy, and physical security.
- The Lab Manager is responsible for controlling lab access. Access to any given lab will only be granted by the Lab Manager or designee to those individuals with an immediate business need within the lab, either short-term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the lab have their access terminated.
- The Network Support team must maintain a firewall device between the corporate production network and all lab equipment.
- The Network Support team and/or Information Services reserve the right to interrupt lab connections that impact the corporate production network negatively or pose a security risk.
- The Network Support team must record all lab IP addresses that are routed within Bryant University networks in the Enterprise Address Management database, together with current contact information for that lab.
- Any lab that wants to add an external connection must provide a diagram and documentation to Information Services with business justification, the equipment, and the IP address space information. Information Services will review these for security concerns and must give approval before such connections are implemented.
- All user passwords must comply with Bryant University's Password Policy. In addition, individual user accounts on any lab device must be deleted within three (3) days when no longer authorized.
- No lab shall provide production services. Production services are defined as ongoing and shared business-critical services that generate revenue streams or provide customer capabilities. These should be managed by the support organization.
- Information Services will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.
General Configuration Requirements
- All traffic between the corporate production and the lab network must go through a Network Support team-maintained firewall. Lab network devices (including wireless) must not cross-connect the lab and production networks.
- Original firewall configurations and any changes thereto must be reviewed and approved by Information Services. Information Services may require security improvements as needed.
- Labs are prohibited from engaging in port scanning, network auto-discovery, traffic spamming/flooding, and other similar activities that negatively impact the corporate network and/or non-Bryant University networks. These activities must be restricted within the lab.
- Traffic between production networks and lab networks, as well as traffic between separate lab networks, is permitted based on business needs and as long as the traffic does not negatively impact other networks. Labs must not advertise network services that may compromise production network services or put lab confidential information at risk.
- Information Services reserves the right to audit all lab-related data and administration processes at any time, including, but not limited to, inbound and outbound packets, firewalls, and network peripherals.
- Lab-owned gateway devices are required to comply with all Bryant University product security advisories and must authenticate against the Corporate Authentication servers.
- The enable password for all lab-owned gateway devices must be different from all other equipment passwords in the lab. The password must be in accordance with Bryant University's Password Policy. The password will only be provided to those who are authorized to administer the lab network.
- In labs where non-Bryant University personnel have physical access (e.g., training labs), direct connectivity to the corporate production network is not allowed. Additionally, no Bryant University confidential information can reside on any computer equipment in these labs. Connectivity for authorized personnel from these labs to the corporate production network can be allowed only through authentication against the Corporate Authentication servers, temporary access lists (lock and key), SSH, client VPNs, or similar technology approved by Information Services.
- Infrastructure devices (e.g. IP Phones) needing corporate network connectivity must adhere to the Open Areas Policy.
- All lab external connection requests must be reviewed and approved by Information Services.
- All lab networks with external connections must not be connected to the Bryant University corporate production network or any other internal network directly, via a wireless connection, or via any other form of computing equipment. A waiver from Information Services is required where air-gapping is not possible (e.g., Partner Connections to third-party networks).
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definition of Terms
DMZ (De-Militarized Zone)
A network that exists outside of the primary corporate firewalls but is still under Bryant University administrative control.
External Connections (also known as DMZ)
External connections include (but are not limited to) third-party data network-to-network connections, analog and ISDN data lines, and any other Telco data lines.
Extranet
Connections between Bryant University and third parties that require access to non-public Bryant University resources, as defined in Information Services' Extranet policy (link).
Firewall
A device that controls access between networks. It can be a PIX, a router with access control lists, or similar security devices approved by Information Services.
Internal
A lab that is within Bryant University's corporate firewall and connected to Bryant University's corporate production network.
Lab
A lab is any non-production environment intended specifically for developing, demonstrating, training, and/or testing of a product.
Lab Manager
The individual responsible for all lab activities and personnel.
Lab-Owned Gateway Device
A lab-owned gateway device is the lab device that connects the lab network to the rest of the Bryant University network. All traffic between the lab and the corporate production network must pass through the lab-owned gateway device unless otherwise approved by Information Services.
Network Support team
Any Information Services-approved Bryant support team that manages the networking of non-lab networks.
Telco
A Telco is equivalent to a service provider. Telcos offer network connectivity, e.g., T1, T3, OC3, OC12 or DSL. Telcos are sometimes referred to as "baby bells," although Sprint and AT&T are also considered Telcos. Telco interfaces include BRI (Basic Rate Interface), a structure commonly used for ISDN service, and PRI (Primary Rate Interface), a structure for voice/dial-up service.
Traffic
A mass volume of unauthorized and/or unsolicited network spamming/flooding traffic.