400 Network and Telecommunications Security

401: Transmission of Protected Information

Information Security Policies & Procedures Manual
Section 400: Network and Telecommunications Security
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this section is to state OSU’s policy regarding the transmission of protected information over the network.

Background

Once information is classified as Protected Information, established baseline standards ensure that the information resides and is processed within a secured zone of the network.  However, normal business operation does from time to time require the transfer of Protected Information to other authorized parties for purposes consistent with OSU’s mission and OSU’s obligations to protect the information.

Policy

It is the policy of OSU that no Protected Information be transmitted over any network outside of the secured zones within the OSU network, unless appropriate and standard encryption techniques are used.  Under no circumstances will Protected Information be transmitted across an unsecured network in clear text. In particular, it should be noted that Email is not by default an encrypted means of transmission and any Email sent is subject to this restriction.

402: Secured Zones for Protected Systems

Effective: 01/11/2010

Purpose

The purpose of this section is to state OSU’s procedures regarding network security and firewall architecture to protect Protected Information.

Procedure

OSU Network Services establishes Secured Zones using current firewall technology and the appropriate network access control rule set to ensure that only authorized access is permitted to information systems which contain or will have access to Protected Information.  The overall architecture is based on separation of servers and workstations and the creation of various security zones based on relative sensitivity.  Departmental zones are established for local servers and services, and authority to manage the rule sets for those zones is delegated to authorized departmental personnel.  Network Services monitors and audits all rule sets.

Direct connections to the OSU data network are controlled and restricted to authorized personnel only by means of ONID credentials and a registration process for computers.  All remote connections are limited to approved gateways only.  All machines connected to the OSU network are subject to the OSU Network Security Policy (see http://oregonstate.edu/net/info/policy/network_security_policy.php).