Skip to main content

System and Communications Protection Procedure

Version 1.0

Purpose

The purpose of this procedure is for Data Owners and Custodians to define information security controls around system and communications protection. The University has chosen to adopt the policy principles established in the National Institute of Standards (NIST) 800 series1 of publications, and this procedure is based on those guidelines.

Scope

This IT document, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

Policy and Procedures (SC-1): Develop/adopt and maintain a system and communication protection program for critical IT Resources.
  1. Include the implementation of the System and Communications Protection Policy and associated controls.
  2. Review that program annually.
  3. Denial of Service Protection (SC-5): Assess the risk of denial of service attacks to critical IT Resources and ensure that those risks are adequately addressed.
Boundary Protection (SC-7):
  1. Establish and monitor the external and essential internal boundaries of critical IT Resources.
  2. Ensure that critical IT Resources deny network traffic by default and allow approved network traffic (i.e., deny all, permit by exception).
  3. Appropriately protect against the unauthorized release of information or unauthorized communication through the boundary protection mechanisms.

Cryptographic Key Management (SC-12): Ensure that when encryption is required within critical information systems, cryptographic keys are appropriately protected.

Collaborative Computing (SC-15): Ensure that critical IT Resources prohibit the remote activation of collaborative computing mechanisms (e.g., cameras, microphones, conferencing software) without an explicit indication of use to local users.

Secure Name/Address Resolution Service (Authoritative Source) (SC-20): Ensure that the name/address resolution service provides appropriate additional data origin and integrity artifacts (e.g., digital signatures) along with the authoritative data it returns in response to queries.

Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21): Ensure that name/address resolution services on the local clients of critical IT Resources perform data origin authentication and data integrity verification on resolutions received from authoritative sources.

Architecture and Provisioning for Name/Address Resolution Service (SC-22): Ensure that the IT Resources that collectively provide name/address resolution services are appropriately resilient (fault-tolerant).

Definitions

Custodian is the individual to whom day-to-day actions have been assigned by the data owner and is responsible for the storage, maintenance, and protection of information.

Data Owner(s) are responsible for the information, security, and use of a particular set of information.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

NIST Security Control Descriptions:

Policy and Procedures (SC-1)

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the System and Communications Protection Control Family (SC). Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of specific organizations. The procedures can be established for the security program in general and particular information systems if needed. The organizational risk management strategy is a crucial factor in establishing policies and procedures.

Denial of Service Protection (SC-5)

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by a denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

Boundary Protection (SC-7)

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers. They may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

Cryptographic Key Management (SC-12)

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define essential management requirements per applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Collaborative Computing (SC-15)

Collaborative computing devices include, for example, networked whiteboards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

Secure Name/Address Resolution Service (Authoritative Source) (SC-20)

This control enables external clients, including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones include, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

Architecture and Provisioning for Name/Address Resolution Service (SC-22)

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server, and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process names and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: April 14, 2020

Revision History

Version: Date: Description:
1.0 04/14/2020 Initial document