Network Segmentation Policy
| Applies to: | Original Policy Date: | Date of Last Review: | Approved by: |
|---|---|---|---|
| Florida Tech Campus | August 2024 | August 2024 | Dr. John Nicklow, President |
Policy Owner: Information Technology Department
Policy Purpose
The purpose of this policy is to establish guidelines for implementing network segmentation across the Florida Institute of Technology (Florida Tech) campus network. The policy aims to mitigate specific risks, such as lateral movement by attackers within the network, and to protect sensitive data from unauthorized access. Additionally, network segmentation is intended to enhance network performance by reducing congestion and optimizing resource allocation.
Policy Scope
This policy applies to all segments of the Florida Tech Campus Network. It encompasses all systems and departments within the university, ensuring consistent and uniform implementation of network segmentation measures.
Policy Statement
Network segmentation is an integral best practice for securing Florida Tech's campus network. The university will segment its network by logically grouping hosts into separate broadcast domains based on physical location, security requirements, compliance needs, and functional requirements. This segmentation will be implemented and managed by the Information Technology Department.
Procedures/Guidelines
- Network Segments:
  - Segments will be created based on physical location, such as grouping by buildings or floors.
  - Segments will be designed to protect access to sensitive data and to control privileged access to university information systems.
  - Compliance-based segments may be created to meet specific regulatory requirements, such as an HR VLAN for FERPA compliance.
  - Functional segments will be established for specific needs, such as lab environments, guest wireless access, or Internet of Things (IoT) devices.
- Segment Management:
  - Each segment will be identified, and a specific IP address scope will be assigned to it.
  - Ports on switches or routers will be assigned to segments to control communication between them.
  - Access to segments will be restricted to selected, approved, and trusted devices, users, and services on a role-based or need-to-know basis.
- Firewall Rules:
  - Firewall rules will be used to control access to network segments, adhering to the principle of Least Privilege.
  - Rules will be managed by the IT Department.
  - Access to segments containing sensitive data will be permitted only from university-owned devices.
  - Firewall rules will be regularly reviewed and updated to adapt to evolving threats and network changes.
Definitions
- Access Control List (ACL): A list of permissions associated with an object, specifying authorized entities and operations.
- Confidentiality: Preserving authorized restrictions on information access and disclosure to protect personal privacy and proprietary information.
- Dynamic Host Configuration Protocol (DHCP) Server: A network server that automatically provides and assigns IP addresses and network parameters to client devices.
- Firewall Rules: Rules used to filter network traffic based on defined criteria, managed to enforce least privilege access.
- Integrity: Ensuring information remains unaltered and authentic, guarding against improper modification or destruction.
- Internet of Things (IoT): Devices not traditionally connected to a network that are capable of exchanging data with the campus network.
- Least Privilege: Granting only the minimal system resources and authorizations necessary to perform a task, and restricting access to authorized personnel as needed.
- Network Segmentation: The process of dividing a network into sub-networks, isolating potential threats, and enhancing security.
- Privileged Access: Rights granted to administrative accounts or users for management tasks, limited to necessity.
Compliance Reference
This policy aligns with the NIST 800-171 guidelines, particularly the "Systems & Communications" and "Security Assessment" control families. It also supports compliance with relevant legal and regulatory standards, including the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA), which govern the protection of sensitive information and privacy within educational institutions.
Responsibilities
The IT Department is responsible for implementing and managing network segmentation. Regular monitoring and auditing will be conducted to ensure compliance with this policy.
Enforcement and Accountability
Non-compliance with this policy may result in disciplinary action, up to and including loss of access privileges. All stakeholders are responsible for adhering to and enforcing this policy within their respective areas of responsibility.