System and Communications Protection
Overview
This updated standard is to help align existing IT practices around System and Communications Protection to the requirements in NIST 800-171 (SC | 3.13.x) as well as industry best practices. This document does not give full coverage of 3.13.x controls within 171 due to existing limitations and other requirements that are specific to CUI.
What is in this document:
- System firewall requirement
- Some firewall configuration requirements
- Requirement for public systems to separate networks from non-public systems
What is NOT in this document:
- Network logging requirements (AU standard)
- Complete firewall configuration requirements
Policy Reference
APM 30.11 University Data Classification and Standards
APM 30.12 Acceptable Use of Technology Resources
APM 30.14 Cyber Incident Reporting and Response
Purpose
This System and Communications Protection standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.
Scope
These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process 果冻传媒麻豆社 data (see APM 30.14 C-6) or using 果冻传媒麻豆社 technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.
Standards
To ensure network connectivity is monitored, controlled and protected to adequate levels:
- All systems capable of running a host-based firewall, must have it turned on and configured consistent with the principles of least privilege.
- Both the external (north-south) and internal (east-west) edges of U of I Internal Networks must be monitored as per the Audit and Accountability standard.
- Both the external (north-south) and internal (east-west) edges of U of I managed networks must have a default block rule.
- Exceptions to the default block action must go through change management approval.
- Instances that cannot use inline protections such as the Science DMZ must use out-of-path protections as approved by OIT Security.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Public Systems must be registered with OIT Security as per Access Control standard.
- OIT Security May scan public U of I IP space to review what is and is not a public system and may respond to those accordingly.
- Non-public university-managed technology resources must be on separate VLANs from Public Systems.
Applies to: Moderate and High
Split tunneling must not be implemented unless specifically approved by OIT Security.
Other References
1. (February 2020)
2. (September 2020)
3. (February 2007)
4. (July 2008)
5.
6. Audit and Accountability standard
8.
Definitions
1. Firewall
“A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.” (CMMC Glossary)
2. U OF I internal Networks
Networks controlled by 果冻传媒麻豆社 excluding networks for student or public systems such as AirVandalHome or AirVandalGuest as defined by ‘What are Azure AD "Named Locations"?’ (3.13.1[a-b])
3. Public system
A system that can be accessed in any form from the general public or internet.
4. Intrusion Prevention System (IPS)
“Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Also called an intrusion detection and prevention system.” (NIST SP800-94)
5. Virtual Private Network (VPN)
“A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.” (NIST SP800-113)
6. Internal network edge
The boundary between two internal networks. Also referred to as east-west traffic.
7. External network edge
The boundary between an internal network and external network. Also referred to as north-south traffic.
8. Split tunneling
“The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.” (NIST SP800-171)
Standard Owner
OIT is responsible for the content and management of these standards.
.
Contact: oit-security@uidaho.edu
Revision History
3/1/2024 — Minor updates
- Minor formatting/wording/reference changes.
6/23/2023 — Original standard
- Full re-write to align with NIST 800-171r2