Firewall Exception Request

Policy Information

  • 1.0 Purpose

    The purpose of this policy is to outline the requirements and procedure to request exceptions to firewall rules at Portland State University. These rules are in place to protect the users and the University. Exceptions without proper precautions may expose the University to a higher level of risk including virus attacks, compromise of network systems and services, and possible litigation.

  • 2.0 Scope

    The policy applies to employees, students, contractors, consultants, temporaries, and other workers at Portland State University, including all personnel affiliated with third parties. This policy applies to all equipment that is connected to the PSU network.

  • 3.0 Policy

    It is recognized that a firewall can restrict certain activities on the network and Internet at large that are necessary to conduct the teaching, research, and outreach functions of the University. Thus, the following policy establishes requirements and guidelines before exceptions are established through a firewall protecting individual or groups of machines:

    1. All exception requests must be made by a Department's professional information technology staff person. These individuals are keenly aware of the security issues and needs within their department, and they know of existing servers within the University or their Department that may already have the necessary exception and may be better placed to provide the service. Additionally, if an exception request must be made for a machine, they know what information the Firewall Exception Committee will need to make an informed decision, such as the justification for each port included in the request. If you do not have an information technology staff person, please contact OIT User Support Services and they will act on your behalf.
    2. The device(s) must be administered by a professional information technology staff person and should be a system dedicated to providing the services for which the exception is requested. The purpose is to provide University and Departmental servers the accessibility they need to provide their intended services. Ad hoc, personal, or research servers should make use of Departmental, College, or University resources whenever possible rather than solicit an exception. Dedicated appliances or servers that cannot be incorporated into the aforementioned services provided by the Department, College, or University (e.g., a web cam used for providing live video feed of lectures or experiments) due to technical reasons will be reviewed on a case-by-case basis.
    3. Security patches for the device must be installed in a timely fashion (as soon as possible, and in no case more than 72 hours after release by the vendor) by the information technology staff. The only exception would be if the patch prevents the proper function of installed software and no satisfactory work-around can be found. Occasionally, OIT staff will audit devices granted exceptions to ensure that the latest security patches have been installed.
    4. A device will be disconnected from the network if a security incident occurs and the port(s) granted the exception will be closed until the device again complies with items 1 and 2.

  • 3.1 Exceptions

    Exception process — Any exceptions requested for a given interface must be thoroughly researched by the department making the request for both the necessity of the exception as well as the possible security risks associated with making the exception. Upon approval by the department, a request must be made via a Request for Exceptions to Firewall Security to PSU/OIT's Firewall Rules Exception Committee. Any such requests will be reviewed by the committee and either subsequently adopted for the department, or University as a whole, or denied based on the lack of necessity or because of unavoidable security risks associated with adopting the exception. Lack of necessity would be determined based on the need for the service in question and/or the availability of alternate means to more securely use the service (e.g., tunneling the traffic via a VPN).

    Requests for exceptions through the firewall may only be submitted by a Departmental IT professional or designated User Support Services representative. All requests must contain the following information:

    1. The specific need for the exception and port(s) to be opened with justification for each.
    2. The Internet name and address of the device(s) for the exception.
    3. The name, phone number, and email address of the information technology staff person responsible for administration of the device(s). If staffing changes leave an excepted device unmanaged, the exception(s) may be removed if an unreasonable security risk arises from the system remaining unmanaged.
    4. Security measures in force on the system including password policy, auditing policy, antivirus software (if any), and any additional security related software and/or settings of the machine.
    5. A statement to the effect that the owner of the device(s) "understands that the device(s) will be disconnected from the network and the port(s) granted the exception will be closed if a security incident occurs with that device, contact information for the technology staff person responsible for the device is not kept current, or security patches are not being applied in a timely manner."
    6. Exceptions may not be granted for a request that OIT Security, NTS, or the Firewall Rules Exception Committee considers too vulnerable to attack, or for operating systems and applications without a proven record of adequate security.


  • 4.0 Enforcement

    If security measures are altered or not maintained after an exception has been granted, the exception can be immediately rescinded.
