Network Security Practice Directive

Approved by Executive Tier on 11/22/2021, revised 12/12/2022.

Authority

UW Board of Regents

UW System Administration

Objective

This practice directive is intended to minimize risk to the UW-Whitewater (UWW) information technology environment from cyber criminals and ensure compliance with UW System policies, Regent policies, and applicable state and federal statutes regarding information security risk management.

Scope

This document applies to all staff, faculty, and students who access the UW-Whitewater network through a virtual private network (VPN) or traditional on-campus means.

Statement

Remote Access

In December 2020, the Executive Tier Committee approved disabling the Remote Desktop Protocol (RDP) through VPN connections to campus computers for the purpose of protecting UWW from potential security risks. A secure alternative solution, Citrix Workspace, was made available to individuals who require access to fulfill their job responsibilities.

UWW employees and students use a VPN to gain access to campus resources that are generally not available through a browser, primarily the network document storage. VPN access requires authentication. However, to be fully compliant with UW System Administrative Procedure 1031.B Information Security: Data Protections, access to High Risk data must also be protected by multi-factor authentication (MFA). MFA shall be enabled for VPN access.

As computers connect to the campus network, posture checking shall be conducted to ensure the security of the UW-W network and compliance with applicable policies. Posture checking includes confirmation that required malware protection or antivirus software is installed and functioning.

Access to the Wired Network

Network authentication is identified as one of the network security requirements in the UW System Administrative Procedure 1031.B Information Security: Data Protections. Access to the wired network shall be controlled by allowing access only to those devices that are identified in the IT Asset inventory. Guest (personal or campus devices) access shall be restricted based on the resources they are trying to access.

In addition to the network access controls, UW System Administrative Policy 1035 Information Security: IT Asset Management stipulates that “All UW institutions must inventory all UW-owned or leased IT assets”. To ensure the accuracy of this inventory, all IT assets must be documented in the IT asset inventory before accessing the UW-W network.

Posture checking shall be performed to validate that computers connecting to the UWW wired network are free of malware and have supported and patched versions of software and antivirus installed.