Policy Number: 
IT-08
Date Drafted: 
11/04/2001
Approved Date: 
04/04/2002
Approved Date: 
07/18/2005
Revision Date: 
06/24/2005
Version: 
2
Revision Date: 
02/13/2007
Revision Date: 
06/22/2021
Version: 
3
Description: 
Any computer or device connected to or accessing the University network or systems must be secured using the Device Security Standard to minimize disruptions to the operation of the network and to prevent data compromise. 

POLICY TITLE:  Network Citizenship Policy
POLICY #: IT - 08
DATE DRAFTED: 11/04/01
DATE POSTED  
APPROVED DATE: 04/04/02, 07/18/05
REVISION DATE: 06/24/05, 06/22/21
BRIEF DESCRIPTION: Any computer or device connected to or accessing the University network or systems must be secured using the Device Security Standard to minimize disruptions to the operation of the network and to prevent data compromise. 

Introduction:

The University of Iowa relies on technology to meet its operational, financial, and information requirements. The enterprise network is a critical institutional resource and provides important foundational services for these computing and technology implementations. In order to protect the integrity of these network services and that functionality, persons owning or managing devices connected to the network assume responsibility for securing these devices to ensure they don’t disrupt its operation or compromise the University’s data assets. 

Scope:

This policy governs all devices (e.g., servers, desktops, laptops, IoT, research instruments, medical devices, phones, etc.) that are connected to the campus network. This also includes remote devices connected via wireless, VPN or the Internet, as well as devices that access institutional resources that are an extension of campus resources (e.g., cloud resources). 

Systems that are not properly administered can become a threat to the operation of the network. The responsibility for the security and integrity of the devices connected to the campus network initially rests with the person who connects the device to the network. Thereafter, the primary user of a computer shares responsibility with whoever provides IT support for that computer, followed by the department housed in the physical space the device occupies. Technical staff who manage multi-user shared resources will have primary responsibility for them, followed by the department housed in the physical space the computers occupy.  

Policy Statement:

The network citizenship policy is intended to protect the integrity of the campus network and to mitigate the risk and losses associated with threats to data, the campus network and networked resources. System administrators and users must  

  1. Follow the University of Iowa Device Security Standard for securing devices in order to ensure that key security vulnerabilities are addressed. Key vulnerabilities will change over time as new threats and risks emerge. Security standards will evolve in the same manner.   
  2. Not extend the University of Iowa enterprise network in a wired or wireless manner without prior approval from the UI Security of Office (ISPO) and Network Engineering Services (NES).
  3. Not employ or utilize network scanning, network sniffer, or other network investigative and probing tools unless it is a requirement of their position and the services they provide.  
  4. Cooperate with the Information Security and Policy Office (ISPO) to resolve security problems identified with any systems you are responsible for.  
  5. Submit devices to vulnerability scans, and resolve high-risk issues identified by the scans in a timely manner.
  6. Immediately report compromises and other security incidents to ISPO (report a security incident or call 319-335-6332) or report it to your local IT support staff.    
  7. Comply with the individual responsibilities stated in Section IV of the University’s Acceptable Use Policy for Information Technology Resources.

Enforcement:

Systems posing an immediate threat to the campus network will be removed (or contained) from the network to isolate the intrusion or problem and minimize risk to other systems, until the system is repaired, and the threat is removed, as determined by the Information Security and Policy Office. Systems involved in security incidents which do not adhere to the Device Security Standard will remain off the campus network until the system administrator brings the system into compliance.  IT support staff have the authority to remove devices from the network in their area of responsibility and will be notified when systems in their department are removed from the network by central security or network engineering staff. 

Accounts that pose a threat to the campus network (e.g., compromised via phishing or other means) may have their passwords reset. 

Systems or accounts that are involved in multiple incidents represent a higher level of risk and may require additional steps to avoid further problems.  

Related Policies, References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu/) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).
 

Device Security Standard  

Network Vulnerability Assessment and Incident Response Policy

Security Policy

Request a Security Exception

Network and Airspace Policy 

Enterprise Password Standard

Resources

ITS Telecommunication & Network Services (TNS)