Network Access Stability -- Authorized Devices Policy
Providing University faculty, staff and students with a stable, high-performance network environment is a shared responsibility of Information Technology (IT) and all users of campus networking services. The term "devices" means any combination of hardware and software that is logically or physically attached to the network. Devices which pose an acceptable risk to the stability, performance, and security of the network will be termed "authorized". To obtain authorization for a device, all the user has to do is to ask IT to check the device. If all is working properly and in the judgment of the Director of Networks and Computing the device does not behave in a way that affects the stability, performance, or security of the network, the device will be recorded as "authorized". Other devices, then, fall into the category of "not assessed". This often means that the device simply has not been checked for compatibility and unexpected problems. The user can check the status of a device and be placed in the "authorized" category by submitting a Help Desk Ticket (via Web, email, or phone), or by following the procedure below. Periodically, to assist campus users, devices that are in the "not assessed" category will be scheduled for assessment by IT if an assessment is not initiated by the owner.
In some cases, machines (devices) attached to the network have an adverse effect on the network system, whether inadvertently or intentionally. These devices are categorized as "unauthorized". Much of the policy deals with this unauthorized category of machines and not with the large number of devices in general at the University.
The items below are pre-approved and once associated with a user are automatically "authorized". Purchasing these items will place users in the "authorized" category with little effort on the user's part:
- Desktop systems and peripherals meeting minimum standard criteria as established by IT.
- Base operating systems required by such desktop systems.
- Printers meeting minimum standard criteria as established by IT.
- Standard desktop productivity software such as Web browsers, email programs, database access programs (not servers), spreadsheet software, word processors, graphic editors, or any other production software that does not function as a server.
Configuring any device (even those that are pre-authorized by the guidelines above) or using any technique that makes the connection between University networking equipment and "authorized" devices opaque to network management tools should have prior approval by IT. This includes the use of routers and hardware (but not software) firewall devices. Because in certain conditions these devices can inhibit effective network management, IT cannot guarantee proper network operation in situations where these devices are installed without prior approval.
Requesting Authorization for a Device
To request that a device be authorized, the user can fill out a Request for Authorization form, which asks for information that helps IT develop a database for the network. This kind of information is useful should the network system become compromised. The information should include the following:
- The business and technical requirements of the device.
- Location on the campus network where it is going to be used.
- The person, group, or department that will be using the device.
- Risk factors associated with the device.
- Permanent contact information of the person responsible for maintaining the device.
- Security update procedures.
For help with filling out this form, the user can contact the IT Help Desk at 573-341-4357 (HELP).
IT will evaluate the request for approval and provide a response to the requester. IT will work with the requester and explain any concerns it has about the device. If the device could (under rare circumstances) be a threat to the network, IT will contact the user and make arrangements for temporarily isolating the device and helping the user restore or convert the device into one that is "authorized".
In those (few) cases in which the device cannot be put in the authorized category, the individual is not a valid University user, or IT has some indication that the individual is connecting a device capable of affecting the stability, performance, or security of the network, the device will be deemed "unauthorized".
Responsibilities of the Person(s) Receiving Authorization
The person(s) associated with the "authorized" device is (are) called "authorized person(s)". They have the responsibility for maintaining the security and stability of the device. If any problems arise with either security or stability of the device, the authorized person should take immediate action to address the situation. If help is needed, they should contact IT. IT will take reasonable actions to rectify the problem so that isolation of the device from the network is not necessary.
When a person receives the authorized status from IT, IT provides tracking methods to maintain information for the device. The authorized person should also monitor the information concerning the device, such as its location, contact, or removal, and notify IT via the network registration tool (http://itweb.mst.edu/~netdb) as soon as they are aware of a change.
IT will contact the person(s) responsible for the device and place the device into the "unauthorized" category (as outlined above) in the case that the device does not comply with the criteria outlined above. If the device violates the Computing and Network Acceptable Use Policy, the user can also be subject to disciplinary actions.
Maintenance of Device Authorization
On an annual basis, IT will aid the user by providing a Web tool to update the information of the authorized devices. This will help to establish for the user a continuing need for the device and protect the device from being removed from the network during routine maintenance of the system. If the authorized user no longer has an active account at the University and IT is not able to contact the authorized person, IT will notify the department or individuals in charge of the device location (if they can be determined) and seek to resolve the problem. After all efforts have failed to establish contact with the authorized user, IT will place the device in the "unauthorized" category and the device will be removed from the network. The device can be re-authorized by contacting IT and resolving the issues which caused it to be placed in the "unauthorized" category.
Existing Devices Already in Service
IT will work with departments, research groups and individuals to make sure that their devices are compatible with the network. IT also wants to make sure that the process is implemented in a manner which does not unnecessarily inconvenience the user. This is a good time for everyone to become familiar with the importance of security and have their systems protected from deliberate or inadvertent abuse. In this process, IT hopes to help the users become authorized without having to undergo a formal process for each device.
Note: All IT policies and procedures are subject to annual review.