PURPOSE:
This Network Security Policy outlines the standards and procedures for protecting the integrity, confidentiality, and availability of the Idaho College of Osteopathic Medicine (ICOM) network infrastructure and all connected systems and data. The purpose of this policy is to establish a secure network environment that supports the Institution's mission by preventing unauthorized access, use, disclosure, modification, or destruction of network resources and the information they transmit or store. This policy applies to all aspects of the ICOM network, including wired and wireless connections, network devices, and all systems connected to it, encompassing both on-premises infrastructure and access to cloud-based services, including SaaS applications.
SCOPE:
This policy applies to all components of the ICOM network infrastructure, including but not limited to:
- Routers
- Switches
- Firewalls
- Intrusion Detection and Prevention Systems (IDS/IPS)
- Wireless Access Points
- Virtual Private Network (VPN) infrastructure
- Network cabling and physical infrastructure
- All systems connected to the ICOM network, including:
- Servers (physical and virtual)
- Workstations and laptops
- Mobile devices (institutionally owned and BYOD when connected)
- Printers and other network peripherals
- Internet of Things (IoT) devices (if applicable)
- Access to cloud-based services, including SaaS applications, accessed via the ICOM network.
This policy applies to all individuals and entities that use or manage the ICOM network, including but not limited to:
- Faculty
- Staff
- Administrators
- Students
- Researchers
- Affiliates
- Volunteers
- Contractors
- Vendors
- Guests authorized to use the ICOM network.
DEFINITIONS:
- Firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- IDS/IPS (Intrusion Detection and Prevention System): A security appliance that monitors network traffic for malicious activity and can either alert administrators (IDS) or automatically block or prevent the activity (IPS).
- Network Segmentation: The practice of dividing a network into smaller, isolated segments to improve security and performance.
- VLAN (Virtual Local Area Network): A logical grouping of network devices that allows them to communicate as if they were on the same physical network segment, regardless of their actual physical location.
- VPN (Virtual Private Network): A technology that creates a secure and encrypted connection over a less secure network, such as the internet.
- WPA3 (Wi-Fi Protected Access 3): The latest and most secure Wi-Fi security protocol.
POLICY:
Network Access Control: Access to the ICOM network will be controlled based on the principle of least privilege and need-to-know.
- Authentication and Authorization: All users and devices connecting to the ICOM network must be properly authenticated and authorized before access is granted.
- Wired Network Access: Access to the wired network will be restricted to authorized devices and users.
-
Wireless Network Access:
- SSID: ICOM (Authenticated Wireless): A secure, authenticated wireless network will be provided for faculty, staff, and students, requiring ICOM credentials for access and utilizing strong encryption protocols (e.g., WPA2 Enterprise).
- SSID: ICOM_GUEST (Guest Wireless): A separate, isolated guest wireless network will be provided for visitors, offering limited internet access with limited access to internal ICOM resources.
- Remote Access: Remote access to the ICOM network will be governed by the Remote Access Policy and will require secure authentication methods, including Multi-Factor Authentication (MFA) where applicable.
- Port Security: Network ports not currently in use will be deactivated.
Network Segmentation: The ICOM network will be logically segmented to isolate different types of traffic and resources, limiting the potential impact of security incidents.
- VLANs (Virtual Local Area Networks): VLANs will be implemented to separate user traffic, server traffic, guest traffic, and other distinct network segments.
- Firewall Rules: Firewalls will be used to control traffic flow between network segments, enforcing access control policies and restricting communication to only necessary ports and protocols.
- Isolation of Sensitive Systems: Systems handling sensitive data (e.g., student records, financial data, patient data if applicable) will be placed on isolated network segments with stricter access controls.
Firewall Management: Firewalls are a critical component of network security and will be managed according to the following standards:
- Rule-base Management: Firewall rules will be reviewed regularly, documented, and kept up-to- date. Unnecessary or overly permissive rules will be removed.
- Default Deny Policy: Firewalls will operate on a default deny policy, allowing only explicitly permitted traffic.
- Regular Audits: Firewall configurations and rule-bases will be audited periodically to ensure effectiveness and compliance with this policy.
Intrusion Detection and Prevention Systems (IDS/IPS): IDS/IPS will be implemented to monitor network traffic for malicious activity and automatically block or alert on detected threats.
- Signature-Based and Behavioral Analysis: IDS/IPS will utilize both signature-based detection and behavioral analysis techniques to identify known and emerging threats.
- Regular Updates: IDS/IPS signature databases and software will be updated regularly to ensure protection against the latest threats.
- Alert Monitoring and Response: Security personnel will monitor IDS/IPS alerts and respond to detected incidents according to the Incident Response Policy.
Wireless Security: The ICOM wireless networks will be secured using strong encryption and authentication protocols.
- Encryption Standards: The SSID: ICOM network will utilize WPA2 Enterprise encryption or the strongest available standard. Weaker or outdated encryption protocols (e.g., WEP, WPA) will be phased out.
- Authentication: Access to the SSID: ICOM network will require authentication using ICOM credentials or secure certificate-based authentication.
- Guest Network Isolation: The SSID: ICOM_GUEST network will be isolated from the internal ICOM network and will provide limited access to internal resources.
- Rogue Access Point Detection: Measures will be implemented to detect and mitigate the risks posed by unauthorized or rogue wireless access points.
Network Monitoring and Logging: Network activity will be monitored and logged to detect security incidents, troubleshoot issues, and support investigations, as outlined in the System Monitoring and Logging Policy.
- Traffic Analysis: Network traffic will be analyzed for suspicious patterns and anomalies.
- Log Retention: Network logs will be retained for a defined period in accordance with the System Monitoring and Logging Policy.
Network Device Security: Security measures will be implemented to protect network devices themselves from unauthorized access and tampering.
- Strong Passwords and Access Controls: Network devices will be protected with strong, unique passwords and access controls will be restricted to authorized personnel only.
- Secure Configuration Management: Network device configurations will be securely managed and backed up regularly.
- Firmware Updates: Network device firmware will be updated promptly to address security vulnerabilities.
- Physical Security: Physical access to network devices will be restricted to authorized personnel.
Acceptable Use: Use of the ICOM network must comply with the Acceptable Use Policy. Prohibited activities include, but are not limited to:
- Unauthorized access to network resources.
- Intentional disruption of network services.
- Introduction of malware or other malicious software.
- Use of the network for illegal activities.
Third-Party Connections: Connections to the ICOM network by third-party vendors or contractors will be governed by the Third-Party Vendor Management Policy and will be subject to specific security requirements and access restrictions.
Policy Exceptions: Exceptions to this Network Security Policy may be granted in limited circumstances by the Chief Information Officer or designated authorization authority, with appropriate justification, documented risk assessment, and approved compensating security controls. Exceptions should be rare and subject to periodic review.
ENFORCEMENT:
Enforcement of this Network Security Policy is the responsibility of all managers, supervisors, IT administrators, network administrators, security administrators, and users of the ICOM network, under the overall direction of the Chief Information Officer. Violations of this policy may result in disciplinary actions, up to and including warnings, suspension of network access, and termination of employment or access privileges, and potential legal consequences. The IT Department will monitor compliance with this policy and investigate reported violations.
POLICY REVIEW AND UPDATES:
This Network Security Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, security threats, regulations, institutional risk assessments, business needs, or best practices in network security. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 8/23/21
Last Reviewed: 7/8/25
Review Requirement: Annual
CROSS REFERENCE AND SUPPORTING DOCUMENTS:
Information and links to other policies or supporting documents referenced within this policy.
| Document/Resource | Location/Link |
| Information Security Program | Contact Chief Information Officer |
| Remote Access Policy | Remote Access Policy |
| Incident Response Policy | Incident Response Policy |
| System Monitoring and Logging Policy | System Monitoring and Logging Policy |
| Acceptable Use Policy | Acceptable Use Policy |