Data Management Zone (DMZ)
Major Functional Area (MFA): Finance and Administration
Policy Title: Data Management Zone
Responsible Executive (RE): VP for Finance and Administration
Sponsoring Organization (SO): Information Technology Services
Dates: Effective Date: August 1, 2011
Annual Review: August 1, 2012
Idaho State University (ISU) maintains a protected network of electronic information systems and related equipment that is not directly accessible from the internet. ISU also maintains a separate network, referred to as a "Data Management Zone" or "DMZ", that serves as a buffer between the protected network and electronic resources not owned by the University.
ISU's Data Management Zone policy defines and establishes the practices and standards implemented by the University to protect electronic information systems and related equipment residing on both the protected network and the DMZ from unauthorized use. Adherence to these requirements will minimize the potential risk to ISU from damage to its public image caused by unauthorized use of ISU resources, and the loss of sensitive or confidential data and intellectual property.
This policy applies to all of ISU's Information Technology (IT) systems. The following policies are incorporated into this policy by reference:
- The General IT Policy http://www.isu.edu/policy/2000/index.shtml
- The General Faculty/Staff and Student Policies http://www.isu.edu/policy/4000/index.shtml, http://www.isu.edu/policy/5000/index.shtml
II. POLICY STATEMENT
Servers publicly reachable through the Internet will reside in the DMZ. All other components of ISU's IT System will reside on the protected network.
No server containing private sensitive information may reside in the DMZ. Servers containing confidential information should be further segmented from the rest of the protected network for extra access protection.
Systems communicating from the DMZ to internally protected systems will be restricted to using only authorized communication protocols approved by the IT Administrator.
All other electronic communication that is not a direct response to a request from ISU's IT System will be blocked, unless allowed for business reasons approved by management and the Information Technology Administrator. Whenever possible, such access should be provided via ISU's Virtual Private Network (VPN) services. Approval of exceptions will be documented and exceptions reviewed annually to ensure they are still needed.
To ensure that no "back door" entry into ISU's protected network is created, any extension of ISU's protected network via the addition of, but not limited to, a router, bridge, gateway, hub, switch, wireless access point, dial-up modem, dual-homed server or personal computer, or provisioned telephone service must be approved in advance by the Information Technology Administrator.
III. AUTHORITY AND RESPONSIBILITIES
The author of this policy is the ISU Department of Information Technology Services (ITS). The ISU Security Working Group, in conjunction with representatives from the ISU Office of the Provost and Vice President for Academic Affairs and the Office of the Vice President for Finance and Administration, reviews all changes and updates. Final approval and execution rest with the President of ISU in consultation with University Counsel.
For the purpose of this policy, the definitions for ITS policies available at http://www.isu.edu/policy/fs-handbook/part3/3_8/3_8a.html are incorporated by reference.