These zones can vary significantly in how they are trusted: from networks trusted little more than the general Internet to networks that require stringent vetting and auditing. Most networks are public, but some are very isolated and not even routed. The common requirements across all zones are only that systems follow University security policies and that the Security and Networking teams can quickly identify the location and responsible party for all hosts on our networks.
For the purposes of this document, production systems are defined as any system, to include allocated systems, intended to provide reliable computational and/or data services to a networked constituency. These systems include not only “customer facing” hosts, such as web servers, file servers, login nodes, etc., but also the infrastructure required to support these systems, such as backend database servers, backup and storage systems, authentication servers, etc.
NCSA IT Operations Board
The leaders of ADS (Advanced Digital Services), ITS (Information Technology Systems), and Security are responsible for application of this policy. These three groups are the service providers of infrastructure at NCSA and meet regularly to discuss security issues and strategy for providing better services.
The Security Team is responsible for ensuring regular auditing of this policy and automates this where possible. However, responsible does not always mean executing every audit on their own: this is a group endeavor among all the NCSA service providers and requires coordination and cooperation between ADS, ITS and Security. The Security Team will verify that regular audits are performed for compliance with this policy, but the actual auditing may be performed by full-time system administrators, particularly for major production resources. Furthermore, approval from the Security Team is required prior to installation of any systems in Zone 1 (described below). Where possible, this verification and auditing will be done in an automated manner. For example, some policy compliance can be checked by the NIDS, and other components can be checked by security tools on the systems being protected, e.g., file integrity checkers and change control software.
Violations of this policy may result in immediate disconnection of systems by the Security Team, especially in critical and sensitive zones. Failure to obtain prior approval for installations based on zone policies or attempts to circumvent these policies will be reported to senior management at the NCSA.