OPERATIONAL POLICY

NUMBER: IS.201

TITLE: Network Infrastructure Use

EFFECTIVE DATE: May 8, 2018

DEPARTMENT: Cyberinfrastructure Technology

Authorized: Dr. Robert Owen, Vice Provost for Information Services & CIO

Background

Santa Clara University provides network infrastructure to support the mission of the University in making resources accessible to staff, faculty and students for instruction, administration and research. The network infrastructure must be controlled and managed to ensure resources are continuously available for these uses.

Purpose

To ensure the availability of the network infrastructure by defining network infrastructure ownership, and the restrictions and responsibilities of any user of the SCU network infrastructure.

Scope

Applies to all SCU students and employees, campus visitors, contractors, and anyone else with physical access to any part of the SCU network infrastructure, including use of Wi-Fi.

Policy

1. Ownership of Network Infrastructure and Network Address Space

1. The SCU Network Infrastructure is owned by, and is the property of, Santa Clara University. The Information Services department is primarily responsible for overseeing the operations of the network infrastructure.
2. The Network Infrastructure includes all SCU-owned routers, switches, wired telephony devices, outlet jacks, wiring (copper and fiber), WiFi access points, and commercial WiFi network bands in the 2.4GHz and 5GHz ranges.
3. Network Infrastructure owned or managed by any other entity must not be used to interconnect or interfere with SCU Network Infrastructure except where such equipment is explicitly registered and endorsed by Information Services. Information Services retains the right to insist on the removal of such equipment at any time in the future should it be necessary for the continued operation of SCU Network Infrastructure.
4. Network addresses, including IPv4 and IPv6 addresses and DNS names, are controlled by Information Services. Delegation of address space must be explicitly authorised by Information Services. Address space delegation may be revoked by Information Services to maintain the integrity of the network.
5. scu.edu: The DNS domain scu.edu and all subdomains of scu.edu are controlled by Information Services. No subdomain may be used without explicit authorization of Information Services. No DNS servers are permitted to be visible to SCU or public networks except those directly managed by Information Services. DNS servers providing name resolution wholly within a Private Network  (see §2) are permitted so long as the DNS server has been registered with Information Services in accordance with the requirements of §2. 

2. Private Networks

Private networks are defined as any network segment or subnet behind a device over which Information Services do not have administrative control.

1. All private networks must have an administrator assigned to oversee and maintain security and network integrity. This administrator will be registered with and be contactable by Information Services.
2. Private network administrators must register any servers on the private network with Information Services, and notify Information Services of any server decommissioning.
3. Private network administrators must maintain up-to-date documentation of the private network infrastructure including hardware types, physical locations, and IP addressing information, and make such documentation available to Information Services on request.
4. Private networks must maintain comprehensive usage logging, including the authenticated identity of the user. Administrators should allow appropriate logging and monitoring access to SCU corporate systems.
5. All private networks must comply with SCU Information Security policies.

3. Private WiFi Networks

Private WiFi networks are defined as any continuously transmitting WiFi devices, operating in Infrastructure Mode, in the 2.4GHz or 5GHz bands, within reasonable transmission range of the SCU campus.

1. No Private WiFi network is permitted to transmit without prior registration with Information Services. Information Services reserve the right to restrict the active bands of any private WiFi network radio.
2. Information Services will monitor WiFi transmissions and may require Private WiFi Networks to modify their configuration including, but not limited to, power level restrictions, SSID name changes, or frequency or protocol avoidance, to ensure SCU-provisioned WiFi networks can operate without interference.
3. Networks provisioned through Private WiFi are considered Private Networks, and are subject to the same requirements as defined above.

4. Network Connections

A network connection applies to any endpoint connected to network infrastructure, whether by physical cable or by WiFi to an SCU WiFi network.

1. Only endpoint devices may be connected to an outlet jack. Permitted endpoint devices are defined in Acceptable Endpoints in Definitions below, and include computers and telephony handsets, but do not include network extenders (routers, hubs switches, etc) of any kind.
2. Only endpoint devices may connect to an SCU-provisioned WiFi network. Permitted endpoint devices are defined in Acceptable Endpoints in Definitions below, and include computers and telephony handsets, but do not include network extenders (routers, hubs switches, etc) of any kind.
3. Endpoint devices that can interface to an external network - such as cellular modems or VPN devices - must never be connected to any wall outlet or allowed to connect to any SCU WiFi network. This includes allowing an SCU-connected device (such as  PC) to simultaneously tether to a cellular device.
4. SCU network segments must be used in accordance with the purpose of that segment.  Users must not attempt to connect end devices to unauthorized infrastructure, such as connecting a PC to a CCTV outlet. When using WiFi, users should use the appropriate WiFi SSID for their affiliation to SCU (e.g. students use SCU-Student; staff and faculty use SCU_Employee). Only visitors to SCU should use SCU-Guest.
5. SCU Network Infrastructure will automatically disable or otherwise disrupt network communications to unauthorised devices connected to the network infrastructure. Exemptions to this policy to allow endpoints or network infrastructure extensions via a wall outlet must be individually negotiated with Information Services, and will be subject to specific conditions negotiated as part of the authorization process.

Procedures

Contact the Technical Helpdesk for all registration activities, including to:

• request allocation of, or delegation of control over, an address space (see §1.4)
• register a private network and define an administrator (see §2.1, §2.2)
• register a private Private WiFi and allocate an administrator (see §3.1)
• initiate exemption negotiations for physical network connections (see §4.3)

Enforcement

SCU Network Infrastructure will automatically disable or otherwise disrupt network communications to devices connected to the network infrastructure that do not comply with the terms of this Operational Policy.

Compliance with information security policies shall be monitored regularly in conjunction with the university’s monitoring of its information security program.

Individuals who do not comply with these policies shall be subject to remedial action in accordance with the Student Handbook, Faculty Handbook, Staff Policy Manual,, and departmental disciplinary actions as appropriate.

Any disciplinary action under this policy shall take into account the severity of the offense and the individual’s intent. Disciplinary action can include revocation of privileges to use or access any or all components of the network infrastructure, up to and including termination or dismissal from Santa Clara University.

Definitions

1. SCU-provisioned WiFi network

SCU WiFi networks include, but are not limited to, WiFi networks conforming to the series of 802.11 standards, operating in 2.4GHz or 5GHz bands. SSIDs include, but are not limited to, SCU-Employee, SCU-Student, and SCU-Guest.

2. Acceptable Endpoints

Acceptable endpoints permitted to be connected to the network consist of desktop and laptop computers, mobile devices, printers and projectors; telephone equipment,  camcorders, TVs, video players, and FAX machines; and satellite equipment. Endpoints not in this list may be included with explicit written permission of Information Services.

Related

• Information Resources Acceptable Use Agreement
• End User Information Security Standard
• IS.002 Network Acceptable Use Policy

Questions or comments to is-policy@scu.edu

Last Reviewed: April 2018

Next Scheduled Review: April 2020