UM Network Security Standard

Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Technology and Platform Security

IN PLAIN LANGUAGE

The University's network is the backbone that connects its systems, data, and people — and securing it requires more than just a firewall. This standard sets the rules for how University networks are designed, configured, and monitored, including requirements for segmentation, access controls, encrypted remote access, and wireless security. It also covers an area unique to a campus environment: the building automation and operational technology systems — like HVAC and energy management — that are increasingly connected to the network and must be properly isolated from systems handling sensitive data. Network devices must be kept patched, securely configured, and monitored for suspicious activity.


1. Purpose

The purpose of this Standard is to establish minimum requirements for the secure design, configuration, operation, and monitoring of network infrastructure used to support University Data and Information Technology Resources. Effective network security reduces the risk of unauthorized access, data compromise, service disruption, and lateral movement within the University environment.

This Standard implements network security controls under the University's Information Security Program and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.


2. Scope

This Standard applies to:

  • University-owned and University-managed wired and wireless networks
  • Network devices including firewalls, routers, switches, wireless controllers, and access points
  • On-premises, cloud-hosted, and third-party-managed network environments that support University systems or data
  • All campuses and affiliated locations within the University of Montana System

This Standard applies regardless of network location when supporting University business or connecting to University Information Technology Resources.


3. Roles and Responsibilities

3.1 Chief Information Security Officer (CISO)

The CISO is responsible for:

  • Establishing and maintaining this Standard
  • Approving exceptions to network security requirements
  • Escalating material or systemic network security risks to executive leadership

3.2 Information Technology Organizations

UM IT, UM System IT, and Distributed IT are responsible for:

  • Designing, implementing, and operating secure network infrastructure
  • Applying network security controls consistent with this Standard
  • Supporting monitoring, vulnerability remediation, and incident response activities

3.3 Network and System Administrators

Administrators are responsible for:

  • Secure configuration and maintenance of network devices
  • Documenting configurations, changes, and approved exceptions
  • Promptly addressing identified vulnerabilities and security issues

4. Network Security Principles

Network security controls must be designed and implemented according to the following principles:

Least privilege — Network access is restricted to what is necessary for business or academic functions.

Defense in depth — Multiple layers of controls are used to reduce reliance on any single mechanism.

Default deny — Network traffic is denied by default and explicitly permitted by documented business need.

Segmentation — Networks are logically segmented to reduce risk and limit blast radius.


5. Configuration and Change Management

5.1 Secure Configuration Baselines

  • Network devices must be configured using secure baseline configurations based on CIS Benchmarks or equivalent industry standards
  • Deviations from baseline configurations must be documented and approved
  • Secure configurations must be verified periodically and following significant changes

5.2 Change Management

  • Network changes must follow approved change management processes
  • Changes with security impact must be reviewed prior to implementation
  • Emergency changes must be documented retrospectively

5.3 Patch and Lifecycle Management

  • Network devices must run vendor-supported software and firmware
  • Security patches must be applied in a timely manner
  • Devices no longer supported by vendors must be replaced or isolated

Patch timing expectations and vulnerability remediation targets are defined in the Vulnerability Management Standard.


6. Network Access Controls

6.1 Boundary Protection

  • Inbound network traffic must be denied by default
  • Explicit rules must be documented and justified by business need
  • Firewall and access control rules must be reviewed at least annually and upon significant change

6.2 Segmentation

Network segmentation must be implemented to isolate systems based on risk and function, including:

  • Separation of servers from endpoint environments
  • Isolation of systems processing Restricted (Moderate Risk) or Confidential (High Risk) Data
  • Segmentation of specialized devices such as printers, IoT, and building systems

6.3 Remote Access

  • Remote network access must use secure, encrypted methods approved by UM IT
  • Multi-factor authentication is required for administrative and privileged remote access
  • Remote access must be limited to users with documented business need

7. Operational Technology (OT) and Building Systems Security

7.1 Scope

This section applies to Operational Technology (OT) systems, including:

  • Building Automation Systems (BAS)
  • HVAC, lighting, and energy management systems
  • BACnet/IP and related industrial control protocols
  • Facilities monitoring and control systems
  • IoT devices supporting campus operations

7.2 Segmentation

Operational Technology systems must be logically segmented from general-purpose user networks, enterprise administrative systems, and systems processing Restricted (Moderate Risk) or Confidential (High Risk) Data. Segmentation must be implemented using VLANs, firewall controls, or equivalent isolation mechanisms.

Where technical or operational constraints prevent full segmentation, compensating controls must be documented and approved through the exception process defined in the UM Information Security Policy.

7.3 Internet Exposure

Operational Technology systems must not be directly exposed to the public internet unless all of the following are met:

  • A documented business need exists
  • Vendor documentation confirms secure internet-facing deployment is supported
  • A risk assessment is completed
  • The exception is formally approved by the CISO

Protocols not designed for secure internet transport (e.g., BACnet/IP over UDP 47808) must not be publicly accessible.
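The requirements in 6.1 (default deny, documented and periodically reviewed rules) and 7.3 (no public reachability for BACnet/IP and similar protocols) are checkable mechanically against a firewall rule export. The script below is an added example and not part of this Standard or any UM tooling: it audits a rule set for a missing terminal default-deny rule, allow rules without a documented justification, OT protocol ports reachable from public sources, and rules that can never match because an earlier rule covers them. The five-tuple rule format, the sample rule set, the address ranges and the Modbus/TCP entry are constructed assumptions; only the BACnet/IP port comes from the Standard.

```python
"""Static audit of a boundary firewall rule set against Sections 6.1 and 7.3.

Added example, not part of the UM standard. The five-tuple rule format,
the sample rule set and the OT port table beyond BACnet are constructed for
illustration; a real audit would parse the vendor's rule export instead.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Address space treated as internal; any source not fully inside it is "public".
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# UDP 47808 (0xBAC0) is the BACnet/IP port Section 7.3 names. Modbus/TCP 502 is
# an assumed stand-in for the "related industrial control protocols" it mentions.
OT_PORTS = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus/TCP"}

Finding = Tuple[Optional[int], str, str]   # (rule index or None, code, detail)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: Optional[int]     # None means any destination port
    justification: str = ""  # documented business need (Section 6.1)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (self.proto in ("any", other.proto)
                and self.dport in (None, other.dport)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))

    def source_is_public(self) -> bool:
        net = ip_network(self.src)
        return not any(net.subnet_of(n) for n in INTERNAL)


DEFAULT_DENY = Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None)


def audit(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    # Default deny (Sections 4 and 6.1): the last rule must drop everything not matched above.
    if not rules or rules[-1].action != "deny" or not rules[-1].covers(DEFAULT_DENY):
        findings.append((None, "NO_DEFAULT_DENY", "rule set does not end in deny any/any"))
    for i, r in enumerate(rules):
        if r.action == "allow" and not r.justification.strip():
            findings.append((i, "UNDOCUMENTED", "allow rule has no business justification"))
        if r.action == "allow" and r.source_is_public():
            for (proto, port), name in OT_PORTS.items():
                if r.proto in ("any", proto) and r.dport in (None, port):
                    findings.append((i, "OT_PUBLIC", f"{name} reachable from public sources"))
        # Ordering: a rule fully covered by an earlier one can never match. A deny
        # placed above an intended allow silently breaks the exception; an allow
        # placed above a deny silently widens exposure.
        for j in range(i):
            if rules[j].covers(r):
                kind = "redundant with" if rules[j].action == r.action else "shadowed by"
                findings.append((i, "UNREACHABLE", f"{kind} rule {j}"))
                break
    return findings


# Constructed sample rule set (assumed addresses; TEST-NET-2 for the public host).
SAMPLE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0",    "198.51.100.10/32", 443,   "Public web portal, change CR-0412"),
    Rule("allow", "udp", "0.0.0.0/0",    "10.40.1.0/24",     47808),
    Rule("deny",  "any", "0.0.0.0/0",    "10.40.0.0/16",     None,  "OT zone not internet reachable"),
    Rule("allow", "udp", "10.41.0.0/24", "10.40.0.0/16",     47808, "BMS workstation VLAN to controllers"),
    DEFAULT_DENY,
]

if __name__ == "__main__":
    for idx, code, detail in audit(SAMPLE_RULES):
        print(f"rule {idx}: {code}: {detail}")
```

Run against the constructed set, the audit flags rule 1 twice (no justification, and BACnet/IP open to any public source) and rule 3 once (the intended BMS exception is shadowed by the broader deny placed above it). That last finding is the kind of ordering defect an annual rule review is meant to catch: the firewall enforces something different from what the documented rules say.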

7.4 Remote Access

Remote access to OT systems must:

  • Occur through University-approved managed remote access solutions
  • Require multi-factor authentication
  • Be limited to authorized users with documented business need
  • Be logged and monitored

Persistent vendor tunnels or shared credentials are prohibited unless formally approved through the exception process.

7.5 Vulnerability Management

OT systems must participate in the University Vulnerability Management Program in accordance with the UM Vulnerability Management Standard. Where vendor limitations prevent patching within defined remediation targets, risk must be documented and managed through the formal risk response process.


8. Wireless Network Security

  • Wireless networks must use secure authentication and encryption
  • Wireless infrastructure must be protected from unauthorized modification
  • Unmanaged or consumer-grade wireless access points are prohibited in environments processing Restricted (Moderate Risk) or Confidential (High Risk) Data

9. Logging, Monitoring, and Detection

9.1 Network Logging

  • Network devices must generate logs sufficient to support security monitoring and incident investigation
  • Logs must be protected from unauthorized access or modification

9.2 Centralized Monitoring

  • Network security logs must be integrated with centralized logging and monitoring systems where technically feasible
  • Automated analysis and alerting should be used to detect anomalous or suspicious activity
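Once firewall logs reach the central platform (9.2), the segmentation policy of 7.2 can be checked continuously rather than only at rule-review time. The script below is an added example, not part of this Standard or any UM detection content: it reads boundary firewall flow records, maps each address to a zone, flags permitted traffic that crosses the OT boundary from a zone that is not allowed to, and raises a separate alert when one source reaches several OT hosts on BACnet/IP within a short window, which looks like controller discovery whether the firewall allowed it or not. The key=value log format, the zone-to-CIDR address plan, the sample log lines and the scan threshold are all constructed assumptions.

```python
"""Detection over boundary firewall flow logs for Sections 7.2 and 9.2.

Added example, not part of the UM standard. The key=value log format, the
zone-to-CIDR address plan, the sample lines and the scan threshold are all
constructed for illustration; a real detection would read from the central
log platform and use the campus address plan.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Set, Tuple

# Assumed address plan. Anything not listed is treated as internet.
ZONES = {
    "user":     ip_network("10.20.0.0/16"),
    "server":   ip_network("10.30.0.0/16"),
    "ot":       ip_network("10.40.0.0/16"),
    "ot-admin": ip_network("10.41.0.0/24"),
}
# Section 7.2: OT is segmented from user, administrative and Restricted/Confidential
# systems. Only these zones may exchange traffic with OT (assumed policy).
OT_PEERS = {"ot", "ot-admin"}

BACNET_PORT = 47808                 # BACnet/IP, Section 7.3
SCAN_WINDOW = timedelta(seconds=60)
SCAN_DISTINCT_HOSTS = 3             # assumed threshold for a discovery alert

Finding = Tuple[str, str, str]      # (code, source, detail)


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def parse(line: str) -> dict:
    """Parse one constructed 'ts host key=value ...' firewall log line."""
    ts, _host, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[str] = set()
    for rec in map(parse, lines):
        src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
        crosses_ot = ((dst_zone == "ot" and src_zone not in OT_PEERS)
                      or (src_zone == "ot" and dst_zone not in OT_PEERS))
        # Permitted traffic across the OT boundary means the segmentation policy
        # and the enforced rule set disagree. Denied flows are the boundary doing
        # its job and are not escalated here.
        if rec["action"] == "allow" and crosses_ot:
            findings.append(("SEGMENTATION_VIOLATION", rec["src"], rec["dst"]))
        # Discovery check, allowed or denied: one source reaching several OT hosts
        # on BACnet/IP inside a short window looks like controller discovery.
        if rec["proto"] == "udp" and rec["dport"] == BACNET_PORT and dst_zone == "ot":
            window = recent[rec["src"]]
            window.append((rec["ts"], rec["dst"]))
            while rec["ts"] - window[0][0] > SCAN_WINDOW:
                window.popleft()
            hosts = {d for _, d in window}
            if len(hosts) >= SCAN_DISTINCT_HOSTS and rec["src"] not in alerted:
                alerted.add(rec["src"])
                findings.append(("BACNET_SCAN", rec["src"],
                                 f"{len(hosts)} OT hosts in {SCAN_WINDOW.seconds}s"))
    return findings


# Constructed sample log (assumed addresses; TEST-NET-3 for the external probe).
SAMPLE_LOG = """\
2026-04-01T08:15:02Z fw01 action=allow proto=tcp src=10.20.5.17 dst=10.30.2.4 dport=443
2026-04-01T08:15:04Z fw01 action=allow proto=udp src=10.41.0.5 dst=10.40.1.9 dport=47808
2026-04-01T08:15:10Z fw01 action=deny proto=udp src=203.0.113.7 dst=10.40.1.9 dport=47808
2026-04-01T08:15:12Z fw01 action=allow proto=udp src=10.20.5.17 dst=10.40.1.9 dport=47808
2026-04-01T08:15:15Z fw01 action=allow proto=udp src=10.20.5.17 dst=10.40.1.10 dport=47808
2026-04-01T08:15:19Z fw01 action=allow proto=udp src=10.20.5.17 dst=10.40.1.11 dport=47808
2026-04-01T08:16:40Z fw01 action=allow proto=tcp src=10.40.1.9 dst=10.30.2.4 dport=445
""".splitlines()

if __name__ == "__main__":
    for code, src, detail in detect(SAMPLE_LOG):
        print(f"{code}: {src} -> {detail}")
```

On the constructed log the user-VLAN host 10.20.5.17 produces three segmentation violations and, on the third distinct controller within the window, one discovery alert; the OT controller's later SMB connection into the server zone is a fourth violation in the other direction. The blocked probe from 203.0.113.7 generates nothing, which is the intended distinction between a boundary that is working and one that is being bypassed.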

9.3 Intrusion Detection and Prevention

  • Intrusion Detection and/or Prevention Systems (IDS/IPS) must be deployed at appropriate network boundaries
  • Detection capabilities must be tuned to reduce false positives and false negatives

10. Vulnerability Management Integration

  • Network devices must participate in the University Vulnerability Management Program
  • Identified vulnerabilities must be remediated or managed through approved risk response strategies

11. Enforcement and Risk Response

When network security requirements are not met and no approved exception exists:

  • Additional controls or restrictions may be applied to reduce risk
  • Network access may be limited or isolated as necessary to protect University systems
  • Unresolved issues may be escalated to appropriate management or executive leadership

12. Exceptions

Exceptions to this Standard must:

  • Be documented with risk justification
  • Identify compensating controls where applicable
  • Be approved by the CISO or designee
  • Be reviewed periodically

13. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or regulatory requirements.


14. References

  • UM Information Security Policy
  • UM Vulnerability Management Standard
  • UM Endpoint Management & Configuration Standard
  • NIST Cybersecurity Framework (CSF) 2.0
  • Center for Internet Security (CIS) Benchmarks
  • Montana University System BOR Policy 1300

Details

Article ID: 171152
Created: Fri 3/27/26 1:06 PM
Modified: Thu 4/9/26 11:39 AM