Policy: Policy 8-2-5: Firewall Policy
Date Adopted: Mar 15, 2011
Department: Computing Services
Contact: Director
Statement: WNC operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for WNC's computer and network resources. A firewall is just one element of a layered approach to network security. The purpose of this Firewall Policy is to describe how WNC's firewalls will filter Internet traffic in order to mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for business users. The Firewall Policy is subordinate to WNC's general Security Policy, as well as any governing laws or regulations.

Purpose

WNC operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for WNC's computer and network resources. A firewall is just one element of a layered approach to network security. The purpose of this Firewall Policy is to describe how WNC's firewalls will filter Internet traffic in order to mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for business users.

The Firewall Policy is subordinate to WNC's general Security Policy, as well as any governing laws or regulations.

Definition

Firewall: Computer hardware or software that prevents unauthorized access to private data (as on a local area network) by outside computer users (as of the Internet).

Scope

This Firewall Policy refers specifically to the WNC firewalls.

The role of the firewalls is to help WNC keep unauthorized visitors from accessing valuable college resources.

WNC's firewalls will (at minimum) perform the following security services:

All employees of WNC are subject to this policy.

Responsibilities

Computing Services is responsible for implementing and maintaining WNC firewalls, as well as for enforcing and updating this policy. Logon access to firewalls will be restricted to a primary firewall administrator. Password construction for firewalls will be consistent with the strong password creation practices outlined in WNC's Password Policy.

Any questions or concerns regarding WNC firewalls should be directed to the Network Engineer.

Policy

The approach adopted to define firewall rule sets is that all services will be denied by the firewall unless expressly permitted in this policy. WNC firewalls permit the following outbound and inbound Internet traffic.

Operational Procedures

WNC Directors may request changes to firewall configurations in order to allow previously disallowed traffic. A firewall change request must be submitted through a work order, with full justification, to the Computing Services department for approval. If an outside vendor working for WNC needs firewall changes, the same procedure applies. The Director of the requesting area will submit a work order requesting the firewall changes. All requests will be assessed by the Computing Services Director to determine if they fall within the parameters of acceptable risk. If approval is given, the Network Engineer will make the changes and note those changes in the Firewall Change Order spreadsheet. In an emergency threatening the network, the Network Engineer may make a temporary change without the Computing Services Director's approval. In that case, approval would be sought as soon as the Computing Services Director is available and all changes would be recorded on the Firewall Change Order spreadsheet. Requested approvals are not guaranteed as associated risks may be deemed too high. If this is the case, an explanation will be provided to the original requestor and alternative solutions will be explored.

Turnaround time for the above stated firewall reconfiguration and network access requests is approximately five (5) days from the receipt of the work order.

Firewall logs will be archived for 10 days. Firewall logs will be reviewed weekly.

Enforcement

Wherever possible, technological tools will be used to enforce this policy and mitigate security risks. Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


Date(s) Revised November 1, 2016; Date(s) Reviewed