Notre Dame data centers house the University’s most important and sensitive electronic data. Should this data become accessible, leaked, or exposed to unauthorized personnel or outside parties, the University could suffer serious reputational, operational, and financial risk. Because of this risk, administrators accessing the data centers are held to a higher security standard than general Notre Dame network users.
Administrative network access to data center resources, including applications, databases, operating systems, and network equipment, may be granted to employees of the University, student employees with supervisor permission, and vendors authorized by the Office of Information Technologies. Access will be granted to the extent necessary for individuals to exercise their job responsibilities. This standard applies to systems used to administer University resources such as desktops, mobile devices, and virtual guests (virtual machines) connecting to data centers.
“Data center” refers to any facility hosting Notre Dame services where the network infrastructure is managed fully or partially by Notre Dame staff. These facilities include on-campus data centers, off-campus data centers (e.g., Data Realty), and infrastructure-as-a-service (IaaS) data centers (e.g., Amazon Web Services). This standard does not apply to software as a service (SaaS).
Administrators who are granted access to Notre Dame data centers must follow the Office of Information Technologies access standard and procedures to manage data center resources. The Director of Information Security must approve any exceptions to this standard, and may revoke the access to Notre Dame data centers of those who fail to comply with this standard.
- Administrative access to data centers is only permitted via two-factor authentication and encrypted Virtual Private Network (VPN). AWS console access is only permitted via two-factor authentication.
- Administrative systems connected to the data centers must be protected by a host or network firewall.
- Administrative access from the 18.104.22.168/16 network is not permitted. Administrative access on the Notre Dame campus must connect from a zone network protected by a zone firewall. Virtual hosts of virtual guest administrative systems must also be on a zone network.
- When connected to University data centers, administrative systems should not be used for personal activities.
- Personally owned devices may not be used for administrator access to data centers or the AWS console.
- Data center VPN connections are subject to a 12-hour hard timeout.
- Administrative systems connected to data centers must be screen locked when unattended.
- Administrative systems connected to data centers should never be used for monitoring of data center systems except to facilitate troubleshooting.
- Windows and Mac administrative computers connected to data centers must have University-provided anti-malware and endpoint detection and management software installed.
- Direct connections to databases hosted in the database security zone (core, private, etc.) will not be permitted without the use of a VPN.
- Administrative systems connected to the data centers must have the most recent OS and application security patches installed within 30 days of the release of those patches.
- Administrative systems connected to data centers must be secured with a password that meets the University’s Strong Password Standard.
- Consultant access to University data centers must be established using the same process as any other Vendor account.
- NIST Special Publication 800-46 Guide to Enterprise Telework and Remote Access Security: http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf
- NIST Special Publication 800-114 User’s Guide to Securing External Devices for Telework and Remote Access: http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf
- Notre Dame’s Strong Password Standard