Public Internet Address Policy
University Policy Number 1304
Responsible Office: Vice President of Information Technology/CIO
Related Law & Policy:
This policy applies to all users of George Mason University computing resources. This policy governs all computers directly connected to George Mason University networks, with the exception of student owned computers in the residence halls. Student owned computers in the residence halls are on a separate network that has similar policies.
II. POLICY STATEMENT
Allowing outside systems to initiate connections to a university computer increases the university’s risk to threats from the Internet. Outside systems cannot successfully achieve such connections unless the university computer is publicly addressable, i.e. it has a Public Internet Address, obtained either from the University or via a third party connection. The university recognizes that there can be legitimate reasons for a university computer to be made publicly addressable. This policy describes the process by which a department can receive permission for a computer to be made publicly addressable.
The applicant must register the computer with Information Technology Services (ITS). Registration information will include the name and contact information for the person who is responsible for administering the computer (the SA) as well as verification that security configurations are in place and that the person maintaining the computer will follow appropriate security procedures. The applicant will need to describe any highly sensitive data, as defined in the Data Stewardship Policy, which is stored on the computer. Once the registration information has been received and verified as complete, ITS will contact the SA to finalize the process.
Internet Protocol (IP) Address: An identifier of a device or computer on a network.
Public Internet Address: An IP address that is advertised to, and permits direct incoming connections from, computers located outside of the George Mason University network.
System Administrator (SA): The person who is responsible for the maintenance and configuration of one or more computer systems. Job Responsibilities are listed in Policy 1301, Responsible Use of Computing.
ITS will send out, at a minimum, an annual request for update of information about registered computers.
ITS will take measures to protect all university computers without a publicly addressable address from connections initiated by external systems.
Departments and administrative units are responsible for ensuring the security and safety of the computers in their department. They are to develop and administer their own local procedures for establishing security configurations as well as ensuring that university best practices for server management are followed in their departments. These procedures must include computers accessing and storing regulated and highly sensitive data.
System administrators (SA) will make a commitment to obtain and maintain their security knowledge and to maintain the security of the computers for which they are responsible.
The Office of Internal Audit will monitor compliance with this Policy.
V. OTHER INFORMATION
Network Access Consultation can be found at: https://ezvapps.gmu.edu/index.php?name=com.gmu.592824745f0e3|58adcdbeecece&SearchValue=ITSSRNWC). At a minimum, the following information will be required:
· Make and model of the hardware platform
· Operating system version
· Domain Name Service (DNS) name
· Assigned or requested IP address
· Name of the person responsible for management of the computer (including phone number and email address)
· Physical location of the computer
· Internet services being offered
· Security Protection measures applied to the computer
· Computer’s primary purpose
· Description of any regulated or highly sensitive data stored on the computer.
All persons installing computers in University owned or leased spaces, except residence halls, shall comply with this policy.
Grievance matters with this policy should be directed to the Executive Director, ITS Enterprise Infrastructure, for resolution. If the conflict is not able to be resolved at this level, the matter may be escalated to the Vice President for Information Technology for further review and action.
VII. EFFECTIVE DATE
The policies herein are effective July 24, 2006. This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: August 3, 2006
Revised: January 29, 2013
Revised: August 30, 2017