Communications Security Standard
- Purpose
To ensure the protection of University assets that are accessible by users, suppliers and vendors and to maintain the security of information transferred within network infrastructures managed by or on behalf of the University and with any external entity.
- Network security management
- Network Controls
Networks should be managed and controlled to protect information in systems and applications.
- Security of Network Services
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
- Segregation in Networks
All enterprise network architectures operated by, or on behalf of, the University should be designed to support, at a minimum, separate public, “demilitarized” and private security zones based on role, risk, and sensitivity. Bridging between separate security zones is strictly prohibited. All access between separate security zones should be controlled by a security mechanism configured to deny all access by default unless explicitly authorized and approved by the Office of Information Technology’s Information Security Management Team.
- Information transfer
- Information Transfer Policies and Procedures
Formal transfer policies, procedures, and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
- Agreements on Data Transfer Policies
Agreements should address the secure transfer of business information between the University and external parties.
- Electronic Messaging
- Data involved in electronic messaging should be appropriately protected.
- Internal Electronic Messages Control
- Email and instant messages internal to the University’s domain containing confidential data should be encrypted during transmission. Confidential information should not be placed on the subject line of the email or as any part of instant messages.
- External Electronic Messages Control
E-mail sent through the public Internet must be encrypted if it contains confidential information in the body or attachment of the email. Confidential information should not be placed on the subject line of the message.
- Electronic Messaging Management
All electronic messages created, sent or received in conjunction with the transaction of official business should use the University approved gateway(s) to communicate via the Internet.
- Confidentiality or Non-Disclosure Agreements
When exchanging or sharing information classified as Sensitive or Confidential with external parties that are not already bound by the contract confidentiality clause, a non-disclosure agreement should be established between the owner of the data and the external party.
- Telephone and Voicemail
- All telephones, VOIP equipment, voicemail boxes, and messages contained within voicemail boxes or emailed to employees are the property of Winston-Salem State University.
- All voicemail boxes are protected with a PIN (personal identification number). PINs must be changed within 30 days of receiving a reset or default PIN to aid in mailbox security. If a PIN is not changed within 30 days of receiving a reset or default PIN, the voicemail box will be locked by OIT administrators.
- University telephone and voicemail services may not be used for the following purposes:
- Transmitting obscene, profane, or offensive messages.
- Transmitting messages or jokes that violate our harassment policy or create an intimidating or hostile work environment.
- Using the telephone system or breaking into a voicemail box via unauthorized use of a PIN or other password.
- Broadcasting unsolicited personal views on social, political, or other non-business-related matters.