Network Host and Cybersecurity and Inventory Requirements

Office of Information Technology
SOP No: OIT-NET-HOST-001-01
Procedure Name:
Network Host and Cybersecurity and
Inventory Requirements
Updated: March 4, 2025
Issued By: Office of Information Technology
Process Owner: Network Services

1.0   Purpose

This document specifies CCNY's Office of Information Technology's (OIT) requirements for network hosts to connect to the City College of New York network infrastructure. These requirements are designed to protect the integrity of the campus network infrastructure by ensuring compliance with CCNY and CUNY IT policies and procedures, establishing cybersecurity safeguards, and facilitating optimal IT service and support.

2.0   Scope

These procedures apply to all network devices that are granted access to CCNY's wired and wireless networks. This document establishes the requirements for all network hosts, including desktops, laptops, servers, mobile devices, and network-enabled equipment.

All CCNY students, faculty, staff, researchers, CUNY affiliates, and visitors sponsored by CCNY affiliates are required to adhere to its provisions.

3.0   Requirements

To be granted access to the wired network, desktop computers shall be added to OIT's Active Directory domain. As a minimum, this will require installing security endpoint protection, software patch management, and inventory control software managed by OIT. If a system is required that cannot meet this SOP, alternatives must be installed with approval from the CIO.

For security and inventory purposes, as part of onboarding, internal transfer, and offboarding procedures, network hosts should be assigned to the users who utilize them for work purposes as well as to the system administrators who are responsible for maintaining the system in accordance with college technology policies.

To ensure long-term compatibility with cybersecurity standards and compliance with CUNY policy, when purchasing devices that will be connected to the CCNY network, members of the CCNY community are required to work with OIT, the Purchasing Office, the Receiving Office, Property Management, and, when applicable, the Office of Sponsored Grants and Research to ensure that all such devices are delivered to the appropriate system administrators, who must ensure that new systems are configured with the appropriate security software and agents installed.

  • All network hosts connected to CCNY's wired network must be registered with the CCNY IT and Property Management Office and, where applicable, assigned a CUNY tag number. Hosts without the proper CUNY tag number are prohibited from connecting to CCNY's wired network.
  • All network hosts must have a designated system administrator (or system administration group) who ensures compliance with network host requirements and other relevant policies and procedures and who is expected to remediate security incidents in a timely manner. The name and contact information (email address, title, department affiliation, work phone, mobile phone) of the administrator must be provided to OIT.
  • The host's owner or support personnel must provide the Property Management inventory tag number (also known as the CUNY tag number), the MAC address of the network host, the jack port number where the host is intended to be connected, and a supported and up-to-date operating system version.
  • All desktop computer and server network hosts that are connected to the wired network must be added to CCNY's Active Directory domain services, and the host naming convention must include location and CUNY tag number. Aliases may be requested for special hosts.
  • All network hosts must have automated up-to-date patching of the latest critical and security updates for the device's operating system and all installed software. Computers should be left on because operating system and software patch upgrades are typically scheduled to be deployed after midnight; to take effect, they often require the device to be restarted, so users should regularly back up their data and sign out. Software that is no longer supported by the developer or no longer in use by users should be regularly deleted.
  • All desktop computers, servers, and laptop network hosts must have CUNY approved endpoint security software, Cortex XDR, installed on them.
  • All desktop computer, server, and laptop network hosts must have an administrative login account that allows OIT helpdesk and security staff to perform periodic information security vulnerability scans and security incident remediation.
  • All desktop computer, server, and laptop network hosts must be managed by a device or patch management system that aids with patching and security incident remediation.
  • All desktop computer and server network hosts that are connected to the wired network must install a vulnerability scan agent and add firewall exemptions on the network host to allow vulnerability scans from the OIT vulnerability scanner server.
  • OIT-managed desktop computer, server, and laptop network hosts must have a service management agent to facilitate customer service delivery, troubleshooting, and inventory control.
  • Network hosts that are used to store and/or transmit confidential, sensitive, and non-public university information (NPUI) that is required by law or regulations to be held confidential (i.e. FERPA, HIPAA, GLBA, PCI, etc.) are required to utilize access controls, including strong passwords and encryption, to protect against inadvertent or unauthorized disclosure. (For more information, refer to .)
  • All network hosts and system administrators must comply with CUNY and CCNY IT security policies and procedures.

OIT reserves the right to block or disconnect non-compliant devices from the CCNY networks. Devices that have been identified as cybersecurity risks will automatically be blocked and isolated from the college network until a cybersecurity incident investigation has been performed.

Installation of wireless access points, wireless routers, or repeaters requires the explicit written approval of the CIO and/or Deputy CIO; OIT reserves the right to disconnect unauthorized devices from the network.

Internet of Things (IoT) devices such as digital personal assistants (i.e. Amazon Echo, Google Home), sensors, gadgets, appliances, and other machines that collect and exchange data over the Internet are not permitted to access the CCNY wireless network. An exemption may be made upon approval from the CIO and confirmation of technology compatibility.

Devices that are not compliant with these network host requirements will be denied access to CCNY's wired network infrastructure.

There are a limited number of alternative network accommodations available using VPN to connect to compliant devices on the CCNY network including virtual desktop infrastructure (VDI) clients. Another option is utilizing mobile wireless hotspots which provide cellular rather than WiFi connectivity.

4.0   Requesting an Exemption

To request an exception from a policy, standard, or procedure, a written request must be submitted to the CIO and Deputy CIO providing the following information:

  • Requestor's name(s) and contact information (email address, title, department affiliation, work phone, mobile phone)
  • System administrator's name(s) and contact information (email address, title, department affiliation, work phone, mobile phone)
  • An explanation detailing the reasons the exemption is being requested.
  • Specific policy, standard, and/or procedure for which the exemption is requested.
  • Classification of sensitive data (e.g., highly sensitive data)
  • Inventory of hardware and software:
    • Manufacturer and model of device(s)
    • Hostname of all devices
    • Property management CIT number
    • Operating system including version installed on the device (i.e. Windows 10 Enterprise version 1903)
    • Endpoint protection
  • Details of mitigating factors and compensating controls that will be used to offset risks
  • Duration of time for which the exception is requested (three, six, 12 months or duration of the research project)

The College Information Security Office will assess the level of risk associated with the requested exception. The magnitude of the assessed risk will determine the levels of approval necessary to grant the request. After InfoSec has reviewed the request and confirmed the details of the requested exception, the Chief Information Security Officer (CISO) or designee will review it and, if approved, determine the additional approvals the user needs to obtain based on the following chart:

Risk Level   | Chair/Dept. Head or designee | VP/Dean or designee | CIO or designee
-------------|------------------------------|---------------------|----------------
Low Risk     | X                            |                     |
Medium Risk  | X                            | X                   |
High Risk    | X                            | X                   | X

For example, the risk associated with storing highly sensitive data on an individual device is usually considered a medium risk, thus requiring approvals from the department chair/head or designee, and the VP/Dean or designee.

Once approved, an exception will be subject to annual review for reapproval.

Note: Exceptions will not be granted when feasible alternatives exist or risks outweigh projected benefits.

5.0   Definitions of Key Terms

Active Directory: A structured data store that creates a logical and hierarchical organization of network devices and allows administrators to manage those devices. Joining devices to Active Directory allows access controls to grant or restrict network hosts' access to shared resources, such as printers and file shares, for users or other hosts on the network.

Confidential and Sensitive data:

Endpoint protection: Software utilities used to provide security protection such as antivirus, anti-malware, and firewall features. Endpoint security software must be configured to continuously scan all files and applications for viruses, malware, and other malicious content. It can also be configured to block unauthorized access.

Network host: Device connected to a computer network, including desktop computers, servers, laptops, mobile devices, and network-enabled equipment. Hosts are assigned at least one network IP address that can be configured by an administrator or automatically at startup by means of the Dynamic Host Configuration Protocol (DHCP).

NPUI: The definition of Non-Public University Information (NPUI), as defined in the CUNY IT Security Procedures - General (June 25, 2014), is superseded by this standard. The combined Confidential and Sensitive data classifications are substantially comparable to the less-detailed NPUI definition and may be used to guide compliance with the Procedures until they are revised.

Confidential Data: Data shall be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could result in a significant level of risk to the University. Significant risk includes but is not limited to: substantial financial, reputational and/or personal privacy loss; impairing the functions of the University; or presenting a legal or financial liability. Confidential Data requires the highest level of protection and control. See Appendix A for a list of predefined types of Confidential Data.

Sensitive Data: Data shall be classified as Sensitive when the unauthorized disclosure, alteration or destruction of that data could result in a moderate to low level of risk to the University. All data that is not classified as Confidential Data or Public Data should be considered Sensitive Data. Sensitive Data requires moderate protection. See Appendix B for examples of Sensitive Data.

Public Data: Data shall be classified as Public when the unauthorized disclosure, alteration or destruction of that data could result in little or no risk to the University. Examples of Public Data include data published on public websites, press releases, course catalog information, job postings, etc. While access control measures may or may not be required for particular Public Data, protections to ensure the integrity and/or availability of certain Public Data may be appropriate.

Patch management: Patches are software updates released by software developers to add or remove functionality and resolve security vulnerabilities. Patch management is the systematic process of deploying critical and security software updates to all network hosts as they are released. The patch management process includes a process for testing patches to minimize disruptions to network hosts.

System administrator: An individual who is responsible for the configuration, deployment, maintenance, troubleshooting, security, and reliable operation of computer systems they manage. A system administrator may acquire, install, or upgrade computer components and software; provide routine automation; enforce security policies; troubleshoot; and offer technical support and expertise for projects.

Vulnerability scan: Extensive inspection of network hosts designed to detect and catalog security weaknesses and exploits, classify them by risk level, and recommend effective remediation measures and resources. Scanned hosts may require login credentials for OIT helpdesk and security staff and/or the installation of a software vulnerability scanning agent.

Wired network access: Using ethernet cables (Cat 5, Cat 5e, Cat 6, etc.) that plug into devices to establish a physical ethernet connection to the college's network infrastructure. Ethernet connections are typically faster and grant access to Active Directory resources (i.e. file shares, printing resources, software licenses, etc.).

Wireless network access: Using the "ccny-wifi" wireless network.

6.0   Reference and Related Documents

CUNY Acceptable Use of Computer Resources Policy -

CUNY Anti-Virus Software Standards -

CUNY Data Classification Standard -

CUNY Gramm-Leach Bliley Act (GLBA) Financial Information Security Program Policy -

CUNY Information Technology Security Procedures -

CUNY Payment Card Industry (PCI) Compliance Policy -

Last Updated: 09/19/2025 14:14