Science DMZ Security Standards

All Science DMZ users are subject to all of the University’s general information-security policies, including policies regarding account maintenance, server hardening, software updates, risk assessments, backup/recovery, data classification, etc. The following standards modify those policies or impose additional responsibilities on Science DMZ users.

  1. The University Information Resource Manager (IRM) is the Owner of the Science DMZ and shall designate a Science DMZ Custodian who will implement the controls specified by the Owner of the information resource.
  2. The DMZ Custodian shall ensure that all traffic in and out of the Science DMZ passes through a device that permits the examination of all such traffic; attach hardware devices that are property of the University or under its control to the Science DMZ; and ensure that the Office of Information Security (OIS) has the ability to view all traffic in and out of the Science DMZ.
  3. Custodians shall place all of their DMZ resources within the Datacenter in the Dugan Wellness Center; ensure that no confidential data is stored on their DMZ resources, with the exception of encrypted passwords; where technically possible, ensure that all DMZ resources are running host-based firewalls; maintain an account so OIS can perform security monitoring; and enable logging on all of the DMZ resources for OIS to review.
  4. The Office of Information Security shall notify the relevant Custodian(s) and the DMZ Custodian five working days in advance of any scan of the DMZ or DMZ resources; review and act on hardware attachment requests to the Science DMZ within five working days of receipt; and not approve an attachment request unless an initial vulnerability scan has been performed on the relevant hardware device and the results provided to OIS.