P10
Office of the Chief Information Security Officer
For more definitions and terms: USC Information Security Policies Terms and Glossary
5. Policy Details
Objective
The objective of this policy is to protect and preserve an environment that encourages academic and
research collaboration through the responsible use of information technology resources, and to ensure
that members of the USC community have access to reliable and robust IT resources that are protected
from unauthorized or malicious use.
Policy Requirements
5.1 Network Owners will map and document network connections and identify key components
during network analysis, operations and investigations.
5.2 Access to USC's secured wireless network is permitted so long as the following security
measures have been implemented on that network:
5.2.1 Encryption is enabled on wireless network traffic;
5.2.2 Media Access Control (MAC) based, certificate based, or username/password
authentication is required before connecting to USC's secured wireless network; and
5.2.3 All wireless infrastructure consoles and other management interfaces have been
secured or disabled.
5.3 The confidentiality of transmitted information will be protected using encryption and device
authentication as defined in the Data Protection Policy.
5.4 Networks, along with related endpoint devices (e.g., department workstations, security
cameras, point of sale systems), will be logically or physically segregated into separate logical
domains due to regulations and security requirements. Public-facing devices will reside within
an OCISO-approved network, based on the security requirements of the System Owners and in
accordance with the data classification scheme in the Data Protection Policy.
5.5 Network and endpoint devices that store Confidential data, in accordance with the Data
Protection Policy, will have information security event logging enabled, as defined in the
Information Security Logging and Monitoring Policy.
5.6 System Owners should utilize OCISO services to perform a timely analysis of identified
vulnerabilities on all network devices, or System Owners will ensure that such a timely analysis
is performed, as defined by the Vulnerability and Patch Management Policy.
5.7 System Owners will perform remediation activities within a reasonable time frame by
implementing appropriate risk mitigation procedures (e.g., deploying security controls, applying
patches, making configuration changes, and implementing compensating controls) on all
network and endpoint devices as defined by the Vulnerability and Patch Management Policy.
5.8 External connections (e.g., third-party connections, remote access) will be approved by System
Owners and secured with network protection mechanisms, such as firewalls, and/or an Intrusion
Prevention System (IPS), to adequately prevent external entities from accessing the internal USC
network.