General Network Policy and Procedures

PURPOSE
The purpose of this document is to establish procedures to ensure the continuous operation of NewYork-Presbyterian Hospital’s and Columbia University Health Sciences’ (henceforth known as CPMC) data network.
SCOPE
This policy applies to all employees, contractors, consultants, temporaries, and other workers at CPMC, including those workers affiliated with third parties who access CPMC information systems and networks. Throughout this policy, the word "worker" will be used to collectively refer to all such individuals. The policy applies to all computer and data communication systems owned by and/or administered by CPMC.
GENERAL POLICIES
All data network access devices, including switches, routers, hubs and access points, must be set up, configured, and administered by the department of Core Resources. With the exception of wireless access points and accessories, all such devices must be physically in secure locations accessible only by Core Resources workers. Any network access device (including any mini-hub in an office or on a lab bench) found connected to the network and not administered or already permitted in writing by Core Resources is subject to disconnection and confiscation by Core Resources without notice.
Dial-in modems or private lines (i.e. circuits) on network connected devices must be approved by Core Resources and the Security Officer and, if approved, must have authentication procedures and other security-related access parameters conforming to the Network Security Policy before they may be used.
All devices which will be attached to the network or use network services must first have their hardware addresses (MAC addresses) registered with the Core Resources ipadmin along with up-to-date demographic information about the party responsible for the device. Devices that are not so registered are subject to disconnection from the network without notice.
Hostnames and Domain Name Services for the Medical Center campus will be administered by the Department of Core Resources (operating in conjunction with AcIS at Morningside, since the medical center domain names are subdomains of the one administered by AcIS).
IP addressing of devices:
With the exception of servers and printers, which will use ip addresses that are locally configured on the device, network devices will use the protocol DHCP to lease an ip address from a central server. Stationary workstations will have a static ip address assigned to them by ipadmin. A workstation’s responsible operator may choose to configure the machine with that address rather than for DHCP. In that case, any problems resulting from use of that static configuration are the responsibility of that operator.
Any IP addressing conflicts will be resolved according to information found in the ipadmin database. Devices found to be using an ip address other than the one they were assigned are subject to disconnection from the network without notice.
Any Network Address Translation devices or procedures must be approved by Core Resources before implementation. Unapproved devices found to be translating addresses will be disconnected from the network.
All network firewalls on the NYP Computer Network will be configured, administered and managed by the Department of Core Resources. Exceptions must be approved in writing by the Director of Core Resources.
All VPN services being provided to or by anyone on the NYP Computer Network must follow a configuration approved by the Director of Core Resources and must follow the policies regarding VPN set by the Security Officer.
Wireless Network Access:
As of 12/1/02, Wireless access at CPMC follows the “invisible wire” paradigm. You can set up your wireless device to access the network in the select locations where it is available, but if you associate your device with another access point, you will have to reconfigure and it won’t be easy. In future, the analogy will be different. Now and in the future, however, because of intrinsic limitations in the scope of the 802.11 standards, a single vendor for all wireless access points is necessary. That single vendor is Cisco Aironet.
Downtime:
Scheduled Downtime is necessary for all areas of the network in order to perform maintenance and upgrades on the network electronic devices. Core Resources shall notify and work with affected users to create reasonable scheduling of the downtimes that will mitigate the effect of these necessary Downtimes on users’ operations.
Cabling vendors, whether contracted by Core Resources or by Design and Construction for renovation projects or by individual users for single cable runs, must conform to all Hospital installation policies and procedures; in addition, they must be Siemon-certified, and the cable labeling and documentation they provide must conform to Core Resources specifications.
Data closets, where network devices are connected together through ports on a switch, must be located on the same floor and in the same building as those network devices. It is necessary to reserve space in floor designs for those closets when constructing or renovating locations. This requirement exists whether an area uses cabled or wireless network access.
Devices are connected to access switches in data closets using copper Category 5e cabling. Data closets are linked together on the campus using multi-mode and single-mode optical fiber (depending on the distance).
Private Departmental networks which are entirely self-contained and independent of the campus network are nonetheless discouraged because of the complicated support issues they raise for users. Furthermore, such private Departmental networks may not employ private access to any off-campus service (including ISPs).
Renovations and Projects which involve the addition of three or more network connections are expected to plan and budget for additional network equipment, as may be specified by Core Resources.
Bandwidth Utilization: No single network-connected device may use network bandwidth for data transmission at more than 2 megabits per second, averaged over at least five minutes.
Explanation:
The network has stretches on it where bandwidth is plentiful compared with the amount of data traffic that goes there. These include the 100 megabit ports that individual workstations may connect to. There are other stretches, for example, the 100 megabit microwave links to Columbia University's Morningside campus, where the bandwidth is more heavily used and therefore less plentiful. Because these heavily used links exist (they are potentially "oversubscribed"), a policy is required specifying the maximum network bandwidth a workstation is permitted to utilize before it is considered a "network hog" and may have its network connection turned off. That bandwidth threshold is 2 megabits per second, averaged over at least five minutes.
Well behaved applications will not exceed this threshold, even if your ethernet connection runs at 100 megabits per second. This is because, for a well-behaved application, five minutes is pretty close to forever. A workstation which is not being used abusively will not exceed this threshold.
Note that bursting -- briefly exceeding the 2 megabit per second limit -- is permitted. Being able to burst is the reason why everyone still benefits from having 100 megabit per second connections and should still get network interface equipment which supports that speed.
Note also that Kazaa and other file-sharing systems behave abusively with regard to network bandwidth. So do Denial of Service attacks caused by hacking.
The rules for servers are slightly different in that servers may be busy enough to utilize more than 2 megabits per second of bandwidth, averaged over at least five minutes. However, most of that traffic should be confined to the campus where the server is located. Therefore, servers are also subject to the above bandwidth utilization limitation when campus links or wide area connections are examined.
Procedure:
[This is draconian; see the explanation above for an understanding why. Briefly, bandwidth hogs impact everybody and therefore cannot be dealt with at a leisurely pace.]
When network utilization on a link exceeds 50%, that link may be subjected to a traffic analysis. Any device found in that analysis to be exceeding the permitted bandwidth utilization threshold may have its network connectivity suspended (immediately) and the causes of that high network utilization investigated (subsequently).
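The bandwidth rule and procedure above, worked through in code as an added example (this is not Core Resources' own monitoring tooling): the 50% link-utilization trigger, the 2 Mb/s limit averaged over at least five minutes, the allowance for short bursts, and the server exemption on local segments. The per-device byte counters are constructed sample data, not captured traffic.

```python
"""Bandwidth-hog detection modelled on the CPMC rule: no single device may
exceed 2 Mb/s averaged over at least five minutes, short bursts are allowed,
and traffic analysis of a link is triggered only when the link runs above 50%
utilization.  Added example, not Core Resources' own tooling; the counters
below are constructed sample data."""
from dataclasses import dataclass

LIMIT_BPS = 2_000_000         # policy threshold: 2 megabits per second
WINDOW_SECONDS = 300          # "averaged over at least five minutes"
LINK_TRIGGER_FRACTION = 0.5   # analyse a link only when it exceeds 50% utilization


@dataclass(frozen=True)
class Sample:
    ts: int         # seconds since epoch
    tx_bytes: int   # cumulative transmit byte counter for the device


def five_minute_averages(samples, window=WINDOW_SECONDS):
    """Return [(end_ts, avg_bps), ...].  For each sample, the start of the
    window is the most recent earlier sample at least `window` seconds older,
    so every average covers a span of at least five minutes, never less."""
    ordered = sorted(samples, key=lambda s: s.ts)
    averages = []
    for i, end in enumerate(ordered):
        starts = [s for s in ordered[:i] if end.ts - s.ts >= window]
        if not starts:
            continue                      # not enough history yet
        start = starts[-1]                # closest to exactly five minutes
        span = end.ts - start.ts
        averages.append((end.ts, (end.tx_bytes - start.tx_bytes) * 8 / span))
    return averages


def peak_five_minute_bps(samples):
    """Highest five-minute average seen for one device (0.0 if no window yet)."""
    avgs = five_minute_averages(samples)
    return max(bps for _, bps in avgs) if avgs else 0.0


def find_bandwidth_hogs(link_bps, link_capacity_bps, devices,
                        servers=frozenset(), wide_area_link=True):
    """Apply the procedure: a link under 50% utilization gets no analysis and
    nothing is flagged.  Otherwise flag every device whose peak five-minute
    average exceeds LIMIT_BPS.  Servers are exempt on local campus segments
    but subject to the limit when a campus link or WAN connection is examined."""
    if link_bps / link_capacity_bps <= LINK_TRIGGER_FRACTION:
        return {}
    flagged = {}
    for name, samples in devices.items():
        if name in servers and not wide_area_link:
            continue
        peak = peak_five_minute_bps(samples)
        if peak > LIMIT_BPS:
            flagged[name] = peak
    return flagged


def synthesize(rates_bps, interval=30):
    """Build cumulative-counter samples from a per-interval list of transmit
    rates (constructed data for the demonstration)."""
    samples, total = [Sample(0, 0)], 0
    for k, rate in enumerate(rates_bps, start=1):
        total += rate * interval // 8
        samples.append(Sample(k * interval, total))
    return samples


# Constructed 12-minute traces, one sample every 30 s (24 intervals).
SAMPLE_DEVICES = {
    # Sustained 3 Mb/s for the whole period: a "network hog".
    "ws-lab-01": synthesize([3_000_000] * 24),
    # 100 kb/s with a single 30-second burst at 10 Mb/s: bursting is permitted,
    # since the five-minute average stays near 1.09 Mb/s.
    "ws-office-07": synthesize([100_000] * 11 + [10_000_000] + [100_000] * 12),
    # A busy server: exempt only when the link examined is a local segment.
    "srv-files-01": synthesize([4_000_000] * 24),
}

if __name__ == "__main__":
    # 60 Mb/s on the 100 Mb/s Morningside microwave link: analysis is triggered.
    hogs = find_bandwidth_hogs(60_000_000, 100_000_000, SAMPLE_DEVICES,
                               servers={"srv-files-01"}, wide_area_link=True)
    for name, peak in hogs.items():
        print(f"{name}: peak 5-minute average {peak / 1e6:.2f} Mb/s -> suspend port")
```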
Quarantine Networks:
New Servers and other networked computer equipment which the Security Officer may designate shall be set up and configured while connected to special Quarantine Networks. These networks are not public and devices connected to them cannot exchange data packets with most other devices on the campus network or the Internet. Before going into production, devices must move from Quarantine Networks to production networks.
Responsibilities:
The Department of Core Resources shall administer the Quarantine Networks at NYP. The Security Officer shall administer and evaluate the network security testing of servers.
Procedure:
Vendors and server administrators or custodians may only assemble and set up new servers either standing alone (no network connection at all) or connected to a network port on a quarantined network. Quarantined ip addresses will be in the form 10.120.x.x, and the specific address appropriate for the location where the server is being set up physically should be obtained from Core Resources IP Admin following the usual procedures for applying for an ip address. The Quarantined network for a given location will be on VLAN 999.
By default, all data processing services which would be delivered via the network (e.g. Simple Network Management Protocol service) are not delivered into a Quarantine network. While setting up and configuring a server, the administrator may need certain services to be brought into the Quarantine network for testing. Requests for these services for testing must be forwarded to the Core Resources Security Admin. The requests must be narrowly defined, noting the source and destination ip addresses and the TCP port number used.
Network Time Protocol and Netware Core Protocol are exceptions; those services will be routinely allowed into the Quarantined networks.
When its administrator believes that the server is ready to go into production, the server will be scanned and tested for known network security vulnerabilities. Any security holes identified by the scan must be fixed before the server may be moved off the quarantined network. The scan also generates warnings. These will be pointed out to the administrator but do not require action. When a scan shows no security holes, the server may be moved to a production network.
The server administrator applies to Core Resources IP Admin for a production ip address and gets the port changed from the Quarantine VLAN to a production VLAN. By default, servers will be assigned a private ip address (10.112.x.x or 10.115.x.x on the West Campus) but if the administrator chooses to make the case for the server’s needing to reach or be reached over the Internet, a public ip address will be assigned.
Immediately after the server has moved onto a production network, it will be scanned again. If this scan turns up security holes for any reason, its network connection will be broken (by disabling the port) until all holes are fixed. This may require moving the server back into quarantine.
All scan results for the server will be collected and saved by the Security Officer as a baseline measure of that server’s security.
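The two checkpoints of the quarantine procedure above, as an added example (not Core Resources' own process tooling): reviewing a request to bring a service into the Quarantine network for narrow definition, and gating the move to production on scan results. Assumptions not on the page: NTP is taken as UDP/123 and Netware Core Protocol as TCP/524 (their standard ports), and scan findings are modelled as constructed (severity, text) tuples.

```python
"""Review of quarantine-network service requests and the scan gate from the
CPMC procedure.  Added example, not Core Resources' own tooling.  Assumed, not
from the policy: NTP as udp/123 and Netware Core Protocol as tcp/524, and scan
findings as (severity, text) tuples."""
import ipaddress

QUARANTINE_NET = ipaddress.ip_network("10.120.0.0/16")   # 10.120.x.x, VLAN 999
ROUTINELY_ALLOWED = {("udp", 123), ("tcp", 524)}        # NTP and NCP need no request


def review_service_request(src, dst, port, proto="tcp"):
    """Return "routine", "approve-for-review" or "reject: <reason>".
    A request must be narrowly defined: two single host addresses, exactly one
    of them on the quarantine network, and one specific port number."""
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:          # a CIDR range or garbage is not a single host
        return "reject: source and destination must be single host addresses"
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return "reject: a specific port number is required"
    in_quarantine = [ip in QUARANTINE_NET for ip in (src_ip, dst_ip)]
    if not any(in_quarantine):
        return "reject: neither endpoint is on the quarantine network"
    if all(in_quarantine):
        return "reject: traffic within the quarantine network needs no exception"
    if (proto.lower(), port) in ROUTINELY_ALLOWED:
        return "routine"
    return "approve-for-review"


def scan_gate(findings):
    """Holes block the move to production (and break the port on a failed
    rescan); warnings are reported to the administrator but require no action."""
    holes = [text for sev, text in findings if sev == "hole"]
    warnings = [text for sev, text in findings if sev == "warning"]
    return {"may_move": not holes, "holes": holes, "warnings": warnings}


if __name__ == "__main__":
    # Constructed requests and scan output for the demonstration.
    print(review_service_request("10.112.4.20", "10.120.7.15", 1433))
    print(review_service_request("10.120.0.0/16", "10.120.7.15", 1433))
    print(review_service_request("10.112.1.1", "10.120.7.15", 123, "udp"))
    print(scan_gate([("warning", "service banner reveals version"),
                     ("hole", "anonymous share is writable")]))
```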
Exceptions:
NYP acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with this policy. All such instances must be approved in writing and in advance by the Information Security Officer. It will not be easy to persuade the Information Security Officer that the appropriate circumstances have actually come to pass.
VIOLATIONS:
NYP workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination and civil and/or criminal penalties.
 
Computer Network Security Policy and Procedures

PURPOSE
The purpose of this policy is to establish management direction, procedures, and requirements to ensure the appropriate protection and continuous operation of New York Presbyterian Hospital information data networks.
SCOPE
This policy applies to all employees, contractors, consultants, temporaries, and other workers at New York Presbyterian Hospital and its affiliates, including those workers affiliated with third parties who access New York Presbyterian computer networks. Throughout this policy, the word "worker" will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by and/or administered by New York Presbyterian Hospital.
GENERAL POLICY
All information travelling over New York Presbyterian computer networks that has not been specifically identified as the property of other parties will be treated as though it is a New York Presbyterian, Columbia University and / or Cornell University corporate asset. It is the policy of New York Presbyterian to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy of New York Presbyterian to protect information belonging to third parties--that has been entrusted to New York Presbyterian in confidence--in the same manner as New York Presbyterian trade secrets and intellectual property as well as in accordance with applicable contracts.
RESPONSIBILITIES
The Director of CORE Resources is responsible for establishing, maintaining, implementing, administering, and interpreting organization-wide network security policies, standards, guidelines, and procedures. The Director of CORE Resources is therefore also responsible for activities related to this policy. While responsibility for network security on a day-to-day basis is every worker's duty, specific guidance, direction, and authority for network security is centralized for all of New York Presbyterian and its subsidiaries in the CORE Resources Department. Accordingly, this Department will perform network risk assessments, prepare network security action plans, evaluate network security products, and perform other activities necessary to assure a secure network environment.
The Security Officer is responsible for conducting investigations into any alleged computer or network security compromises, incidents, or problems. All security compromises or potential security compromises must be reported to the Security Officer.
Departmental Managers must ensure that appropriate data communication system security measures are observed on all workstations and servers for which they are responsible. Besides funds and staff time needed to meet the requirements of these policies, departmental managers are also responsible for making sure that all users are aware of New York Presbyterian policies related to data communication system security.
Users are responsible for complying with this and all other New York Presbyterian policies defining data network security measures.
Process for Granting System Privileges
Third party vendors must NOT be given dial-up privileges to New York Presbyterian computers and/or networks unless the involved system administrator determines that they have a bona fide need. These privileges must be enabled only for the time period required to accomplish the approved tasks (such as remote maintenance). If a perpetual or long-term connection is required, then the connection must be approved, in writing, by the Security Officer.
All users wishing to use New York Presbyterian internal networks, or multi-user systems that are connected to New York Presbyterian internal networks, must sign a compliance statement prior to being issued a user-ID. If a certain user already has a user-ID, a signed compliance statement must be obtained prior to receiving a renewed user-ID. The latter process must be performed periodically. A signature on this compliance statement indicates the involved user understands and agrees to abide by New York Presbyterian policies and procedures related to computers and networks (including the instructions contained in this document).
If a computer or communication system access control subsystem is not functioning properly, it must default to denial of privileges to users. If access control subsystems are malfunctioning, the systems they support must remain unavailable until such time as the problem has been rectified.
Users must not test, or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the Security Officer. If such testing is to happen on or across the hospital network, the Director of CORE Resources must also approve in writing. Incidents involving unapproved system cracking (hacking), password cracking (guessing), file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures may be unlawful, and will be considered serious violations of New York Presbyterian policy. Requests that New York Presbyterian security mechanisms be compromised must NOT be satisfied unless: (a) the Security Officer approves in advance, or (b) New York Presbyterian is compelled to comply by law. Likewise, short-cuts bypassing systems security measures, as well as pranks and practical jokes involving the compromise of systems security measures are absolutely prohibited.
Establishment of Access Paths
Changes to New York Presbyterian internal networks include changing network addresses, reconfiguring routers, adding dial-up lines, and the like. With the exception of emergency situations, all changes to New York Presbyterian computer networks must be made by CORE Resources except as explicitly delegated by the Department. Emergency changes to New York Presbyterian networks must only be made by persons who are authorized by CORE Resources. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other problems. This process applies not only to "workers" as defined in the Scope section of this policy, but also to vendor personnel.
Workers must NOT establish electronic bulletin boards, local area networks, modem connections to existing local area networks, or other multi-user systems for communicating any New York Presbyterian or Columbia University information without the specific approval of the Security Officer. Likewise, new types of real-time connections between two or more in-house networks must not be established unless such approval has first been obtained. This policy helps to ensure that all New York Presbyterian systems have the controls needed to protect other network-connected systems. Security requirements for a network-connected system are not just a function of the connected system; they are also a function of all other New York Presbyterian connected systems.
Networking devices using radio technology such as 802.11b (WiFi) must not be used for data transmissions containing New York Presbyterian "confidential" or "restricted" information unless the connection is encrypted. Such links may be used for electronic mail as long as the user ensures that it contains no "confidential" or "restricted" information and that no safeguards to privacy and confidentiality have been provided by CORE Resources.
Browsing On New York Presbyterian Systems and Networks Prohibited
Workers must not browse through New York Presbyterian computer systems or networks. For example, curious searching for interesting files and/or programs in the directories of other users is prohibited. Steps taken to legitimately locate information needed to perform one’s job are not considered browsing.
Network Message Protection Services Not Provided
When providing computer networking services, New York Presbyterian is acting as a contractual carrier. New York Presbyterian is providing communications services, not message protection services. Accordingly, no responsibility is assumed for the disclosure of information placed on the network, and no assurances are made about the privacy of information placed on the network.
Internal Network Addresses Must Not Be Publicly Released
The internal system addresses, configurations, and related system design information for New York Presbyterian networks must be restricted such that both systems and users outside New York Presbyterian's internal network cannot access this information.
Access Control Packages Required For Computers on the Network
If workers leave the power for their computers turned on during non-business hours, and if such computers are connected to a network, the computers must be protected by an access control system approved by the Security Officer.
Access Control Packages for Network-Connected Computers
All New York Presbyterian computers that can be reached by third-party networks (dial-up lines, value added networks, the Internet, etc.) must be protected by a privilege access control system approved by the Security Officer. This policy does not apply to computers which use modems to make outgoing dial-up calls, provided these systems do not receive unattended incoming dial-up calls.
Direct Network Connections with Outside Organizations (Tunnels)
The establishment of a direct connection between New York Presbyterian systems and computers at external organizations, via the Internet or any other public network, is prohibited unless this connection has first been approved by the Director of CORE Resources and the Security Officer.
Prior Approval Required For All Communication Line Changes
Workers and vendors must not make arrangements for, or actually complete the installation of voice or data lines with any carrier, including NYP Department of Telecommunications, if they have not first obtained approval from the Director of CORE Resources.
Criteria for Connecting New York Presbyterian Networks to Third Party Networks
New York Presbyterian computers or networks may ONLY be connected to third party computers or networks after the Security Officer has determined that the combined system will be in compliance with New York Presbyterian security requirements.
Security Requirements for Network-Connected Third Party Systems
As a condition of gaining access to New York Presbyterian's computer network, every third party must secure its own connected systems in a manner consistent with New York Presbyterian requirements. New York Presbyterian reserves the right to audit the security measures in effect on these connected systems without prior warning. New York Presbyterian also reserves the right to immediately terminate network connections with all third party systems not meeting such requirements.
Approval Required For Internet Connection Establishment
Unless prior approval of the Director of CORE Resources has been obtained, workers may not establish Internet or any other external network connections which could allow non-New York Presbyterian users to gain access to New York Presbyterian systems and information. These connections include the establishment of multi-computer file systems (like Sun's NIS), Internet home pages, Internet FTP servers, and the like.
Standards of Common Carriers Do Not Apply
The networking services provided by New York Presbyterian are provided on a contractual carrier basis, not those of a common carrier. As the operator of a private network, this organization has a right to make policies regarding the use of its network systems without being held to the standards of common carriers.
Participation in Public Networks as Service Provider
Participation in public networks as a provider of services that others rely on is expressly prohibited unless two conditions are first fulfilled. Specifically, New York Presbyterian legal counsel must first assess the extent and nature of the liabilities involved, and then top management must expressly accept these risks.
Modems on Workstations Connected To Internal Networks
Workers are prohibited from connecting dial-up modems to workstations which are simultaneously connected to a local area network (LAN) or another internal communication network.
ENCRYPTION
When New York Presbyterian "confidential" or "restricted" information is transmitted over any communication network, including on-campus wire and fiber, it must be sent in encrypted form.
PRIVACY
Unless contractual agreements dictate otherwise, messages sent over New York Presbyterian computer and communications systems are the property of New York Presbyterian. To properly protect and manage this property, management reserves the right to examine all data stored in or transmitted by these systems. Since New York Presbyterian's computer and communication systems must be used for business purposes only, workers should have no expectation of privacy associated with the information they store in or send through these systems.
When providing computer networking services, New York Presbyterian does not provide default message protection services such as encryption. Accordingly, no responsibility is assumed for the disclosure of information sent over New York Presbyterian's networks, and no assurances are made about the privacy of information handled by New York Presbyterian internal networks. In those instances where session encryption or other special controls are required, it is the user's responsibility to make sure that adequate security precautions have been taken. Nothing in this paragraph should be construed to imply that New York Presbyterian policy does not support the controls dictated by agreements with third parties (such as organizations which have entrusted New York Presbyterian with confidential information).
HANDLING NETWORK SECURITY INFORMATION
From time to time, the Security Officer will designate individuals to audit compliance with this and other computer and network security policies. At the same time, every worker must promptly report any suspected network security problem--including intrusions and out-of-compliance situations--to the Security Officer.
All network malfunctions must be immediately reported to the Information Technology Department and/or the involved external information system service provider. Ignoring these malfunctions could lead to serious problems such as lost or damaged information as well as unavailable network services.
Information about security measures for New York Presbyterian computer and communication systems is confidential and should not be released to people who are not authorized users of the involved systems unless the permission of the Security Officer has first been obtained. For example, publishing modem phone numbers or other system access information in directories is prohibited. Nonetheless, release of Internet electronic mail addresses is permissible.
PHYSICAL SECURITY OF COMPUTER AND COMMUNICATIONS GEAR
All New York Presbyterian network equipment must be physically secured with anti-theft devices if located in an open office environment. Additional physical access control may also be used for these devices. For example, network devices must be placed in locked cabinets, locked closets, or locked computer rooms.
EXCEPTIONS
The Director of CORE Resources acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with these policies. All such instances must be approved in writing and in advance by the Director of CORE Resources.
VIOLATIONS
New York Presbyterian workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination and legal action.
 
Wireless Network Security Policy and Procedures

PURPOSE
The purpose of this document is to establish procedures to ensure the appropriate protection of New York Presbyterian (NYP) Hospital's and Columbia University Health Sciences' data communication over wireless forms of transmission and reception.
SCOPE
This policy applies to all employees, contractors, consultants, temporaries, and other workers at New York Presbyterian Hospital, including those workers affiliated with third parties who access NYP information systems and networks. Throughout this policy, the word "worker" will be used to collectively refer to all such individuals. The policy applies to all wireless computer and data communication systems owned by and/or administered by NYP and Columbia University Health Sciences.
Currently, this Policy is limited to the 802.11b and 802.11a standards.
GENERAL POLICY
CORE Resources is implementing a new wireless data communication system called Rome. This system is a wireless access system based on the 802.11b standard. Rome allows NYP staff and Columbia Health Sciences staff, students and faculty to access the data communications network, and most of its facilities, from their mobile or portable computers.
This standard uses the FCC unlicensed 2.4 GHz Industrial/Scientific/Medical (ISM) band. Transmissions within that band conform to the IEEE 802.11 DSSS (Direct Sequence Spread Spectrum) wireless LAN specification. Certain other "wireless" devices exist in the market place that also employ the same 2.4 GHz frequency band and can cause interference to users of the Rome system. These devices include, but are not limited to other IEEE 802.11 wireless LAN devices, cordless telephones, video cameras, and audio speakers.
RESPONSIBILITIES
The Department of CORE Resources shall administer the Rome system at NYP / Columbia University Health Sciences. CORE Resources will provide access points (AP) and IP, IPX and AppleTalk connectivity to the data communication network at various areas throughout the campus as needed by the user community.
In order to assure the highest level of service to the users of the Rome system, CORE Resources needs help from all members of the campus community in minimizing the potential interference from those devices. CORE Resources requests that use of all other 2.4 GHz devices be discontinued in NYP / Columbia Health Sciences buildings. In cases where the device is being used for a specific teaching or research application, CORE Resources will work with faculty to determine whether there are circumstances under which use of the device may still be accommodated without causing interference to Rome system users.
CORE Resources will approach the shared use of the 2.4 GHz radio frequency in the same way that it manages the shared use of the wired network. We will actively monitor use of the airspace for potentially interfering devices, and we will seek out the user of a specific device if we find that it is actually causing interference and disrupting the campus network. In these cases, CORE Resources reserves the right to restrict the use of all 2.4 GHz radio devices in NYP / Columbia Health Sciences buildings and all outdoor spaces on the Columbia Presbyterian Center (CPC) / Health Sciences Campus.
If you think you have an existing system that may use 2.4 GHz radios for transmission or you are planning to purchase a wireless system and you are uncertain if it employs 2.4 GHz radios, please contact the Helpdesk at 5-HELP (5-4357) or send mail to rome@nyp.org. The Helpdesk can assist you in contacting CORE Resources and resolving any interference and / or interoperability issues.
The following is a list of general rules:
• All APs shall be Cisco Aironet 350 Wireless Access Points unless otherwise authorized by the department.
• Wireless Network Interface Cards (NIC) shall be Cisco Aironet 350. Support for other compatible devices is not guaranteed. Users are free to try other wireless NICs but will have to configure and troubleshoot connectivity on their own.
• Connectivity to the “wired” data communication network will be via existing network infrastructure at each AP location. The data will then be carried via a single Virtual LAN (VLAN) shared by all APs. This VLAN will collapse into a single network device that provides Layer 3 connectivity to the rest of the data communication network.
• All data communication and activity within the Rome system will be considered untrusted. This means that users will be subject to restrictions implemented to protect the security and integrity of the data communication network as a whole.
• Access to The Internet shall be provided with little restriction or protection. However, the acceptable use policies (AUP) for the “wired” LAN supersede this policy. Users shall not violate the general AUP.
• Access to NYP / Health Sciences systems and data will only be allowed via a VPN connection using IPSec.
• CORE Resources reserves the right to confiscate any device that causes interference with the Rome system and whose owner or custodian is unwilling to turn it off after it has been found to interfere with the Rome system. Users are encouraged NOT to install their own wireless networking devices and should ask CORE Resources to provide connectivity in the area.
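The rules above amount to an ordered filter on the layer 3 device that terminates VLAN 888: IPSec to the VPN gateway is permitted, everything else bound for campus systems is denied, and Internet-bound traffic passes with little restriction. The following is an added example written for this document, not CORE Resources' configuration, that models those rules so the effect of rule ordering can be tested. The Rome subnet is the one stated in the policy; the internal address range, the VPN gateway address and the IPSec port numbers (standard IKE udp/500, NAT-T udp/4500, ESP, AH) are assumptions that the policy does not spell out.

```python
"""Model the Rome system's general rules as an ordered, first-match packet policy.

Added example, not CORE Resources' configuration.  ROME_SUBNET is from the
policy; INTERNAL_RANGES and VPN_GATEWAY are placeholders (assumptions), and
the IPSec ports are the standard IKE/NAT-T assignments.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ROME_SUBNET = ipaddress.ip_network("156.111.248.0/23")   # stated in the policy
# Assumption: campus networks that Rome users may reach only through the VPN.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
VPN_GATEWAY = ipaddress.ip_address("10.0.0.1")           # placeholder address
IPSEC_UDP_PORTS = {500, 4500}                            # IKE and NAT-T


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "esp" or "ah"
    dport: Optional[int] = None


def is_ipsec(flow: Flow) -> bool:
    """True for ESP/AH, or IKE/NAT-T over UDP: the only sanctioned way onto campus systems."""
    if flow.proto in ("esp", "ah"):
        return True
    return flow.proto == "udp" and flow.dport in IPSEC_UDP_PORTS


def evaluate(flow: Flow) -> Tuple[str, str]:
    """First-match evaluation.  Order matters: the IPSec permit must precede the
    internal deny, and the internal deny must precede the Internet permit."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in ROME_SUBNET:
        return "deny", "source is not a Rome address (anti-spoofing)"
    if dst == VPN_GATEWAY and is_ipsec(flow):
        return "allow", "IPSec to the VPN gateway"
    if any(dst in net for net in INTERNAL_RANGES):
        return "deny", "campus systems reachable only via VPN"
    if not dst.is_global:
        return "deny", "non-routable destination"
    return "allow", "Internet access with little restriction"
```

Swapping the second and third rules would silently block the VPN itself, since the gateway sits inside the internal range; keeping the anti-spoofing check first ensures a forged non-Rome source address on the untrusted VLAN never reaches the later permits.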
PROCEDURE
The system is provided as a supplement to the “wired” network, not a replacement for it. This implies that the Rome system will not be redundant, nor shall it be considered for critical business use. It is intended more for convenience than for business-critical application use. The following procedures will be used as a guideline for the implementation and use of the Rome system:
The Rome System
• The Rome system is to be implemented by the installation of a central switch/router into which all connections from APs will eventually collapse. The switch/router will be a Cisco 5500 class switch/router or similar with enough capacity to accommodate a fiber optic connection from each of the campus buildings at 100 Mb/s full-duplex or greater.
• The link from each building to the central Rome switch/router will terminate at the lower-level distribution switch/router that exists in Hospital buildings. University-owned buildings currently have only one distribution switch, and the connection shall be made from that switch.
• VLAN 888 will be used for the Rome system and implemented as a “Flat Network” in which the VLAN spans every connection to each of the buildings and APs. This is necessary to facilitate seamless roaming from one location to another without having to renegotiate a new layer 3 network address between the mobile device and the system.
• IP Subnet 156.111.248.0/23 is to be used for IP addressing. This subnet provides roughly 512 IP addresses that can be active at any one time within the Rome system.
• Addressing will be via DHCP only. No static addressing will be supported in the Rome system. This will be strictly enforced and no single device can be assigned any one specific address. Users shall not expect a static address and if a mobile device receives the same address it is purely coincidental.
• Access Points will be initially Cisco Aironet 350 Wireless Access Points. These are 802.11b compliant devices that support industry standard protocols and are fully manageable.
• APs will be connected to existing distribution layer switches at a particular location as needed. They shall be connected to VLAN 888 and configured with an IP address from the management IP subnet within the Rome system.
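Because the whole Rome system is one flat VLAN with a single /23, the “DHCP only” rule is the main control on who holds an address, and the layer 3 device's ARP table is the place to check it. The following is an added example written for this document, not CORE Resources' tooling: it compares an ARP table from VLAN 888 against the DHCP server's active leases and reports hosts that have configured their own address, hosts contending for a leased address, and foreign addresses that do not belong on the VLAN. The lease and ARP listings are constructed samples in a simplified format (a real DHCP server and switch print differently, so the two parsers would need adjusting); the Rome subnet is from the policy and the exempt infrastructure set is an assumption.

```python
"""Audit VLAN 888 for devices that bypass the DHCP-only addressing rule.

Added example, not CORE Resources' tooling.  LEASES and ARP_TABLE are
constructed samples; ROME_SUBNET is from the policy; EXEMPT is an assumption.
"""
import ipaddress
import re

ROME_SUBNET = ipaddress.ip_network("156.111.248.0/23")   # from the policy

# Constructed DHCP lease export: address, client MAC, lease state.
LEASES = """\
156.111.248.20 00:40:96:aa:bb:01 active
156.111.248.21 00:40:96:aa:bb:02 active
156.111.248.22 00:40:96:aa:bb:03 expired
"""
# Constructed ARP table from the VLAN 888 layer 3 device (Cisco-style dotted MACs).
ARP_TABLE = """\
156.111.248.1   0000.0c07.ac01
156.111.248.20  0040.96aa.bb01
156.111.248.21  0040.96aa.bb09
156.111.248.22  0040.96aa.bb03
156.111.248.77  00e0.1e11.2233
192.168.1.5     0011.2233.4455
"""
# Assumption: infrastructure addresses (gateway, AP management) are not DHCP clients.
EXEMPT = {"156.111.248.1"}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return colon form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> dict:
    """Map address -> MAC for active leases only; an expired lease does not excuse a host."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "active":
            leases[parts[0]] = normalize_mac(parts[1])
    return leases


def parse_arp(text: str) -> list:
    """List of (address, MAC) pairs from the ARP listing."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], normalize_mac(parts[1])))
    return entries


def audit(lease_text: str, arp_text: str, exempt=EXEMPT) -> list:
    """Return (address, mac, finding) for every ARP entry that violates the rule."""
    leases = parse_leases(lease_text)
    findings = []
    for ip, mac in parse_arp(arp_text):
        if ip in exempt:
            continue
        if ipaddress.ip_address(ip) not in ROME_SUBNET:
            findings.append((ip, mac, "address outside 156.111.248.0/23 seen on VLAN 888"))
        elif ip not in leases:
            findings.append((ip, mac, "no active DHCP lease: statically configured address"))
        elif leases[ip] != mac:
            findings.append((ip, mac, f"address leased to {leases[ip]}: duplicate or conflicting address"))
    return findings
```

Run on the constructed samples, the audit flags the host still using an expired lease, the host that picked its own address, the MAC contending for a leased address, and the 192.168.1.5 device that is on the wrong network entirely.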
Placement of APs
To ensure the highest level of performance and coverage, CORE Resources shall conduct a “site survey” with industry accepted equipment and procedures. A Wireless Site Survey kit shall be used to survey and map an area to be covered. Where more than one AP is necessary to provide coverage, the following channel overlap scheme is to be used:

Enough overlap is to be provided to allow ample time and power for mobile devices to transparently roam between "cells" without loss of connectivity. Signal strength is never to drop below 40 dB without another cell overlapping the same spot at that dB level. CORE Resources will allow for a 3 dB variance in signal strength.
APs will be mounted professionally on the wall, on the ceiling, or above dropped ceiling tiles. Mounting will be dictated primarily by the performance of the system. CORE Resources will take into consideration the aesthetics of an installation in a particular area and will accommodate the occupants of the area, at the expense of the department requesting the relocation of the device(s).
Power is to be provided via in-line power over the Cat-5 cabling to be installed from each AP to the nearest data closet.
In cases where business-critical application use is required, CORE Resources will design and implement a more robust, highly redundant wireless system. These one-time custom implementations shall NOT be part of the Rome system and shall remain as separate entities with unique addressing and connectivity schemes.
End User Responsibilities
Users are encouraged to purchase Cisco Aironet 350 Wireless Network Interface Cards (NICs) or a subsequent model from Cisco. CORE Resources has done extensive compatibility testing and has found these cards to provide greater performance and richer feature sets than any other comparable product.
Of great importance is the support for security features not provided by other vendors. Security will be the most important consideration while we implement and support the Rome system. While WEP security is available in most wireless products, it will not be implemented within the Rome system. Instead, all traffic will be allowed unencrypted to and from The Internet. Traffic to and from the Health Sciences Campus network, Columbia University, New York Presbyterian Weill Cornell Center and Weill Cornell Medical College will be allowed only via a VPN connection. Users will need to have a VPN account to access these resources.
The use of other Wireless NICs is not prohibited. The Rome system shall support any 802.11b wireless device. However, CORE Resources will prioritize support for those users with a Cisco 350 Wireless NIC or similar.
Wireless NICs that are causing interference will be confiscated by CORE Resources to maintain system integrity. Users willingly causing interference to the system will be reported to Human Resources for disciplinary action and their device will be confiscated.
Attempts to bypass security or to damage the system passively and / or actively are strictly prohibited. The use of scanning software to capture raw data from the wireless data stream is strictly prohibited.
"War driving" or the active scanning of 802.11b data streams for the purpose of finding weaknesses in the integrity of the system with the intent of exploiting such weakness is strictly prohibited. Promiscuous data capture for whatever reason is also strictly prohibited.
Data capture is to be done only by CORE Resources or other authorized personnel for the purposes of system testing or troubleshooting or for security reasons. Ample notice shall be given prior to any such data capture.
Users shall never assume privacy when using the Rome system. It is the sole responsibility of the user to ensure their privacy and the protection of privileged information and / or intellectual property. CORE Resources makes no guarantees as to the security of the data traversing the Rome system.
EXCEPTIONS
NYP acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with this policy. All such instances must be approved in writing and in advance by the Information Security Officer and by the Director of CORE Resources.
VIOLATIONS
NYP workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination and civil and/or criminal penalties.
 
Quarantine Network Security Policy and Procedures

PURPOSE
The purpose of this document is to establish procedures to ensure the appropriate protection of New York Presbyterian (NYP) Hospital's data servers during setup and testing.
SCOPE
This policy applies to all employees, contractors, consultants, temporaries, and other workers at New York Presbyterian Hospital, including those workers affiliated with third parties who access NYP information systems and networks. Throughout this policy, the word "worker" will be used to collectively refer to all such individuals. The policy applies to all computer and data communication systems owned by and/or administered by NYP.
GENERAL POLICY
All data servers employed at or by NYP must be set up in a quarantined network environment. Before those servers can be placed in production, they must pass testing for known network security vulnerabilities. By default, data servers at NYP will use IP addresses that leave them unreachable from the Internet ("private IP addresses"). Devices that serve purposes which require accessibility from the Internet will continue to be assigned public IP addresses (these may include data servers, determined on a case-by-case basis).
RESPONSIBILITIES
The Department of Core Resources shall administer the Quarantine Networks at NYP. The Security Officer shall administer and evaluate the network security testing of servers.
PROCEDURE
Vendors and server administrators or custodians may only assemble and set up new servers either standing alone (no network connection at all) or connected to a network port on a quarantined network. Quarantined IP addresses will be of the form 10.120.x.x, and the specific address appropriate for the location where the server is being set up physically should be obtained from Core Resources IP Admin following the usual procedures for applying for an IP address. The quarantined network for a given location will be on VLAN 999.
By default, data processing services which would be delivered via the network (e.g. Simple Network Management Protocol service) are not delivered into a quarantine network. While setting up and configuring a server, the administrator may need certain services to be brought into the quarantine network for testing. Requests for these services for testing must be forwarded to the Core Resources Security Admin. The requests must be narrowly defined, noting the source and destination IP addresses and the TCP port number used.
Network Time Protocol and Netware Core Protocol are exceptions; those services will be routinely allowed into the Quarantined networks.
When its administrator believes that the server is ready to go into production, the server will be scanned and tested for known network security vulnerabilities. Any security holes identified by the scan must be fixed before the server may be moved off the quarantined network. The scan also generates warnings. These will be pointed out to the administrator but do not require action. When a scan shows no security holes, the server may be moved to a production network.
The server administrator applies to Core Resources IP Admin for a production IP address and gets the port changed from the quarantine VLAN to a production VLAN. By default, servers will be assigned a private IP address (10.112.x.x, or 10.115.x.x on the West Campus), but if the administrator chooses to make the case for the server's needing to reach or be reached over the Internet, a public IP address will be assigned.
Immediately after the server has moved onto a production network, it will be scanned again. If this scan turns up security holes for any reason, its network connection will be broken (by disabling the port) until all holes are fixed. This may require moving the server back into quarantine.
All scan results for the server will be collected and saved by the Security Officer as a baseline measure of that server's security.
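The procedure above is a small state machine: service requests into quarantine are accepted only when narrowly scoped, holes (not warnings) block the move to production, a hole found after the move disables the port, and every scan is retained as the baseline. The following is an added example written for this document, not the Security Officer's or Core Resources' tooling, that encodes those decisions so they can be applied mechanically and consistently. The 10.120.x.x range and the hole/warning distinction come from the policy; the scanner output format and its findings are constructed samples, and the NTP and NCP port numbers are the standard assignments (udp/123, tcp/524), which the policy does not state.

```python
"""Gate a server's path through quarantine on service requests and scan results.

Added example, not the hospital's tooling.  QUARANTINE_NET is from the policy;
the scanner output is a constructed sample; ROUTINE_SERVICES uses standard
port assignments the policy does not state.
"""
import ipaddress

QUARANTINE_NET = ipaddress.ip_network("10.120.0.0/16")
ROUTINE_SERVICES = {("udp", 123), ("tcp", 524)}   # NTP and NCP: allowed without a request


def validate_request(src: str, dst: str, proto: str, port) -> list:
    """Return the reasons a service request is not narrowly defined (empty list = acceptable)."""
    problems = []
    try:
        s = ipaddress.ip_network(src, strict=False)
        d = ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return ["source and destination must be IP addresses"]
    if s.num_addresses != 1:
        problems.append("source must be a single host address")
    if d.num_addresses != 1:
        problems.append("destination must be a single host address")
    elif d.network_address not in QUARANTINE_NET:
        problems.append("destination is not a quarantine (10.120.x.x) address")
    if proto != "tcp":
        problems.append("requests name the TCP port used")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("a single TCP port number is required")
    return problems


# Constructed scanner output: severity, then the finding text.
SCAN_FIRST = """\
HOLE    tcp/23 telnet service enabled
WARNING tcp/161 SNMP read-only community is a well-known default
HOLE    tcp/445 file share writable without authentication
"""
SCAN_CLEAN = "WARNING tcp/161 SNMP read-only community is a well-known default\n"
SCAN_REGRESSED = "HOLE    tcp/23 telnet service enabled\n"


def parse_scan(text: str):
    """Split scanner output into (holes, warnings); only holes carry consequences."""
    holes, warnings = [], []
    for line in text.splitlines():
        severity, _, finding = line.partition(" ")
        if severity == "HOLE":
            holes.append(finding.strip())
        elif severity == "WARNING":
            warnings.append(finding.strip())
    return holes, warnings


class ServerRecord:
    """One server's path from quarantine to production; every scan is kept as baseline."""

    def __init__(self, name: str):
        self.name = name
        self.stage = "quarantine"
        self.port_enabled = True
        self.baseline = []              # all scan results, retained by the Security Officer

    def record_scan(self, scan_text: str) -> str:
        holes, warnings = parse_scan(scan_text)
        self.baseline.append({"stage": self.stage, "holes": holes, "warnings": warnings})
        if self.stage == "quarantine":
            if holes:                   # holes block the move; warnings are only reported
                return "stay_in_quarantine"
            self.stage = "production"   # IP Admin then reassigns the port to a production VLAN
            return "move_to_production"
        self.port_enabled = not holes   # in production, any hole disables the port until fixed
        return "port_disabled" if holes else "port_enabled"
```

The same warning appears in every scan of the sample server and never changes the decision, which is the behaviour the policy describes; the post-move regression shows why the second scan is not optional.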
EXCEPTIONS
NYP acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with this policy. All such instances must be approved in writing and in advance by the Information Security Officer.
It will not be easy to persuade the Information Security Officer that the appropriate circumstances have actually come to pass.
VIOLATIONS
NYP workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination and civil and/or criminal penalties.
GLOSSARY
Access control: A system to restrict the activities of users and processes based on the need-to-know.
Agents: A new type of software that performs special tasks on behalf of a user, such as searching multiple databases for designated information.
Algorithm: A mathematical process for performing a certain calculation; generally used to refer to the process for performing encryption.
Badge reader: A device which reads badges and interconnects with a physical access control system.
Booting: The process of initializing a computer system from a turned-off state.
Bridge: A device which interconnects networks or that otherwise allows networking circuits to be connected.
Cipherlock: A device that requires the entry of passwords at doors and which provides physical access control over a room or building.
Compliance statement: A document used to obtain a promise from a computer user that such user will abide by system policies and procedures.
Confidential information: A designation for information, the disclosure of which is expected to damage New York Presbyterian or its business affiliates (see restricted information).
Critical information: Any information essential to New York Presbyterian's business activities, the destruction, modification, or unavailability of which would cause serious disruption to New York Presbyterian's business.
Cryptographic challenge/response: A process for identifying computer users involving the issuance of a random challenge to a remote workstation, which is then transformed using an encryption process, and a response is returned to the connected computer system.
Default file permission: Access control file privileges (read, write, execute, etc.) granted to computer users without further involvement of either a security administrator or users.
Default password: An initial password issued when a new user-ID is issued, or an initial password provided by a computer vendor when hardware/software is first delivered.
Dynamic password: A password which changes each time a user logs into a computer system.
Encryption key: A secret password or bit string used to control the algorithm governing an encryption process.
Encryption: A process involving data coding to achieve confidentiality, anonymity, time-stamping, and other security objectives.
End-user: A user who employs computers to support New York Presbyterian business activities, who is acting as the source or destination of information flowing through a computer system.
Extended user authentication technique: Any of various processes used to bolster the user identification process achieved by user-IDs and fixed passwords (see hand-held tokens and dynamic passwords).
Firewall: A logical barrier stopping computer users or processes from going beyond a certain point in a network unless these users or processes have first passed some security check (such as providing a password).
Front-end telecommunications processor: A small computer used to handle communications interfacing (polling, multiplexing, error detection, etc.) for another computer.
Gateway: A computer system used to link networks which can restrict the flow of information and which employs some access control method.
Information retention schedule: A formal listing of the types of information that must be retained for archival purposes and the timeframes that these types of information must be kept.
Isolated computer: A computer which is not connected to a network or any other computer; a stand-alone personal computer is an example.
Log-in banner: The initial message presented to a user when he or she first makes connection with a computer.
Log-in script: A set of stored commands which can log a user into a computer automatically.
Master copies of software: Copies of software which are retained in an archive and which are not used for normal business activities.
Multi-user computer system: Any computer which can support more than one user simultaneously.
Password guessing attack: A computerized or manual process whereby various possible passwords are provided to a computer in an effort to gain unauthorized access.
Password reset: The assignment of another (temporary) password when a user forgets or loses his/her password.
Password-based access control: Software which relies on passwords as the primary mechanism to control system privileges.
Password: Any secret string of characters used to positively identify a computer user or process.
Positive identification: The process of definitively establishing the identity of a computer user.
Privilege: An authorized ability to perform a certain action on a computer, such as read a specific computer file.
Privileged user-ID: A user-ID which has been granted the ability to perform special activities, such as shut down a multi-user system.
Restricted information: Particularly sensitive information, the disclosure of which is expected to severely damage New York Presbyterian or its business affiliates (see confidential information).
Router: A device that interconnects networks using different layers of the Open Systems Interconnection (OSI) Reference Model.
Screen blanker: See screen saver.
Screen saver: A computer program that automatically blanks the screen of a computer monitor or CRT after a certain period of no activity.
Hand-held token: A commercial dynamic password system which employs a smart card to generate one-time passwords that are different for each session.
Security patch: A software program used to remedy a security or other problem (commonly applied to operating systems).
Sensitive information: Any information, the disclosure of which could damage New York Presbyterian or its business associates.
Shared password: A password known by and/or used by more than one individual.
Software macro: A computer program containing a set of procedural commands to achieve a certain result.
Special system privilege: Access system privileges allowing the involved user or process to perform activities which are not normally granted to other users.
Suspending a user-ID: The process of revoking the privileges associated with a user-ID.
Systems administrator: A designated individual who has special privileges on a multi-user computer system, and who looks after security and other administrative matters.
Terminal function keys: Special keys on a keyboard that can be defined to perform certain activities such as save a file.
User-IDs: Also known as accounts, these are character strings that uniquely identify computer users or computer processes.
Valuable information: Information of significant financial value to New York Presbyterian or another party.
Verify security status: The process by which controls are shown to be both properly installed and properly operating.
Virus screening software: Commercially-available software that searches for certain bit patterns or other evidence of computer virus infection.