3.8.11 External Trusted Network Security Policy
The University will not implement any dedicated connection between the University’s network and the network of an external entity prior to conducting a formal risk assessment.
Extranets are dedicated networks connecting one trusted entity with another trusted entity. While extranets are extraordinarily powerful communications tools, they can represent very serious security exposures if the “trusted” partner’s own security is lax. A trusted connection with another entity extends the University’s network to include that entity and all of the security flaws that may be present in their network.
Formal risk assessments will provide the University administration with a better understanding of the level of additional risk involved in a trusted or semi-trusted connection to a partner organization. By identifying security weaknesses in a partner organization, the University can better identify protective measures it can take to preserve the security and integrity of the University’s network, or determine that the connection simply is not worth the risk. Minimum acceptable security standards must be agreed upon in writing (through a contract or other instrument) prior to the connection being implemented. Note that it may be possible to make such a connection on the perimeter firewall and therefore accept no larger risk than connection to the general Internet.
A less-than-secure trusted partner poses an additional unique threat in that any unauthorized activity performed over the connection is difficult to investigate, as the University would not normally have the right to audit or monitor the partner’s systems. The University could be placed in the compromising position of having to choose between depending on another organization to deduce the source of unauthorized activity, or shutting down a valuable business connection to that organization.
The Information Security Analyst can perform formal risk assessments unless he or she deems it necessary to bring in outside assistance. The project sponsors would cover the cost of external assistance unless otherwise arranged.
The threats the University faces in maintaining a trusted connection to another organization with less than acceptable security standards are at least equivalent to the threats that the University would face were its own network that insecure (which it essentially becomes by extending trust to the other organization’s facilities).