Firewall Rule Request Procedure

Description:

The Information Security Office and Network Design and Development Office facilitate the provisioning, deprovisioning, and auditing of firewall rules upon request from campus community members. All requests will be reviewed in accordance with standard security practices, regulatory compliance and support implications. Requests will be approved on a case-by-case basis and need to meet the following criteria:

  1. Firewall rule needs to be for a valid University business purpose.

  2. Firewall rule needs to be reviewed and approved by the Information Security Officer.

  3. Firewall rule needs to be assigned a “Requestor” and will be audited annually.

Procedure:

  1. A Tracker ticket is submitted by a firewall rule Requestor. A "Requestor" may be any member of the campus community that meets the above requirements and is an employee or affiliate (e.g. FSA).

  2. The Tracker ticket is automatically assigned to the ISO and Network Design and Development Manager for review. Reviews may expand to include the Fredonia Security Operations team or ITS leadership should additional consultation become necessary.

  3. Upon review, the ISO will complete a Nessus Vulnerability Management scan (non-credentialed) of the source and/or destination hosts. NOTE: All new virtual and physical hosts are required to complete the ITS Service Production Certification Checklist.

  4. Upon approval from the ISO, the Firewall Audit Register will be completed internally and the following information will be collected to conduct annual audits moving forward:

    1. Request Date

    2. Requestor

    3. Ticket# Reason

    4. Source

    5. Destination ports

    6. Firewall affected

    7. ISO approval

    8. Approval date

    9. Rule created by

    10. Created date

  5. The firewall rule is completed by the Network Design and Development Manager (Requestor - "First Name Last Name" will be annotated in the Comments section of the rule.)

  6. The Tracker ticket is updated to notify the requestor of the approval and completion of the request. If the request is denied, the ticket will be updated accordingly.

  7. Firewall rules will be deprovisioned upon request or if a security issue necessitates such action or if the rule is no longer needed by the requestor.

Note: A “Requestor” is responsible for demonstrating the valid business purpose for the firewall rule and participating in the annual firewall rule audit. The original "Requestor" is responsible for informing the Information Security Office (security@fredonia.edu) of any changes in personnel or if the rule is obsolete so that it can be removed.