Communications Security Policy

Appropriate security controls to ensure the protection of information in networks and its supporting information processing facilities to ensure confidentiality, integrity and availability of information residing on MAHE information systems.

General Guidelines

• External connections to MAHE networks, i.e., connections between a MAHE network and a non-MAHE network shall be protected by a firewall;

• Necessary network and security components shall be implemented, managed, and maintained in a secure manner;

• All network and security components shall be configured to provide audit logs for necessary and continual security monitoring;

• Confidentiality and integrity during transmission of critical data shall be ensured using appropriate encryption as required (refer to Cryptography Policy);

• Access to the network components and security devices shall require strict access control and authentication as per the Access Control Policy;

• Remote management of critical servers and network components shall only be done through proper encrypted channels; RDP as an option will be enabled as necessary with proper approval. 

• All internet connection shall be passed through a content filtering solution to block undesirable web sites;

• Appropriate network redundancy shall be built in the environment as per business requirements;

• Network components and the cabling of MAHE network shall be protected;

• Detailed network architecture diagram shall be maintained up to date by the Assistant/Deputy Director, IT/the designated assignee; and access to authorised users will be given on a need-to-know basis.

• Required documentation in support of all activities, related to network and security components, shall be created and maintained.


Remote Access Policy 


• The Assistant/Deputy Director, IT/the designated assignee shall be responsible for the management and administration of remote access services; (access over SSL VPN)

• All MAHE users with remote access privileges to MAHE information assets are responsible to ensure that their remote access connection shall have the same controls as their on-site connection; 

• Remote access security shall be controlled and enforced using strong password as per MAHE 'Password Management' section within the Access Control Policy;

• MAHE will incorporate different methods/types of access to its network assets from remote hosts, such as Teams & other collaboration services, Remote Access Tools etc.;

• TELNET service shall not be used to access MAHE’s information assets; 

• All sensitive data sent through Remote Access shall be over an encrypted tunnel;

• MAHE user with remote access privileges must ensure that their MAHE owned or personal computer or workstation, which is remotely connected to MAHE University network, is not connected to any other network at the same time;

• Devices that connect to the MAHE network must have its personal firewall enabled, operating system patches updated and should have active and updated Anti-virus software installed. Non-compliance device/system will be quarantined by the IT Department, without notice;

• For Non-MAHE users, access to production system will not be permitted;

• Access to production system for Non-MAHE users may be permitted against written approvals from the respective HOI/HOD/Functional Head and Director IT & Digital;

• Components providing remote services must be configured to terminate inactive connections based on timeout. For details, please refer to the Network Security Guideline; and

• The Assistant/Deputy Director, IT must ensure that the reconciliation of remote access rights to MAHE network is conducted once in every six months with the business owners’ approved authorization list, and any discrepancies identified are communicated to the respective functions for further appropriate action.


Wireless Guideline 


• Necessary controls shall be established to protect the confidentiality, integrity, availability and authenticity of data passing over wireless networks;

• All wireless Access Points/Base Stations connected to the University network must be registered, and approved by Assistant/Deputy Director, IT;

• These Access Points/Base Stations shall be subject to periodic penetration tests and audits;

• Necessary assessment shall be performed to assess the threats and risks involved with wireless communication on a periodic basis; and

• Wireless network shall be segregated from other networks based on necessary risk assessment.


Firewall Policy 


• Firewalls shall deny all Inbound & Outbound traffic that do not support MAHE's business objectives;

• Current Firewall Access rule set shall be maintained by MAHE IT Team;

• Firewall configuration shall be audited and verified half yearly;

• Strict physical access controls shall be in place to secure the firewall;

• Logical access to the firewall shall be controlled and authorized by Assistant/Deputy Director, IT;

• Necessary controls shall be implemented through configuration hardening of the Firewall;

• Necessary failover or redundancy mechanism as applicable shall be in place as per business needs and criticality;

• Firewall logs shall be stored and maintained as per the log retention matrix defined by MAHE (for a month) or based on internal customer requirements;

• Firewall logs shall be analysed on a regular basis and any discrepancies will be logged and acted upon;

• Firewall configuration shall be backed up as per the ‘Backup’ Section (daily backup) in Operations Security Policy; 

• Changes to firewall configuration shall be streamlined and authorized as per the Change Management process; and

• Firewall Management responsibilities shall be listed and assigned.


Network Security


• Network security controls shall be documented and implemented at MAHE for logical segregation of MAHE networks and for the protection of critical networks, information systems, and applications from unauthorized access, modifications, or destruction by internal or external users; 

• The wireless infrastructure of MAHE shall be logically separate from the wired LAN and further secured with adequate levels of strong user authentication, encryption levels, detection of rogue access points and appropriate physical security controls;

• All critical applications shall be protected by a firewall from both external users and internal users of MAHE;

• The firewall shall be configured and managed to permit access to University data from authorized users only and for authorized network services only;

• Intrusion prevention systems shall be deployed, as appropriate, to detect / prevent any intrusions and any unauthorized or malicious activities; and

• Network Architecture documentation shall be maintained and access to it shall be restricted.


Instant and Social Messaging


• MAHE reserves and intends to exercise the right to review, audit, intercept, access and disclose all messages created, received or sent over the IM system(s) for any purpose;

• The contents of IM messages may be disclosed within MAHE to and among authorized personnel without permission of the affected IM user, if reasonable suspicion exists of activities that may violate this or any other MAHE Policy; 

• Social Media platforms and/ or Messaging platforms such as but not limited to Facebook, Twitter, Whatsapp, WeChat, SnapChat, Hike etc. shall not be used by the MAHE faculty members, students and third-parties for any official/ professional communication; Users need to use official social media channels and handles only. 

• Any communication on social media platforms shall be carried out by a function or employee only post authorization from HIO/HOD/Functional Head, Registrar, MAHE and Director IT & Digital; 

• MAHE shall consider proactively scanning for and blocking or flagging any transmissions, via the MAHE network, that contain phrases of profanity or violence, confidential information, or other sensitive data that may expose the organization to operational, legal, reputation, or physical risks.

Clock Synchronization

All clocks of MAHE, including servers, desktops, laptops, etc. shall be synchronized with a Network Time Protocol (NTP) server or equivalent.