Northeastern University System and Communications Protection Standard
Related Policy: Northeastern University Information Security Policy
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the number and diversity of IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.
This standard establishes the minimum system and communications protection criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.
IT systems are in scope of this standard if they use any of the following: Northeastern’s network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., an @northeastern.edu account).
System and Communications Protection Overview
The System and Communications Protection (SC) domain focuses on controlling, protecting, and monitoring communications at key boundaries. Architectural designs, software development lifecycles, and secure IT system engineering principles are leveraged to promote IT system and communications security.
Roles and Responsibilities
The following high-level functional roles support the system and communications protection processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with system and communications protection within the Northeastern University environment.
Chief Information Security Officer (CISO): Individual responsible for the overall Northeastern University information security program.
System Administrator: An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands-on management of the IT system and is usually more technical in nature than the System Owner. System Administrators are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting or assisting with configuration monitoring activities as needed.
Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and IT systems related to managing network communications.
- Security: manages all IT systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages IT systems that control identity-based access, like Entra ID.
System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an IT system.
The System Owner is also responsible for maintaining the appropriate operational security posture for an IT system or enclave and for ensuring the information assurance of a program or organization. Depending on the size of the IT system, these responsibilities can be assigned to someone with a role closely aligned to that of an Information System Security Officer.
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.13.1) in the text below to identify where each listed responsibility inherits its requirements from.
As the system and communications protection capability matures over time, additional controls may be considered to augment confidentiality and address the availability and integrity of information. Additionally, when implementing the criteria of this document, organizations may choose to implement stricter criteria; however, the criteria cannot be relaxed without a formal exception by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
Security Requirements for Systems and Communications
(3.13.11) The System Owner is responsible for ensuring that Northeastern University data, both at rest and in transit, is encrypted using modern encryption algorithms (e.g., Advanced Encryption Standard [AES]) to protect its confidentiality. The System Owner is also responsible for reviewing the encryption algorithms in use on in-scope hardware and software on a yearly basis to determine whether they are still effective at keeping Northeastern University’s data confidential.
The Security Administrators are responsible for deploying approved encryption solutions to protect the confidentiality of Northeastern University data.
(3.13.2) The System Owner is responsible for ensuring IT systems security engineering principles are applied to IT systems processing, storing, or transmitting Northeastern University data during development and while undergoing significant changes. At a minimum, the following IT systems security engineering concepts must be addressed:
- Utilizing a software development life cycle based upon security best practices (e.g., the Microsoft Security Development Lifecycle [SDL]).
- Defining and incorporating security requirements.
- Developing a security architecture.
- Performing a security impact assessment.
- Performing threat modeling.
(3.13.3) The System Owner is responsible for defining IT system management functions for privileged users (e.g., server configuration changes, audit log review) and defining user functions as all non-management functions aligned to a general user role.
The System Administrator is responsible for assigning IT system management functions to authorized privileged users.
(3.13.4) The System Owner is responsible for ensuring IT systems rely on modern, vendor-supported operating systems (e.g., Windows, Red Hat), whose process and memory isolation prevents unauthorized and unintended information transfer via shared IT system resources.
(3.13.7) The System Administrator is responsible for configuring endpoints (e.g., laptops, mobile devices) and implementing remote access methods (e.g., VPN) to prevent communication that is not routed through centralized network traffic control hardware (e.g., a firewall), i.e., to prevent split tunneling.
(3.13.8) The System Owner is responsible for identifying and approving transmission mechanisms that use cryptography (e.g., Transport Layer Security [TLS], SSH) to protect Northeastern University data in transit. If encryption is not feasible, the System Owner is responsible for identifying alternative physical safeguards and requesting approval from the CISO prior to use of those safeguards.
The System Administrator is responsible for deploying encryption to protect the confidentiality of Northeastern University data.
(3.13.9) The System Administrator is responsible for configuring network hardware to terminate network sessions (e.g., virtual private network [VPN]) after 8 hours of inactivity and upon session end.
(3.13.10) The System Owner is responsible for ensuring cryptographic keys are established whenever cryptography is employed within the Northeastern University environment. Additionally, the System Owner is responsible for establishing processes to protect and manage cryptographic keys (e.g., access controls, key storage, backup, recovery, revocation, destruction). The System Administrator is responsible for managing cryptographic keys in accordance with established processes defined by the System Owner.
(3.13.15) The System Owner is responsible for ensuring security protocols (e.g., TLS) are used to authenticate the remote endpoint and protect the integrity of communication sessions, so that a session cannot be hijacked or its contents altered in transit.
(3.13.16) The System Owner is responsible for ensuring the confidentiality of data at rest is protected using encryption.
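A concrete check for the in-transit criteria in (3.13.8), (3.13.11) and (3.13.15) above, added here as an illustration and not part of this standard or of any Northeastern University tooling. It builds the client TLS configuration a System Owner should reject beside one that meets the criteria, and audits either against the three properties that separate an authenticated, integrity-protected TLS session from one that merely encrypts: the peer certificate must be required, it must be matched to the host name contacted, and the protocol floor must be at least TLS 1.2. The function names, the TLS 1.2 floor and the finding text are assumptions of the example; the ssl module is Python's standard library.

```python
"""Audit a client-side TLS configuration against the standard's in-transit criteria.

Added example (not part of the Northeastern University standard). Function names,
the TLS 1.2 floor and the finding strings are assumptions; `ssl` is the Python stdlib.
"""
import ssl

# Assumed floor for a "modern" transmission mechanism: TLS 1.0 and 1.1 are deprecated.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def weak_context() -> ssl.SSLContext:
    """The configuration to reject: traffic is encrypted, but the peer is never
    authenticated, so an active attacker can terminate the session itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, self-signed included, is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # lets the peer pick TLS 1.0
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The configuration that meets 3.13.8 and 3.13.15: chain validated against the
    system trust store, host name matched, and an explicit protocol floor of TLS 1.2."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS           # explicit, independent of library defaults
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the criteria the context fails; an empty list means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("3.13.15: peer certificate not required, session is not authenticated")
    if not ctx.check_hostname:
        findings.append("3.13.15: certificate not matched to the host name being contacted")
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"3.13.8: protocol floor {ctx.minimum_version.name} is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'compliant' if not findings else 'non-compliant'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run stand-alone, the script reports three findings for the weak context and none for the hardened one. The same audit_context call, applied to each in-scope client configuration, is one way to evidence the yearly algorithm review required under (3.13.11); note that it inspects the local configuration only and does not replace a handshake test against the actual server.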
Control Communications at System Boundaries
(3.13.1) The System Owner is responsible for defining external boundaries and key internal boundaries of the IT system and documenting the boundaries. The System Owner is responsible for authorizing boundary protection devices (e.g., firewall) for use within the IT system to protect communications between sources and destinations.
The System Administrator is responsible for configuring boundary protection devices (e.g., gateways, router) to protect communications between sources and destinations. The System Owner is responsible for auditing communications and reviewing logs in accordance with the Northeastern University Information Security Policy and Northeastern University Audit and Accountability Standard.
(3.13.5) The System Owner is responsible for maintaining an updated IT system inventory in accordance with the Northeastern University Configuration Management Standard and identifying publicly accessible IT system components. Publicly accessible IT system components include those requiring no identification and authentication (e.g., kiosks) as well as those requiring a logon (e.g., username and password).
The System Administrator is responsible for segmenting (e.g., demilitarized zone [DMZ]) all publicly accessible IT system components from the Northeastern University environment.
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.
Access Control: Process of granting access to IT system resources only to authorized users, programs, processes, or other IT systems.
Cryptographic Mechanism: Application, process, module, or device that provides a cryptographic service, such as confidentiality, integrity, source authentication, and access control (e.g., encryption and decryption, and digital signature generation and verification).
Domain Name System (DNS): The system by which Internet domain names and addresses are tracked and regulated.
Encryption: Any procedure used to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data.
Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information Technology (IT): Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
Organization: An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).
Compliance
This standard complies with the directives defined in the Northeastern University Information Security Policy. The university recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criteria defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration, the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
Date | Description | Version | Editor |
---|---|---|---|
12/19/2024 | Initial draft for Stakeholder Review | 0.1 | Kwaku Danquah |
1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. System and Communications Protection Standard Summary
The table below summarizes the minimum criteria for enabling system and communications protection capabilities within the Northeastern University IT system environment.
- The first column, “Northeastern University Practice ID”, identifies the related practice ID as defined in NIST SP 800-171.
- The “Northeastern University Practice Statement” column includes the Northeastern University practices required to be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level Northeastern University practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, a Northeastern University practice statement may be derived into several requirements to be addressed to satisfy the Northeastern University practice.
- The final column, “Northeastern University Environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices, etc.) which the university will implement to satisfy the related Northeastern University practice.
Northeastern University Practice ID | Northeastern University Practice Statement | Derived Requirement | Northeastern University Environment Criteria (Northeastern University Practice Implementation) |
---|---|---|---|
3.13.1 | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational IT systems) at the external boundaries and key internal boundaries of the IT systems. | Define Boundaries | The System Owner is responsible for: defining external boundaries and key internal boundaries of the IT system; documenting the boundaries. |
3.13.1 | | Boundary Protections | The System Owner is responsible for: authorizing boundary protection devices (e.g., firewall) for use within the IT system to protect communications between sources and destinations. |
3.13.1 | | Enforce Boundary Protections | The System Administrator is responsible for: configuring boundary protection devices (e.g., gateways, routers) to protect communications between sources and destinations. |
3.13.1 | | Monitor Communications | The System Owner is responsible for: auditing communications and reviewing logs in accordance with the Northeastern University Information Security Policy and Northeastern University Audit and Accountability Standard. |
3.13.5 | Implement subnetworks for publicly accessible IT system components that are physically or logically separated from internal networks. | Identify Publicly Accessible IT Systems | The System Owner is responsible for: maintaining an updated IT system inventory in accordance with the Northeastern University Configuration Management Standard; identifying publicly accessible IT system components. Publicly accessible IT system components include those requiring no identification and authentication (e.g., kiosks) as well as those requiring a logon (e.g., username and password). |
3.13.5 | | Segment Network | The System Administrator is responsible for: segmenting (e.g., demilitarized zone [DMZ]) all publicly accessible IT system components from the Northeastern University environment. |
3.13.2 | Employ architectural designs, software development techniques, and IT systems engineering principles that promote effective information security within organizational IT systems. | Security Engineering | The System Owner is responsible for: ensuring IT systems security engineering principles are applied to IT systems processing, storing, or transmitting Northeastern University data during development and while undergoing significant changes. At a minimum, the following concepts must be addressed: utilizing a software development life cycle based upon security best practices (e.g., the Microsoft Security Development Lifecycle [SDL]); defining and incorporating security requirements; developing a security architecture; performing a security impact assessment; performing threat modeling. |
3.13.3 | Separate user functionality from IT system management functionality. | Define Functionality | The System Owner is responsible for: defining IT system management functions for privileged users (e.g., server configuration changes, audit log review); defining user functions as all non-management functions aligned to a general user role. |
3.13.3 | | Separate Functionality | The System Administrator is responsible for: assigning IT system management functions to authorized privileged users. |
3.13.4 | Prevent unauthorized and unintended information transfer via shared IT system resources. | Prevent Information Transfer | The System Owner is responsible for: ensuring IT systems rely on modern operating systems (e.g., Windows, Red Hat) to prevent unauthorized and unintended information transfer via shared IT system resources. |
3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational IT systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | Prevent Split Tunneling | The System Administrator is responsible for: configuring endpoints (e.g., laptops, mobile devices) and implementing remote access methods (e.g., VPN) to prevent communication that is not routed through centralized network traffic control hardware (e.g., firewall). |
3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of sensitive university data during transmission unless otherwise protected by alternative physical safeguards. | Identify Mechanisms | The System Owner is responsible for: identifying and approving transmission mechanisms that use cryptography (e.g., Transport Layer Security [TLS], SSH) to protect Northeastern University data in transit; identifying alternative physical safeguards where encryption is not feasible; requesting approval from the CISO prior to use of alternative physical safeguards. |
3.13.8 | | Implement Mechanisms | The Security Administrators are responsible for: deploying encryption to protect the confidentiality of Northeastern University data. |
3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Network Termination | The System Administrator is responsible for: configuring network hardware to terminate network sessions (e.g., virtual private network [VPN]) after 8 hours of inactivity and upon session end. |
3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational IT systems. | Key Management | The System Owner is responsible for: ensuring cryptographic keys are established whenever cryptography is employed within the Northeastern University environment; establishing processes to protect and manage cryptographic keys (e.g., access controls, key storage, backup, recovery, revocation, destruction). The System Administrator is responsible for: managing cryptographic keys in accordance with established processes defined by the System Owner. |
3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of sensitive university data. | Encryption Algorithms | The System Owner is responsible for: ensuring Northeastern University data at rest and in transit is encrypted using modern encryption algorithms (e.g., Advanced Encryption Standard [AES]); reviewing the encryption algorithms in use on in-scope hardware and software yearly to determine whether they still keep Northeastern University data confidential. The Security Administrators are responsible for: deploying approved encryption solutions to protect the confidentiality of Northeastern University data. |
3.13.15 | Protect the authenticity of communications sessions. | Session Authenticity | The System Owner is responsible for: ensuring security protocols (e.g., TLS) are used to authenticate the remote endpoint and protect the integrity of communication sessions. |
3.13.16 | Protect the confidentiality of data at rest. | Encryption Type | The System Owner is responsible for: ensuring the confidentiality of data at rest is protected using encryption. |
Appendix B. System and Communications Protection References
The following list of references are common industry standards used to carry out the system and communications protection criterion defined within this standard.
- NIST Special Publication (SP) 800-28 Version 2 (Draft), Guidelines on Active Content and Mobile Code. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-28ver2.pdf
- NIST SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy. https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
- NIST SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final
- NIST SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final
- NIST SP 800-56C Rev. 2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes. https://csrc.nist.gov/publications/detail/sp/800-56c/rev-2/final
- NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General. https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
- NIST SP 800-58, Security Considerations for Voice Over IP Systems. https://csrc.nist.gov/publications/detail/sp/800-58/final
- NIST SP 800-77 Rev. 1, Guide to IPsec VPNs. https://csrc.nist.gov/publications/detail/sp/800-77/rev-1/final
- NIST SP 800-95, Guide to Secure Web Services. https://csrc.nist.gov/publications/detail/sp/800-95/final
- NIST SP 800-113, Guide to SSL VPNs. https://csrc.nist.gov/publications/detail/sp/800-113/final
- NIST SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. https://csrc.nist.gov/publications/detail/sp/800-125b/final
- NIST SP 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final