The UEL Network Security Policy applies to all staff and students and is designed to protect individual and institutional data and programs, and to preserve the UEL network as a resource for all members of the University.
There are currently around 12000 users, nearly 3000 workstations and 22 Novell File Servers on the UEL Network System. We also have a number of Unix Hosts, seven within Information Technology and around 35 others located within Faculties. The UEL network provides an integrated network service to all of its user base. Given the need to balance the requirement for a very large user base to have access to the UEL network system and academic freedom associated with it, against the need to make a provision for adequate controls and security mechanisms, at the request of the IS/IT Strategy Group, Information Technology has drafted a Network Users Security policy for the University.
Security is imperative in any network system. However, with the complex nature of the UEL network, through connectivity with the outside world via the Internet and Joint Academic Network (JANET), it is even more important for UEL's network to be made as `secure' as possible. There are real dangers of illegal infiltration and malicious abuse of systems which UEL should guard against.
It is naturally best practice to protect any data and information resources in any set up. However, it is even more important in the complex nature of integrated network systems such as at UEL, used for and by differing user applications such as Payroll, Student Administration, Systems Development, Finance and other academia, across a large user base in a multi-site operation.
Therefore, there is an obligation on UEL to have formal procedures and practices to protect its data and information resources. Furthermore, UEL practices are governed by external sources such as Computer related Acts of Parliament and links through HEFCE/UKERNA on Joint Academic Network (JANET).
Network Security considerations can be broken down into four key areas, with each area providing a firm backing towards a more `secure' network system at the UEL.
The University is obliged under two major laws, The Data Protection Act (1998) and The Computer Misuse Act (1990), and other subsidiary laws, such as The Criminal Justice and Public Order Act 1994, Obscene Publications Act, The Protection of Children Act, The Telecommunications Act 1978, The Copyright, Designs and Patents Act 1988, to secure its computer systems and network. UEL shall endeavour to uphold its procedures and practices in line with the laws, and that, where breach has taken place, it will take appropriate action wherever possible.
The University is provided with a JANET (Joint Academic Network) link by JISC (Joint Information Systems Committee), a sub-committee of the Higher Education Funding Council on condition that it accepts and follows JISC's acceptable use guidelines. UEL will take appropriate actions, in so far as possible, to adhere to these guidelines.
The user community will act responsibly and be aware of the associated risks and penalties for breaches. It will work closely with the system administrators and the UEL establishment to ensure that security of systems and networks is maintained at all times. The User Code of Practice for Users and System Administrators Code of Practice for System Administrators will be published. These will outline responsibilities and procedures to be followed by users and administrators.
Given the complexity of network systems with multiple and heterogeneous protocols, it is important to secure hosts by means of routers and/or `firewalls'. Information Technology will be responsible for management of routers and firewalls to provide a base level of security. These precautions should be taken by the System Administrators. Information Technology is available for providing advice on technical and software expertise.
The Security Policy will be backed by the University's disciplinary procedures (for staff and students), and technical sanctions such as withdrawal of network access. Accordingly, all users, system administrators and departments will be fully informed of the Policy, and to this end, Codes of Practice will be circulated to all existing users, and given to new users on application for a Login ID, or on enrolment.
This unit will consist of existing staff with designated responsibility for Network Security. It will monitor security on the network, advice users and departments on security measures, and investigate breaches of security.
This unit will provide a central focus for information and expertise, and a single point of contact on security matters for external agencies such as the Police and the recently established JANET-CERT - the Computer Emergency Response Team operated by UKERNA.
The Network Security Unit will produce a technical implementation manual in conjunction with the System Administrators. System Administrators will be responsible for ensuring that all the users on their system have access to and understanding of the individual responsibility placed upon them as outlined in the policy, the technical guide and associated documentation.
The object of the security policy is to prevent breaches occurring. However, where it is found that breaches have occurred, the network access for that individual may be disabled pending full investigation, and may result in formal action under the following procedures:
Where the user involved is non-UEL person, then the UEL sponsor will be notified of the severity of the breach with a recommendation of action. The withdrawal of access may be extended following a disciplinary hearing where it is deemed appropriate.
The security policy and associated procedures will be reviewed in the light of the decision for implementing new applications that directly or otherwise impact on the UEL Network.
As an authorised user of the UEL network, you have access to computing facilities, software, electronic mail and network services at UEL and other sites on wider networks. With these facilities there are direct and implied responsibilities on the part of the University and on you, as an authorised user.
This code of practice sets out your responsibilities with regard to security under the UEL Network Security Policy.
If you infringe the lettered rules laid out below or the laws referred to, your access to network facilities will be removed, and you may be subject to disciplinary action by the University, and even civil or criminal prosecution.
These rules are not unique in essence to computer networks, but are designed to protect the confidentiality of correspondence, files and other records and to protect people from unwelcome intrusion. They are also necessary to fulfil the University's obligations as a network operator, and ensure that UEL can continue to have access to JANET and the Internet.
You are also subject to the provisions of the Computer Misuse Act 1990, which makes it a criminal offence to attempt to gain unauthorised access to computer systems, and the Data Protection Act 1998, which imposes duties with regard to acquiring, storing and handling information on other people. The Criminal Justice and Public Order Act 1994 amends the Obscene Publications Act, the Protection of Children Act and the Telecommunications Act 1978 to extend their provisions to computer networks, including data in coded form. You are also bound by the Copyright, Designs and Patents Act 1988, and the laws relating to theft with regard to "pirate" software.
When you join the university, you are allocated a `username' (which may also be referred to as a login id, or 'userid'. This is how you are identified on the UEL network. Students are automatically allocated a username based on information from their enrolment card. Staff are allocated ausername based on their first or last names.
For each system which you will be using on the network, you will also be given a password. The computer systems identify who is using them by this username and password pair.
As an authorised user, you must ensure that nobody, other than you, uses your username. You are responsible for the confidentiality of your username and password. For this reason, it is vital that you observe the following good practice:
A) You must not permit anyone else to use your username and password. You will be held accountable for any action taken using your username (e.g. in terms of paying for laser printing, or disciplinary action in case of further security breaches).
B) You must not use anyone else's password, even if they tell it to you. (There are ways of transferring or sharing information and programs without using someone else's username and password - ask your local use support area)
C) You must not obtain or try to obtain anyone else's password.
If you suspect that someone else has been using your username and password, you must tell Information Technology immediately.
On each system for which you have a password, you will be allocated space for files. This space is for your personal use and no-one other than the computer system administrator will have access to it, unless you specifically grant this to them. The system administrator will not inspect your files unless you ask them to, or they are investigating a breach of security. In any case, they will not browse the contents of personal files or amend any file unless so requested. If you have material of a particular sensitivity, you should consider encrypting it - contact the Information Technology Help Desk for details.
D) You must not gain access or attempt to gain access to any files unless the owner has specifically granted you access.
E) You should not hold files which contravene the Obscene Publications Act and the Protection of Childrens Act.
If you suspect that someone else has been reading or altering your files, you should tell Information Technology immediately.
Your username is also used to identify a mailbox for your electronic mail. Electronic Mail should be treated in the same way as ordinary mail, and the same standards of behaviour apply. Your mail is confidential, and its contents will not be examined by systems administrators. If you are transmitting material of a particular sensitivity, you should encrypt it before sending - contact the Information Technology Help Desk for details.
F) You must not transmit electronic mail that, in the terms of the Telecommunication Act, causes "annoyance inconvenience, or needless anxiety to other people". The content of mail is also covered by the Obscene Publications Act and the Protection of Children Act.
G) You must not send or attempt to send anonymous or `forged' electronic mail.
If you receive mail which you find offensive, is anonymous, or appears not to have been written by the apparent sender, then you should contact the Information Technology Help Desk immediately. pelase keep ac opy of the message for examination by Network Staff.
H) You must not deliberately interfere or attempt to interfere with the operation of the network or computer systems, or persist in any activity which Information Technology has identified as inadvertently interfering in this way.
I) You must not connect or attempt to connect any computer or network equipment to the UEL network without following the procedures laid down in the UEL Network Security Policy.
J) You must not operate any equipment or software designed to eavesdrop on network communications.
For further information, please contact the Information Technology Helpdesk, or your local user support.
As the administrator of a service on the UEL network, you have a set of responsibilities in addition to those laid out in the "Code of Practice for Users" relating to the UEL Network Security Policy. The policy is designed to allow any department, group or individual to offer a networked service, provided that appropriate security practices are followed.
Information Technology will provide advice and technical consultancy for making hosts secure, but you are responsible for the security of the host, and for carrying out the system administrator's role so as not to jeopardise the integrity of the UEL network, to ensure that the University does not breach the JANET acceptable use guidelines, and to ensure that the confidentiality of user data is respected.
Failure to discharge this responsibility could result in the disconnection of the host from the network, the removal of your network access rights, and in the most serious cases, to disciplinary action or civil or criminal prosecution. You must make sure that you understand your obligations under this code of practice, under the JANET acceptable use guidelines, and under the law.
The Computer Misuse Act 1990 makes it a criminal offence to attempt to gain unauthorised access to computer systems, and the Data Protection Act 1998 imposes duties with regard to acquiring, storing and handling information on other people. The Criminal Justice and Public Order Act 1994 amends the Obscene Publications Act, the Protection of Children Act and the Telecommunications Act 1978 to extend their provisions to computer networks, including data in coded form. You are also bound by the Copyright, Designs and Patents Act 1988, and the laws relating to theft with regard to "pirate" software.
A)
The administrator has responsibility for the security of the host, and implied responsibility for all users of the host. The administrator must ensure that security policy is enforced within the system(s) within their control. All users of the host must be made aware of and take seriously their responsibilities under the "User Code of Practice".
B) The administrator will not browse the contents of users' personal files without their permission. In cases of suspected security breach only, the administrator may use automatic means of searching for files and searching for data within files.
C) The administrator will not amend users' files without their consent. Files may only be deleted in emergency, and the administrator must inform the user of the action and the reason for it (email is an acceptable form of notification).
D) The administrator will draw up a `Host Code of Practice' which sets out the local policy on the definition of `personal files', and their treatment.
It is the responsibility of the Head of Department or Dean of Faculty owning the host to decide who is to be granted super-user privilege.
E) Where technically feasible, connection to the host as a super-user should not be permitted except at the system console. Administrators should connect under their personal ID, then assume privileged status, to preserve an audit trail.
F) Knowledge of the super-user password should be restricted to a short, explicit list of trusted users. The members of this list will be jointly and severally responsible for actions carried out with privileged status.
G) The following procedure will be followed to connect a host to the UEL network:
Information Technology will maintain a central host name table. This saves the administrator work in maintaining local host tables, and ensures that host and address information is consistent and up to date.
H) Where technically feasible, the host will use the Name Service for all address resolution.
To maintain the accountability necessary for the secure operation of an open network policy, it is necessary to be able to identify network users quickly and easily. For the purposes of integrating network services it is also desirable to have consistent user names and system IDs. Information Technology will maintain a central Login ID database for all authorised UEL users, comprising currently enrolled students, staff members, and other users sponsored by a member of staff.
I) The system administrator will only create login accounts for authorised users, taking the Login ID (and, where appropriate, the UID and GID) from the central list maintained by Information Technology.
If for some administrative reason an authorised user cannot be allocated a Login ID from this database, Information Technology will allocate a temporary ID for the user (with, where appropriate, a valid UID and GID). As soon as the permanent ID becomes available, Information Technology will contact the administrator, and will give any assistance required to change the Login ID.
J) No anonymous accounts will be created except in exceptional circumstances, with the sanction of the Network Security Unit, and having access only to a highly restricted range of services.
K) No shared accounts will be created, except where absolutely necessary, and under the condition that a list is kept of the users of the account, and that they are jointly and severally responsible for any action taken under the account.
Any account which remains unused for more than three months should be disabled.
L) The administrator must remove the login accounts of users who are no longer in the central database.
M) All login accounts will have a password.
N) A hidden password file will be used.
It is recommended that password ageing be used, and that the host uses password-changing software which detects and disallows easily-guessed passwords.
Information Technology will provide every authorised user with a mailbox which can be accessed from the host. Email administration is complex and can offer security loopholes, and it is important to retain the integrated UEL mail service and aliasing for external mail.
O) The host will not run any local mail transfer agent (MTA). However, where there is an overriding need to do so, it will be provided only with the prior agreement of the Network Security Unit.
The host should be physically secured and only accessible to authorised persons. Where this is impossible, for instance in laboratories of Unix workstations, strict system security must be maintained by the system administrator.
P) Where technically feasible, the system console must require the super-user password when the host is rebooted into its supervisory state.
Where particular security is required, the host should not be connected to a subnet of the network shared by public, unsupervised areas. Hosts such as central administration machines which hold confidential records should not, for instance, be located on the same network section as open-access student laboratories. Information Technology will advise which areas share a particular section of the network.
Hosts should only rely on user authentication from `trusted hosts' which are on physically secure parts of the network. Permitting super-user access from trusted hosts is strongly discouraged except wholly within such secure network sections.
The level of security which each host requires will depend on a variety of factors:
Information Technology will discuss the appropriate level of security for any service you wish to offer. Please note that many hosts will automatically start network services such as address or routing broadcasts, ftp, telnet and mail. The security implications of this should be discussed with the Network Security Unit prior to connecting to the network.
Example 1. Central Management Information host
This host would require a very high level of internal and network security. At the very least, it should disable all unused network services and install software to permit network connections only from designated hosts. The use of encryption for files, network sessions and mail should be actively considered. Network measures such as bridging and restrictive static routing should be discussed with Information Technology. The host should be physically secure and regular backups must be carried out.
Example 2. Departmental `Gopher' server
The minimum level of network and internal security would be adequate for this host, as it has no local users except the administrator, who logs in via the console. Physical and super-user password security would remain important. The system administrator will request Information Technology to grant or deny Internet access to the host. If Internet access is required, then it will be the responsibility of the administrator to uphold strict security procedures and correspondingly higher level of system security will be needed.
Q) The administrator will be responsible for preventing unauthorised network access of the host and ensuring that the host is not used for any activity contravening the Network Security Policy. If the host is to be used for the teaching of network security and network management techniques which would otherwise contravene the policy, the administrator must inform the Network Security Unit and with them ensure that the security of the wider network is not compromised by this activity.
R) The administrator will immediately report any breach of the Security Policy to the Network Security Unit. The report will include details of the breach together with evidence and copies of relevant logs and system files.
If the administrator has any doubt about the adequacy of security on a host, then they should contact the Network Security Unit for advice.
The administrator will monitor the use of the system and its security, so as to fulfil the foregoing obligations. The Network Security Unit will offer advice on methods and software.
Certain system information is needed to trace security breaches. In addition to the minimum statistics listed below, records of commands executed under each Login ID should be maintained. Additional logging information may be generated for each of the network services offered.
S) A record of logins and logouts on the host should be kept.
T) A record of users assuming super-user privilege will be kept.
U) The administrator will not amend any audit or system information which may be used as part of an audit trail in cases of security breach.
V) Audit information will be stored as part of the regular system backup procedures, or saved separately and stored in physically secured conditions for a minimum of six months.
The nominated administrator(s) of a host will be invited to join the UEL Systems Administrators Security Group, a forum for discussion of security issues and dissemination of information, a source of help on security matters, and a channel for input into the development of security policy.
For further information, please contact the Network Security Unit of Information Technology.
The University will consider any breach of security on the network as serious and may invoke the University Disciplinary Procedure where it is satisfied that a breach has been committed.
Detailed below is an example list of security breaches and an indication of the level of offence that each breach may be considered under in the Disciplinary Procedure. The list is not exhaustive or exclusive and similarly, the level of offence indicated may depend on the circumstances of individual cases.
|
Security Breach |
Disciplinary Level of Offence |
|
Disclosure of own password to another user |
Minor Offence |
|
Use of another user's password with their knowledge |
Minor Offence |
|
Disclosure of own password to a unauthorised user |
Serious Offence |
|
Sending anonymous mail |
Serious Offence |
|
Sending forged mail |
Serious Offence |
|
Reading another user's data except by properly granted access |
Serious Offence |
|
Disclosure of another user's password to a third party |
Serious Offence |
|
Eavesdropping on network communications |
Serious Offence |
|
Use of own super-user password to read a user's file |
Serious Offence |
|
Obtaining a super-user password without authorisation |
Serious Offence |
|
Amending another user's data except by properly granted access |
Major Offence |
|
Deleting another user's data except by properly granted access |
Major Offence |
|
Secretly obtaining and using another user's password |
Major Offence |
|
Use of own super-user password to amend a user's file |
Major Offence |
|
Disclosure of another user's super-user password to a third party |
Major Offence |
|
Unauthorised use of a super-user password |
Major Offence |
On initial discovery of a potential breach of security the Head of department may arrange for the immediate withdrawal of the employee's password whilst a full investigation is undertaken.
The sanctions applied in respect of the Security Policy shall generally fall within those specified in the University's Disciplinary Procedure as detailed in the staff handbook.
In addition, the line manager with disciplinary authority may at his/her discretion consider the extension of any disablement password where it is deemed appropriate.
This Procedure should be read in conjunction with the University's Disciplinary Procedure, details of which can be found in the Staff Handbook. Advice on application of the Procedure may be obtained from the Department of Personnel Services.
© 2009
Contact us:
Tel: 020 8223 2468
Email: servicedesk@uel.ac.uk
For a general description of these pages and an explanation of how they should work with screenreading equipment please follow this link:Link to general description
For further information on this web site's accessibility features please follow this link:Link to accessibility information
The following message does not apply to screenreader users:
You will still be able to access all the essential content of this web site, but it will not look, or function, exactly as intended.
