Network Security Policy

This applies to all staff and students and is designed to protect individual and institutional data and programs, and to preserve the UEL network as a resource for all members of the University.


Introduction

Security is imperative in any network system. However, with the complex nature of the UEL network, through connectivity with the outside world via the Internet and Joint Academic Network (JANET), it is even more important for UEL's network to be made as 'secure' as possible. There are real dangers of illegal infiltration and malicious abuse of systems, which UEL must guard against.

It is naturally best practice to protect any data and information resources in any set up. However, it is even more important in the complex nature of integrated network systems such as at UEL, used for and by differing user applications such as Payroll, Student Administration, Systems Development, Finance and other academia, across a large user base in a multi-site operation.

Therefore, there is an obligation on UEL to have formal procedures and practices to protect data and information resources. Furthermore, UEL practices are governed by external sources such as Computer related Acts of Parliament and links through HEFCE/UKERNA on Joint Academic Network (JANET).


Network Security Considerations

Network security considerations can be broken down into four key areas, with each area providing a firm backing towards a more 'secure' network system at the UEL.

1. Legal - The University is obliged under two major laws, The Data Protection Act (1998) and The Computer Misuse Act (1990), and other legislation, such as The Criminal Justice and Public Order Act 1994, Obscene Publications Act, The Protection of Children Act, The Telecommunications Act 1978, The Copyright, Designs and Patents Act 1988, to secure its computer systems and network. UEL shall endeavour to uphold its procedures and practices in line with these laws and, where a breach has taken place, will take appropriate action wherever possible.

2. External Bodies - The University is provided with a JANET (Joint Academic Network) link by JISC (Joint Information Systems Committee), a sub-committee of the Higher Education Funding Council on condition that it accepts and follows JISC's acceptable use guidelines. UEL will take appropriate actions, in so far as possible, to adhere to these guidelines.

3. Users - The user community will act responsibly and be aware of the associated risks and penalties for breaches. It will work closely with the system administrators and the UEL establishment to ensure that security of systems and networks is maintained at all times. A Computer Use Policy will be published.

4. Systems - Given the complexity of network systems with multiple and heterogeneous protocols, it is important to secure hosts by means of routers and/or 'firewalls'. IT Services will be responsible for management of routers and firewalls to provide a base level of security. These precautions should be taken by the System Administrators. IT Services is available to provide advice and technical and software expertise.

Policy Implementation and Codes of Practice

The Security Policy will be backed by the University's disciplinary procedures (for staff and students), and technical sanctions such as withdrawal of network access. Accordingly, all users, system administrators, schools and services will be fully informed of the Policy, and to this end, Codes of Practice such as the Computer Use Policy will be made available to everyone via our Human Resources and IT Services Webpages.

IT Security Team

This team will consist of existing staff with designated responsibility for Network Security. It will monitor security on the network, advise users, schools and services on security measures, and investigate breaches of security. This team will provide a central focus for information and expertise, and a single point of contact on security matters for external agencies such as the Police and the recently established JANET-CERT - the Computer Emergency Response Team operated by UKERNA.

Procedural and Technical Guidelines on Security

The Network Security Team will produce a technical implementation manual in conjunction with the System Administrators. System Administrators will be responsible for ensuring that all the users on their system have access to and understanding of the individual responsibility placed upon them as outlined in the policy, the technical guide and associated documentation.

Action in the Event of a Security Breach

The object of the security policy is to prevent breaches occurring. However, where it is found that breaches have occurred, the network access for that individual may be disabled pending full investigation, and the breach may result in formal action under the following procedures:

  • Employees Disciplinary Code and Procedures
  • General Regulations for Students.

Where the user involved is a non-UEL person, the UEL sponsor will be notified of the severity of the breach with a recommendation of action. The withdrawal of access may be extended following a disciplinary hearing where it is deemed appropriate.

Responsibilities

  • The University will aim to preserve the UEL network as a vehicle for teaching and learning, academic research and communication, and for the administration supporting the University. It will also fulfil its obligations as a member of the JANET and Internet community, by maintaining and publicising a security policy and providing the necessary resources to implement it.
  • The Network IT Security Team will be responsible for co-ordinating security issues and providing advice and central support for security measures on all hosts.
  • The Director of Services will be responsible for ensuring that the security standards are implemented as outlined in the policy document and associated publications (Procedural manuals, Computer Use Policy and any Technical Implementation Manuals, etc.).
  • System administrators are responsible for the secure operation of their hosts.
  • Users must observe the Computer Use Policy.

Review process

The security policy and associated procedures will be reviewed in the light of the decision for implementing new applications that directly or otherwise impact on the UEL Network.

  • Regular Reporting - The Director of IT Services will report on the implementation of the policy on a regular basis at each meeting of the IS/IT Strategy Group during the first year, then subsequently as appropriate.
  • Security procedures and policy - The IT Security Team will produce a brief report on all security breaches once a year around the implementation date. It will also carry out a review of the policy, and will put forward proposals to the IS/IT Strategy Group for implementing recommendations following the review.

Disciplinary Procedure for Staff

The University will consider any breach of security on the network as serious and may invoke the University Disciplinary Procedure where it is satisfied that a breach has been committed.

Detailed below is an example list of security breaches and an indication of the level of offence that each breach may be considered under in the Disciplinary Procedure. The list is not exhaustive or exclusive and similarly, the level of offence indicated may depend on the circumstances of individual cases.

| Security Breach | Disciplinary Level of Offence |
|---|---|
| Disclosure of own password to another user | Minor Offence |
| Use of another user's password with their knowledge | Minor Offence |
| Disclosure of own password to an unauthorised user | Serious Offence |
| Sending anonymous mail | Serious Offence |
| Sending forged mail | Serious Offence |
| Reading another user's data except by properly granted access | Serious Offence |
| Disclosure of another user's password to a third party | Serious Offence |
| Obtaining a super-user password without authorisation | Serious Offence |
| Use of own super-user password to read a user's file | Major Offence |
| Eavesdropping on network communications | Major Offence |
| Amending another user's data except by properly granted access | Major Offence |
| Deleting another user's data except by properly granted access | Major Offence |
| Secretly obtaining and using another user's password | Major Offence |
| Use of own super-user password to amend a user's file | Major Offence |
| Disclosure of another user's super-user password to a third party | Major Offence |
| Unauthorised use of a super-user password | Major Offence |

Disablement of User Password During Investigation

On initial discovery of a potential breach of security the Dean of School or Director of Service may arrange for the immediate withdrawal of the employee's password whilst a full investigation is undertaken.

Disciplinary Sanctions

The sanctions applied in respect of the Security Policy shall generally fall within those specified in the University's Disciplinary Procedure as detailed in the staff handbook.

In addition, the line manager with disciplinary authority may at his/her discretion consider the extension of any password disablement where it is deemed appropriate.

This Procedure should be read in conjunction with the University's Disciplinary Procedure, details of which can be found in the Staff Handbook. Advice on application of the Procedure may be obtained from HR Services.


Glossary of Terms

File Server - Computer providing central disk storage over a network
Hosts - Computers (usually offering network service)
HEFCE - Higher Education Funding Council for England
JANET - Joint Academic Network
JISC - Joint Information Systems Committee
Novell - Vendors of Netware network operating system
UKERNA - UK Education and Research Network Associations
Unix - Generic operating system for multi-user hosts
