Queen's University Network Security Policy

Approved by Senate April 4, 2002

March 19, 2002

Purpose

This policy establishes responsibility and authority for security of the campus data network. While recognizing that easy access to and from the Internet is important to the academic mission of the University, the goals of this policy are to:

1. safeguard the integrity and availability of the campus data network;
2. reduce threats to integrity and availability of computer systems connected to the network;
3. reduce the likelihood that computers on campus are used to attack other organizations, bringing liability and disrepute to the University.

Responsibilities

The responsibility for security of computing and communication systems rests with the systems administrators who manage those systems. Information Technology Services (ITS) will help systems administrators carry out these responsibilities to the extent possible with available resources.

The Vice Principal (Operations and Finance) will be responsible for actions pursuant to this policy.

Heads of all Departments and units with computing or communication devices connected to the campus network will:

• Designate an individual with the responsibility to create and maintain a current contact list of individuals who are responsible for the computer(s) for each location in the department/unit.
• Provide ITS with the names, e-Mail addresses and telephone numbers for at least two different contacts: a primary technical contact (usually a System Administrator); and a supervisor contact.

Information Technology Services will:

• Prepare and publish security alerts, notices, recommendations and guidelines for network and system administrators.

• Monitor backbone network traffic, as necessary and appropriate, for the detection of unauthorized activity and intrusion attempts.

  • When a security problem (or potential security problem) is identified ITS will seek the co-operation of the appropriate contacts for the systems and networks involved in order to resolve such problems, but in the absence or unavailability of such individuals may need to act unilaterally to contain the problem, up to and including temporary isolation of systems or devices from the network, and notify the responsible system administrator when this is done.

• Carry out and review the results of automated network-based security scans of the systems and devices on University networks in order to detect known vulnerabilities or compromised hosts.

  • ITS will inform the departmental system administrators of planned scan activity providing detailed information about the scans, including time of scan, originating machine, and test and vulnerabilities tested for. The security, operation or functionality of the scanned machines should not be endangered by the scan.

  • ITS will report the results of scans that identify security vulnerabilities only to the departmental system administrator contact responsible for those systems.

  • ITS will report recurring vulnerabilities over multiple scans to departmental management.

  • If identified security vulnerabilities, deemed to be a significant risk to others and which have been reported to the relevant system administrators, are not addressed in a timely manner, ITS may take steps to disable network access to those systems and/or devices until the problems have been rectified.

• Provide assistance and advice to system administrators to the extent possible with available resources.

• Issue semi-annual requests to verify the accuracy of departmental contact information.

• Co-ordinate investigations into any alleged computer or network security compromises, incidents and/or problems.

• Co-operate in the identification and prosecution of activities contrary to University policies and/or the law. Actions will be taken in accordance with relevant University Policies, Codes and Procedures with, as appropriate, the involvement of the Campus Security and law enforcement agencies.

• Report to the Vice Principal (Operations and Finance) for action.

• Report annually to Senate and Senate Information Technology Committee on experience relating to this policy.

"System Administrator" refers to the individual who is responsible for system and network support for computing devices in a local computing group. In some instances, this may be a single person while in others the responsibility may be shared by several individuals some of whom may be at different organizational levels. If an administrator is not designated, the owner of a computer is considered the System Administrator. System Administrators will:

• Endeavour to protect the communication networks and computer systems for which they are responsible.

• Endeavour to employ ITS recommended practice and guidelines where appropriate and practical.

• Co-operate with ITS in addressing security problems identified by network monitoring.

• Address security vulnerabilities identified by ITS scans deemed to be a significant risk to others.

• Report significant computer security compromises to ITS Information Security Officer.

Violations

The Queen's University Computer User Code of Ethics states, among other things, individual responsibility for taking precautions against others obtaining unauthorized access to computing resources, and against adversely affecting others. As this Network Security Policy represents minimal precautions that must be taken in today's environment to meet this obligation, failure to act in accordance with this policy may be considered a violation of the Code, and subject to the Computer Abuse Procedures of the Code.

Revision Process

This policy will be evaluated annually by Information Technology Services, in consultation with the Senate Information Technology Committee and the Administrative Computing Steering Committee, and revised if necessary.

---

Acknowledgement:
Thanks to the University of Toronto for permission to use text from the CNS Network Security Policy.