IT Security Policy DEPARTMENT 1. Revised DATE. 1 Prepared and maintained by NAME OF MAINTAINER, JOB TITLE

Transcription

1 IT Security Policy DEPARTMENT 1 Revised DATE 1 Prepared and maintained by NAME OF MAINTAINER, JOB TITLE

2 Abstract This is not a legal document, but contains references to certain legal obligations which arise as a result of the Data Protection Act. It outlines the management of network and computing security in the DEPARTMENT and as such may be referred to as a System Level Security Policy. The policy applies to all DEPARTMENT networked systems both at DEPARTMENT premises and to DEPARTMENT-owned equipment located elsewhere. This document should be read in conjunction with the DEPART- MENT document Data access and data handling policy The content of this document is designed to be consistent with BS-7799 (BS :2000, BS ISO/IEC 17799:2000 Information technology - Code of practice for information security management ) and with the University of Oxford s Information Security Policy 1. Each section provides a statement of the relevant issues and, where appropriate, a brief policy summary. 1 Reference to be included here, once available

3 Contents Revision History 3 1 Definitions Network terminology Administrative and organisational Overview General Summary Computing staff Overall Computing Manager Other Computing Staff Duty of care Summary Systems, servers and services General Network physical layout Network provider Physical network Firewall Network topology Network services requiring authentication Connecting equipment to the network Publically-available network services Remotely-accessible network services Summary Staff and user accounts General Passwords Non-Computing Staff

4 5.2.2 Computing Staff Account removal Acceptable Use Policy Summary Remote access and home working Remote access Data resources Electronic mail Home working Remotely-accesssed server Summary Backups and data retention Backups Schedule Scope Data retention Data on network servers Data on physical media Media destruction Summary Access rights General Approval Summary Issue tracking General Staff issues System issues Assets Summary Maintenance, monitoring and reporting Maintenance Planned maintenance Unplanned maintenance Logging and reporting Security incidents Routine security updates Summary

5 Revision History Changes, DATE Important changes to the document should be recorded in the revision history. 3

6 1 Definitions 1.1 Network terminology DEPARTMENT network The general term DEPARTMENT network refers to the entirety of the computing and network resources at the DEPARTMENT premises. It includes: servers, switches, cabling, desktop PCs, laptops, printers, print servers and so on. DEPARTMENT network boundary The boundary of the DEPARTMENT network, from a network security standpoint, is the point at which the external Internet connection enters the DEPARTMENT firewall. From a physical security standpoint, the boundary is a little further upstream, at the point where the fibre cable leaves the confines of DEPARTMENT premises. Network server A network server is a single network-connected computer whose primary purpose is to provide one or more network services. A network server is typically kept in a controlled environment to allow 24/7 operation. Typically this means that servers are located in a dedicated airconditioned room, with power supply backup provided via UPS. Network service A network service is a feature of network functionality provided by a network server. Examples of network services are: electronic mail, file-serving, DNS, DHCP, LDAP, NTP and so on. A network service may be provided by a single network server or by more than one server when a degree of redundancy is required. Local network service A local network service is a network service which is made available to local DEPARTMENT staff only. It is not made available outside the confines of the local DEPARTMENT network. A local network service may or may not require authentication or authorisation. Public network service A public network service is available to both DE- PARTMENT staff and to others, world-wide. Public services typically require no authentication or authorisation. 4

7 Remotely-accessed network service A remotely-accessed network service is available to DEPARTMENT staff from locations outside DEPARTMENT s premises. These services require authentication and authorisation. System General term which may be used to refer to a server or service, or a group of servers or services; also occasionally to an entire network of servers, services and equipment. Desktop PC A desktop PC is the general term for a computer used in a DE- PARTMENT staff office. These PCs are carefully and consistently configured for use on the DEPARTMENT network. 1.2 Administrative and organisational Acceptable Use Policy The Acceptable Use Policy (AUP) is a document which all DEPARTMENT staff sign upon the start of their employment. It lays out expectations and limitations and indicates to staff what their responsibilities are with respect to use of the computing and network systems. Line manager A member of staff s line manager is the person to whom they are directly responsible. Often, a line manager must give prior approval for various computing-related activities. Study controller The person responsible for all data-related issues for a particular study. Normally, the study controller decides which members of staff are permitted to use or manage the data associated with that study. 5

8 2 Overview 2.1 General This document ensures that DEPARTMENT complies with all relevant legal requirements, such as the Data Protection Act (1998), and that general good practice is applied to the management of computer systems in DE- PARTMENT. With regards to data management, this is discussed in some detail in the companion document Data access and data handling policy. This document, however, discusses the responsibilities and procedures that should be followed when managing the network in a manner which allows us to meet these requirements in a reliable and secure way. The underlying principle of network management should be that, as far as is practically possible, services are provided in a manner that is secure by default. At the same time, one needs to acknowledge that the entire system needs to be useful and useable for staff. This document is maintained by the DEPARTMENT Computing Manager. Overall responsibility for the IT and computing security policies contained in this document lie with the Unit Director. 2.2 Summary Ensure compliance with the Data Protection Act 1 ; Follow the good practice guidance in Data access and data handling policy ; As far as possible, be secure by default. Document to be maintained by DEPARTMENT Computing Manager. Overall responsibility for the policy lies with the DEPARTMENT Unit Director. 1 DEPARTMENT s good practice will usually exceed the Act s minimum requirements 6

9 3 Computing staff 3.1 Overall DEPARTMENT has a Computing Manager and one or more further Computing Staff with a variety of responsibilities. 3.2 Computing Manager The Computing Manager has responsibility for the management of the DEPARTMENT network and all its systems. All other Computing Staff report directly to the Computing Manager on all matters. Decisions relating to the provision and security of all network services and equipment must be approved by the Computing Manager. The Computing Manager is responsible for all aspects of the computing and network services in DEPARTMENT. This includes: long-term strategy planning, ongoing maintenance, sourcing and provisioning of equipment, staff training (in the areas of technical skills, security awareness and data management), responding to technical issues, documenting and tracking technical and operational issues, monitoring servers and services, responding to security incidents, managing systems to ensure data availability, security and safety, and managing backups. The Computing Manager will delegate aspects of the above to other Computing Staff. 3.3 Other Computing Staff Other Computing Staff in DEPARTMENT are responsible to the Computing Manager and have a variety of individual roles and responsibilities. These roles and responsibilities will usually involve a degree of privileged access to some or all of the DEPARTMENT systems and as such the Data access and data handling policy applies. In addition, Computing Staff must observe the principles of an appropriate Duty of care (see section 3.4). 7

10 3.4 Duty of care The Computing Manager and other Computing Staff in DEPARTMENT, as part of their daily work, perform the kind of actions which will from time to time result in privileged or confidential information being seen. In general, all computing staff should follow a suitable code of ethics, such as that drawn up by S.A.G.E. 1 This encourages good practice at all times when handling systems and servers carrying data belonging to others, which may be of a sensitive or personal nature; it encourages integrity and responsibility. Further, it encourages a strong duty of care when managing systems on the DEPARTMENT network. IT staff may from time to time be asked to access files belonging to members of staff, for example to make them available to other staff during absences. Approval from one or more senior members of staff should be sought prior to doing so. 3.5 Summary Computing Manager has overall responsibility for the management of the DEPARTMENT network and system; Other Computing Staff report to the Computing Manager; All computing staff must exercise an appropriate duty of care in their daily work. 1 See 8

11 4 Systems, servers and services 4.1 General The DEPARTMENT network provides many services via a number of different servers. These services are provided to the DEPARTMENT network and typically fall into these categories: services for direct end-user use (such as Electronic Mail); services to support the network infrastructure and overall operation (such as DNS); The first category of services includes not only services normally and routinely used by all staff, but also services used solely by Computing staff for network management (so-called administrative systems, such as for issue tracking and documentation). For ease of management, every network server should have a clearlydefined role. Typically, this means that the services it provides are very clearly stated. Conversely, every network service should have a clearlydefined service provider. In general, service separation means that servers which provide end-user services do not also provide infrastructure services. This provides a system which is both easy to manage as well as being more secure. 4.2 Network physical layout Network provider The DEPARTMENT network is connected to the University of Oxford s campus-wide network via fibre cabling. This network connection is managed and maintained by the University s Computing Services. Apart from the provision of DEPARTMENT s external network connectivity, the University has no further role in the management or security of DEPARTMENT 9

12 systems, since this is by mutual agreement managed internally by DEPART- MENT. The University s Computing Services are responsible for the network up to the limit of the DEPARTMENT Network Boundary Physical network DEPARTMENT resides in a secure building with swipe-card access at all entry points. High-security areas, such as server rooms, are physically separate from other facilities, are provided with air conditioning and have additional locks in place. All systems in the server rooms are protected via UPS (uninterruptible power supply) to protect against service failure or data loss in the event of a power outage. The network comprises a number of fibre and copper cables which run underfloor and within the confines of the physically secure areas of the department. 4.3 Firewall The DEPARTMENT Firewall protects the entirety of the DEPARTMENT network from the outside world and also protects each sub-network within the DEPARTMENT network from the other sub-networks. The firewall enforces rules which determine what network traffic is allowed to flow across it. It operates using a default deny policy, meaning that all needed functionality has to be explicitly permitted via the firewall ruleset. Connections to the firewall itself are severely restricted, for firewall administration and monitoring only. 4.4 Network topology For reasons of security and ease of management, the DEPARTMENT network has a number of different, logical sub-networks. These are provided to allow careful separation of services and servers which perform different operations. For services which are designed to be used from non- DEPARTMENT locations (such as the web service), the servers that provide them are located in the DMZ (De-Militarized Zone) which is separated from DEPARTMENT local network services. A further separate, isolated subnetwork is provided for visiting staff to allow Internet access without exposing local DEPARTMENT network services. 10

13 4.5 Network services requiring authentication Many network services need authentication, usually requiring staff to provide their username and password. For security, whenever this is necessary the appropriate network communication is protected with strong encryption. Strong encryption is a well-defined term and in DEPARTMENT it means one of the following, depending on the protocol/context of the connection: the network traffic will be transparently encrypted using 128-bit or higher SSL, or equivalent SSH or TLS ciphers Connecting equipment to the network All network devices (PCs, laptops, printers, print servers) must be registered before they can be used on the DEPARTMENT network. Any unknown device which is plugged-in to the DEPARTMENT network will receive no network connectivity. 4.7 Publically-available network services The DEPARTMENT network itself is not used by other organisations. However, some services may be made available publically and for security reasons these are always provided by servers in the DMZ 2. No content of a confidential or sensitive nature is made available. 4.8 Remotely-accessible network services Some limited services are available to DEPARTMENT staff remotely: see section 6 for more details. Although these services are not restricted to the local DEPARTMENT network, they are only available to DEPARTMENT staff, since they require specific authentication and authorisation. 4.9 Summary Clearly define network services and the servers which provide them; Separate end-user systems from infrastructure systems and administrative systems; 1 Note that this does not specify the level of encryption required for explicitly encrypting datasets for distribution to other parties. For clarification on data encryption of this sort, please see the Data Handling And Data Access Policy. 2 As of January 2007, the only publically-available network service is the DEPARTMENT web site. 11

14 Keep local and public services on separate subnets; Ensure that only appropriate, non-sensitive information is made available via public services; Lock down the firewall: deny by default ; Ensure that no alien equipment can operate on the DEPARTMENT network. 12

15 5 Staff and user accounts 5.1 General All DEPARTMENT staff are given a basic network account which allows them to send and receive and to store files on a network fileserver. By default, this will not include any access to sensitive or confidential data. Additional resources will be provided as required and will normally need to be approved by either a study controller (in the case of data resources) or by the Computing Manager (in the case of server-level resources). 5.2 Passwords Non-Computing Staff Staff are assigned their username upon arrival in DEPARTMENT and an initial password. Staff must change their password to one of their own choice immediately and thereafter passwords must be changed at intervals no longer than 90 days. As per the AUP (see section 5.4) staff are also instructed to change their password if it has been inadvertently revealed to another person; equally, sharing of usernames and passwords with others is not permitted Computing Staff All Computing Staff have a normal username and password like other staff: routine work will be carried out using that username. However, depending on operational requirements Computing Staff may also be given additional passwords for various network resources, such as the root password for one or more servers, or the access password for network infrastructure equipment such as switches. It is current policy that all such non-user passwords will be changed immediately when any member of Computing Staff leaves DEPARTMENT. 13

16 5.3 Account removal When DEPARTMENT staff leave, their account is normally disabled immediately and a date set for archival or deletion. Exact policy is determined on the nature of the staff post 1. In all circumstances, however, account disabling or deletion is set on a timetable, to ensure that old accounts are not left open. 5.4 Acceptable Use Policy The Acceptable Use Policy (AUP) is signed by all DEPARTMENT staff upon the start of their employment. It lays out expectations and limitations and indicates to staff what their responsibilities are with respect to use of the computing and network systems, and to matters of data protection and confidentiality. It is expected that all staff will adhere to the spirit as well as the letter of this document. It details general usage guidelines for electronic mail and internet usage as well as underlying the broad policy of If unsure whether something is permitted, ask for permission. Staff s attention is drawn to responsibilities relating to the Data Protection Act and the Computer Misuse Act. Staff are also required to sign a Confidentiality Statement, which indicates their understanding that they must treat confidential data appropriately. 5.5 Summary By default, new staff get a minimal account setup; Passwords must be changed regularly, or if compromised or believed to be compromised; Passwords must not be shared with others; System passwords are available only to the Computing Manager and to appropriate additional Computing Staff and are routinely changed following Computing staff departure; Staff accounts are disabled or deleted, or scheduled for disabling or deletion, upon staff departure. All staff are required to sign the DEPARTMENT Acceptable Use Policy and Confidentiality Statement. 1 For example, scientific staff often submit papers while in DEPARTMENT that are published later, requiring some management of correspondence arising as a result 14

17 6 Remote access and home working 6.1 Remote access Data resources Remote access to DEPARTMENT local network systems 1 is not possible Electronic mail A limited web-based service is in place for the DEPARTMENT network. Staff are able to access their from non-department locations using appropriate authentication and authorisation. The server is located in the DMZ (see 4.4) which keeps it physically and logically separate from the rest of the DEPARTMENT network. This is deliberately very limited, so that the provision of this service is not a risk to data confidentiality. 6.2 Home working Some DEPARTMENT staff work at home (or elsewhere), using a DEPARTMENTsupplied laptop. As described in Data access and data handling policy no confidential or sensitive data may be taken out of DEPARTMENT. As described in section above, staff working from home have no remote access to DEPARTMENT local network services and this includes any data held in DEPARTMENT systems. 6.3 Remotely-accesssed server Staff have remote access to a dedicated server for storing files and documents, and for working on them. This server contains no confidential material of any kind and its use provides no access to confidential material 1 see section 1.1 for a definition of local in this context 15

18 or data on DEPARTMENT local network systems. For security reasons, this dedicated server is logically located outside DEPARTMENT s local network. 6.4 Summary No remote access to local network services is permitted; Remote access to electronic mail is available to all staff; Some staff work at non-department locations, but with no access to any DEPARTMENT systems, including data held in DEPARTMENT systems. 16

19 7 Backups and data retention 7.1 Backups Schedule There are two independent backup rotations in use: All DEPARTMENT network servers undergo daily backup en masse to magnetic tape. Daily backups are kept on site for four weeks and then reused (i.e. overwritten with new backups). Daily backup tapes are stored in a secure fire safe in the IT Office, which is a secure area as described in section 4.2.2; Separate, monthly off-site backups are made: the backup tapes are kept at a secure, off-site location. Off-site backups are kept for six months and then reused. From time to time additional, ad-hoc backups may be made. No backup is kept for more than two years. Any backup tape older than two years will either be reused or destroyed. The content of all backup tapes is encrypted using 256-bit AES Scope In general, only staff data files and general configuration information is backed-up from each server. Operating system files and programs are considered easily replaceable via reinstallation and are not backed-up. 7.2 Data retention Data on network servers The vast majority of data files are stored on a shared fileserver. Data which is no longer required will be deleted in a secure manner 1 which is designed to render attempts at recovery impractical. 1 This would use a utility such as GNU Shred 17

20 7.2.2 Data on physical media Data on physical media which is deemed sensitive or to contain confidential information will be stored in a secure, locked location when not in use and will be physically destroyed when no longer required. 7.3 Media destruction Hard disks for destruction will be physically destroyed, or damaged beyond use, typically using a hammer to break the disk platters. CD and DVD media will be broken into a number of individual pieces. Tapes will be unspooled and cut into many pieces. 7.4 Summary DEPARTMENT servers are backed-up to tape daily; Monthly off-site backups are taken; Backups are kept for a maximum of two years, often much less; Physical media are kept in a secure location and destroyed when no longer required; Sensitive data on shared fileservers are shred -ed when no longer required. 18

21 8 Access rights 8.1 General Access rights to data resources, datasets and databases are assigned only to staff requiring them for their job and are unavailable to everyone else. For more details, see Data handling and data access policy. 8.2 Approval Study controllers or project leaders must give permission on an individual basis to allow staff to access specified data resources. 8.3 Summary Staff have access to necessary data resources only; Approval by study controller is required. 19

22 9 Issue tracking 9.1 General There are many issues, questions, tasks and problems that may arise when running the DEPARTMENT network. Having a means of keeping track of them all in a flexible manner is vital. Being able to review past issues is important, so that similar problems arising in future can be dealt with more easily. 9.2 Staff issues Staff often have questions and will report problems. Tracking these issues is important to ensure that all matters are dealt with in a timely manner and that staff are kept informed as work is progressing. Generally, userspecific issue-tracking should be kept confidential since sensitive matters may be discussed. 9.3 System issues The Computing Staff and other DEPARTMENT technical staff can discuss more general technical issues via a local, open issue-tracking system. Unless security-sensitive information is to be discussed, all such technical discussion should be open. This encourages accountability and transparency and thus trust in the management of the network. 9.4 Assets All computing systems and related equipment in DEPARTMENT have a DEPARTMENT Computing Item Number asset tag. This is used as an identifier when recording issues with DEPARTMENT computing equipment, allowing an equipment history to be kept easily. 20

23 9.5 Summary Track staff requests and reports, and keep them private; Wherever possible document and discuss all non-sensitive network matters in the open; Affix asset tags to all DEPARTMENT computing equipment for the purposes of tracking. 21

24 10 Maintenance, monitoring and reporting 10.1 Maintenance Planned maintenance From time to time, it will be necessary to carry out maintenance work on one or more network servers which will require a service outage. When this happens, staff will be notified in advance, with the notice period broadly proportional to the expected outage duration. Whenever possible and appropriate, such maintenance will be done out of normal office hours Unplanned maintenance Occasionally emergency maintenance is required, such as if a piece of equipment develops a fault or fails. In these circumstances, Computing Staff will aim to meet the combined goals of: bringing the equipment back into service as quickly as possible; ensuring that data loss does not occur; keeping all staff informed of the problem and of expected resolution time, plus the implications (if any) of the outage; documenting the events and countermeasures employed, for future inspection Logging and reporting All network servers and services provide logging and reporting information which is sent to a central log server. These log files are scanned every few minutes for anomalous entries which are ed to all computing staff for inspection. These entries will include hardware diagnostics and security alerts (ie: from trivial matters such as mistyped passwords up to more 22

25 serious issues such as external attempts to access DEPARTMENT systems by intruders and notification of attempts to connect alien equipment to the DEPARTMENT network.) The DEPARTMENT firewall operates as a NAT device and as a result, full logs of the NAT translations are kept for 60 days Security incidents If a serious security incident, such as a server compromise by an intruder, occurs details must be recorded regarding the nature of the incident and a description of the repercussions. All individuals and groups affected by the incident should be informed. Depending on the nature of the incident, appropriate further action will be taken. Usually, any system which is suspected to have been compromised will be taken off the network and isolated for examination, during which time staff have no access. It is a policy that if examination shows any server to have been compromised, it will undergo a complete operating system reinstallation Routine security updates DEPARTMENT servers run operating systems which allow security updates to be installed very easily. Every server will be kept up-to-date with security updates as they are released by the operating system vendor. Computing Staff are subscribed to the appropriate mailing lists so that they are immediately aware when this is necessary. This procedure is especially important for public-facing systems in the DMZ. Core software on Desktop PCs is kept up-to-date with security patches and fixes on a regular basis Summary Routine, planned maintenance will be carried out with minimal disruption to staff and will be advertised in advance; Unusual log messages will be inspected by Computing staff; Servers and desktops will be kept up-to-date with security updates. 1 To date, this has never been necessary 23