Network Security Policy

Transcription

1 KILMARNOCK COLLEGE Network Security Policy Policy Number: KC/QM/048 Date of First Issue: October 2009 Revision Number: 3 Date of Last Review: October 2011 Date of Approval \ Issue May 2012 Responsibility for AP, Finance & Estates Review: Date of Next Review: May 2013 Page 1

2 Contents 1 Purpose 2 Scope 3 General Policy 4 Responsibilities 5 System Access Control 6 Log-in/Log-off 7 Process for Granting System Privileges 8 Establishment of Access Paths 9 Computer Viruses, Worms and Trojan Horses 10 Portable Computers 11 Remote Printing 12 Associated Documents 13 Review Date Page 2

3 1.0 Purpose 2.0 Scope The purpose of this policy is to ensure the appropriate protection of Kilmarnock College information handled by computer networks. This policy applies to all employees, contractors, consultants, students and other workers at Kilmarnock College, including those workers affiliated with third parties who access Kilmarnock College computer networks. Throughout this policy, the phrase network user will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by and/or administered by Kilmarnock College. 3.0 General Policy All information travelling over the college computer network that has not been specifically identified as the property of other parties will be treated as though it is a Kilmarnock College corporate asset. It is the policy of Kilmarnock College to prohibit unauthorised access, disclosure, duplication, modification, diversion, destruction, loss, misuse or theft of this information. In addition, it is the policy of the college to protect information belonging to third parties that has been entrusted to Kilmarnock College in a manner consistent with its sensitivity as well as in accordance with all applicable agreements. 4.0 Responsibilities The Head of College Systems & Estates Services, Assitant Principal Finance & Estates, ICT Service Leader and the members of the Curriculum Management team shall be responsible for: A periodic review of the Network Security policy Approving new or modified information security policies The Head of College Systems & Estates Services in conjunction with the ICT Service Leader are responsible for establishing, maintaining, implementing, administering and interpreting organisation-wide information systems security policies, standards, guidelines and procedures. Therefore the Head of College Systems & Estates Services and the ICT Service Leader are also responsible for activities related to this policy. While responsibility for information systems security on a day-to-day basis is every network user s duty, specific guidance, direction and authority for information systems security is centralised for all of the college in the ICT Services Department. Accordingly, this department will perform information system risk assessments, prepare information systems security action plans, Page 3

4 evaluate information security products and perform other activities necessary to assure a secure information systems environment. Curriculum Managers, Heads of Departments and Managers are responsible for ensuring that the appropriate computer and communication system security measures are observed in their areas. Curriculum Managers, Heads of Departments and Managers are also responsible for making sure that all network users within their faculty or department are aware of the college policies relating to computer and communication system security. Network users are responsible for complying with this and all other college policies defining computer and network security measures. Network users are also responsible for bringing all known information security vulnerabilities and violations that they notice to the attention of the Head of College Systems & Estates Services. 5.0 System Access Control End-User Passwords Network users must always choose fixed passwords that are difficult-to-guess. This means that passwords must NOT be related to a user s job or personal life. For example, a car license plate, a spouse s name or fragments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms and slang must not be used. Where such systems software facilities are available, users must be prevented from selecting easily-guessed passwords. Network users can choose easily remembered passwords that are at the same time difficult for unauthorised parties to guess if they: a) String several words together (the resulting passwords are also known as pass phrases ) b) Shift a word up, down, left or right one row on the keyboard c) Bump characters in a word a certain number of letters up or down the alphabet d) Transform a regular word according to a specific method, such as making every other letter a number reflecting its position in the word e) Combine punctuation or numbers with a regular word f) Create acronyms from words in a song, a poem or other known sequence of words g) Deliberately misspell a word (but not a common misspelling) h) Combine a number of personal facts like birth dates and favourite colours i) Combine numbers, letters and symbols to create a word Page 4

5 Network users must not construct passwords that are identical or substantially similar to passwords that have been previously employed. Where systems software facilities are available, users must be prevented from reusing passwords. Network users must not construct passwords using a basic sequence of characters that is then basically changed based on the date or some other predictable factor. For example, network users must NOT employ passwords such as X34JAN in January or Z34FEB in February etc. Passwords must not be written down and left in place where unauthorised persons might discover them. Aside from the initial password assignment and password reset situations, if there is a reason to believe that a password has been disclosed to someone other that the authorised user, the password must be immediately changed by the user. Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorised user. To do so exposes the authorised user to responsibility for actions that the other party takes with the disclosed password. If users need to share computer resident data, they should use electronic mail, public directories on local area network servers, and other mechanisms. This policy does not prevent the use of default passwords typically used for the new user ID assignment or password reset situations which are then immediately changed when the user next logs onto the involved system. All passwords must be immediately changed if they are suspected of being disclosed, or known to have been disclosed to anyone beside the authorised user. 6.0 Log-in/Log-off All network users must be positively identified prior to being able to use any multi-user computer or communication system resources. Positive identification for internal Kilmarnock College networks involves both a user-id and a fixed password, both of which are unique to an individual user. 7.0 Process for Granting System Privileges Requests for new user-ids and changed privileges must be in writing and approved by the user s manager before an ICT Service Leader fulfils these requests. To help establish accountability for events on the related systems, documents (usually in electronic form) reflecting these requests must be retained for a period of at least a year. Page 5

6 Individuals who are not Kilmarnock College employees must not be granted a user ID or otherwise be given privileges to use Kilmarnock College computers or networks unless advance written approval of a Department Head, Curriculum Manager and Manager had first been obtained. Privileges granted to users who are not Kilmarnock College employees must be granted for periods of 90-days or less. As needed, users who are not Kilmarnock College employees must have their privileges re-authorised by the sponsoring department head every 90 days. Network users must not test, or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the Head of College Systems & Estates Services. Incidents involving unapproved system cracking (hacking), password cracking (guessing), file decryption, bootleg software copying, or similar unauthorised attempts to compromise security measures may be unlawful, and will be considered serious violations of Kilmarnock College policy. Customer requests that Kilmarnock College security mechanisms be compromised must NOT be satisfied unless: a) The Head of College Systems & Estates Services approves this in advance; or b) The college is compelled to comply by law Likewise, short-cuts bypassing systems security measures are absolutely prohibited. The system privileges granted to users must be re-evaluated by college management every six months. In response to feedback from college management, the ICT Service Leader must promptly revoke all privileges no longer needed by users. College management must promptly report all significant changes in a network user s duties or employment status to the Head of College Systems & Estates Services. Human Resources must also issue a status change to the ICT Service Leader who might be responsible for a system on which the involved network user might have a user-id. 8.0 Establishment of Access Paths Changes to Kilmarnock College internal networks including loading software, changing network addresses, reconfiguring routers, adding dial-up lines etc. With the exception of emergency situations, all changes to Kilmarnock College computer networks must be approved in advance by the ICT Services Department except as explicitly delegated by ICT Services Department. Page 6

7 Emergency changes to Kilmarnock College networks must only be made by persons who are authorised by the Head of College Systems & Estates Services. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorised disclosure of information, and other problems. This process applies not only to network users as defined in the Scope section of this policy, but also to vendor personnel. Network users must NOT establish electronic bulletin boards, local area networks, FTP servers, web servers, modem connections to existing local area networks, or other multi-user systems for communicating information without the specific approval of the Head of College Systems & Estates Services. Likewise, new types of real-time connections between two or more in-house computer systems must not be established unless such approval has been obtained. This policy helps to ensure that all Kilmarnock College systems have the controls needed to protect other network-connected systems. Security requirements for a network-connected system are not just a function of the connected system; they are also a function of all other Kilmarnock College connected systems. Participation in external networks as a provider of services that external parties rely on is expressly prohibited unless two conditions are first fulfilled. Specifically, Kilmarnock College legal advisorsl must identify the legal risks involved, and then the Assitant Principal Finance & Estates must expressly accept these and other risks associated with the proposal. Acting as an Internet node is an example of such participation. 9.0 Computer Viruses, Worms and Trojan Horses A computer virus is an unauthorised program that replicates itself, attaches itself to other programs and spreads onto various data storage media (floppy disks, magnetic tapes, random access memory etc) and/or across a network. The symptoms of virus infection include much slower computer response time, inexplicable loss of files, changed modification dates for files, increased file sizes and total failure of computers. To assure continued uninterrupted service for both computers and networks, all microcomputer (Apple Mac and PC) users must keep approved virus screening software enabled on their computers. This screening software must be used to scan all software coming from either third parties or other Kilmarnock College departments. This scanning must take place before the new software is executed. Users may not bypass scanning processes that could stop the transmission of computer viruses. Users are responsible for eradicating viruses from all microcomputer systems under their control whenever viruses have been detected using software installed by Kilmarnock College staff. As soon as a virus is detected the involved user(s) must immediately contact the ICT Services Department to ensure that no further infection takes place. Page 7

8 10.0 Portable Computers Network users in the possession of a portable, laptop, notebook, palmtop and other transportable computers containing secret or confidential Kilmarnock College information, should not leave these computers unattended at any time unless the information is stored in encrypted form. To prevent unauthorised disclosure, network users in the possession of transportable computers containing unencrypted secret or confidential Kilmarnock College information must not check these computers in airline luggage systems, with hotel porters etc. These computers must remain in the possession of the traveller as hand luggage. Whenever secret or confidential information is written to floppy disk, magnetic tape, smart card or other storage media, the storage media must be suitably marked with the highest relevant sensitivity classification. When not in use, this media must be stored in a locked safe, locked furniture or similarly secured location Remote Printing Printers must not be left unattended if secret or confidential information is being printed or will soon be printed. The persons attending the printer must be authorised to examine the information being printed. Unattended printing is permitted if the area surrounding the printer is physically protected such as that persons who are not authorised to see the material being printed may not enter. All network or systems software malfunctions must be immediately reported to the ICT Services Department and/or the involved external information system service provider. Ignoring these malfunctions could lead to serious problems such as lost or damaged information as well as unavailable network services Associated Documents Staff Disciplinary Procedure Data Protection Policy USB Memory Stick Policy KC/PM2/OP39 KC/QM/016 KC/QM/064 Page 8

9 13.0 Review Date This policy will be reviewed in May 2013, the review will be lead by the assistant Principal for Fiance & Estates Page 9