1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...



Similar documents
Network Security Policy

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

ULH-IM&T-ISP06. Information Governance Board

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Rotherham CCG Network Security Policy V2.0

How To Ensure Network Security

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

Mike Casey Director of IT

Information and Communication Technology. Firewall Policy

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Newcastle University Information Security Procedures Version 3

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

How To Protect Decd Information From Harm

U06 IT Infrastructure Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

NETWORK SECURITY POLICY

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Developing Network Security Strategies

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

INFORMATION TECHNOLOGY SECURITY STANDARDS

ADM:49 DPS POLICY MANUAL Page 1 of 5

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Network Security Policy

Policy Document. Communications and Operation Management Policy

NETWORK SECURITY POLICY

University of Liverpool

INFORMATION GOVERNANCE POLICY: NETWORK SECURITY

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Shield Solution Matrix for CIP Security Standards

Information Security Policy

HIPAA Security Alert

1B1 SECURITY RESPONSIBILITY

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

University of Sunderland Business Assurance Information Security Policy

Supplier Security Assessment Questionnaire

Information Security

Central Agency for Information Technology

Information Security Policy

FINAL May Guideline on Security Systems for Safeguarding Customer Information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Information Technology Services

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Payment Card Industry Self-Assessment Questionnaire

Information security controls. Briefing for clients on Experian information security controls

Network Security Policy

Information Security Policies. Version 6.1

ISO27001 Controls and Objectives

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Miami University. Payment Card Data Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy

Wi- Fi settings for Windows XP

ICANWK406A Install, configure and test network security

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

TECHNICAL SECURITY AND DATA BACKUP POLICY

Data Network Security Policy

Codes of Connection for Devices Connected to Newcastle University ICT Network

PCI Requirements Coverage Summary Table

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Payment Card Industry Data Security Standard

ABERDARE COMMUNITY SCHOOL

Information Resources Security Guidelines

PCI DSS Requirements - Security Controls and Processes

Autodesk PLM 360 Security Whitepaper

GE Measurement & Control. Cyber Security for NEI 08-09

Supplier Information Security Addendum for GE Restricted Data

Dublin Institute of Technology IT Security Policy

IBX Business Network Platform Information Security Controls Document Classification [Public]

Network & Information Security Policy

The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

ISO Controls and Objectives

PCI v2.0 Compliance for Wireless LAN

Section 12 MUST BE COMPLETED BY: 4/22

NETWORK SECURITY GUIDELINES

Eduroam wireless network Windows Vista

Network Security & Connection Policy

Catapult PCI Compliance

PCI Requirements Coverage Summary Table

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Intel Enhanced Data Security Assessment Form

MSP Service Matrix. Servers

Canterbury College Eduroam Wi-Fi Guide

Transcription:

Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless Network... 6 9 Third Party Access Control to the Network... 7 10 External Network Connections... 7 11 Maintenance, contracts, backup and recovery... 7 12 Protection and Malicious attack... 8 13 Enforcement... 8 Information Services (IT), Edinburgh Napier University Page 1 of 8

1 Purpose 1.1 The sets out the specific responsibilities, conditions and practices to ensure an available, secure and protected Network 1.2 This policy takes into account the requirements of the Data Protection Act and ISO27001:2013 2 Scope 2.1 This policy sets out the requirements, roles and responsibilities for a secure Edinburgh Napier University Network. Edinburgh Napier University, Information Systems will; 2.1.1 Ensure, where reasonably practicable, that the Network supports the diversity of uses and applications required from the University community, its researchers and partners 2.1.2 Ensure availability 2.1.3 Protect the Network from unauthorised access 2.1.4 Protect the Network from accidental disruption 2.1.5 Protect confidentiality 2.1.6 Ensure network access can be audited 2.1.7 Define what the Network may be used for and what is not acceptable 3 Roles and Responsibilities 3.1 Information Security Board will: 3.1.1 Support administrators in defining appropriate user groups and roles to support Role-Based Access Control (RBAC). 3.1.2 Audit user and access lists on a quarterly basis to ensure that unauthorised attempts are identified and for anomalies in Super User access. 3.1.3 Perform annual policy and procedure reviews. 3.2 Network Services & Security Team will: 3.2.2 Create and maintain procedures, and document all necessary Network and Network Security configurations. 3.2.3 Monitor and analyse Network traffic for optimum performance and security. 3.3 All Network Users will act responsibly at all times and be aware of the associated risks and penalties for breaches of this policy. Information Services (IT), Edinburgh Napier University Page 2 of 8

4 Physical & Environmental Security 4.1 All core network switching, management systems and port distribution systems will be housed in a secure location with UPS and access control. These secure areas will; 4.1.1 Allow entry to secure areas housing critical or sensitive Network equipment only to those who are authorised to do so 4.1.2 Have code or card access systems 4.1.3 Only allow visitors or 3 rd party access with IS authorisation. A list of authorised users will be maintained and regularly reviewed. 4.1.4 Have smoking, eating and drinking prohibited 4.2 All visitors or 3 rd party access must have agreed to the University Information Security Policies prior to accessing the secure Network areas and must be made aware of security requirements. 4.3 All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out. 5 Access Control to the Network 5.1 Access to the network will require a secure log-on procedure (See Edinburgh Napier University Access Control Policy). 5.2 Registration and de-registration procedure for access to the network will, in the first instance, be driven from the HR System to create employee/staff access and from the Student Records System for student and researcher access. Separate authorisation will be required for remote access to the network. 5.3 Access rights to the network will be allocated on the requirements of the user s job, rather than on a status basis. 5.4 Security privileges (i.e. 'Power user' or network administrator rights) to the network will be allocated on the requirements of the user s job, rather than on a status basis. A list of which will be securely maintained and reviewed regularly. 5.5 Users will be sent a Terms of Use agreement on application, which they must familiarise themselves with. 5.6 All users to the network will have a unique user identification and password. 5.7 Users are responsible for ensuring their password is kept secret (see Edinburgh Napier University Access Control Policy and User Policy) 5.8 User access rights will, upon notification from the HR or Student Records Systems, be removed or reviewed for those users who have left the University. Information Services (IT), Edinburgh Napier University Page 3 of 8

6 Firewall Standards 6.1 A firewall is defined as any hardware and/or software designed to examine network traffic using policy statements (rule set) to block unauthorised access while permitting authorised communications to or from either a network or electronic equipment. 6.2 All network (physical) firewalls installed and implemented, must be implemented by the Network Services & Security Team. 6.2.1 All firewall modification requests must be logged in the Information Services call logging system (RMS) 6.2.2 All changes to firewall rule sets will be documented (recorded in RMS) 6.2.3 All related documentation is to be retained by the Network Services & Security Team and is subject to regular review by the Information Security Board. 6.3 All firewall implementations must adopt the position of "least privilege" and deny all inbound traffic by default (the initial rule set should be set to logging or learning mode to prevent service interruptions). The rule set should be opened incrementally to only allow permissible traffic. 6.4 Firewalls must be installed within production environments where Legally/Contractually Restricted Information is captured, processed or stored, to help achieve functional separation between web-servers, application servers and database servers. 6.5 Firewall rule sets and configurations require annual review to ensure they afford the required levels of protection. 6.6 Network Services & Security Team must review and agree all network firewall rule sets and configurations during the initial implementation process. 6.6.1 Firewalls protecting enterprise systems must be reviewed twice a year; firewall administrators and IS must collaborate on this review. 6.6.2 Firewalls not protecting enterprise systems must be reviewed annually by a responsible firewall administrator. 6.6.3 Firewall administrators must retain the results of firewall reviews and supporting documentation; all results and documentation are subject to regular review by the Information Security Board or University s Auditors. 6.6.4 Firewall rule sets and configurations must be backed up frequently to alternative storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rule sets and configurations and backup media must be restricted to those responsible for administration and review. 6.6.5 Any University entity operating under an e-merchant license is required to have properly configured firewalls in place to protect credit card data and comply with Payment Card Industry/Data Security Standards (PCI/DSS). Information Services TS will not operate any firewalls installed for the purpose of PCI/DSS compliance. University organisations requiring PCI/DSS compliance should contract with a PCIcompliant vendor. Information Services (IT), Edinburgh Napier University Page 4 of 8

6.6.6 Network firewall administration logs (showing administrative activities) and event logs (showing traffic activity) are to be written to alternative storage (not on the same device) and reviewed regularly. 6.7 Network Services & Security Team will execute approved changes to the firewall rule sets on behalf of the University. 7 Wired network 7.1 Only university owned equipment may be connected to the wired University Network. This includes network services supplied to all campuses and University buildings. 7.2 Personal laptops are not eligible for wired network connections. The University does provide wireless networks, which are for mobile computing connectivity including; laptops, mobile phones and smart devices. Where Laptops or mobile devices require physical network connection this must be formally requested and then logged and supported by IS 7.3 Use of network addresses other than those provided by Information Services are prohibited. 7.4 Access to networking equipment in data centres and communications rooms is limited to Information Services staff and authorised personnel only. 7.5 Only one device may be connected to any physical wired network port. No hubs, switches, wireless access points or routing devices may be connected, directly or indirectly, without prior agreement from Information Services. 7.6 Network Services & Security Team has the right to limit network capacity or disable network connections that are affecting available network bandwidth to the detriment of the University. Where possible and depending on the severity of the incident this will be done in negotiation with School or Schools affected; 7.7 No individual may connect a device to the campus wired network that provides unauthorised users access to the network or provides unauthorised IP addresses for users. 7.8 Non IS supported servers configured to provide services for campus users are allowed in exceptional circumstances subject to the following conditions: 7.8.1 A server registration form that has been completed and approved by Network Services & Security Team. 7.8.2 The service is established in support of authorised business and commercial activity 7.8.3 The service is established only for legitimate and authorised support of teaching, research or student services. *Note authorisation is required in the first instance from the Dean of School, and dependant on the required resources, may require authorisation from the Dean and Director of Information Services. Information Services (IT), Edinburgh Napier University Page 5 of 8

7.8.4 The established service must follow the policies and procedures required by the University. 7.8.5 The service will be subject to internal and external auditing. 7.8.6 A responsible owner and their line manager must sign off as Data Controllers and comply with the Data Protection Act for all data stored. *Note: The responsible owner and authorising managers must be aware of their personal and corporate liabilities should their service result in the loss of data 7.8.7 The server owner is responsible for the backups, restores and patching of the server and applications. 7.8.8 The service will be managed effectively to ensure no excessive loading adversely affects the University s wired network bandwidth. 7.8.9 The service will be subject to periodic network security evaluation which will include penetration testing by Network Services & Security Team. 7.8.10 The server authorisation will be reviewed on an annual basis by the Information Security Board. 8 Wireless Network 8.1 The University has established an ubiquitous wireless network across the campuses and locations which is for the use of staff and students and authorised representatives only, to connect University owned IT and user owned devices communications devices and equipment 8.2 The wireless network security standards are as follows: 8.2.1 Access Layer: users will connect to the WLAN via access points, which will provide the 802.11g/n connection standard for the client devices. 8.2.2 Service Set Identifier (SSID2): The SSID for the main wireless network for Edinburgh Napier staff and students is Eduroam. 8.2.3 The SSID for guest access to the Internet only, will be conference and will be broadcast so as to make it easily available to authorised visitors. Access will be granted via the IS Support Desk. This will change when we implement The Cloud. 8.2.4 The Eduroam network will utilise AES (Advanced Encryption Standard) level of encryption. This encryption standard is mandatory to enable the 802.11n network to be supported. 8.2.5 The conference service has no encryption. 8.2.6 For authentication: The authentication protocol used is Protected EAP (PEAP). PEAP is an 802.1X authentication type for wireless networks. 8.2.7 The Eduroam service supports only WPA2 (Wi-Fi Protected Access) which is the preferred security standard. 8.2.8 Unauthorised devices connected to the wireless network will be blocked without warning. 8.2.9 Staff or students are prohibited from connecting additional wireless network hotspots to the University network. Information Services (IT), Edinburgh Napier University Page 6 of 8

9 Third Party Access Control to the Network 9.1 Third party access to the network will be based on appropriate authorisation and compliance with Information Security Policies. 9.2 The Customer Services IT Support Desk is responsible for ensuring all third party access to the network is recorded. 9.3 Access to the internet may be provided for University staff, students or University employed contractors via the IS support desk. Connection to the University Wi-Fi infrastructure may be approved where the appropriate request is made in writing to establish a named account or the appropriate selfregistration process is undertaken. 10 External Network Connections 10.1 Information Services is responsible for implementing all connections to external networks that connect to the primary University and JANET supported Network, ensuring systems conform to the necessary legislative and JANET compliance. 10.2 Information Services is responsible for ensuring all connections to external networks and systems are documented and approved by Information Security Board before they commence operation. 11 Maintenance, contracts, backup and recovery 11.1 Information Services will ensure that maintenance contracts are maintained and regularly reviewed for all essential network equipment. 11.2 The Information Services IT Support Desk is responsible for ensuring that a log of all faults on the network is maintained. 11.3 Information Services will ensure a log of current network and switch configurations. Changes will be maintained and stored securely and backups of switch configurations taken regularly. The Network Services & Security Team will: 11.3.1 Document procedures for the backup process and ensure that it is communicated to all relevant staff. 11.3.2 Document procedures for the storage of backup tapes or media will be produced and communicated to all relevant staff. 11.3.3 Ensure all backup media will be stored securely and a copy will be stored off-site. 11.3.4 Document procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff. 11.4 Users are responsible for ensuring that they backup their own data to the network server using mapped drives or SharePoint. 11.5 Network patches and any fixes will only be applied by the Network Services & Security Team following a suitable change control procedure. Information Services (IT), Edinburgh Napier University Page 7 of 8

12 Protection and Malicious attack 12.1 The Network Services & Security Team will ensure that; 12.1.1 Measures are in place to detect and protect the network from viruses and other malicious software. 12.1.2 They have suitable monitoring of network traffic, network access and intrusion detection in place. 12.1.3 The network will be monitored for potential security breaches. All monitoring will comply with current legislation. 12.2 The Information Security Board reserves the right to access, modify or delete all data stored on or transmitted across the University s network. This includes data stored in personal network folders, mailboxes etc. Data of a personal nature should be stored in a folder marked or called Personal. This does not preclude access or removal of such a folder on the authority of the Information Security Board or a ULT member. 12.3 Information Services reserves the right to disconnect or block any device connected either by physical or wireless means to the network. 13 Enforcement 13.1 Any employee, student or user, found to have violated this policy may be subject to disciplinary or legal action. Disciplinary action may include expulsion for students and the termination of employment for members of staff. Deviation from this policy is permitted only if a valid business case has been provided and subsequently reviewed and approved by the Information Security Board and/or Legal Counsel. Information Services (IT), Edinburgh Napier University Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information