Network Security and Management (Guidelines and Procedures)

Topic: Financial and Operations
Approval Authority: President

Description: Pursuant to Policy on Computing and Information Technology Facilities


Purpose

These guidelines and procedures are meant to ensure the availability and security of the shared network resources which support the learning, teaching and research mission of the University and the administrative activities that underpin this mission.

These guidelines and procedures supplement and clarify the principles set out in the Policy on Computing and Information Technology Facilities as they apply to the York University centrally managed network infrastructure and the operation of systems therein.

Roles and Responsibilities

Users: Those using University network resources.

System Administrators: Those responsible for installing and maintaining software and/or equipment attached to or operating via the central network infrastructure.

System Managers: Those who own and/or have management authority for Information Technology systems attached to or operating via the central network infrastructure.

Central Computing Support Group: Computing and Network Services (CNS) is responsible for the management of the University’s central information technology services. This includes Central Network Management and Information Security.

Central Network Management: The department within CNS with responsibility for the operation of the University data network infrastructure including network-authoritative services.

Information Security: The department within CNS with responsibility for the overall security of the University Information Technology systems and data.

Definitions

University Network: The University-owned network infrastructure which is managed by the Central Computing Support Group. This includes the University network backbone, networks for individual buildings, modem pools, and wireless access points.

Network-Attached Device: Any type of computer system, network equipment, or other device which operates on the University network infrastructure. This includes personal computers, servers, network-enabled printers, network hubs or switches, and any other device which uses the network.

Network-Authoritative Service: Network services which are required for the integrity and stability of the central network infrastructure, including DNS, DHCP, and routing.

Network Access Point: A device which allows network traffic to flow from any external source to the University central network infrastructure. This includes wireless access points, modems, wired network drops, and routers connected to external networks not operated by the University.

Vulnerability Analysis: Any interaction with, or observation of a system which is used for determining security vulnerabilities present. Examples include network scanning, encryption cracking, and system information gathering.

Guidelines

  1. Network Access Points: All points of access to the University Network (including network drops and wireless access points) require authorization by the Central Computing Support Group. Operators of wireless access points shall also conform to the University guidelines for usage of unregulated radio spectrum bands.
  2. Network Traffic Types and Limits: The Central Computing Support Group will control bandwidth limits and the types of inbound and outbound network traffic permitted through the Internet gateway and other points within the University network. Decisions about the permitted types of traffic and bandwidth limitations will be based on the business and academic goals of the University and the security exposure involved.
  3. Network Monitoring: The Central Computing Support Group will monitor network traffic as necessary and appropriate to detect unauthorized activity or intrusion attempts, and for diagnostic purposes. All monitoring will be carried out in accordance with the University Policy on Computing and Information Technology Facilities. Interception or monitoring of network traffic without authorization from the Central Computing Support Group is prohibited.
  4. Baseline Security Configurations: The Central Computing Support Group will establish and provide recommended baseline configuration standards for selected operating systems. System Managers are responsible for ensuring that systems under their responsibility are configured in a secure manner, making use of the baseline standards at minimum.
  5. Vulnerability Analysis: System Administrators or System Managers are authorized to perform vulnerability analysis on systems for which they are responsible for. Information Security, or its designee, is authorized to perform vulnerability analysis of any device on the University Network at any time. All other vulnerability analysis of systems on the University Network requires prior approval of Information Security.
  6. IP Addresses: The Central Network Management assigns IP addresses to networked systems either at system installation time, or dynamically depending on the system and area of the network it is located. Using or attempting to use a different IP address than the one assigned is prohibited.
  7. 7. Domain Names: All IP addresses within the University Network are assigned within the "yorku.ca" domain name. Using or attempting to use a non-"yorku.ca" domain name to resolve to a York University IP address without authorization from the Central Computing Support Group is prohibited.
  8. Network Abuse: Interfering or attempting to interfere with the normal operation of networks and systems within or external to the University is prohibited. Examples of this type of abuse include unreasonable use of resources, denial of service, scanning, monitoring, interception, impersonation, or modification of systems or data without authorization or consent of the system or data owner.
  9. Network Authoritative Services: Operation of network-authoritative services (DNS, DHCP, and routing-related services) without authorization by Central Network Management is prohibited.
  10. Malicious Software Use: Use or transmission of malicious software such as computer viruses which could provide unauthorized access and/or infect systems is prohibited. Computers infected with malicious software are considered a security compromise.
  11. Commercial Use: Use of University Network connections to host services for unauthorized commercial purposes is prohibited.
  12. Inappropriate Use: Use of the University Network must not violate the University Policy on Computing and Information Technology Facilities . Such violations include copyright violations, distribution of computer viruses or other malicious programs, unauthorized access, or other unlawful use.
  13. Incident Response: In the event of a known or suspected incident of unauthorized access or other system security compromise, or in response to a violation of any guideline specified here, Information Security, or its designee, is authorized to investigate any device on the University Network in accordance with the Incident Response and Investigation procedures contained herein. This may involve disconnection of the system from the University Network, copying of system data, and/or physical collection of the device for examination.

Procedures

Attaching to the Network

  1. Contact Information: All network-connected devices must have a Management and System Administrator point of contact registered with the Central Computing Support Group. An additional backup contact is required if the manager/system administrator are the same individual. Incomplete and/or incorrect contact information may result in termination of network service without notice.
  2. System Placement: The University network is divided into zones with varying degrees of security and functionality. Before operating a system on the network, the logical placement of the system within the network (i.e. zone) shall be decided in consultation with the Central Computing Support Group according to the function and sensitivity of the system.
  3. System Configuration and Operation: System Administrators shall follow existing recommended practices and/or standards for configuration and operation of equipment where these are available.
  4. System Updates: System Administrators shall apply relevant security patches in a regular and timely fashion as well as running up-to-date anti-virus software where applicable.

Incident Response and Investigation

  1. Complaints of Alleged Violations: Complaints regarding violations of law or University policy may be directed to System Managers, and/or to the Central Computing Support Group as appropriate. Complaints reported to the Central Computing Support Group will be investigated by Information Security which will (if appropriate) refer the matter to appropriate University authorities and/or law enforcement agencies.
  2. Reporting Security Compromises: All System Administrators and System Managers shall report security compromises which involve misuse or unauthorized access to University systems and/or data to the Central Computing Support Group. Information Security will coordinate investigations into any alleged computer or network security incident.
  3. Vulnerability Analysis: Systems which pose a significant risk to the security, integrity, or availability to other systems or the University Network due to a suspected security vulnerability will be investigated by Information Security and/or by the responsible System Manager.
  4. Access to System Information: System Administrators and/or System Managers shall provide access and/or information from a system which is the subject of a current investigation to Information Security upon request. Information required may include system logs, configuration information, a complete system image, and/or physical access depending on the type of incident and needs of the investigation.
  5. Disconnection: Systems operating in violation of law; these guidelines; or which pose a risk to the security, integrity, or availability of systems or the University Network may be disconnected from the network by Central Network Management or Information Security. Appropriate contact information will be used for notification in advance of disconnection when possible. Systems may be disconnected prior to notification of the affected contacts when such systems are the source of (or need to be protected from) an immediate and/or unacceptable risk, or if no appropriate contact can be notified.
  6. Reactivation: A system previously disconnected as a result of incident response may only be reactivated with the consent of Information Security.
Legislative History: Approved by the President: 2004/04/28; Reviewed by UEC