University of Essex Homepage Information Systems Services - Go to Home Page
. . . .
ISS HOME   |   AVMS   |   COMPUTING SERVICE   |   MIS   |   WaLT   |   SEARCH
. . . .

 
Electronic Information Security Policy

This document lays out the University’s policy for maintaining the security of information held on its electronic information systems. The objective is to protect the University’s information assets, and to provide a secure and reliable working environment for staff and students.
 

Introduction

The University, its staff and its students rely to a great extent on information held, managed and accessed on computers, networks and electronic media. We need ready access to the information we depend on. We also need to know that the information is what it is intended to be — that it has not been tampered with — and we need reasonable assurances that confidential information has remained confidential.

We are also conscious however of the threats to the availability, integrity and confidentiality of electronic information. These threats derive from failures of computer hardware or software, from harmful computer viruses or similar malicious pieces of software, or from malevolent human acts. The potential for such damage, particularly malicious damage, means that controls need to be placed on the use of and access to information systems in the University.

On the other hand it is important that the University’s role as an intellectually open institution be preserved as much as is possible, and that information systems be made as easy to use as is possible. We need to strike a balance between openness and ease of use on the one hand, and the need for reasonable guarantees of security on the other.

There is much that can be done centrally (in particular in Information Systems Services) to provide a reasonable level of security. However not everything can be done centrally. Departments and individuals need to take some responsibility themselves for security of systems they manage and information they hold, and for adopting a reasonably security-conscious approach to handling electronic information.

This policy summarises information security controls that are imposed, outlines responsibilities, and gives guidance on getting further information. It also states the University’s policy on the monitoring of electronic information on computers and networks. It is accompanied by guidelines on best practice in maintaining electronic information security.

The policy does not cover the security of paper-based information or of the telephone system.
 

Definitions

In this policy information security is understood to mean the preservation of:

  • the availability of information: ensuring that information is available to authorised users when required;

  • the integrity of information: ensuring the completeness and accuracy of information;

  • the confidentiality of information: protecting information from unauthorised access.

In this policy, the term "department" is taken to cover academic departments, sections, centres, institutes and other independent units.
  

Responsibilities

The Information Systems Services section (ISS) is responsible for:

  • ensuring the security of central information systems and the University data network, and of the basic hardware and operating system software on departmental systems under maintenance contract with ISS;

  • backing up data on central systems;

  • providing advice and guidance on information security;

  • providing a CERT ("Computer Emergency Response Team") function in the University;

  • liasing with the national JANET-CERT, and distributing CERT alerts;

  • ensuring the physical security of central systems and networks, in collaboration with Estate Management.

Departments of the University are responsible for:

  • ensuring the security of departmental information systems, and networks where applicable;

  • registering with ISS equipment attached to the University network for which the department is responsible;

  • backing up data on departmental systems;

  • notifying ISS of security problems that may arise on departmental systems, and responding in a timely manner to security alerts put out by ISS;

  • encouraging good information security practice among staff and students

  • ensuring the physical security of departmental systems, and networks where applicable, in collaboration with Estate Management.

Individual users of University information systems are responsible for:

  • taking reasonable steps to ensure security on their desktop machines, or on private computers which they attached to the University network either directly (for example in student accommodation) or over a dial-up connection;

  • registering with ISS equipment attached to the University network for which they are personally responsible;

  • backing up data on their desktop or private machines;

  • notifying ISS of security problems that may arise on their personal systems, and responding in a timely manner to security alerts put out by ISS;

  • taking reasonable steps to ensure there is no unauthorised access to systems they are responsible for;

  • preserving the confidentiality of passwords;

  • complying with the Guidelines for Use of IT facilities.

The Registrar and Secretary has overall responsibility for compliance with the law in the operation of University information systems. On a day-to-day basis the Registrar delegates this responsibility to the Director of Information Systems or the Data Protection Officer as appropriate.

The Information Systems Strategy Committee is responsible for formulating policy on electronic information security and for making recommendations on information security to Senate and Council.
  

Security Contacts

Contacts in ISS for computer and network security

Primary security contact:

Bret Giddings, Systems Manager

Other security contacts:

Bryan Walls, Systems Programmer
Andrew Larkin, Network Manager
John Fell, MIS Manager (administrative application security)

Data protection contact

Sara Stock, University Records Manager  

Security Mechanisms and Procedures

Firewalls

A firewall is a system that controls and limits access from one part of a data network to another, or from a network to a computer. The University maintains a firewall at the point at which the campus network connects to the national academic network JANET, and also at crucial points within the campus network.

The campus boundary firewall is set to "default deny", that is, a given type of network protocol has to be enabled explicitly before it is allowed through the firewall. The firewall rules are constantly reviewed, and may be changed at short notice to counter emerging network threats, or conversely to extend access permissions. There is more information on the policy for the campus boundary firewall in the Security policy for the campus firewall.

A firewall imposes controls on traffic from the student residence network to the main campus network, and routes web access via a caching proxy.

Central administrative systems are protected by firewalls. As part of the registration procedure granting staff access to central administrative applications, access through the firewall is granted for named desktop systems.

From time to time the University may implement additional firewalls or add firewall functionality to network components or to attached computers.
 

Authentication

The University maintains a single campus-wide password system for password-protected network resources. The system requires users to change their passwords at regular intervals, and forbids passwords which are easily "guessed" by password-cracking software. There is more information on passwords on the Computing Service web pages.

Access to restricted web pages is controlled either by password or by limiting access to computers connected to the campus network.
 

Registration of systems

Computer and network equipment that is to be attached to the University data network must be registered with ISS, so that the identity of the equipment can be entered into ISS databases. Equipment not so registered will have network access denied.

The University tries to keep to a minimum the number of different servers handling off-campus traffic for potentially insecure network protocols, and encourages departments to use central servers for such protocols rather than setting up their own.

Departmental servers which are connected to the network and which need to be visible from off campus must in addition be registered as servers, so that access can be assured through the campus firewall.

Further registration of internally visible servers, or of hosts which are allowed access to services may be required in future if additional firewalls are implemented.

There is more information on the registration of equipment and servers in the Policy for Connection to University Data Network.
 

Data backup and recovery

The data and operating systems held on central systems, including central filestore, email and web pages, are backed up daily and copies held remotely. The primary purpose is to allow for recovery in case of loss through malfunction, physical damage or other disaster.

Departments and individuals are responsible for backing up data not held on central systems.

There is more information on backup and recovery in the Policy for data backup and recovery.
 

Virus protection

Viruses currently represent one of the most visible threats to information security, not so much through breach of confidentially as by denial of access or destruction. The University maintains virus protection on a series of levels. Email attachments of types which pose a particular threat are not allowed onto the campus; there is virus scanning on all central email servers, with virus profiles updated daily; the central filestore is scanned and viruses or infected files are removed; and support is provided for virus protection on desktop systems. However it remains a responsibility of individuals to maintain virus protection on their own machines, in particular private computers, and to exercise caution in dealing with suspect files.

There is more information on virus protection on the Computing Service web pages.
 

Other security mechanisms

Additional security mechanisms will be implemented in a timely manner as the need arises, for example as part of the implementation of new technologies.

Other security mechanisms may be implemented at short notice should new security threats emerge, though in practice as much notice will be given as possible.
  

Personal Data

Personal data held on information systems at the University (as well as paper-based data) is subject to the provisions of the Data Protection Act. There is more information on the University’s Data Protection web pages, and in the Data Protection Handbook.

The content of personal information gathered by the University is accessed and modified only by those authorised to do so, in compliance with the Data Protection Act.
 

Control and Monitoring

The University reserves the right to exercise control over all activities on its IT facilities and networks, including examining the content of data or messages as permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, in particular to establish the existence of facts, to ascertain compliance with regulatory or self-regulatory practices or procedures or to ascertain or demonstrate standards which are or ought to be achieved (quality control and training), to prevent or detect crime, to investigate or detect unauthorised use of telecommunication systems or, to secure, or as an inherent part of, effective system operation.

The content of users’ electronic information held centrally, including emails and data files, is examined only with the authority of the Director of Information Systems as the delegate of the Registrar and Secretary, and a record is kept of what is done.

The content of users’ electronic information held on departmental systems, including emails and data files, is examined only with the authority of the head of the department.
  

Related Policies Etc.

Web URLs are given here in good faith. However it is possible that changes may be made in the location of web pages that are not reflected here.

University policies and guidelines

Guidelines for Use of IT Facilities http://www2.essex.ac.uk/cs/about/regulations/proper_use.html

Policy for Connection to University Data Network
http://www2.essex.ac.uk/iss/policies/connection-policy.htm

Eligibility for access to central computing facilities http://www2.essex.ac.uk/iss/policies/eligibility.html

Campus data network infrastructure support policy
http://www2.essex.ac.uk/iss/policies/net-policy.htm

Security policy for the campus firewall http://www2.essex.ac.uk/iss/policies/firewall_policy.htm

Electronic data backup policy
http://www2.essex.ac.uk/iss/policies/data-backup.htm

Guidance on best practice in electronic information security http://www2.essex.ac.uk/iss/policies/security-guidance.htm

Other University information

Data protection
http://www2.essex.ac.uk/dataprotection/

Data protection handbook
http://www2.essex.ac.uk/dataprotection/data.htm

External policies

JANET Acceptable Use Policy
http://www.ja.net/documents/use.html

 

J.S.P. ISS
19.02.03

 

. . . .

 

Document last modified by Bret Giddings
(e-mail: bret; non-Essex users should add @essex.ac.uk to create full e-mail address)
on 13 January 2010.