Network security policy

Introduction

General policy

Responsibilities of systems administrators

Responsibilities of central computing services

Responsibilities of users

Other policies

Implementation of the policy and sanctions

Introduction

The IT network and the computer systems connected to it are critical to administrative, teaching and learning, and research activities of the College.

The network permits high-speed connections to the Internet and is at present operated with a minimum of restrictions to enable flexibility of communications between connected computers. This flexibility of operation, however, poses potential security risks. In order to safeguard the stability, integrity and security of the College IT network, steps need to be taken by CCS and each School/Department to ensure that machines under their control are properly managed to minimise the risks.

The objectives of this policy are to:

  • ensure that the College’s IT network and computing facilities are adequately protected against misuse or abuse;

  • create awareness across the College that appropriate security measures must be implemented to safeguard the effective operation of the IT network;

  • ensure that all system administrators and users understand their own responsibilities for protecting the IT network;

  • ensure the high availability of an effective network and facilitate the rapid tracking down and resolution of any network problems by CCS and others;

  • protect Birkbeck’s reputation;

  • help preserve the integrity and privacy of users’ information; and

  • reduce interruptions to the service, and unnecessary calls on support staff.

General policy

The following general policy statements apply to all computers in the College:

  • Every computer connected to the Birkbeck College network must be subject to formal system administration.

  • Responsibility for administration and security of computers should be assigned to a suitably trained and technically competent member (or members) of staff.

  • The staff assigned to the system administrator role must have adequate time in which to undertake the maintenance of computers under their control.

  • Adequate provision of cover during sickness or holidays should be made where key systems may be affected.

  • Access to any network connected computer must be via a logon process that identifies and authenticates the user, except where read-only access is given to certain systems (e.g. the Library Catalogue), or unprivileged access is normal and appropriate safeguards are in place (e.g. Web browsers in kiosk mode, access to a contained website).

  • Any networked system which will be unused for extended periods (typically several days or more) should be switched off.

  • Accounts which remain unused for five months should be disabled where possible.

  • Accounts used by system administrators should be cancelled immediately on departure of the member of staff.

  • No shared accounts will be created, except where absolutely necessary, and under the condition that a list is kept of the users of the account, and that they are jointly responsible for any action taken using the account.

  • Accounts should not be re-used, except where absolutely necessary, and under the condition that details are kept of the users of the account.

  • Lists of users and their data (such as userids) must not be available to anonymous users or, where possible, to other users and systems administrators.

  • Computers in open areas should be physically secured.

  • Computers in other areas should be accessible only by authorised persons, and security imposed as appropriate.

  • Computers offering services external to the College (e.g. web, email, ftp, etc.) must be authorised by School or CCS support staff.

  • Details of any networked system which is operating as a server (including file serving, print serving, web serving, ftp serving, or applications server) must be given to CCS Systems staff or to School support staff in the cases of Schools responsible for maintaining their own servers (e.g. Computer Science and Information Systems, Crystallography, Economics and Statistics, Geography and the Library).

  • Access to equipment should be possible at all times (in the event of a report being received by CCS or School support staff out of hours) unless precluded by Health and Safety requirements.

  • Personal equipment may not be connected to the College network except where the connection is made to a School or Departmental network with the written authorization of the School/Department System Administrator.

In addition to the general policy above, the following sections suggest the responsibilities of three distinct groups:

  • Systems Administrators

  • Central Computing Services

  • Users

Responsibilities of systems administrators

A nominated Systems Administrator should be appointed by Schools and Departments who is responsible for the secure operation of their computers. This may be an individual responsible for a collection of systems, or the user who normally uses the system (in particular for office equipment). The responsibilities of system administrators should include:

  • Install and maintain the operating system and network connection in order to reduce the chance of unauthorised access.

  • Ensure that systems security patches are kept up to date where possible and such that the service is not adversely affected.

  • Systems must be monitored in order to detect breaches in security. In the event of any breach CCS Systems staff must be alerted.

  • Users, including systems administrators, should normally log in with userids without unnecessary (“superuser”) privileges. Privileged accounts should be used only for systems administrative work and monitoring.

  • When undertaking systems work demanding privileged user status, administrators should log in under their own account before assuming privileged status (to maintain audit information).

  • Administrators must ensure that all software is properly licensed.

  • Administrators must ensure adequate backup procedures are in place.

  • Adequate virus protection software must be installed.

  • Ensure that passwords are changed regularly and that knowledge of the superuser password is restricted.

  • Superuser and system administrator passwords should be passed to CCS or School/Dept Computer staff for use in emergency.

  • Logging, and in particular a record of logins on the computer, should be maintained for one year.

  • Administrators must not amend any audit or system information which may be used as part of an audit trail in cases of security breach.

  • If necessary to protect or maintain service, administrators will disconnect a system, individual workstation, or software from the School network.

  • Monitor activity and/or record traffic on the network if appropriate, including periodic intrusion detection testing either internally or by third party.

  • Ensure that adequate security (such as dial back) is utilized when connecting modems to allow remote management/troubleshooting.

Administrators should also operate within the guidelines of the Charter for System and Network Administrators currently (November 2001) being prepared by UKERNA.

Responsibilities of central computing services

In addition to the above (for systems maintained by CCS), CCS will also:

  • Liaise with external organizations (such as UCL Network Group and UKERNA) in the development and maintenance of the network.

  • Inform system administrators of security information, hacking attempts, tools, etc. via an email list.

  • Provide information and good practice guidelines.

  • Assist School/Dept Systems Administrators to correct a security breach, especially where the integrity of the network may be at risk, or it is affecting systems elsewhere.

  • If necessary to protect and maintain service, disconnect a system, individual workstation, software, School network or building from the wider College network.

  • Monitor activity on the network, including periodic intrusion detection testing either internally or by third party. If during a scan an obvious weakness is found, CCS will provide advice and assistance to the appropriate systems administrator.

  • If no administrator is available, depending on the nature of the loophole, the offending system may be disconnected from the network.

  • Maintain central checking for malicious code, including checking of email passing through central mail systems.

  • Maintain site licences of virus protection software.

  • Coordinate the development and maintenance of the security policy.

  • Provide assistance in developing router-filtering rules if required.

CCS may implement site-wide router filtering rules appropriate to protect the College’s computer infrastructure. CCS will also investigate and implement a border firewall at the earliest opportunity, in order to limit, at a network protocol level, unnecessary traffic passing into or out of the College, and to monitor the nature of the traffic. At that time a firewall policy will also be necessary.

Responsibilities of users

Authorised users have access to computing facilities, software, electronic mail and network services located at Birkbeck and other sites. With these facilities there are direct and implied responsibilities on the part of the College and on the user. Some of the following are highlighted here, but may be more appropriate in an Acceptable Use Policy or an Email and Web Policy.

Userid/Password

  • Authorised users are allocated a username and password, and must ensure that nobody else uses them. The user is responsible for the confidentiality of the username and password.

  • Users must not use anyone else’s username/password.

  • Users must not obtain or try to obtain anyone else’s password.

  • Users must inform CCS immediately if they suspect someone else of using their userid/password.

  • Office computers must not be left unattended when logged in unless a password protected screen-saver is used.

  • Shared computers must not be left unattended when logged in.

Filestore

  • Users must not gain access or attempt to gain access to any files owned by someone else unless the owner has specifically granted access.

  • Users must not use equipment in contravention of the law.

  • Users must use anti-virus products and must not introduce malicious code, including viruses, network worms, Trojan horses, logic bombs, etc.

  • Users must not download or install software/hardware which could be used to scan, attack or compromise security or service.

  • Users must not install software on shared equipment which may interfere with the normal operation of that equipment.

Email

  • Email should be treated in the same way as ordinary mail and the same standards of behaviour apply.

  • Email which is confidential or of a sensitive nature should not be sent unless appropriate precautions are taken.

  • Users must not transmit email that causes “annoyance, inconvenience, or needless anxiety to other people”.

  • Users must not send or attempt to send forged electronic mail.

  • Users should contact CCS if they receive mail which they find offensive. The original message should not be deleted.

Network

  • Users must not deliberately interfere or attempt to interfere with the operation of the network or computer systems.

  • Users must not connect equipment to the College network without first receiving authorisation from School Systems Support staff or Computer Representatives.

  • Users must not operate any equipment or software designed to eavesdrop on network communications.

Other policies

The following College policies and national guidelines are also relevant to this policy, and all users are required to be familiar with them:

  • Birkbeck College Computing Regulations

  • Data Protection Policy

  • JANET Acceptable Use Policy, issued by the United Kingdom Education and Research Networking Association (UKERNA)

  • Code of Conduct on the Use of Software and Datasets, issued by the Joint Information Systems Committee (JISC)

Implementation of the policy and sanctions

The responsibility for implementing this policy rests with Heads of Schools, Academic Services and Central Administration. Any breach of network security should be reported to the relevant systems administrator who will ensure that appropriate action is taken. In the event of a suspected or actual breach of security, the systems administrator may remove the affected system from the network.

Failure of an individual student or member of staff to comply with this policy may lead to the instigation of the relevant disciplinary procedures for students and staff. This could result in suspension of students or dismissal of staff. In the event of a serious infringement the College may also decide to institute legal proceedings under civil or criminal law relating to computer misuse.
