Conditions for Connection to Centrally provided IT infrastructure
version: 20 April 2009
(38.ODIT.PWJ.AAG conditions for connection to centrally provided IT)
The University of Oxford operates a devolved ICT structure (www.ict.ox.ac.uk/odit/ITcoordination/ODITOxford'sComputingModel.pdf), in which responsibility for management of computer systems and networks within departments and colleges rests with those departments and colleges. The University manages the backbone network, which connects departments, colleges and central services, and provides connectivity to the world-wide internet through the UK Education and Research Network (JANET). Access for individual members, and support for their use of ICT facilities, is provided by the department and/or college to which they belong.
Further details about IT co-ordination and policy may be found at the website of the Office of the Director of IT (www.ict.ox.ac.uk/odit/ITcoordination/).
The devolved nature of the ICT structure of the collegiate University means that many areas of responsibility for the management and security of the computer systems and networks must also be devolved to departments and colleges. However, it is essential that common standards are accepted and implemented throughout the collegiate University. Without adherence to common standards for computer management, the University ICT systems would be vulnerable to compromise - a term used to mean any security violation brought about by 'hacking' - from both within and outside the University. Such compromises can result in incidents such as loss of data, breaches of confidentiality and network flooding, bringing all internal network traffic to a halt. Compromised computers may also be used to initiate attempts to compromise other computers outside the University, or to launch floods of 'spam' email - bringing disrepute to the University and the real possibility of some or all of the University's computer systems being placed on the international 'blacklists' used to block access and email from suspect locations. This would affect the University as a whole, not just the department or college within which the compromise took place.
While it is essential that departments and colleges within the University use robust management practices to achieve the best possible levels of security for their computer systems, the University recognises that departments and colleges must be able to choose a model for implementation that best suits the type of work that they are carrying out, that conforms to accepted national or international standards for a particular academic discipline, or is otherwise constrained by necessary practical considerations.
Statement of University Policy
The University devolves responsibility for implementation and management of computer systems and networks within departments and colleges to those units. Within normal constraints of auditing, accounting and value-for-money, and with due regard to University guidance on environmental issues, the department or college may choose the ICT systems that it decides will best enable it to carry out its goals.
In order to maintain the highest standards of security and integrity for the computer and network systems of the University as a whole, all departments and colleges connecting ICT systems to the University backbone network must conform to the University's connection policy, as laid out in this document. This policy applies to all systems and networks connected directly to the University backbone network, and should be applied as far as possible to systems in use for any purpose. In some circumstances where full verification of systems is impracticable, while direct connection to the backbone is not permitted, other means, such as the Eduroam facility, may be used to provide an indirect connection to a point outside the University firewall.
The unit must have in place a structure to manage all aspects of its use of ICT. This will normally consist of a departmental/college IT Committee or equivalent, chaired by a senior member of the department/college and reporting either directly to the Head of the unit or to its highest-level management/governance body. For smaller departments this may be subsumed within a structure organised at a divisional or faculty level. This committee will be responsible for ensuring compliance with all sections of these Conditions of Use. Where responsibility for any part of the ICT provision is delegated to a third party, e.g. the University's ICT Support Team, the responsibilities of each party for compliance with these Conditions must be defined by appropriate Service Level Agreements.
2. Recruitment and Training of Staff
IT staff responsible for operation of the unit's ICT systems must be competent to undertake these tasks, and the need for further training must be regularly reviewed. There must be arrangements in place to ensure that systems are adequately supported during planned or unplanned absence of staff.
The unit must nominate at least two people who can be contacted by OUCS if action is required because of a network failure, system compromise, etc. While it is recognised that smaller units may not be able to have available two people with technical expertise, contacts must still be provided who can take responsibility for the unit's ICT systems - i.e. they will be able to take action themselves, or to arrange for action to be taken by others. In normal circumstances the unit should be able to respond to email or phone requests within 4 working hours. However, in the event of a situation arising that requires urgent action, units must be aware that if contact cannot be made speedily, or if the unit is unable to act, OUCS will, at its discretion, take all necessary steps to protect the integrity of the University systems, which may result in some or all of the unit's computer systems being blocked from network access.
The unit must also provide a standard IT contact email address to which information, notices etc. can be sent. It will be assumed that this email address will be monitored at least once every working day, and that all messages sent to it will be acted on.
4. Internal Network/IT infrastructure - documentation
Documentation must be maintained detailing the unit's network and IT infrastructure, including connectivity of all network switches, routers, etc. It is essential that this documentation is available in a way that remains accessible in the event of any network or systems failure within the unit, e.g. in hardcopy form. This documentation must be made available to OUCS if required to investigate a network or other failure or any compromise within the unit that impacts on other parts of the University.
5. Network Connection - standards
Connection to the University backbone network is usually by means of a 'FRODO' box. This connection marks the boundary of the responsibility of OUCS to maintain the backbone network - all connections on the unit's side of the FRODO box are the responsibility of that unit. Units must follow the advice and directions for use of this connection as issued by the Central Computing Services (OUCS).
6. Network Connection - security, monitoring, and firewall
The unit is responsible for maintaining security within its own network, monitoring for improper usage and preventing unauthorised access. OUCS operates a firewall between the University network and the internet (JANET) connection, but a unit may choose to operate its own firewall(s) to provide additional security at the boundary of its network or on individual systems. The unit should be able to monitor its internal network to detect systems generating excessive amounts of traffic, either locally or onto the internet, and to investigate the causes of such traffic.
7. Patch state; virus checking
All systems that are accessible to the network (including programmable devices such as switches and 'intelligent' peripherals) must be maintained in an adequate patch state, with security-related patches applied promptly both to the operating system and all applications. Where appropriate to the platform, systems must run software to check for viruses and other 'malware', which must be kept up-to-date. (Exceptions may be made for systems which run 'locked-down' software and so are not liable to compromise.)
The unit must operate and enforce a data security policy in accordance with the University's Data Security Policy. This policy lays down comprehensive standards that must be adopted for management, control and disposal of data, and access to that data.
The unit must ensure that its users are regularly reminded of the University's Regulations Relating to the use of Information Technology Facilities (www.admin.ox.ac.uk/statutes/regulations/196-052.shtml). The unit will be expected to take disciplinary action against any person found to be in breach of these regulations.
The unit is responsible for ensuring that only authorised persons are allowed access to its systems and networks. Access with systems administrator privileges must be restricted to specifically authorised ICT staff. Any access requirement to systems holding confidential or critical data must be assessed and only permitted if required for the work of the unit.
Wherever possible, 'public access' facilities should be provided using IP address space which is specifically assigned for use by visitors to the University. Use of any such facility must either be controlled by an authentication procedure (such as those for OWL or EDUROAM) or monitored (for example by staff being present in the room or by CCTV).
11. User accountability and logging
Any multi-user system must log information about who has used that system, times of access, source address, etc. Communication systems that enable connection to the network using IP numbers not directly allocated to an individual (e.g. NAT, DHCP) must also retain adequate logging information so that the connecting system can be traced. This information must be retained for a period of at least 60 days, and for a longer period where advised by OxCERT (www.ict.ox.ac.uk/oxford/compsecurity/oxcert/).
All other systems must be protected from unauthorised use, usually by a password requirement or other method of access control. This includes any computer, including individual desktop machines, that has access to the internet, so that individual responsibility for any access to the internet can be established. Individuals should be advised to take steps (such as screen-locking) to prevent unauthorised access to unattended computers.
12. Privacy and monitoring of use
Privacy of data belonging to users must be maintained, and system administrators must not access a user's data without the user's permission, except as laid out in the Regulations Relating to the use of Information Technology Facilities. If routine monitoring or recording is carried out of data or web sites accessed, etc., this must be made clear to all users of the system.
Systems administrators must report any breach of security, unauthorised access to data, etc., to appropriate bodies in the University. This will always include the OxCERT team at OUCS. If activity of a criminal nature is suspected, it must be reported to the University Marshal, who will advise if involvement of the Police is required.
14. Response to incidents, copyright violations, etc.
The unit must have procedures in place to deal with security incidents in a timely manner. This will include isolation of any system that is compromised, and suspension of access for any person who may be responsible for misuse. The unit must also have procedures to deal with outside complaints of breach of copyright, etc. (often received in the form of a "cease and desist" notice served on the University or on JANET(UK)), to ensure that the system concerned is cleared of any infringing material, and to take action against the user concerned.

