Wednesday, 19 October 2011

SECURITY POLICY

IT Security Policy

Version 1.1; 5 November 2008

1. Introduction

The purpose of this policy is to define a framework on how to protect the University of Bath's computer systems, network and all data contained within, or accessible on or via these computer systems from all threats whether internal, external, deliberate or accidental.
It is the policy of the University to ensure that:
  • All central computer systems and information contained within them will be protected against unauthorised access.
  • Information kept in these systems is managed securely, not only to comply with relevant data protection laws, but also in a professional and dependable manner.
  • All members of the University are aware that it is their responsibility to adhere to this policy.
  • All parties accept total responsibility for maintaining, adhering to and implementing this policy within their areas.
  • The integrity of all central computer systems, the confidentiality of any information contained within or accessible on or via these systems is the responsibility of Computing Services.
  • All regulatory and legislative requirements regarding computer security and information confidentiality and integrity will be met by Computing Services and the University.
  • All breaches of security will be reported to and investigated by a nominated security coordinator, usually within Computing Services.
  • The primary role of the University's function regarding education and research is not hindered.

2. Statement of Authority, Scope and Responsibilities

Standard statement applies
In addition all users have a responsibility to report promptly (to Computing Services) any incidents which may have a security significance to the University.

3. The Computing Environment

Computing Services plan, maintain and operate a range of central computing servers, core network switches, edge network switches, backup systems, and the overall network infrastructure interconnecting these systems.
The computing environment is defined as all central computing resources and network infrastructure managed and overseen by Computing Services and all computing devices that can physically connect, and have been authorised to connect, to this environment. All are covered by this policy, including computing hardware and software, any University related data residing on these machines or accessible from these machines within the campus network environment and any media such as CD-ROMs, DVD-ROMs and backup tapes that may at times be accessible.
Computing Services also considers all temporary and permanent connections via the University network, casual laptop docking points, the Wireless network, the Virtual Private Network and the RAS modem pools to be subject to the provisions of this policy.
Computing resources not owned by the University may be connected to the University's network. However, all such resources must function in accordance with University regulations governing the use of computing resources.
Computing Services reserves the right to monitor, log, collect and analyze the content of all transmissions on networks maintained by both Computing Services and individual departments and organisations at any time deemed necessary for performance and fault diagnostic purposes. Any network monitoring will be performed in accordance with the Computer Systems Scanning and Monitoring Policy.

4. Physical Security

Computing Services provides a secure machine room with protected power arrangements and a climate-controlled environment. It exists primarily for the provision of central computing and network facilities; individual departments and, if appropriate, individuals are encouraged to make use of the facility for applicable teaching or research projects.
Any computer equipment in general office environments should be within physically secure rooms outside of general office hours.
Desktop machines in public areas should contain a device or mechanism for securing and protecting the main components and contents of the computer from theft.
The above is in accordance with the University's insurance policy.

5. Access to Systems

Computer and network systems access is only via individual user accounts. Please refer to the user accounts policy for further details and account eligibility.

5.1 Email

Accounts provide access to email facilities. Use of email is governed by Computing Services' Email policy.

5.2 File Storage

All users have access to the centrally managed file storage. Use of the file storage is governed by Computing Services' User Filestore policy.
It should be appreciated that, for most applications, the security of files on the server is considered to be adequate. However, files held on a Network File Server (NFS) should never be considered completely secure. For this reason Computing Services do not recommend that you hold sensitive information such as exam papers or results on the central server (or on any NFS file server, for that matter).

5.3 The Web

All users have the right to publish their own web pages under the appropriate subdomain of bath.ac.uk. Individual users will be responsible for content in these areas and the University reserves the right to remove access to any material which it deems inappropriate, illegal or offensive. Users should not in any way use their personal web space for commercial purposes.
Users shall not in any way use personal web space to publish material which deliberately undermines IT security at the University or elsewhere. Users shall not publish any information regarding open accounts, passwords, PINs, illegally obtained software licences, hacking tools, common security exploits or similar unless there are specific and legitimate reasons to do so, e.g. in order to demonstrate a problem to enable a fix, or similar.

5.4 Internet Access

The campus network is connected to the Internet via SWERN and JANET. Computing Services operate and maintain a firewall with the aim of protecting the campus network and Computer systems from unauthorised or illegal access or attack from the external environment.

5.5 Campus Network

Individuals must seek permission from local support representatives before connecting any machine to the LAN. Particular attention must be paid to the Host Connection & IP Address Allocation Policy before any connection is made. Computing Services may disconnect any unauthorised host from the network without warning if discovered.

6. Remote Access to Systems

Remote access is defined as accessing systems from a physically separate network. This may include:
  • Connections direct across the Internet
  • VPN Connections
  • Direct dial connections to the RAS (Remote Access Service)
Any user with a valid University of Bath computer account may access systems as appropriate. Remote access is allowed via secure methods only. Remote connections to any campus IT services are subject to the same rules, regulations, policies and practices as if they were physically on the campus.
Computing Services shall provide the only VPN and dial-in service that can be used. All connections via these services will be logged. No other remote access service shall be installed or set up, including single modems connected to servers or workstations. Any active dial-in services found to be in existence will be removed from the network.

7. Data Security

The University holds a variety of sensitive data including personal information about students and staff. If you have been given access to this information, you are reminded of your responsibilities under data protection law.
You should only take a copy of data outside the University's systems if absolutely necessary, and you should exhaust all other options before doing so. This includes putting sensitive data onto laptops, memory sticks, CDs/DVDs or into emails. If you do need to take data outside the University, this should only be with the authorisation of the University's data protection officer. As part of this you should perform a risk assessment on the implications of it falling into the wrong hands, and take appropriate steps to mitigate against this. This will almost certainly include encrypting the information, and checking the data protection statements of any recipients of the data.
There are a variety of methods of remote access to systems available (in particular using VPN and remote desktop or terminal services) which allow you to work on data in-situ rather than taking it outside the University, and these should always be used in preference to taking data off-site.
Computing Services offers a variety of information and support to help you keep data secure. If you are uncertain about any aspect of data security, you must contact us for advice.

8. Anti-Virus Security

Computing Services will provide means by which all users can download and install current versions of site-licensed virus protection software.
Users must ensure that they are running with adequate and up-to-date anti-virus software at all times. If any user suspects viral infection on their machine, a complete virus scan should be performed. If Computing Services detect a machine behaving abnormally due to a possible viral infection, it will be disconnected from the network until deemed safe. Reconnection will usually be after liaison with the

9. Related Documentation

University Regulations
Computing Services' Acceptable Use Policy

http://www.bath.ac.uk/bucs/aboutbucs/policies/itsecuritypolicy/index.html
