Computer Security Policy

Definitions:

1) The "Physics and Astronomy Local Network", also referred to as "the Local Network", is considered to consist of any and all devices that can communicate with other devices within the Allen Building. Although a device is not considered to be part of the Local Network while it is not actually connected to or otherwise communicating with the Local Network, if it is subsequently connected to or in any way communicates with any part of the Local Network, e.g. through some form of wireless connectivity, over the internet or through reading a disc, it must be fully compliant with the policies outlined in this document.

2) For the purpose of this policy, a "machine" refers to any device (e.g. computer, workstation, PC, laptop computer, printer, scanner, etc.), regardless of operating system or applications, that will be networked or allowed to share data with any other Departmental or University machines, regardless of the medium employed (network, removable storage medium, etc.).

3) The "Principal User" of a machine is taken to be the person having the primary responsibility for, or being the main user of, a machine.

4) "Technical Staff", also referred to as "technical support staff", refers to the Information Technology Group of the Department of Physics and Astronomy.

Preamble:

The Department of Physics and Astronomy prefers that people using machines consult the technical support staff for set-up and ongoing maintenance of all machines used on the Local Network. This should not be taken to imply that support staff will be responsible for all aspects of ensuring the ongoing integrity of all devices on the Local Network. Some aspects of setup, maintenance and security are necessarily the responsibility of the users, who must exercise due diligence to ensure that the machines they are using do not pose a hazard to other users of the Local Network.

It is recognized that there may be cases where more control of a machine by the Principal User or a third party may be required to deal with exceptional situations in a timely manner. Nevertheless, even when the Principal User plays a significant role in the administration of the machine, whenever the machine is attached to the Local Network or otherwise communicates with or through it, the machine must adhere to the policies stated below.

Policy:

1) Information concerning security-related problems and updates for the applicable software will normally be obtained and communicated to users on a regular basis by the technical support staff. It is the PRINCIPAL USER'S RESPONSIBILITY to ensure that the recommended solutions to security problems are implemented, with assistance from the technical support staff where necessary. This includes installation and maintenance of appropriate antivirus software on all applicable systems.

2) Installation of all vendor-supplied, security-related software updates or patches will be done on a timely basis. This is primarily the responsibility of the technical support staff, but they must have reasonable access to machines in order to carry out the necessary operations.

3) Installation of machines must be done in conjunction with, and following consultation with, the technical support staff, to ensure that potential problems are addressed. Technical support staff must also be consulted whenever the Principal User or maintainers of the machine are unsure of what security or maintenance procedures should or need to be followed. The Head, in conjunction with the Department Computing Committee, will make available a list of such security and maintenance procedures.

4) Technical support staff must always be consulted for authorization prior to any changes in machine configuration which may impact the network or other machines. Examples: setting up network services, file sharing services (WWW, FTP) or any other similar services. A more complete list will be made available by the Head, in conjunction with the Department Computing Committee.

5) Technical support staff will perform security analysis using appropriate network monitoring and scanning tools, periodically or as required. Technical support staff will report any vulnerabilities thus discovered to the machine's Principal User and to the Department Computer Committee. The technical support staff will assist the Principal User to rectify the problem(s) in an appropriate and timely manner.

6) In the event of a significant security problem being discovered, the technical support staff may, at their discretion and without prior notice to the Principal User, deal with the problem in an appropriate manner. The Head, in conjunction with the Department Computer Committee, will establish and make available an appropriate hierarchy of responses to be followed in the event of a significant security problem. In the event of an emergency, however, the final decision regarding the application of the policy and hierarchy of responses will rest with the technical support staff.

7) It is recommended that all administrator passwords be stored in the Office safe and made available to the technical support staff, so that it may be possible to address some problems without removing a machine from the local network. In the event of an emergency, if the administrator password for a particular machine is not available, the technical support staff may, at their discretion, remove the machine from the local network.

8) Reasonable access control mechanisms will be used to ensure that the machine is accessible only to authorized users. This could include any or all of:
   (i) controlling physical access to the machine,
   (ii) use of secure and private passwords by all users,
   (iii) disabling any vulnerable accounts, such as guest accounts or other similar initial accounts with weak passwords or no passwords at all,
   (iv) disabling all unnecessary services, and
   (v) whatever other access control is appropriate for the software being used.
   THIS IS THE PRINCIPAL USER'S RESPONSIBILITY.

9) It is recognized that for some devices there may be external security requirements from other collaborating institutes that may have to be taken into account. In these cases, the decision as to whether or not any requirements stated herein can be waived will reside with the Department Head.

10) Failure by the Principal User or designated third parties to comply with this policy can result in removal of the affected machine(s) from the network and/or other actions deemed appropriate by the Department Head. These measures may include, but are not necessarily limited to:
   i) removing a particular machine or portion of the local network from the rest of the local network;
   ii) powering down a particular machine or portion of the local network;
   iii) locking a particular account, especially if the account appears to have been accessed in an unauthorized fashion;
   iv) reporting the problem to other authorities. (This is a University requirement.)