Network Security policy

The growth of the Internet has driven rapid economic development across society. Many enterprises build their own networks and connect them to the Internet in order to share and use data resources fully. As networks have grown, network security has become a growing concern in every sector. This paper discusses the current state of network security and several major network security technologies, and proposes several measures for achieving network security.

The Network Security Policy sets out the specific responsibilities, conditions and practices needed to ensure an available, secure and protected Network.

All Network Users will act responsibly at all times and be aware of the associated risks and penalties for breaches of this policy, including potential disciplinary processes.
3. Physical and environmental security
3.1. All core network switching, management systems and port distribution systems will be housed in a secure location with UPS and access control. These secure areas will:
3.1.1. Allow entry to secure areas containing critical or sensitive network equipment only to those who are authorised to do so
3.1.2. Have secure code or card access systems
3.1.3. Only allow visitor or 3rd party access with L&ITS authorisation. A list of authorised users will be maintained and regularly reviewed.
3.1.4. Not permit smoking, eating or drinking in these spaces
3.2. Before any visitor or 3rd party is given access to secure network areas, they will agree to all relevant University Policies and be made aware of the security requirements.
3.3. All visitors to secure network areas must be logged in and out. The log will record name, organisation, purpose of visit, date, and time in and out.
4. Access control to the network
4.1. Access to the network will require a secure log-on procedure (see the IT Acceptable Use policy, section 2).
4.2. Registration and de-registration procedure for access to the network will, in the first instance, be driven from the HR System to create employee/staff access and from the Student Records System for student and researcher access. Separate authorisation will be required for remote access to the network.
4.3. Access rights to the network will be allocated on the requirements of the user's job, rather than on a preference or perceived need.
4.4. Similarly, security privileges (i.e. 'Power user' or network administrator rights) on the network will be allocated on the requirements of the user's job. A list of these privileges will be securely maintained and reviewed regularly.
4.5. All users of the network are sent the "ITS Acceptable Use" policy and are expected to read and understand its requirements. Users are reminded of this before logging in to University network PCs.
4.6. All users of the network will have a unique user identification and password.
5.3. All firewall implementations must adopt the position of "least privilege" and deny all inbound traffic by default (the initial rule set will be run in "logging or learning mode" to prevent service interruptions). The rule set will then be opened incrementally, allowing only permitted traffic.
5.4. Firewalls must be installed within production environments where "Legally/Contractually Restricted Information" is captured, processed or stored, to help achieve functional separation between web-servers, application servers and database servers.
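The following rule set is an added illustration of 5.3 and 5.4 and is not part of the University policy: a default-deny nftables configuration for a host routing between a web, application and database tier, with every drop logged so the "learning mode" phase can be run first and the allow rules opened one at a time. Interface names, subnets, the jump host address and the service ports are assumed for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not the policy's own configuration. Assumed (hypothetical) layout:
#   web0 / 10.10.0.0/24  public web servers
#   app0 / 10.20.0.0/24  application servers
#   db0  / 10.30.0.0/24  database servers
#   10.99.0.5            administrative jump host
flush ruleset

table inet filter {
    chain input {
        # Default deny for traffic addressed to the firewall itself (5.3).
        # Learning phase: change "policy drop" to "policy accept" and keep the
        # final log rule, so nothing is blocked yet but every flow the finished
        # rule set would drop is recorded for review before enforcement.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Minimal ICMP/ICMPv6 so path MTU discovery and IPv6 neighbour discovery keep working
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Management only from the jump host, never from the served networks
        ip saddr 10.99.0.5 tcp dport 22 counter accept comment "admin SSH"

        # Everything else is logged (rate limited) and then dropped
        limit rate 10/second log prefix "nft-input-drop: " counter
        counter drop
    }

    chain forward {
        # Tier separation (5.4): traffic flows internet -> web -> app -> db only,
        # one service port per hop; the web tier can never reach the database.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        oifname "web0" ip daddr 10.10.0.0/24 tcp dport { 80, 443 } counter accept comment "internet -> web"
        iifname "web0" oifname "app0" ip daddr 10.20.0.0/24 tcp dport 8080 counter accept comment "web -> app"
        iifname "app0" oifname "db0" ip daddr 10.30.0.0/24 tcp dport 5432 counter accept comment "app -> db"
        ip saddr 10.99.0.5 tcp dport 22 counter accept comment "admin -> any tier"

        limit rate 10/second log prefix "nft-forward-drop: " counter
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it with `nft -f`. The `nft-input-drop:` and `nft-forward-drop:` prefixes make the denied flows easy to pull out of the kernel log during the learning phase, and the per-rule counters show which allow rules are actually used when the rule set is reviewed. A copy of the running configuration for the off-device backup required by 5.6.4 can be taken with `nft list ruleset`.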
5.5. Firewall rule sets and configurations require annual review to ensure they afford the required levels of protection.
5.6. Network & Systems Team must review and agree all network firewall rule sets and configurations during the initial implementation process.
5.6.1. Firewalls protecting enterprise systems must be reviewed twice a year.
5.6.2. Firewalls not protecting enterprise systems must be reviewed annually by a responsible firewall administrator.
5.6.3. Firewall administrators must retain the results of firewall reviews and supporting documentation; all results and documentation are subject to regular review.
5.6.4. Firewall rule sets and configurations must be backed up frequently to alternative storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rule sets, configurations and backup media must be restricted to those responsible for administration and review.
5.6.5. Network firewall administration logs (showing administrative activities) and event logs (showing traffic activity) are to be written to alternative storage (not on the same device) and reviewed regularly.
5.6.6. Network & Systems Team will execute approved changes to the firewall rule sets on behalf of the University.
6. Wired network
6.1. Only university owned equipment may be connected to the wired University Network. This includes network services supplied to all campuses and University buildings.
6.2. Personal laptops are not eligible for wired network connections. The University provides wireless networks for mobile computing connectivity, including laptops, mobile phones and smart devices. Where laptops or mobile devices require a physical network connection, this must be formally requested and then logged and supported by L&ITS.
6.3. Use of network addresses other than those provided by L&ITS is prohibited.
6.4. Access to networking equipment in data centers and communications rooms is limited to L&ITS staff and authorised personnel only.
6.5. Only one device may be connected to any physical wired network port. No hubs, switches, wireless access points or routing devices may be connected, directly or indirectly, without prior agreement from L&ITS.
6.6. Network & Systems Team has the right to limit network capacity or disable network connections that are affecting available network bandwidth to the detriment of the University. Where possible, and depending on the severity of the incident, this will be done in negotiation with the impacted units of the University.
6.7. No individual may connect a device to the campus wired network that provides unauthorised users with access to the network or provides unauthorised IP addresses to users.
6.8. Non-L&ITS-supported servers configured to provide services for campus users are allowed in exceptional circumstances subject to the following conditions:
6.8.1. A server registration form has been completed and approved by Network & Systems Team.
6.8.2. The service is established in support of authorised business and / or commercial activity.
6.8.3. The service is established only for legitimate and authorised support of teaching, research or student services.
6.8.4. The established service must follow the policies and procedures required by the University.
6.8.5. The service will be subject to internal and external auditing.
6.8.6. A responsible owner and their line manager must sign off as Data Controllers and comply with all relevant legislation for all data stored. The responsible owner and authorising managers must be aware of their personal and corporate liabilities should their service result in the loss of data.
6.8.7. The server owner is responsible for the backups, restoring and patching of the server and applications.
6.8.8. The service will be managed effectively to ensure no excessive loading adversely affects the University's wired network bandwidth.
6.8.9. The service will be subject to periodic network security evaluation, which will include penetration testing by Network & Systems Team.
6.8.10. The server authorisation will be reviewed on an annual basis.
10.3.1.1 Document procedures for the backup process and ensure that they are communicated to all relevant staff.
10.3.1.2 Procedures for the storage of backup tapes or media will be documented and communicated to all relevant staff.
10.3.1.3 Ensure all backup media are stored securely and that a copy is stored off-site.
10.3.1.4 Procedures for the safe and secure disposal of backup media will be documented and communicated to all relevant staff.
10.4 Users are responsible for ensuring that they back up their own data to the network server using mapped drives, OneDrive or SharePoint.
10.5 Network patches and any fixes will only be applied by the Network & Systems Team following a suitable change control procedure.
11. Protection and malicious attacks
11.1 The Network & Systems Team will ensure that:
11.1.1.1 Measures are in place to detect and protect the network from viruses and other malicious software.
11.1.1.2 They have suitable monitoring of network traffic, network access and intrusion detection in place.
11.1.1.3 The network will be monitored for potential security breaches. All monitoring will comply with current legislation.
11.2 Library & IT Services reserves the right to access, modify or delete all data stored on or transmitted across the University's network. This includes data stored in personal network folders, mailboxes etc. Data of a personal nature should be stored in a folder marked or called 'Personal'. This does not preclude access or removal of such a folder on the authority of the IT Governance Group, the Chief Operating Officer or other member of the University Senior Management Team where the Group are not available for approval.
11.3 L&ITS reserves the right to disconnect or block any device connected to the network, whether by physical or wireless means.
12. Enforcement
12.1 Any employee, student or user found to have violated this policy may be subject to disciplinary or legal action. Deviation from this policy is permitted only if a valid business case has been provided and subsequently reviewed and approved.