ISD Policy Document

Information Services Division

www.isd.salford.ac.uk

Network Security & Connection Policy

Contents

1.Introduction ...........................................................................................................................2
2.Purpose ..................................................................................................................................2
3.Scope......................................................................................................................................2
4.Responsible Authorities ....................................................................................................... 3
5.Policy Statements ................................................................................................................. 3
5.1 Users of the Network............................................................................................................3
5.2 Modifiers of the network .......................................................................................................3
5.3 Network devices...................................................................................................................3
5.4 User devices ........................................................................................................................3
5.5 Uses of the Network.............................................................................................................4
5.6 ISD’s Management Authority ...............................................................................................4
5.7 ISD’s powers of detection, prevention and restitution..........................................................4
6. Legislation ............................................................................................................................5
7. Sanctions ..............................................................................................................................5
8. References ............................................................................................................................5

Document Control Information

Document Ref: Network Security & Connection Version: 1.1
Policy
Classification: Unrestricted Status: Issued
Effective from: August 2005 Review Date: August 2006
Originated by: Q&P Unit, ISD Date: 01/10/04
Approved by: ISD Date: 23/01/06
Authorised by: Information Services Division Date: 23/01/06
Issued by: Director, ISD Date: 23/01/06
Change History: Section 5.6 - Reference to Date: 23/01/06
client devices
Change Forecast: Further changes are expected Date:
at each annual review, and
more frequently if new security
threats demand new measures
Circulation: All ISD staff via the ISD All University staff & The general public via the
Website students via the University web site
University intranet

IT Security Co-ordinator
Enquiry point : University of Salford
Information Services Division
Clifford Whitworth Building
SALFORD
M5 4WT
Std: 0161 295 5910
Mobile:
Fax:

Doc ref: Network Security & Connection Policy Page 1 of 5 Version: 1.1
This document is issued by Information Services Division (ISD). The only definitive version is that held and
controlled on the ISD website. It is not under document control when copied or printed
1. Introduction
This document sets out University policies for enabling access to and assuring the security of
the data communications network at the University of Salford. It establishes the
responsibilities of Information Services Division (ISD) in managing the network and users’
responsibilities in using it, as well as ISD’s authority in taking action to foresee, detect, prevent
or rectify security risks which threaten the activities of the University and its members.

2. Purpose
As a key part of its role Information Services Division (ISD) is responsible for the ownership,
development, installation, operation and maintenance of the data communications network on
behalf of the University and its members. With this responsibility comes the authority to take
action necessary to safeguard the security of the network to minimise and contain potential
risks to the University and its members, both operational and legal, from the consequences of
network-related security violations and misuse. In this context, the purpose of this policy is to
state clearly both ISD’s responsibility and authority for the University’s network infrastructure
and devices connected to that infrastructure, and users’ responsibilities in using such devices.

3. Scope
The coverage of this policy includes:
• the University’s internal data communications network, devices connected to it and
supplied by, or otherwise approved for, connection by ISD, and the network’s
connection to JANET and the internet . i.e.

o University network segments linked directly and indirectly to the Peel Park
campus infrastructure
o University network segments linked via Net North West
o University network segments linked via wireless technology

• all devices utilising this infrastructure, including those connecting via wireless
technology
• all users of such devices
• the protection, detection and action against threats, including but not restricted to:
o virus attacks
o denial of service attacks
o hacking internally or from external sources
o downloads and uploads of unacceptable material (as defined
by the JANET Acceptable Use Policy1)
o unacceptable content of outgoing email
o unsolicited bulk email
o theft, corruption or loss of data or software from external
sources
o theft of bandwidth
o breaches of the JANET AUP1
o unauthorised connection of devices to the network

The coverage of this policy includes threats from but excludes risks to:
• on-campus devices not approved for network connection by ISD
• on-campus devices connected both to the University’s network and to
external network connections
• on-campus networks not installed or approved by ISD
• off-campus networks and devices

Doc ref: Network Security & Connection Policy Page 2 of 5 Version: 1.1
This document is issued by Information Services Division (ISD). The only definitive version is that held and
controlled on the ISD website. It is not under document control when copied or printed
 Also excluded are:
• IT security aspects not involving networks
• Other security aspects not specifically involving IT.
• the CCTV system

4. Responsible Authorities
The term “Designated ISD Authority “ used in this policy means the Director of Information
Services or his authorised delegate.
This policy is issued under the authority of the Director of Information Services who as an
Officer of the University is responsible for enforcing sanctions where necessary to safeguard
the University and its members. The IT Infrastructure is managed by the Head of IT
Infrastructure & Operations who is responsible for the prevention and detection of ICT misuse.
This policy is managed by the Head of Quality & Processes who is responsible for investigating
incidents of ICT misuse.

5. Policy Statements

The University’s network policy addresses the following:

• who can and cannot make use of the University’s data communications network
• who can and cannot extend, remove or change the cabling or fibres that constitute the
University’s data communications network either within or between University buildings
• what connections or changes can or cannot be made to the network
• what devices can and cannot be attached to the network
• who can and cannot attach such devices
• what they can and cannot use it for
• how ISD manages the control of the network and the approval of connections both from
devices and from other networks
• how ISD is able to foresee, detect, or prevent security threats and rectify the
consequences of those threats to the network
• what sanctions are available to ISD when threats and misuse are encountered, to deter
further misuse of the network.
5.1 Users of the Network
As defined in the ISD regulations3, only registered users (i.e. those holding valid ISD
usernames and passwords) or those given permission by the Designated ISD Authority are
permitted to use the University of Salford data network.
5.2 Modifiers of the network
Only ISD and University approved data communications contractors are permitted to modify
the network infrastructure.
5.3 Network devices
Network devices are defined as active equipment required to connect and operate the
University’s data network. Examples are switches, routers, firewalls and wireless access
points. Only ISD and University approved data communications contractors are permitted to
install such devices which will be solely managed by ISD. These devices will be located in ISD
data cabinets. No other equipment will be housed within these cabinets.
5.4 User devices
Any device, other than network devices defined above, is defined as a user device. User
devices fall into two categories – client and non-client equipment. A non-client device e.g. a
server is defined as equipment which provides a service to one or more users. University
owned non-client devices may be connected to the network by competent users once it has
been registered with ISD by completing ISD’s Server Registration Form4 and the recognised
owner of the equipment agrees to keep it updated in terms of Anti – Virus updates and

Doc ref: Network Security & Connection Policy Page 3 of 5 Version: 1.1
This document is issued by Information Services Division (ISD). The only definitive version is that held and
controlled on the ISD website. It is not under document control when copied or printed
 Operating System Security patches.
Client devices are defined as equipment generally used by one person. Examples are PCs,
Macintoshes or PDAs. Network connectivity is achieved by either plugging this equipment
directly into an activated data point on the University network or indirectly by enabling a
connection via a wireless access point.
University owned client devices may be connected to the network by any user of the University
provided the equipment is used in accordance with the aims and policies of the University (as
defined in the ISD regulations3) and JANET’s AUP1 , JANET’s Security Policy2 and for no other
purpose.
Users wishing to connect their own equipment may do so only in ISD’s designated areas (e.g.
approved areas within ISD libraries and student accommodation) and after ISD approval.
5.5 Uses of the Network
The University’s data network may be used for any purpose that is in accordance with the aims
and policies of the University (as defined in the ISD regulations3) and JANET’s AUP1, JANET’s P

Security Policy2 and for no other purpose.

5.6 ISD’s Management Authority
ISD are responsible for managing and being accountable for access to the JANET Network by
the University’s users. ISD are also responsible for managing the risks of any network device
connected to the network and implementing any necessary security measures to protect the
network.
ISD manages the provision of IP addresses; protection via the central firewalls and access
lists; user registration; authorisation and authentication; and data point activation. Any
approved University owned device may be connected to the campus network and will be
automatically assigned an IP address which gives access to internal resources. External
resources must be accessed through ISD’s proxy servers wherever possible. Exceptions must
be authorised by ISD.
Any non-client device e.g. servers, must be registered with ISD by completing ISD’s server
registration form4.
Users wishing to connect their own client devices e.g. PC’S / Laptops may do so only in ISD’s
designated areas (e.g. approved areas within ISD libraries and student accommodation) and
after ISD approval.
ISD holds sole authority and responsibility for the connections of networking equipment within
the University e.g. hubs, switches, routers and wireless equipment.
Traffic entering the University of Salford network will be monitored and managed by ISD.
It is the responsibility of the owners of any equipment connected to the network to ensure that
all machines have the latest level of anti-virus software and security patches installed, and that
these are kept up to date.
5.7 ISD’s powers of detection, prevention and restitution
ISD proactively monitors the data network for performance issues, abnormal loading, port and
IP scanning. The consequences of these are counter measured by regularly updating
firmware and configuration files of firewalls and routers, and adding security patches and anti-
virus updates when necessary.

Doc ref: Network Security & Connection Policy Page 4 of 5 Version: 1.1
This document is issued by Information Services Division (ISD). The only definitive version is that held and
controlled on the ISD website. It is not under document control when copied or printed
6. Legislation

The University has obligations under which it must comply with relevant UK and European
Community legislation including (but not exclusively):

• The Data Protection Act 1998

• The Human Rights Act 1998
• The Computer Misuse Act 1990
• The Copyright, Designs and Patents Act 1988
• The Freedom of Information Act 2000
• The Regulation of Investigatory Powers Act 2000

The use of the computing and networking facilities is permitted by the University on the
condition that all users will comply with the conditions stated in the JANET Acceptable Use
Policy AUP1 and JANET’s Security Policy2. Users should note that the University’s access to
the Internet is solely through the JANET network and that violations of the JANET policies
could potentially lead to this access being withdrawn.
All users of the university network are required to comply with the approved University Policies,
Standards, relevant legislation and contractual requirements and should seek appropriate
advice when in doubt.

7. Sanctions

ISD, on behalf of the University are responsible for investigating, containing and resolving
breaches of security and may disconnect, block traffic to / from, impound, or log information
about any machine using the data network. Under University disciplinary procedures, ISD are
authorised to initiate investigations of users who abuse this policy. Such investigations may
result in ISD banning users without prior notice, pending resolution of the incident and
dependent upon the nature of the offence may involve the Police.

8. References

(1) The JANET Acceptable Use Policy can be viewed on

http://www.ja.net/services/publications/policy/aup.pdf
(2) The JANET Security Policy can be viewed on
http://www.ja.net/services/publications/policy/security-policy.pdf
(3) ISD Regulations : http://www.isd.salford.ac.uk/governance/regulations/isdfullregs.pdf
In addition, when accessing computers abroad, the rules of that country apply.
It is the user’s responsibility to ensure his/her activities comply with these laws.
The use of the University’s information systems facilities is also subject to the Code of Conduct
for Students detailed at : http://www.salford.ac.uk/policies_procedures/display.php/?id=143
(4) Server Registration Regulations:
http://www.isd.salford.ac.uk/governance/security/server.doc

Doc ref: Network Security & Connection Policy Page 5 of 5 Version: 1.1
This document is issued by Information Services Division (ISD). The only definitive version is that held and
controlled on the ISD website. It is not under document control when copied or printed