|University of Arkansas at Little Rock|
|Policy Name: Network Security|
|Policy Number: 208.2|
|Effective Date: January 3, 2008|
This document establishes network security and computer usage guidelines for the University of Arkansas at Little Rock (UALR).
- Network Connection Policy
- Minimum Network Hook-up Requirements
- Escalation Procedures for Security Incidents
- Network Naming Conventions
These guidelines incorporate the elements of the UALR Information Technology Acceptable Use (AUP) policy. The purpose of these guidelines is to protect the rights and privacy of UALR campus users, as well as those of UALR faculty and staff.
1.2 Other Applicable Guidelines/Policies
Members of the UALR user community are required to comply with the items outlined in the campus AUP.
Members of the UALR campus faculty, staff, and students require access to servers and systems on the UALR campus. Access is defined as having the logon and password to use an account on a system. The first time a member of the UALR faculty/staff requests access, he or she is asked to read and sign the AUP Agreement. The AUP presents general guidelines for using UALR systems in a responsible and ethical manner, as well as behaviors and practices that are prohibited. The document may be accessed via UALR’s web page, Information technology Services under the title Acceptable Use Policy.
1.3 Privacy of Clients Data/Information
User files and information stored on or in UALR computers are to be protected for privacy. Written consent of the user must be first obtained prior to disclosing any user information. In all cases the user must be advised that his or her file(s) must be viewed or accessed to assist the user in problem resolution.
When assisting UALR users, members of the UALR faculty/staff should use the following guidelines:
- Use and disclose the userâ€™s data/information only to the extent necessary to perform the work required to assist the user. Particular emphasis should be placed on restricting disclosure of the data/information to those persons who have a definite need for the data in order to perform their work in assisting the user.
- Do not reproduce the userâ€™s data/information unless specifically permitted by the user.
- Refrain from disclosing a userâ€™s data/information to third parties unless the user provides written consent.
- Return or deliver to the user, when requested, all data/information or copies thereof to the user or someone they designate.
1.4 Proprietary Information
Due to the nature of the UALR computing and network environment, there is significant potential proprietary information stored on or in UALR computers, laptops, and resources. For example, proprietary information would include vendor programs and source code, benchmark programs, scientific codes, and personnel records. Members of the UALR faculty/staff are responsible for ensuring that proprietary information is protected from disclosure and/or unauthorized access. When dealing with proprietary information, members of the UALR faculty/staff should use the following guidelines:
- Ensure appropriate measures are in place for protecting proprietary information.
- Do not attempt to access proprietary information for which you have not been given authorization.
- Do not make copies of proprietary information unless specifically permitted by the owner of the information.
- Refrain from disclosing to third parties the types of proprietary information you can access.
1.5 Security Investigations
If a member of the UALR faculty/staff discovers evidence of a violation of the UALR campus AUP, he or she must notify the network security officer (NSO) or the UALR chief information officer (CIO) as soon as possible. If the NSO or the CIO determines there is probable cause to believe a security violation has occurred, additional investigation may be authorized. Any additional investigation will normally be performed by the NSO or someone designated by the NSO or the CIO.
If you are requested to participate in an investigation or you must view a userâ€™s files (after receiving consent) during the normal course of your job duties, you must not disclose information about that user or the contents of the userâ€™s files to other people. Information concerning the user should only be disclosed to the NSO, the CIO, or to a law enforcement agency. A detailed record and log of actions under investigation will be maintained by the NSO.
1.6 Summary of Guidelines
To summarize, follow these guidelines:
- Read and follow the campus AUP.
- Do not inspect a userâ€™s files without consent of the user or the proper authorization.
- Inform the proper person when you feel there is evidence of a possible violation.
- When performing an investigation on a user or system, which involves viewing userâ€™s private files/data/information, keep a detailed record/log of why the investigation was initiated and what actions were taken.
2.0 Network Connection Policy
The Network Connection Standard describes the requirements and constraints for attaching a computer, server, and/or printer to the UALR network. All computers installed on the UALR campus network fall under the authority and responsibility of the NSO and, as such, must meet the minimum-security requirements of UALR regulations and policies. The security requirements and practices at UALR are outlined in the UALR campus AUP (included as Appendix I) and this document. The intent of this policy is to ensure that all systems installed on the UALR network are maintained at appropriate levels of security while at the same time supporting the ability of UALR users and faculty/staff to perform their work.
Any UALR faculty/staff with questions or concerns regarding UALR security should send inquires to firstname.lastname@example.org.
3.0 Minimum Network Hook-Up Requirements
The requirements listed below are the minimum requirements, which must be satisfied before a new host can be installed on the UALR campus network.
3.1 Designation of a Responsible Person
Each computer attached to the UALR network must have an assigned individual that provides support for the system and is responsible for ensuring the requirements of this policy are met. In addition, the responsible person ensures that the security of the system is maintained by installing necessary security software, patches and security checking programs. The person who is responsible for support must have full access to the system.
In most cases, the responsible person for a computer would be the faculty and/or staff member that uses the computer in their daily work. Some departments on campus have a technical person responsible for initial problem resolution. The technical person would be the responsible person for the departmentâ€™s computers. In the case of servers, the system administrator is the responsible person for that system.
3.2 Notification of New System Installation
The NSO or his designee must be notified each time a new host requiring a fixed IP address is added to the campus network. Prior to installation on the campus network, the network support group of Information Technology Services must assign a valid IP address number. As part of the IP address request, the requestor must specify the new host, requested domain name, designated administrator, location, and administrative logon and password. The NSO will maintain the logon and password in a secure location accessible only by the NSO and his or her designee.
If the computer system does not require a fixed IP address, the user may set up the computer to acquire an IP address via the campus DHCP server (Dynamic Host Configuration Protocol). Dynamically obtaining an IP address via DHCP does not require notifying Information Technology Services’ network support group.
3.3 Required Account(s)
Each UALR server attached to the campus network must have a system account (administrator ID for logons are not allowed) to allow members of the support team access to the system in the event of a problem. When requested by the NSO, individual campus users must disclose the administrative computer logon and password.
3.4 Security Installation
Each system administrator should review the Appendix III and IV for Windows and/or Unix security installation recommendations. Additional recommendations may be found at www.cert.org.
4.0 Escalation Procedures for Security Incidents
This procedure describes the steps to be taken for network and computer security incidents occurring on the UALR campus. The physical security incidents covered in this procedure include, but are not limited to theft, illegal building and network closet access, and property destruction.
The types of incidents have been classified into three levels depending on severity:
- Level one incidents are least severe and should be handled within one working day after the event occurs. Level one incidents usually require that only the UALR NSO be contacted via telephone or email. Examples of level one incidents are sharing of user accounts, cannot remember password, and computer virus.
- Level two incidents are more serious and should be handled the same day the event occurs (usually within two to fours hours of the event). Level two incidents must be escalated to the UALR NSO. An example of a level two incident is a stolen logon and/or password.
- Level three incidents are the most serious and should be handled as soon as possible. Examples of a level three incident include, but are not limited to computer system break-in, use of UALR campus network or facilities for personal gain, denial of service attacks, or email spamming.
Level two and three incidents may result in notification to a law enforcement agency for possible criminal prosecution. Incident levels are assigned by the NSO and if an incident occurs that is not designated, then the NSO should be notified as soon as possible.
4.1 Network Security Committee
A standing network security committee is established with a term of three years for each member. One third of the members are to be appointed annually by the chancellor. Membership of the committee is comprised of the following organizational members.
- Information Technology Services – CIO/NSO
- Office of Communications
- Office of Human Relations
- Public Safety
- Student Government
The Network Security Committee is a standing committee, which is called into session by the CIO and/or NSO when either person has reason to believe that a security incident has occurred to warrant a coordinated action on behalf of the university. Possible outcomes of security incidents investigations by this committee include:
- Forwarding the information on to a law enforcement organization with a recommendation for criminal prosecution.
- Forwarding the information to appropriate faculty and/or student organizations for censure and discipline. Existing UALR rules, policies, and procedures will be employed for possible action against the individual and/or individuals.
- The information submitted does not warrant further action.
4.2 Computer Security Incidents Procedures
All campus network security incidents require notification to the NSO. The NSO will establish the security incident level and create an incident report. All security violations require incident reporting and closure indicating security resolution.
4.2.1 Level One Incident
- Notify the UALR NSO within one working day. UALR NSO will document all pertinent information on a UALR incident report and if necessary disable appropriate user accounts.
- Change any effective password(s).
- The UALR NSO will call person(s) suspected of account sharing and determine the severity of the incident. In most cases, people who share accounts have a valid need to have their own UALR accounts. In these cases, the UALR userâ€™s account will remain disabled until account request forms are received and processed for the person who was using the UALR userâ€™s account.
4.2.2 Level Two Incident
- Notify UALR NSO within two hours. If the NSO cannot be reached within two hours, contact the CIO.
- Upon request from UALR NSO disable all UALR system accounts for the employee account to prevent further access.
- Change system(s) logon idâ€™s and/or passwords.
- The UALR NSO will call person(s) suspected of account sharing and determine severity of the incident. In most cases, people who share accounts have a valid need to have their own UALR accounts. In these cases, the UALR userâ€™s account will remain disabled until account request forms are received and processed for the person who was using the UALR userâ€™s account.
4.2.3 Level Three Incident
- Isolate infected systems from the remaining UALR network as soon as possible. Consult the UALR NSO to determine the best method to isolate the infected systems from the remaining UALR network.
- Notify UALR NSO within one hour. UALR NSO will report the incident to higher-level management.
- Notify all involved system administrators within two hours.
- The NSO will attempt to trace the origin of attack and determine how many systems (if any) have been compromised. Save copies of system log files and any other files, which may be pertinent to incident.
- UALR NSO will decide what further actions are needed and assign appropriate people to perform the tasks.
- The UALR NSO may activate the Network Security Committee to manage the incident, including reporting to the media and the law enforcement.
- Upon completion of the investigation, the UALR NSO will write an incident summary report and submit to the Network Security Committee.
4.3 Physical Security Incidents
- If an unauthorized person is in a network controlled area, call or page UALR Public Safety immediately. Public Safety will escort the unauthorized person out of the area and notify the NSO.
- The NSO will log the incident and generate a network security incident report.
- Physical security incidents are considered level three security violations.
4.4 Network and/or Personal Computer Property Destruction or Theft
- Notify UALR Public Safety as soon as possible.
- Contact the NSO as soon as possible.
- If destruction involves a UALR computer, notify the system administrator for that system as soon as possible.
- Network and/or personal computer property destruction or theft is considered a level three security incident.
5.0 Network Naming Conventions
5.1 Connecting to the Campus Backbone Network
Naming conventions for microcomputer networks, servers, and other devices that connect to (or will connect to) the UALR Campus Backbone Network will help eliminate unwanted interference across the backbone. All local area networks on campus are encouraged to use the same standards in order to allow for proper network management.
5.2 Administration of TCP/IP Addresses
Every computer attached to the Campus Backbone Network, which uses TCP/IP, must be assigned an IP address. At UALR, IP addresses are of the form 144.167.XX.YY.
XX is called the IP subnet number and is assigned by UALR Networks Services. Computers attached to the same physical network all use the same subnet number. YY is a unique number assigned to each computer on the subnet by the corresponding department and can range from 1 to 254. Therefore, there can be up to 254 computers on a given subnet.
5.3 UALR Domains
5.3.1 Internet Domains
Internet domains (e.g., microsoft.com) refer to a delegated zone from a central authority. UALRâ€™s Internet domain is ualr.edu. Examples of web sites hosted under the UALR domain include: ualr.edu; bweb1.ualr.edu:8001
All Internet sites for this university will reside under that (ualr.edu) domain. Under no circumstances will the university network host a commercial (.com) Internet site.
5.3.2 Windows NT/2000 Domains
Windows NT/2000 domains are a collection of computers grouped for administrative convenience and to apply a consistent security policy. Refer to Appendix III for information regarding Windows security.
The primary administrative domain is BACKBONE. All faculty or staff machines must be members of this domain (or, at a future date, its replacement) except in cases of slow network bandwidth (off-campus location) or where additional security is needed.
All faculty and staff Windows user accounts will likewise reside on the BACKBONE (or its future replacement) domain. Any user account not hosted on the BACKBONE will be denied access to servers, shared files locations, shared printers, and other resources.
To group computers primarily used by students (i.e., labs), a domain dedicated to students, existing or new, will be used.