IS08: Network Management Policy
This Policy sets out the responsibilities and required behaviour of those who manage data and communications networks on behalf of the University to ensure on-going security, confidentiality, integrity and availability.
Policy Introduction and Purpose
This Network Management Policy is a sub-policy of the University’s Information Security Policy (IS01).
It sets out the responsibilities and required behaviour of those who manage data and communications networks on behalf of the University.
Scope and Definitions
This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/ self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.
All the University’s data and communications networks, whether wired or wireless are in scope, irrespective of the nature of the traffic carried over the networks (data or voice).
A glossary of the terms used throughout the Policy can be found in our Information Management Glossary.
This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.
Responsibilities
Role | Function |
---|---|
Digital Strategy Group representative | Responsible |
Head of Department | Accountable |
Chief Information and Transformation Officer Data Protection Officer |
Consult |
University Information Management Committee representative | Inform |
Principles of the Policy
Management of the Network
The University’s communications networks will be managed by appropriately skilled and authorised staff to oversee their day-to-day running and to ensure their on-going security (confidentiality, integrity and availability).
All staff and departments are required to use the centrally provided network service – any requirement that cannot be met by the standard service where an alternative arrangement is to be used must be documented and approved by the Chief Information and Transformation Officer (CITO).
Network staff are in highly privileged positions and play a key role in contributing to the security of the University’s information assets. They are required to be aware of the University’s Information Security policy in its entirety and must always abide by the policy.
Network staff are authorised to act promptly to protect the security of their networks but must be proportionate in the actions which they take, particularly when undertaking actions which have a direct impact on the users of the network. Any actions which may be potentially invasive of users’ reasonable expectations of privacy must be undertaken in accordance with the University’s Investigation of Computer Use (IS12) policy.
Network staff must immediately report any information security incidents to the CITO.
Network Design & Configuration
The network must be designed and configured to deliver high levels of performance, availability and reliability, appropriate to the University’s business needs, whilst providing a high degree of control over access to the network.
The network must be segregated into separate logical domains with routing and access controls operating between the domains in order to prevent unauthorised access to network resources and unnecessary traffic flows between the domains.
A description of the features, performance and monitoring policies for the network must be published in the relevant service catalogue descriptions and/or SOPs.
Physical Security & Integrity
Networking and communications facilities, including wiring closets, data centres and computer rooms must be adequately protected (appropriate to the potential health and safety, financial or security risk being managed) against accidental damage (fire or flood, for example), theft, or other malicious acts and such arrangements documented.
The network must be resilient to help mitigate the impact of the failure of network components.
Change Management
All changes to network components (routers, firewalls etc.) are subject to IT Services established change management processes and procedures.
Any locally administered network must be managed through a formal, robust change process and such arrangements documented and approved by the CITO.
Connecting Devices to the Network
The University operates a policy of what devices can and cannot be connected to the Network.
You must operate within the requirements of Acceptable Use Policy (IS06), where this is detailed, at all times.
Network Address Management
The allocation of network addresses (IPv4 and IPv6) used on the University’s networks will be managed by IT Services’ Network Team, they may delegate the management of subsets of these address spaces to other teams. Such arrangements must be documented and approved by the CITO.
Network addresses (IPv4 or IPv6) assigned to end-user systems will, be (where possible) assigned dynamically (and will therefore be potentially subject to change).
Network addresses will use private ranges, and public addresses will only be assigned following approval of a Service Request which documents the justification.
Access Controls
Access to network resources must be strictly controlled to prevent unauthorised access.
Access control procedures must provide adequate safeguards through robust identification and authentication techniques.
Access to some segments of the network will be controlled by specific rules. Some segments will require that devices are registered with the University asset register and meet minimum security or specification requirements (or similar arrangement). ITS will ensure all users requesting this access are made aware of these additional requirements.
IT Services is responsible for the management of the gateways which link the University’s network to the Internet. Controls will be enforced at these gateways (and elsewhere across the network) to limit the exposure of University systems to threats or attacks. Controls will be applied to both incoming and outgoing traffic.
Device security is an important aspect of wider network security. Devices will be monitored and assessed for their security profile – devices not meeting minimum security requirements will be segregated and access to resources may be restricted (refer to Mobile & Remote Working Policy – IS10).
Network and IT Systems Monitoring
The University (through appropriately authorised measures), will carry out relevant monitoring and/or logging in order to ensure the integrity and security of the University network and associated systems. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).
Where systems or services do not comply with this policy then they may be disabled or access to University resources blocked.
Exemptions
‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.
This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.
Compliance Monitoring
Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:
- Non-standard network service arrangements.
- Actions taken by Network managers to remove explicit network security threats.
- Compliance with this policy in approved locally managed services.
- Ad-hoc checks of physical security of university communications facilities.
- Any breaches to this policy.
- Exemption requests and granting of exemptions.
Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.
A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.