Policy Introduction and Purpose

This System Management Policy is a sub-policy of the Information Security Policy (IS01).

It sets out the responsibilities and required behaviour of those who manage computer systems on behalf of the University.

Scope and Definitions

This Policy applies to any “administrator” who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

An “administrator” is anyone who uses administrator (or elevated) privileges on any University multi-user computer system (server) to administer the system or the services running on the system.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Principles of the Policy

Duties of System & Service Managers

The University’s computer systems will be managed by appropriately skilled staff to oversee the day-to-day running of the system and ensure on-going security (confidentiality, integrity and availability). These system managers will undertake their duties in collaboration with individual technical service managers whose services are running on these computer systems.

Systems must be registered in the central asset register and each system must identify a named System Owner.

System owners must assess the criticality of any system, as well as any processes or services supported by the system. Depending on the level of criticality they are responsible for ensuring appropriate business continuity and security measures are in place to protect against events which might otherwise result in loss of service or data.

System Owners must obtain from relevant Information Asset Owners a confidentiality level for any data that will be stored or processed by the system and record that in the central asset register.

System Owners should indicate the suitability, or otherwise, of using any individual system for the storage or processing of different categories of University data (see the Information Handling Policy – IS04). This is in order to allow Information Asset Owners to make informed decisions as to whether the system meets the security requirements of the University and the data being handled.

System Owners must deploy systems to agreed standard configuration as published in relevant service catalogues or service descriptions. Such configurations must include appropriate security baselines. Baselines will be agreed with University CITO Organisation. Baselines and overall system configuration must be reviewed in order to accommodate changing requirements.

System Owners are responsible for ensuring the on-going security of their systems and must apply software patches, or other security or maintenance measures, in a timely manner. High priority changes must be applied in accordance with software suppliers' recommendations (or requirements) or within 10 working days of release, whichever is the shorter. If it is not possible to patch within this time period, other compensatory control measures must be taken (and evidenced) to mitigate risk.

Managers are authorised to act promptly to protect the security of their systems but must be proportionate in the actions that they take, particularly when undertaking actions which have a direct impact on the users of their systems. Any actions which may be potentially invasive of users’ reasonable expectations of privacy must be undertaken in accordance with the University’s Investigation of Computer Use policy (IS12) and the associated “Guidelines for system and network administrators” document.

System Owners must immediately report any information security incidents to the CITO Organisation (helpdesk@warwick.ac.uk).

Change Management

All changes to computer systems must be managed according to an appropriate and thorough change procedure. IT Services operate a standard change procedure, and this must be used, or replicated locally, wherever possible.

If local or alternative change control procedures are used, then they must be documented, and System Owners must demonstrate the procedure is effective.

Access Controls

Access to all computer systems must be via a secure authentication process, with the exception of read-only access to publicly available information.

Access must only be granted in strict accordance with the User Account Management policy (IS05).

Administrator accounts and accounts with elevated privileges must only be used when necessary in order to undertake specific tasks which require the use of these accounts. At all other times, the principle of “least privilege” should be followed.

Access to administrator accounts (whether direct or indirect) from untrusted networks (from home, for example) or when using personally owned devices should be protected by two-factor authentication wherever possible.

All elevated access accounts must be reviewed periodically and checked for relevance, necessity and accuracy.

Monitoring & Logging

IT Services provide a central logging service together with associated standard operating procedures.

System Owners must use this service and the SOP wherever possible. If, for any reason, this service cannot be used, or alternative local services are required, then this must be documented and approved by the Chief Information and Digital Officer.

The use and attempted use of computer systems must be logged. The data logged should be sufficient to support the security, compliance and capacity planning requirements of the system but should not be unnecessarily intrusive.

Users of systems should be given clear information of what information is recorded, the purposes of the recordings and the retention schedule of the data collected. This information should be made available to users in the form of a system specific privacy policy and published in the relevant service catalogue item.

System Owners are required to ensure that log files are recorded on a different system, and administered by different operators, from the system being monitored. Any exception to log reporting must be documented and approved by the CITO.

Audit logs must be configured to record any actions undertaken using administrator or elevated privileges. Audit logs must be secured to protect them from unauthorised modification.

Vulnerability Scanning

All systems must be subject to regular vulnerability scans (at least monthly) and penetration testing (at least every 12 months and after any significant change has been made to a system). These scans may only be undertaken by appropriately skilled University staff or by approved external assessors.

Business critical systems and other systems which are used to process, or store data classified as ‘restricted’ or above must be subject to regular (at least annual) penetration testing by an approved external assessor.

System Owners must be able to demonstrate and evidence that appropriate vulnerability and penetration testing has been applied.

System Clocks

All system clocks must be synchronised to reliable time sources. These sources will be the University’s official internal time servers, with the exception of these official internal servers themselves which must be synchronised with official JANET time servers.

Network and IT Systems Monitoring

The University (through appropriately authorised measures), will carry out relevant monitoring and/or logging in order to ensure the integrity and security of the University network and associated systems. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).

Where systems or services do not comply with this policy then they may be disabled or access to University resources blocked.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Information Security Incidents
• Elevated Access Accounts – Number, Reviews and resulting actions
• Use of non-standard monitoring and logging services
• Creation and Management of Central Asset Register
• Suitability of continuity plans for systems based upon criticality
• Auditing of patch update procedures – how many went over the 5-day rule
• Auditing of the level of system vulnerability and penetration scans and the reporting thereof
• Reporting of any incidence of non-compliance that have resulted in a system or service disablement
• Exemption reporting

Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.