New: In July 2012 an Information Security Policy was approved by Council and this will be implemented across the University. For further information about this IS Policy please see the Information Security pages from the InfoSec project in the IT Services department. This Toolkit is intended to help you implement the new IS Policy in your unit.

We are developing an online Information Security Toolkit with example policies and suggested technical solutions, as part of the new Information Security Policy documentation. The toolkit provides best practices and further guidance in support of the new policy and aims to be a viable starting point in terms of unit policy - the example policies can be tailored to suit the individual needs of your department, college or hall.

The toolkit focuses on the areas below; each section sets out the recommended best practices mentioned in the University's Information Security Policy. These best practices are split into sections targeted at specific user groups. Following the best practices below is University policy.

Further Guidance is provided to put the best practices into context and to give practical advice and guidance on how the best practices can be implemented.

Suggested technical solutions and example local policies can be found here.

1. IT Management Structure

It is the University's policy that responsibility for the security of information within departments, colleges and other units rests with the head of department, college or unit.

1.1. Internal Organisation

Each unit (department, faculty, college or hall etc.) should have in place an information security policy, in accordance with that of the University, which is approved by management, published and communicated to all relevant parties. The Head of Department, College, Hall or other administrative unit should establish a management framework to initiate and control the implementation of the information security policy, and all aspects of ICT, within the unit. The information security policy should identify the unit's information security goals and organisational requirements, and should be approved by management. The unit's management are also responsible for the assignment of specific roles and responsibilities for information security within the unit, and for coordinating and reviewing the implementation of security within the unit. The unit's approach to the management and implementation of ICT/information security should be reviewed at regular intervals, or if significant changes occur.

1.2. External Parties

Agreements with third parties involving accessing, processing, communicating or managing the unit's information, or information systems, should cover all relevant security requirements, and be covered in contractual arrangements. Before any data are transferred to a third party, or held on a third-party system as part of an outsourcing contract, an appropriate risk assessment should be carried out and, where relevant, permission obtained from the University Data Protection Office.

For more detailed guidance please see the following:

2. Personnel, Recruitment and Training

All staff, students, contractors, conference guests and other parties must comply with the information security policies of the local unit and of the University. Roles and responsibilities of staff, students, contractors, conference guests and others should be defined and documented in accordance with the unit's ICT/information security policy.

All staff, students, contractors, conference guests and others with access to the unit's network, computer systems or data, should sign up to the unit's and the University's policies and be reminded of these on a regular basis. A formal disciplinary process should be in place for dealing with breaches of University regulations.

IT staff responsible for the operation of the unit's ICT systems should receive appropriate training to ensure that the operation of those systems is efficient and does not compromise the unit's and/or University's information security policies. All staff, students and, where relevant, contractors and other parties, should receive appropriate awareness training and regular updates in policies and procedures, as relevant for their role. The need for further training should be reviewed regularly.

Roles and responsibilities for performing necessary duties upon termination of employment, contracts or agreements, for all users, should be clearly defined and assigned. There should be procedures in place to ensure that all employees, contractors and third party users return all of the unit's assets in their possession upon termination of their employment, contract or agreement. Robust procedures should be in place to ensure that if an authorised person leaves the unit, or otherwise becomes ineligible, any access rights are reviewed and, where authorisation is withdrawn access is barred without delay.

For more detailed guidance please see the following:

3. Operations

The University of Oxford operates a devolved ICT structure in which responsibility for the management of computer systems and networks within departments and colleges rests with those departments and colleges. Support for the use of ICT facilities is provided by the department and/or college to which they belong. All units are free to choose a model for implementation that best meets their individual needs in accordance with University policy.

All information and ICT systems should be managed by suitably trained and qualified staff to oversee their day to day running and to preserve their security and integrity in collaboration with individual system owners.

Procedures for the operation and administration of the unit's business systems and activities should be documented, maintained and made available to all users who need them. Such documentation should include the IT infrastructure and connectivity of all network switches, routers, etc. Any system documentation should be protected against unauthorised access.

Backup copies of information and software should be taken and tested regularly in accordance with an agreed backup policy in order to ensure that any essential information and software can be recovered in the event of a disaster or media failure.

The circumstances under which the University may monitor use of its ICT systems, and the levels of authorisation required for this to be done, form part of the "Regulations Relating to the use of Information Technology Facilities". Appropriate levels of monitoring for individual systems should be carried out in all units. Audit logs recording user activities, exceptions and information security events should be produced and kept for a minimum period of 60 days (and for longer where advised by OxCERT) to assist in future investigations and access control monitoring. Individual units should be able to monitor their internal network to detect unauthorised use and to investigate the causes of such traffic. Each multi-user system should log information about who has used that system, the times of access and any source address, etc.

Access to operating system commands and the use of system utilities - such as administrator privilege - that might be capable of overriding system and application controls, should be restricted to those persons who are authorised to perform systems administration or management functions.

Appropriate controls should be implemented to protect against malicious code including detection, prevention and recovery and appropriate user awareness procedures.

For more detailed guidance please see the following:

4. Network Management

The University of Oxford operates a devolved ICT structure in which responsibility for the management of computer systems and networks within departments and colleges rests with those departments and colleges. OUCS manages the backbone network, which connects departments, colleges and central services, and provides connectivity to the Internet through the UK Education and Research Network (JANET). Access for individual members is provided by the department and/or college to which they belong. All units are free to choose a model for implementation that best meets their individual needs in accordance with University policy.

Units' networks should be managed by suitably authorised and qualified staff to oversee their day-to-day running and to preserve their security and integrity in collaboration with individual system owners. Networks should be adequately managed and controlled to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. Networks and communications systems should all be adequately configured and safeguarded against both physical attack and unauthorised intrusion.

Power, telecommunications and network cabling carrying data, or supporting information services, should be protected from interception or damage.

Appropriate network security devices (e.g. firewalls) should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the unit or University. The security and configuration of network equipment (switches, routers, firewalls etc.) should be regularly reviewed and maintained. Security features, service levels and management requirements of all network services should be identified and included in any network services agreement, whether they are provided in-house or outsourced.

For more detailed guidance please see the following:

5. Access Control

Access to all computing resources and information systems should be strictly controlled in accordance with a defined access control policy, to prevent unauthorised physical and logical access. Access control policies should be reviewed on a regular basis. Access control procedures should provide adequate safeguards through robust identification and authentication techniques, and access to all computing and information systems and peripherals should be restricted unless explicitly authorised.

All users should have a unique identifier for their personal use only, and suitable authentication techniques should be chosen to substantiate the claimed identity of users. Password management systems should be interactive and ensure suitable quality of passwords. Where authentication of all system users is not appropriate (e.g. general access kiosk machines) adequate steps should be taken to ensure that any misuse can be prevented or otherwise traced.

Appropriately secure authentication methods should be used to control access by remote users. Remote access connections to the network should only be permitted for authorised users.

Controls should be in place to ensure that inactive sessions are shut down after a defined period of inactivity.

Procedures should be implemented to ensure that access to operating systems is controlled by a secure log-on procedure. Physical and logical access to diagnostic and configuration ports should also be controlled.

Data that are not for public dissemination and are to be accessed from outside the collegiate University should be protected by authentication procedures that require identification specific to each user and are at a level commensurate with the identified risk. Wherever possible, data of a confidential or sensitive nature should be kept on on-site systems, and users who need to access this data from outside the collegiate University should do so by secured network access. Wherever possible all data transfers should be made by an appropriately secure network connection.

For more detailed guidance please see the following:

6. User Management

Users should only be provided with access to services that they have been specifically authorised to use.

A formal user registration and de-registration procedure should be implemented for granting and revoking access to all information systems and services. Procedures should exist to ensure the allocation of privileges is restricted and controlled. Users' access rights should be regularly reviewed, and procedures should be established for all information systems to ensure that users' access rights are adjusted appropriately, and in a timely manner, whenever there is a change in operational need, a role change, or a user leaves the unit. Systems should be audited for unwanted/redundant accounts and, when users leave, access should be revoked and the user de-registered.

Users should be made aware of their own responsibilities for information security. All users should have a unique identifier (user ID) for their personal and sole use for access to the unit's information services. The user ID should not be used by anyone else and associated passwords should not be shared with any other person for any reason. Allocation of passwords should be controlled through a formal management process and users are required to follow good security practices in the selection and use of passwords. Users should be advised to take appropriate steps (such as screen-locking, clearing desks) to prevent unauthorised access to machines, accounts and private information.

Visitors to the University should be provided with a specifically assigned IP address space and should be appropriately authenticated.

For more detailed guidance please see the following:

7. Information Handling

Asset management

All units should clearly identify their information assets, and an inventory of all major assets should be maintained. Assets of the University include information, software, physical assets, services, people and intangibles (e.g. reputation). Ownership of all information assets should be defined and clearly stated. Information assets should be classified in terms of their sensitivity and criticality to the unit/University. Guidance for the classification of information will be issued under the authority of the PRAC ICT sub-committee. Where appropriate, information assets should be labelled and handled in accordance with their classification. Rules for the acceptable use of information assets should be identified, documented and implemented.

Risk Assessment

To determine the appropriate level of security control that should be applied to information assets, a process of risk assessment should be carried out in order to define the security requirements and identify the probability and impact of security breaches. Owners of information assets are responsible for undertaking risk assessments and issuing appropriate guidelines to all relevant users.

Backup

Information owners should ensure that appropriate backup and system recovery procedures are in place. Backup copies of all important information assets should be taken and tested regularly in accordance with such an appropriate backup policy.

Media Handling

Procedures should be in place for the management of removable media in order to ensure that they are appropriately protected from unauthorised access.

Procedures should exist for the secure and safe disposal of media when they are no longer required. When permanently disposing of equipment containing storage media, all confidential/sensitive data and licensed software must be irretrievably deleted, using procedures authorised by the PRAC ICT sub-committee, before the equipment is moved off-site.

Removal off-site of the University's information assets should be properly authorised by the information owner. Prior to the authorisation, a risk assessment based on the criticality of the information asset should be carried out. Procedures for the handling and storage of such information should be established to protect it from unauthorised disclosure or misuse. Procedures should be in place to ensure that media containing information is protected against unauthorised access, misuse or corruption during transportation beyond the unit's/University's physical boundaries. Where appropriate, data in transit should be encrypted.

Exchange of information

Controls should be implemented to ensure that electronic messaging is suitably protected. Email should be appropriately protected from unauthorised access and should only be used to send information and attachments that are not considered to be confidential or sensitive in accordance with the classification of that information. Where appropriate, encryption may be considered in order to send confidential or sensitive information to trusted recipients though this should be authorised by the information owner. Any information received by email should be treated with care owing to the inherent security risks.

Cryptographic controls

A policy on the use of cryptographic controls for the protection of information should be developed and implemented. Recommendations and guidance for levels of cryptographic control appropriate to various classes of data, will be issued under the authority of the PRAC ICT Sub-committee, and will be revised and updated as necessary to ensure the adoption of best practice and compliance with legal requirements. [See University of Oxford Classification Scheme]

Confidential or sensitive information should only be taken away from the University in an encrypted form unless its confidentiality can otherwise be assured. Where appropriate according to its classification, information being transferred on portable media, or across networks, should be protected by the use of encryption techniques. Appropriate encryption should be used on all remote access connections to the University's network and resources.

Key management procedures should be in place to support the use of cryptographic techniques and to ensure that only authorised personnel may gain access to sensitive University information.

Where units implement their own solutions involving cryptographic controls advice should be sought on policy and key management, to ensure that data are appropriately secured and that all legal and regulatory requirements have been considered.

System planning and acceptance

A risk assessment should be carried out as part of the business case for any new ICT system that may be used to provide shared services, or to hold critical or sensitive data. The risk assessment should be repeated periodically on any existing systems.

For more detailed guidance please see the following:

8. Physical and Environmental Security

Procedures should be in place to ensure that secure areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access. Security perimeters should be defined to protect areas that contain confidential or sensitive information and/or information systems. Appropriate physical security for offices, rooms, facilities etc. should therefore be implemented and offices housing systems containing non-public data should be kept locked. Where appropriate, physical protection should be provided against damage from natural, or man-made disasters, such as fire, flood, explosion etc. All users are required to ensure that systems are not left open to access by intruders to buildings, or by unauthorised colleagues.

Procedures should be in place to ensure that equipment hosting data not open for public access is not accessible in public areas. Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access. Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. Procedures should be in place to ensure that media containing information are protected against unauthorised access, misuse or corruption during transportation beyond the unit's/University's physical boundaries.

Procedures should exist to ensure that equipment, information or software is not taken off-site without prior authorisation. Security should be applied to off-site equipment taking into account the different risks of working outside the University's or unit's premises. Procedures should exist to ensure that any sensitive data and licensed software have been removed or securely overwritten when equipment is sold on, transferred or scrapped.

For more detailed guidance please see the following:

9. Incident Handling

Responsibility for network security within the University lies with the Oxford University Computer Emergency Response Team (OxCERT). Based within the Networks and Telecommunications Group at OUCS, the team exists primarily to ensure the security of the University backbone network. Specifically, security incidents are handled centrally by OxCERT and it is the University's policy to ensure that any compromised hosts are blocked from accessing the network until such a time that they are no longer considered a threat by OxCERT.

OxCERT are responsible for identifying compromised or potentially compromised systems within the University network, and taking appropriate measures to prevent malicious network traffic, from such systems, traversing the backbone network. OxCERT are also responsible for liaising with local IT staff to ensure that security incidents are dealt with promptly, and to ensure that compromised systems are fully cleaned and patched against known vulnerabilities before being reconnected to the network. Responsibility for blocking machines on the local network, and for the subsequent cleanup process is devolved to the local unit.

OxCERT are responsible for providing guidance for incident handling which can be found at http://www.oucs.ox.ac.uk/network/security/incidents.xml.ID=intro. Individual units are responsible for responding to security incidents in a timely manner, for following the advice and guidance given by OxCERT, and for ensuring that incidents are dealt with to the satisfaction of OxCERT.

Where OxCERT cannot impose a block on individual machines (e.g. behind NAT devices) units are expected to respond within 4 working hours. Failure to respond in such circumstances may lead to appropriate blocks on the NAT device in order to protect the integrity of the backbone network and users’ information.

Units should ensure they have sufficient contingency plans in place for dealing with security incidents. Appropriate procedures should be in place to ensure that information security events are reported through appropriate channels as quickly as possible. All employees, contractors and third party users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services. Breaches of security, such as system compromises and unauthorised access to data, should be reported to OxCERT.

Responsibilities and procedures should be established to ensure that security incidents are dealt with in a timely manner. This includes isolation of any system that is compromised and suspension of access for any person who may be responsible for misuse. Where possible, units should nominate at least two people who can be contacted by OUCS if action is required because of a network failure, system compromise, etc. and should provide a standard IT contact email address to which information, notices etc. can be sent by OUCS. Where it is not possible to have two people available, alternative contacts, who can take responsibility for the unit's ICT systems, should be provided. For all units, contingency plans should be in place to cover absence of the primary contact. Units should be able to respond to email or phone requests within 4 working hours.

Procedures should be in place to ensure that the necessary documentation is made available to OUCS if required to investigate a network or other failure or any compromise within the unit that impacts on other parts of the University. Any abusive or malicious network traffic should be easily traceable to a specific device and, where appropriate, user. The source of any such traffic should be isolated from the network. OxCERT are responsible for providing guidance on the appropriate levels of logging required.

Individual units are responsible for keeping, maintaining and testing the appropriate levels of logging. Units should be able to trace and isolate the source of any activity, identified by OxCERT, on request and are expected to respond within 4 working hours. Where a response is not received within the specified time frame, OxCERT may take appropriate action (including the possibility of blocking access to NAT devices etc.) in order to protect the integrity of the backbone network. Guidance on the levels of logging required can be found at http://www.oucs.ox.ac.uk/network/security/logging.xml.ID=logging.

Mechanisms should be in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. OUCS maintain a register of security incidents relating to the backbone network, which is available for audit and summarised in regular reports to the PRAC ICT sub-committee. The PRAC ICT sub-committee is responsible for receiving reports on breaches of security.

When dealing with incidents involving potentially illegal material the following guidelines should be observed: http://www.ict.ox.ac.uk/oxford/rules/soaguidelines.xml. Where it is necessary to collect evidence, procedures should be in place to ensure that it is collected, retained, and presented so as to conform to the relevant rules for evidence. Expert guidance should be sought and will be provided under the authority of the PRAC ICT sub-committee.

For further guidance please see the following:

10. Business Continuity Planning

Threats to business continuity include consequences of disasters, security failures, loss of service availability and loss of staff.

A risk assessment process should be conducted to classify all systems according to their level of criticality to the unit and to determine where business continuity planning is needed. Events that can cause interruptions to the business of the unit (such as system failure, loss of data or unauthorised access) should be identified, along with the probability and impact of such interruptions and their consequences for the unit and the University as a whole. Acceptable time periods for the restoration of services should be considered. Where appropriate, controls should be implemented to reduce those risks and limit the consequences of damaging incidents. In accordance with the appropriate risk assessment, plans should be developed to restore operations to an acceptable level within the required time following an interruption to, or failure of, critical business processes.

All relevant staff should be made aware of their roles and responsibilities with respect to business continuity plans and should receive appropriate training where necessary. Arrangements should be in place to ensure that systems are adequately supported during planned or unplanned absence of staff.

Business continuity plans should be periodically tested depending on the level of criticality of the system.

For more detailed guidance please see the following:

11. Compliance

These policies have been approved by Council and therefore form part of the Terms and Conditions of Employment for the University. Heads of department, college, or other unit are responsible for ensuring that information systems within their unit are implemented in compliance with these policies.

The PRAC ICT Sub-committee is responsible for ensuring that all members of the collegiate University are aware of the University's information security policy and for monitoring compliance within all units of the University. Units should ensure that all new staff, students, contractors and others with access to the unit or its network or computer systems or data, are given a copy of the University's information security policy, and of any associated unit policies and procedures. They should be reminded of these on a regular basis. Compliance with these policies should form part of any contract with a third-party that may involve access to network or computer systems or data. All users should be made aware that the requirement for compliance is devolved to them, and that they will be held individually responsible for any breach of law. Information security incidents resulting from non-compliance may result in appropriate disciplinary action.

Other statutory obligations on all members of the University are defined in the "Regulations Relating to the use of Information Technology Facilities" as approved by Council. This includes the definition of the circumstances under which the University may monitor use of its ICT systems, and the levels of authorisation required for this to be done. Guidelines can be found at http://www.ict.ox.ac.uk/oxford/rules. Procedures should be implemented to ensure the privacy of data belonging to users is maintained, and system administrators do not access a user's data without the user's permission, except as laid out in the "Regulations Relating to the use of Information Technology Facilities". If routine monitoring or recording is carried out of data or web sites accessed, etc., this should be made clear to all users of the system.

Procedures must exist to ensure that data protection and privacy laws are upheld as required in relevant legislation, regulations and, if applicable, contractual clauses. If data are to be transferred outside the European Economic Area, appropriate controls must be implemented to ensure compliance with the provisions of the Data Protection Act 1998. Cryptographic controls must be used in compliance with all relevant agreements, laws and regulations. When dealing with incidents involving potentially illegal material the following guidelines should be observed: http://www.ict.ox.ac.uk/oxford/rules/soaguidelines.xml.

Individual units should ensure that all relevant statutory, regulatory and contractual requirements and the unit's approach to meet these requirements are explicitly defined, documented and kept up to date. Procedures must be implemented to ensure the unit abides by all UK legislation and relevant legislation of the European Union.

Relevant legislation includes, but is not limited to:
  • The Computer Misuse Act (1990)
  • The Data Protection Act (1998)
  • The Regulation of Investigatory Powers Act (2000)
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations (2000)
  • The Freedom of Information Act (2000)
  • The Special Educational Needs and Disability Act (2001).

For more detailed guidance please see the following: