The Provider (Used as a generic term to signify a Ryerson faculty, school, research group, an individual researcher or professor, department or staff member) will:
· plan and implement only those IT resources that are known by current industry standards to be as secure as possible; and
· take action appropriate to the threat and risk if a system becomes compromised and/or infects other IT resources as detailed in the procedures table in this document.
Technical Support Contact (Refers to the individual who is responsible for system and network support for network resources) will:
· plan and implement only those IT resources that are known by current industry standards to be as secure as possible;
· take action appropriate to the threat and risk if a system becomes compromised and/or infects other IT resources as detailed in the procedures table in this document;
· address security vulnerabilities identified by scans which are deemed to be of significant risk to others;
· have detailed security processes and procedures that ensure the network resources connected to the RIN are as secure as possible including but not limited to the application of regular security updates as identified by CCS and vendors;
· endeavour to protect the network resources for which they are responsible, both with respect to the operation and the impact on others;
· co-operate with CCS in addressing security problems identified by network monitoring or external complaints;
· report significant security compromises to CCS;
· endeavour to employ either CCS recommended practice and guidelines or industry standard guidelines or other security measures, whichever provides the highest level of security where appropriate and practical; and
· provide their name, phone numbers and E-mail addresses for the Emergency Response Management Service (ERMS) and keep their information current.
Management Contact (Refers to the individual who is responsible for the Ryerson faculty, school, research group or department) will:
· designate a Technical Support Contact(s) for their faculty, school, research group or department’s IT resources;
· authorize the Technical Support Contact(s) to take action appropriate to the threat and risk when IT resources become compromised and pose a threat to other IT resources; and
· provide their name, phone numbers and E-mail addresses for the Emergency Response Management Service (ERMS), and keep the information current.
IT Resource User (An individual who uses an IT Resource at Ryerson) will:
· abide by Ryerson’s Information Protection Policy; and
· abide by any other policies specific to any network-enabled applications used.
Computing & Communications Services will:
· be available to provide advice on meeting compliance requirements;
· monitor RIN traffic for anomalies possibly indicating unauthorized activity or intrusion attempts;
· either carry out, or commission certified third parties to carry out, network-based security scans in order to detect known vulnerabilities or compromised systems, and review the results of those scans with the ACAC Technical Working Group and the system administrators for the resource in question;
· with the ACAC Technical Working Group, prepare summary reports of IT security incidents for Providers and Ryerson Executives;
· co-operate with the technical support contacts in maintaining the security of systems for which they are responsible;
· maintain management and technical contact information for the ERMS;
· work with Providers to keep these procedures current;
· monitor, identify and publish security alerts, incidents, software vulnerabilities, notices, recommendations and guidelines on the ACACTECH Listserv and/or Campus News Listserv on a timely basis for technical contacts, in an effort to minimize security vulnerabilities;
· provide assistance and advice to technical support contacts to the extent possible within available resources; and
· provide technical training to Providers if requested.
Monitoring and Privacy
CCS will monitor the RIN, and CCS and Providers will routinely monitor network resources attached to the RIN, but will not monitor the activities of individuals. Read access to CCS’s monitoring systems will be made available to system administrators to encourage a more proactive and collaborative response to system abuses.
Collection of various types of information is a necessary aspect of normal network management. This information includes, but is not limited to, statistics on types and volume of traffic between sources and destinations, login information, server performance, and application and process logs, but no information is routinely collected on the information content of network traffic.
When network problems occur, the appropriate staff members are authorized to collect additional information or network traffic as necessary to solve the problem and/or to protect the network resources connected to the RIN. The staff members are instructed to treat any information that turns out to be unrelated to the problem as confidential.
In cases of suspicion of abuse, written Vice President authorization is required before any staff member can provide access to confidential information beyond the system administration staff investigating a problem.
Municipal, Provincial and Federal Law Enforcement Agencies or other Law Enforcement Agencies will be given access to such information if the University is served with a search warrant. Off-campus complaints from other networked sites will be investigated, and infractions will be dealt with in the same manner as on-campus incidents, as a condition of the University's participation in the Internet.
Registration of IT Resources to CCS
Any IT resource that requires visibility to off-campus systems must be registered with CCS. Once a resource (which may include anything from a single port on a server to all ports on an entire subnet) is registered, CCS in turn will endeavour to provide timely turnaround for firewall change requests such as the opening or closing of ports. This may be facilitated using either the existing firewall registration, where active protocols and ports are already catalogued, or an online registration service run by CCS. In the event that a specific research or teaching function requires random and/or possibly insecure ports to be opened, the machines will be placed on their own subnet(s), isolated from the rest of the campus.
Responding to Disruptions or Compromises
Disruptions or compromises (abuse) of IT resources frequently come from a malfunctioning or compromised computer/server whose owner is unaware that the computer/server that they are responsible for is being used for abuse such as mail-relay, propagation of viruses, unauthorized port scans, traffic flooding, hacking, denial of service attacks and intrusions.
The primary threat is the impact the abuse is having on other schools/departments and/or the university. Therefore, the risk level of the abuse, as identified in the ACAC Risk/Response Table, will determine the action taken. It is recognized that certain types of abuse do not have the same threat level as others (such as denial of service attacks or infections).
When an abuse is detected by CCS, by a network administrator or by an IT user, the parties involved will follow the ACAC Risk/Response Table outlined in the Network and Server Security Management Procedure annex below. The responsibility then lies with (1) the network administrator and IT user where the abuse resides and (2) CCS, to follow the protocols and timelines specified in the ACAC Risk/Response Table.
RIN (Ryerson Information Network): The RIN is a fault-tolerant, redundant, non-blocking, high-speed gigabit backbone installed across campus that supports Ryerson’s teaching, scholarly, and research functions, and the administrative systems required for their operation.
IT Resource: IT resources include the RIN and computing and communications devices (including servers, peripheral equipment, workstations, personal computers, modems, etc.).
IT Resource User: An individual who uses an IT Resource at Ryerson.
Provider: Used as a generic term to signify a Ryerson faculty, school, research group, an individual researcher or professor, department or staff member.
Management Contact: Refers to the individual who is responsible for the Ryerson faculty, school, research group or department. In some instances this may be a single person, while in others the responsibility may be shared by several individuals, some of whom may be at different organizational levels. If the Provider is an individual researcher, then the Provider would be the management contact.
Technical Support Contact: Refers to the individual who is responsible for system and network support for network resources. In some instances this may be a single person, while in others the responsibility may be shared by several individuals, some of whom may be at different organizational levels.
ERMS: Emergency Response Management Service.
Abuse: Refers to any use of a computing device that threatens the RIN and its users. These include, but are not limited to, ftp servers, mail-relay, propagation of viruses or other pathogens, unauthorized port scans, traffic flooding, hacking, denial of service attacks, installations of software where such software is not permitted by system administrators, and intrusions of any description where not authorized by this policy or by the policies and procedures of the various subnet managers.
This procedure falls under the jurisdiction of the Provost and Vice President, Academic and the Vice President, Administration and Finance. The application and interpretation of the policy, and its associated procedures, is the responsibility of the Director, Computing and Communications Services, and the Chair of ACAC under direction of ACAC.