
8/12/2019 Policy2 Nsp (1/29)

2014

NAME: STACY DSOUZA (1146129)
COURSE: HR POLICY DEVELOPMENT
INSTRUCTOR: SYED JAHANGIR ALI
DATE: 28TH JUNE 2014

Network Security Policy of Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology

2014-June-27 Network Security Policy
SZABIST
Page 2

Contents

PREFACE ..... 5
Introduction ..... 6
Scope ..... 7
Goals ..... 7
Purpose ..... 8
Who Needs to Know This Policy ..... 8
Policy Statement ..... 9
Definition ..... 9
Policy Interpretation and Management ..... 9
Physical Security Policy ..... 10
User Responsibility ..... 10
Remote Access Policy ..... 11
Policy Issues ..... 11
Operational Functions ..... 12
1. Network Operations (NetOps) ..... 12
2. Academic and Administrative Departments ..... 13
3. System Administrators ..... 13
Network Users ..... 14
Proper Use of Computing Resources ..... 14
Authorization/Grant access and approve usage permission ..... 15
Network Administrators ..... 15
Virus Protection Policy ..... 16
The policy relates to ..... 16
CISCO Responsibilities ..... 16
Network Support Group Responsibilities ..... 17
Technical Support Group (TSG) Responsibilities ..... 17
End Users Responsibilities ..... 18
Noncompliance ..... 18
Self owned Computers ..... 18
Usage Policy ..... 19
Web Cache/Proxy Policy ..... 20
Web Server Policy ..... 20
Network Documentation and Access Control (cabling, labeling etc.) ..... 21
Firewall Management Policy ..... 21
Qualification of the Firewall Administrator ..... 22
Firewall Administration ..... 22
User Accounts ..... 22
Firewall Backup ..... 22
Data back up and redundancy Policy ..... 23
Disaster Contingency Policy ..... 23
Vendors Managed/Under Warranty Hosts ..... 24
Bi-Annual Report/Review of Monitoring and Management of Network ..... 24
Awareness and Training ..... 24
Users must be trained on regular basis for the implementation of this policy ..... 24
Critical IT Resources ..... 24
Emailing Policy ..... 25
Software Licensing ..... 26
Enforcement ..... 26
Policy Violation ..... 27
Determining the Response to Policy Violation(s) ..... 27
Action when Local Users Violate the Policy of a Remote Site ..... 28
Action when Remote Users Violate the Policy of the University ..... 28
Services ..... 28
Unmanaged Hosts ..... 29
Thanks ..... 29
Contact ..... 29


Network Security Policy of Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology (SZABIST)

PREFACE:

Today, the university is highly dependent upon networking and computing technologies. Our infrastructure must continue to be protected in order to ensure continuity of services for our core functions: research, education, and the business processes required to run the university. It is crucial that we state and enforce a clear network security policy to protect our students, faculty, and staff from the internal and external threats inherent in network usage. This document states the policy we currently practice, which successfully protects our network, information resources, and users. We accomplish this by looking for anomalies in network use patterns and for security vulnerabilities on the devices connected to our network.

This document establishes the network security policy for SZABIST.

The network security policy is intended to protect the integrity of campus networks and to mitigate the risks and losses associated with security threats to campus networks and network resources.

Like many other universities, SZABIST has experienced and will continue to experience security incidents encompassing a broad scope of severity. These incidents range from individual virus infections to loss of network connectivity for entire departmental zones due to denial of service attacks. The management of these incidents is a responsibility of the University. Failure to meet that responsibility could result in a tarnished reputation as well as potential legal liability.

Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data, or the unauthorized disclosure of information on research and instructional computers, student records, and financial systems, could greatly hinder the legitimate activities of University staff, faculty and students.

The University also has a legal responsibility to secure its computers and networks from misuse. Failure to exercise due diligence may lead to financial liability for damage done by persons accessing the network from or through the University.

Moreover, an unprotected University network open to abuse might be shunned by parts of the larger network community. This policy will allow SZABIST to handle network security effectively.

This policy is subject to revision and will be evaluated as the University gains experience with it. Procedures and guidelines associated with this policy will be posted on the Computer Security Administration web page.

A prior version of this policy was reviewed and approved by the president in June 2014. This policy was endorsed by the IT Head and approved by the President in February 2014.

Introduction

Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology acknowledges an obligation to ensure appropriate security for all Information Technology data, equipment, and processes within the University. This security policy is intended to ensure that the security and services of the computing resources required by the Institution are purposefully implemented and followed by its esteemed computing population. It identifies exactly what services need to be provided to the world, and what services need to be provided to the University. This security policy is formulated to reflect how SZABIST wishes to use the Intranet and Internet, while minimizing the risk of attack.

The computing resources are intended for University-related purposes, including direct and indirect support of the University's Academic, Research and Service missions; University Administrative functions; Student and campus life activities; and the free exchange of ideas within the University community and between the University community and the wider local, national, and world communities.

This policy applies to ALL in the University, and to all uses of those resources, whether on campus or from remote locations. This policy is intended to help protect network confidentiality, integrity, availability, accountability, and assurance.


Scope

SZABIST conducts significant portions of its operations via wired and wireless networks. The confidentiality, integrity and availability of the information systems, applications, and data stored and transmitted over these networks are critical to the university's reputation and success. SZABIST systems and data face threats from a variety of ever-changing sources. SZABIST is committed to protecting its systems and data from these threats, and therefore has adopted the following objectives to achieve a reasonable degree of information technology security:

o To enable all members of the university community to achieve their academic or administrative work objectives through use of a secure, efficient, and reliable technology environment.
o To protect academic, administrative and personal information from current and future threats by safeguarding its confidentiality, integrity and availability.
o To establish appropriate policies and procedures to protect information resources from theft, abuse, misuse, or any form of significant damage while still enabling community members to fulfill their roles.
o To establish responsibility and accountability for information security within the organization.
o To encourage and support management, faculty, staff and students to maintain an appropriate level of awareness, knowledge and skill to enable them to minimize the occurrence and severity of information technology security incidents.

Goals

The goals of this network security policy are:

a) To establish policies to protect the University's networks and computer systems from abuse and inappropriate use
b) To establish mechanisms that will aid in the identification and prevention of abuse of University networks and computer systems


c) To provide an effective mechanism for responding to external complaints and queries about real or perceived abuses of University networks and computer systems
d) To establish mechanisms that will protect the reputation of the University and will allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to the worldwide Internet.
e) To establish mechanisms that will support the goals of other existing policies, e.g.
   Staff / Faculty / Students Emailing Policy
   Student Handbook

Purpose

SZABIST provides an extensive computing network infrastructure to support the University's teaching, research, and service missions. This policy is an extension to the existing Student Misuse Policy and the Employee Misuse Policy, and focuses on network connectivity.

The campus has seen an increase in malicious network scans and subsequent attacks against vulnerable equipment. Therefore, it is the purpose of this policy to help protect the assets of SZABIST from these intrusions, while maintaining an open computing environment.

Computing and network communications technology is changing rapidly, and this policy may be amended at any time to meet security challenges and ensure that SZABIST's teaching, research, and service missions are not impacted. These changes will be communicated via area Consultants and TSPs in addition to being posted on the Web. Campus units may create guidelines that clarify or supplement, but not lessen, this policy.

Who Needs to Know This Policy

Faculty, staff and students


Policy Statement

ALL WHICH IS NOT EXPLICITLY PERMITTED IS PROHIBITED.

Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology provides network resources to its students, faculties and departments in support of its Academic Mission. This policy puts in place measures to prevent and minimize the number of security incidents on the campus network without impacting the academic mission.

The responsibility for the security of the University's computing resources rests with CISCO, who manages these resources. CISCO will help Network Administrators to carry out these responsibilities according to this policy.

Definition:

Individuals: access to the network requires an authorized relationship with the university, normally evidenced by the existence of current credentials within the system. In addition, users must:

o Agree to abide by all applicable policies.
o Cooperate with the process of registering each device used for network access, including desktop and laptop computers.
o Familiarize themselves with the operating procedures and unique requirements of the devices and software applications they use.

Policy Interpretation and Management

Manager CISCO will interpret the Security Policy in coordination with the Groups of CISCO. A body comprising Dean(s), General Manager(s) and HoDs will serve to review, interpret, and revise the policy as and when needed, after taking feedback from the end users whenever necessary.

Approval of the Network Security Policy is vested with the Head of IT of the University. Advice and opinions on the Policy will be given by:

a) Computer Resource Committee (CRC)
b) Value and Ethics Committee (V&EC)
c) Disciplinary Committee (DC)

Physical Security Policy

The physical security of the Computing Resources will concentrate on:

a) Critical communications links
b) Key servers
c) Key PCs

The resources will be located in physically secure areas. The keys to these areas shall reside with the Security Staff (Labs and CISCO Area) at the main gate of the University and will be issued against the signature of the CISCO Representative. The keys to the Servers will reside in CISCO and will be issued by the Network Support Group. The keys of the PCs will reside in CISCO and will be issued by the Technical Support Group.

User Responsibility

Users are responsible for all activities on their user id or activities that originate from their systems. Users are encouraged to use strong passwords and to maintain their virus protection software and system software at current levels.


Remote Access Policy

Remote access means the accessing of Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology Network resources from a site other than SZABIST (including residential areas). CISCO will coordinate the establishment of all external network connections to the SZABIST Network. CISCO and the related Department must properly document and note the entry points to the SZABIST Network.

All remote access to the SZABIST Network, whether via dial-up or Internet access, must use encryption services to protect the confidentiality of the session. Information regarding access to SZABIST computer and communication systems, such as dial-up modem phone numbers, is considered confidential. This information must not be posted on electronic bulletin boards, listed in telephone directories, placed on business cards, or made available to third parties without the written permission of CISCO.

NSG will periodically scan direct dial-in lines to monitor compliance with policies and may periodically change the telephone numbers.

Policy Issues

The assets that must be protected include:

a) Computer and Peripheral Equipment
b) Computing Premises
c) Supplies and Data Storage Media
d) System Computer Programs and Documentation
e) Application Computer Programs and Documentation


Operational Functions

1. Network Operations (NetOps)

To accomplish the goals of this policy, the WPI NetOps group will perform the following functions.

Monitor network traffic, as necessary and appropriate, for the detection of network problems, intrusions, and policy violations.
   o When a security problem is identified, NetOps will seek the cooperation of the appropriate contacts for the systems and networks involved in order to resolve such problems. If necessary, NetOps will act unilaterally to contain the problem by isolating systems and their services from the network, and will promptly notify the responsible system administrator when this is done.

Publish security alerts, vulnerability notices, patches, and other pertinent information in an effort to prevent security breaches.

Execute and review the results of automated network-based security scans of the systems and devices on university networks in order to detect vulnerabilities or compromised hosts.
   o NetOps will inform the departmental system administrators of planned scan activity. They will also provide detailed information about the scans, including time of scan, originating machine, tests performed and vulnerabilities tested. The security, operation, or functionality of the scanned machines should not be endangered by the scan.
   o NetOps will report the results of scans that identify security vulnerabilities only to the departmental system administrator contact responsible for those systems.
   o NetOps will help individual system administrators improve their skill sets if recurring vulnerabilities over multiple scans appear.
   o If identified security vulnerabilities, deemed to be a significant risk to others, are not addressed in a timely manner, NetOps may take steps to disable network access to those systems and/or devices until the problems have been rectified.

o Prepare summary reports of NetOps network security activities on a quarterly basis.
o Prepare recommendations and guidelines for network and system administrators, to be posted on the NetOps web page of the WPI website at http://www.wpi.edu/+netops.
o Provide security assistance and advice to system administrators.
o Cooperate in the identification and prosecution of activities contrary to university policies and the law. Actions will be taken in accordance with relevant university policies, codes, and procedures with, as appropriate, the involvement of the Campus Police and/or other law enforcement agencies.
o Abide by the Code of Conduct for IT Administrators.

2. Academic and Administrative Departments

In support of this policy, all academic and administrative department heads will provide the Information Technology Division (IT) with the following information and keep it up to date:

o The names of all system administrators and e-mail addresses for these contacts.
o Registration of all departmental networked devices, with full information provided at the network registration Web page.

If no contact person exists, or is provided to IT, NetOps will assume responsibility for system security.

3. System Administrators

System Administrators will perform the functions listed below:

o Protect the systems and services for which they are responsible.
o Employ recommended practices and guidelines where appropriate and practical.
o Cooperate with NetOps in addressing security problems identified by network monitoring.
o Address security vulnerabilities identified by NetOps scans deemed to be a significant risk to others.
o Report significant computer security compromises to NetOps for assistance in tracking and containing intrusions.
o Abide by the Code of Conduct for IT Administrators.

Network Users

Faculty and Staff Members, Research and Teaching Support Staff, Students, Guest Users and Dial-in Users are the network users of SZABIST.

They are responsible for understanding and respecting the security rules of the systems they have access to. Misuse of computing resources will constitute an abuse in terms of system performance. Some of the responsibilities include:

a) Users should change their passwords regularly, after at least 14 days
b) The data backup should be made by the user at his own end
c) No password sharing
d) No FULL RIGHTS open sharing of files and directories
e) Abide by the appropriate use of this policy
f) Abide by the Departmental policies governing connection to departmental networks (where applicable)

Controversial emails, postings to mailing lists and/or discussion groups (obscenity, harassment, etc.), and email spamming are strictly prohibited; they will constitute a violation of the rules and will be dealt with as per the existing Values & Ethics rules.

Proper Use of Computing Resources

The proper use of computing resources will be exclusive of the following:


a) Breaking into accounts or bypassing security
b) Cracking and/or sharing of passwords
c) Disrupting of service(s)
d) Modification of another user's file(s)
e) Sharing of accounts
f) Downloading and accessing of all pornographic, X-rated and objectionable material, or of text documents containing abusive or profane language, and all other prohibited material which comes under section 31(h) of the Pakistan Telecommunication (Re-organization) Act 1996.
g) Downloading of files that can choke the network bandwidth
h) Playing on-line games from the Internet.

Authorization/Grant access and approve usage permission

Manager Information Technology Support Services (CISCO) and Network Administrators are the authorized personnel to grant access to SZABIST computing services. Special access, like Internet and dial-in, shall be granted on the approval and permission of the Dean(s) and/or Head of the Department.

Extra privileges (read, write, scan, delete etc.) on files, system volumes, directories or systems shall be granted to users only by permission of the HoDs in the case of staff or Teaching Assistant/Research Associate, and of the Project Director/Dean(s) in the case of students.

Exceptional cases like Senior Year Projects or Research Projects shall be provided with root access or rights for the local machines for a limited period only, by TSG.

The permission of Dean(s) or Manager CISCO will be required in case the user data/content of file(s) is to be monitored for system integrity/requirements.

Network Administrators

The Network Administrator will have access to system administration privileges and passwords for services. He/she will monitor backbone network traffic in real time, as necessary and appropriate, for the detection of unauthorized activity and intrusion attempts. He/she will also:


a) Publish security alerts, vulnerability notices and patches, and other pertinent information in an effort to prevent security breaches
b) Carry out and review the results of automated network-based security scans of the systems and devices on University networks in order to detect known vulnerabilities or compromised hosts
c) Inform the Departmental System Coordinator of planned scan activity, providing detailed information about the scans, including time of scan, originating machine, and the tests and vulnerabilities tested for
d) Provide assistance and advice to the users to the extent possible with available resources
e) Monitor or list a user's files for any reason depending upon the requirements of system security and integration.

Virus Protection Policy

The policy relates to:

a) Prevent all infections
b) Prevent the loss of information/data and software on University-owned computers and minimize the cost of computing maintenance and network downtime due to virus outbreaks
c) Create, train, motivate, and empower TSG to implement virus protection software and to monitor virus outbreaks, for computers associated with SZABIST.
d) Distribute updates of virus protection software and other important campus-supported software to all University-affiliated computer users
e) Provide and continue to support the best virus protection solution that SZABIST can support
f) Require a minimum of end-user responsibilities in regard to computer virus protection practices.

CISCO Responsibilities

a) Acquire the licenses for the anti-virus software that has been decided on for use
b) Procure software and updates from the vendor as they are made available


Network Support Group Responsibilities

a) Install and maintain anti-virus software on the servers

b) Execute the appropriate level of scanning (on-demand vs. active)

c) Administrators of SMTP servers will install email attachment filters, if available, to intercept well-known viruses

d) Seek assistance or training from the software company directly

e) Maintain log files and other records of virus scans. Rotate logs on a regular basis and retain old logs and records for a period of 3 months.

f) Submit annually a report to Manager CISCO that details the number and nature of virus incidents as well as the steps taken to remove the viruses.

g) Upon finding a computer propagating a virus, immediately notify the end-user and the TSG responsible for the system, requesting that the suspect computer be shut down.

Technical Support Group (TSG) Responsibilities:

a) Provide the initial setup for campus computers

b) Distribute virus protection updates. The anti-virus software will be available for SZABIST users to install on computers on the SZABIST Network.

c) TSG has the responsibility to disconnect any client known to be an infecting agent. Such a disconnection is an emergency action.

d) Provide documentation for users

e) Provide end-users with information on how to acquire the current anti-virus software, how it works, and how to use it.

f) Provide a central repository of information regarding virus infections of University-owned computers, allowing effective reporting and analysis.


End Users Responsibilities

Computer systems owned by SZABIST will run anti-virus software, and it should be active at all times. The primary user of a computer system is responsible for keeping the computer system compliant with this virus protection policy and should:

a) Install and maintain current virus protection software

b) Be certain that the software is running correctly. If these responsibilities appear beyond the end-user's technical skills, the end-user is responsible for seeking assistance from TSG

c) Initiate disinfecting procedures or seek assistance from TSG

d) Perform regular backups of data

Noncompliance

SZABIST faculty, staff, and students not complying with this policy leave themselves and others at risk of virus infections, which could result in:

a) Damaged or lost files

b) An inoperable computer, resulting in loss of productivity

c) Risk of spread of infection to others

d) Confidential data being revealed to unauthorized persons

Self-owned Computers

A computer system owned by a faculty or staff member or student which is on campus and is directly connected to SZABIST Net will be treated the same as a University-owned computer.


Usage Policy

SZABIST has an Internet bandwidth connection of 10 Mbps with a connection to the Pakistan Education and Research Network (PERN 2), through Digital Cross Connect technology. The following rules will apply to all:

a) Monitoring and recording of all Internet usage will be done by NSG. CISCO reserves the right to monitor the usage at any time. Manager CISCO will review Internet activity and analyze usage patterns, and may choose to publicize this data to assure that company Internet resources are devoted to maintaining the highest levels of productivity.

b) The display of any kind of sexually explicit image or document on any company system is a violation of the SZABIST policy on sexual harassment. In addition, sexually explicit material may not be archived, stored, distributed, edited or recorded using our network or computing resources.

c) NSG may block access from within the SZABIST network to all such sites that are known. If someone finds himself or herself incidentally connected to a site that contains sexually explicit or offensive material, he/she must disconnect from that site immediately, regardless of whether that site had been previously deemed acceptable by any screening or rating program.

d) SZABIST Internet facilities and computing resources must not be used knowingly to violate the laws and regulations of the Islamic Republic of Pakistan.

e) Internet facilities will not be used to deliberately propagate any virus, worm, Trojan horse, or trap-door program code, to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user.

f) Each member of the SZABIST Internet community using the Internet facilities of SZABIST shall identify himself or herself honestly, accurately and completely (including one's affiliation and function where requested) when participating in chats or newsgroups, or when setting up accounts on outside computer systems.


Web Cache/Proxy Policy

Web caching, used to enhance web traffic performance for SZABIST Internet traffic, is provided through THREE proxies:

ISA Firewall/Proxy for Faculty, Staff, RA and TA

ISA Firewall/Proxy for STUDENTS of Hostels

Squid Proxy for students in Labs and guests in the REC Lab

The cache will be monitored and administered in the following manner:

Monthly reports of the proxy servers will be made using the recommended software and kept for future reference. One month of logs will be kept on the server hosts for further study and investigation if and when required.

A monthly report of the staff/faculty proxy with reference to the TOP TEN USERS will be sent to the concerned department(s) without the history.

History will only be issued on the written request of the concerned HoD to Manager CISCO.
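The monthly TOP TEN USERS report described above, as an added example that is not part of the policy or of SZABIST's own tooling. It assumes the proxy writes Squid's native access.log layout (Squid is named for the lab proxy, but the "recommended software" for reports is not named in the policy, so the format and its field positions are assumptions) and runs over constructed log lines. Users are keyed on the proxy-auth username when the proxy logged one and on the client address otherwise, and the URLs are parsed but never written to the report: that is the "history" the policy releases only on the HoD's written request.

```python
"""Monthly 'top ten users' proxy report (added example, not SZABIST's own tooling).

Assumes Squid's native access.log layout (an assumption; the policy does not name the
report software):
  <unix time> <elapsed ms> <client> <result/status> <bytes> <method> <url> <user> <hier/peer> <type>
"""
from collections import defaultdict

# Constructed sample lines for the example; not real traffic. One line is deliberately
# malformed to show that a corrupt record is skipped rather than aborting the report.
SAMPLE_LOG = """\
1403856000.123    245 203.128.1.17 TCP_MISS/200 15234 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1403856001.456     12 203.128.1.17 TCP_HIT/200 4096 GET http://example.org/style.css - NONE/- text/css
1403856002.789    980 203.128.4.5 TCP_MISS/200 1048576 GET http://example.net/big.iso - HIER_DIRECT/192.0.2.10 application/octet-stream
1403856003.001    330 203.128.0.42 TCP_MISS/200 60000 GET http://example.com/page - HIER_DIRECT/192.0.2.20 text/html
1403856004.002     50 203.128.4.5 TCP_DENIED/403 1234 GET http://blocked.example/ - NONE/- text/html
this line is corrupt and must be skipped
1403856005.003    400 203.128.0.42 TCP_MISS/200 70000 GET http://example.com/other - HIER_DIRECT/192.0.2.20 text/html
1403856006.004    100 203.128.1.99 TCP_MISS/200 500000 GET http://example.org/doc.pdf faculty01 HIER_DIRECT/93.184.216.34 application/pdf
"""


def parse_squid_line(line):
    """Return (user_key, bytes_sent, url) for one native-format line, or None if malformed.

    user_key is the proxy-auth username when the proxy logged one, else the client address.
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        bytes_sent = int(fields[4])
    except ValueError:
        return None
    client, url, user = fields[2], fields[6], fields[7]
    return (user if user != "-" else client), bytes_sent, url


def top_users(log_text, n=10):
    """Total bytes sent per user and return the top n as (user_key, bytes) pairs, largest first."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        user_key, bytes_sent, _url = parsed  # the URL is parsed but never kept: no history
        totals[user_key] += bytes_sent
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def format_report(rows, title="Staff/Faculty proxy: top users by bytes transferred"):
    """Plain-text report for the concerned department: users and volumes only, no URLs."""
    lines = [title, "-" * len(title)]
    for rank, (user_key, total) in enumerate(rows, start=1):
        lines.append(f"{rank:2d}. {user_key:<20} {total / 1_000_000:10.2f} MB")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(top_users(SAMPLE_LOG)))
```

Denied requests (TCP_DENIED) are counted like any other, since the bytes field is what the proxy actually sent to the client; filter on the result field if the department wants successful transfers only. Pointing the script at a real month of access.log only requires reading the file into `log_text`.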

Web Server Policy

a) Everyone is permitted to have a Web site.

b) No offensive or harassing material may be made available via SZABIST Web sites (this relates to the main, student, staff, faculty, RA or TA sites)

c) No personal commercial advertising may be made available via SZABIST Web sites.

d) The personal material on or accessible from the Web site is to be minimal.

e) Users are not permitted to install or run Web servers.

f) All network applications other than HTTP should be disabled (e.g., SMTP, FTP, etc.)

g) All content on SZABIST WWW servers connected to the Internet must be approved by and installed by the Web Master.

h) No confidential material may be made available on the Web site

i) There shall be no remote control of the Web server (i.e., from anywhere other than the console). All administrator operations (e.g., security changes) shall be done from the console. Supervisor-level logon shall not be done at any device other than the console.

All Web sites may be monitored as part of the company's network administration function. Any user suspected of misuse may have all their transactions logged for possible disciplinary action.

Any internal WWW servers supporting critical company applications must be protected by internal firewalls. Sensitive, confidential, and private information should never be stored on an external WWW server.

Network Documentation and Access Control (cabling, labeling etc.)

Physical access to servers and network equipment should be limited to authorized individuals such as the Network Administrators and the Equipment Maintenance Group (EMG). The keys should be under the lock and security of the University. Network cables should be organized, labeled, and protected from interference. Network documentation must be maintained to identify network nodes and the network cable color coding as well.

Firewall Management Policy

NSG is responsible for managing the firewall. Firewall administrators shall provide their home phone number, pager number, cellular phone number and other numbers or codes at which they can be contacted when support is required.


Qualification of the Firewall Administrator

a) Sound understanding of network concepts and implementation.

b) Hands-on experience with networking concepts, design, and implementation so that the firewall is configured correctly and administered properly.

Firewall Administration

a) The usernames/passwords of administrative accounts must be strongly protected.

b) Strong physical security around the firewall host, with firewall administration allowed only from an attached terminal.

User Accounts

The only user accounts on the firewall should be those of the firewall administrator and any backup administrators. In addition, only these administrators should have privileges for updating system executables or other system software. Only the firewall administrator and backup administrators will be given user accounts on the SZABIST firewall. Any modification of the firewall system software must be done by the firewall administrator or a backup administrator and needs the approval of the NSG Team Leader.

Firewall Backup

To support recovery after failure or natural disaster, a firewall, like any other network host, has to have a policy defining system backup.

a) Data files as well as system configuration files need to have a backup plan in case of firewall failure.


b) The firewall (system software, configuration data, database files, etc.) must be backed up daily, weekly, and monthly so that in case of system failure, data and configuration files can be recovered.

c) Backup files should be stored securely on read-only media so that data in storage is not over-written inadvertently, and locked up so that the media is only accessible to the appropriate personnel.

d) At least one firewall shall be configured and reserved (not in use) so that in case of a firewall failure, this backup firewall can be switched in to protect the network.

Data Backup and Redundancy Policy

All the servers (Windows and UNIX) will have WEEKLY, MONTHLY and QUARTERLY BACKUPS of the system-level and DATA-level information.

All the proxy servers will have a MONTHLY LEVEL BACKUP.

All the CRITICAL server(s) will have a redundant BACKUP server ready at all times so that services are not interrupted for a longer duration of time.

Disaster Contingency Policy

Each Department must maintain a disaster contingency plan. There must be written plans detailing procedures for various disaster scenarios, both natural and man-made. To guard against disaster, critical IT resources must be preserved against loss or corruption by appropriate backup procedures after registering them with CISCO.


Vendor Managed/Under Warranty Hosts

Vendors that manage hosts on the SZABIST network must comply with this security document. They are encouraged to use private IP addresses and should access their hosts through the SZABIST firewall via the Network Support Group. Secure encrypted authentication and communication such as SSH is encouraged; avoid using clear-text protocols such as FTP or Telnet on vendor-managed hosts. CISCO must maintain contact information for all vendors managing hosts on the SZABIST network.

Bi-Annual Report/Review of Monitoring and Management of Network

Bi-annual reports of the following will be submitted to Manager CISCO:

a) Firewall Report

b) Proxy Usage Report

c) Network Management Report

d) Web Statistics Report

e) Printing Report

Awareness and Training

CISCO members should be trained on a regular basis, from within and outside the country, to build a team of individuals with a HIGH PERFORMANCE TEAM infrastructure.

Users must be trained on a regular basis for the implementation of this policy.

Critical IT Resources

Some IT resources may need special consideration with respect to risk assessment, filtering, and notification. The relevant Department should submit a written request to register them as critical IT resources with CISCO in advance. All submissions for classification as a critical IT resource will be reviewed by the security committee and considered for approval by CISCO.

Registered critical IT resources must have IT personnel resources available 24 hours per day, 7 days per week. An incident response plan must be filed with CISCO by the relevant Department that describes risk assessment, filtering, and notification procedures. Systems classified as critical IT resources must have a documented disaster recovery plan on file within the Department.

Emailing Policy

Electronic mail should be used properly, to reduce the risk of intentional or inadvertent misuse, and to assure that official records transferred via electronic mail are properly handled.

Use of electronic mail services for purposes constituting a clear conflict with SZABIST interests or in violation of SZABIST policies is expressly prohibited.

Use of SZABIST email to participate in chain letters or moonlighting is not acceptable. Use of electronic mail is for business purposes. Limited personal use is acceptable as long as it doesn't hurt SZABIST.

The policies as advertised for Staff/Faculty and Students will stand valid, and the following will add to them:

a) All will have an email account.

b) Email address directories can be made available for public access.

c) The contents of email messages will be considered confidential, except in the case of criminal investigations.

d) Confidential or company proprietary information will not be sent by email.

e) Only authorized email software may be used (Web Outlook, Eudora, Outlook)

f) Anyone found to be deliberately misusing email will be disciplined appropriately.

g) The email system will provide a single externally accessible email address for employees. The address will not contain the name of internal systems or groups.

h) All electronic messages created and stored on SZABIST computers or networks are the property of SZABIST and are not considered private.

i) SZABIST retains the right to access employee electronic mail if it has reasonable grounds to do so. The contents of electronic mail will not be accessed or disclosed other than for security purposes or as required by law.

j) Users must not allow anyone else to send email using their accounts. This includes their supervisors, secretaries, assistants and any other subordinates.

k) If confidential or proprietary information must be sent via email, it must be encrypted so that it is only readable by the intended recipient

l) No visitors, contractors, or temporary employees may use SZABIST email.

m) Email servers shall be configured to refuse email addressed to non-SZABIST systems.

n) Email clients will be configured so that every message is signed using the digital signature of the sender.

Software Licensing

CISCO and the relevant Department have the responsibility to request the removal of software that does not comply with licensing agreements or copyright law, but it is the responsibility of the user to comply with licensing agreements and copyright law.

Any software or files downloaded via the Internet into the SZABIST network become the property of SZABIST. Any such files or software may be used only in ways that are consistent with their licenses or copyrights. No one can use SZABIST facilities knowingly to download or distribute pirated software or data.

Enforcement

Any member of the University who fails to adhere to this policy may be subject to penalties and disciplinary action, both within and outside the university. Violations will be handled through the university disciplinary procedures applicable to the relevant Department or School where applicable.

The University may temporarily suspend, block or restrict access to IT resources, IT staff, and/or segments independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of University or other IT resources or to protect the university from liability.

The University may also refer suspected violations of applicable law to appropriate law enforcement agencies.

Policy Violation

In case a violation occurs owing to an individual's negligence, accidental mistake, not having been properly informed of the current policy, or not understanding the current policy, the course of action will be initiated with an "investigation". The Network Administrator will determine how, when, by whom and why the violation occurred so that appropriate action can be taken with the consent of Manager CISCO.

When a security problem is identified, NSG will seek the co-operation of the appropriate contacts for the systems and networks involved in order to resolve such problems. However, in the absence or unavailability of the concerned individuals, NSG may need to act unilaterally to contain the problem, up to and including temporary isolation of systems or devices from the network.

The type and severity of action varies depending on the type of violation that has occurred. This may include reporting to the Values and Ethics Committee, disabling of network resources, a rigorous fine, etc.

Determining the Response to Policy Violation(s)

Domains or hosts falling within the IP classes:

a) 203.128.0

b) 203.128.1

c) 203.128.4

shall be considered INTERNAL and all others will be considered EXTERNAL.


The response to policy violations will depend on these boundaries, which imply what type of action must be taken to correct the offending party; from a written reprimand to pressing legal charges.

Action when Local Users Violate the Policy of a Remote Site

In the event that a local user violates the security policy of a remote site, the offender will be dealt with as per the user group, and appropriate action as per the V&E Committee or Administration Policies of the organization will be taken.

Action when Remote Users Violate the Policy of the University

In the event that a remote user violates the security policy of the University, the offender will be dealt with as per the University Policy, and appropriate action will be taken in coordination with Manager CISCO and the Administration Policies of the University. An official letter/email will also be sent to the suspected site's host master for the logging of a complaint and appropriate action thereupon.

Services

The "firewall" should provide the following services:

a) In/Out bound Electronic Mail (SMTP)

b) World Wide Web (http and https) through the respective proxy servers, with efforts to block X-rated sites as per the laws of PTCL, PTA and GoP.

c) Secure Shell (SSH) access to SZABIST.edu.pk servers/hosts around the world, except for X-rated.

d) DNS requests for In/Out bound Electronic Mail (MX records) and information about externally/internally visible hosts.

The "firewall" should block the following services:

a) Ping of Death daemons (incoming)

b) Chatting (MIRC/ICQ for students)

c) Spoofing

d) Denial of Service Attack and/or Smurfing etc.

e) Port scans and probes
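Two of the items in the "should block" list above (spoofing, and port scans and probes) together with the INTERNAL/EXTERNAL boundary defined under "Determining the Response to Policy Violation(s)", as an added example that is not part of the policy or of SZABIST's firewall. It reads the three IP classes as /24 networks (an assumption; the policy only says "IP classes") and runs over constructed firewall log lines in a format made up for the example, where `outside` and `inside` name the firewall's interfaces. A packet seen on the outside interface with an internal source address is reported as spoofed, and an external source touching many distinct ports on one host within a short window is reported as a scan; the window and threshold are example values, not figures from the policy.

```python
"""INTERNAL/EXTERNAL classification plus spoofing and port-scan detection over firewall
log lines (added example; not SZABIST's firewall or tooling)."""
import ipaddress
from collections import defaultdict

# The policy's INTERNAL ranges, read as /24 networks (assumption: the policy says "IP classes").
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.128.0.0/24", "203.128.1.0/24", "203.128.4.0/24")
]


def classify(addr):
    """Return 'INTERNAL' or 'EXTERNAL' for an address; raises ValueError if it is not an IP."""
    ip = ipaddress.ip_address(addr)
    return "INTERNAL" if any(ip in net for net in INTERNAL_NETWORKS) else "EXTERNAL"


# Constructed log lines in a format made up for this example (not a vendor format):
#   <epoch> <interface> <src> <dst> <proto> <dst port>
SAMPLE_LOG = """\
1403856000 outside 198.51.100.7 203.128.0.10 tcp 25
1403856001 outside 203.128.1.5 203.128.0.10 tcp 22
1403856002 outside 198.51.100.9 203.128.4.20 tcp 21
1403856003 outside 198.51.100.9 203.128.4.20 tcp 22
1403856004 outside 198.51.100.9 203.128.4.20 tcp 23
1403856005 outside 198.51.100.9 203.128.4.20 tcp 25
1403856006 outside 198.51.100.9 203.128.4.20 tcp 80
1403856007 outside 198.51.100.9 203.128.4.20 tcp 443
1403856008 inside 203.128.0.10 198.51.100.7 tcp 25
1403856500 outside 198.51.100.9 203.128.4.20 tcp 8080
not a log line
"""


def parse_log(log_text):
    """Return a list of (time, iface, src, dst, proto, dport) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 6:
            continue
        try:
            ipaddress.ip_address(f[2])
            ipaddress.ip_address(f[3])
            events.append((int(f[0]), f[1], f[2], f[3], f[4], int(f[5])))
        except ValueError:
            continue
    return events


def find_spoofed(events):
    """Packets on the outside interface claiming an INTERNAL source address.

    A genuinely internal host never arrives from outside, so such a packet is either
    spoofed or a routing fault; either way it is the 'Spoofing' item to drop and report.
    """
    return [(t, src, dst) for t, iface, src, dst, _p, _dp in events
            if iface == "outside" and classify(src) == "INTERNAL"]


def find_port_scans(events, window=60, threshold=5):
    """External sources touching at least `threshold` distinct ports on one host within `window` s.

    Returns one (src, dst, max_distinct_ports_in_a_window) tuple per offending pair.
    """
    probes = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for t, iface, src, dst, _p, dport in events:
        if iface == "outside" and classify(src) == "EXTERNAL":
            probes[(src, dst)].append((t, dport))
    hits = []
    for (src, dst), seq in probes.items():
        seq.sort()
        best, lo = 0, 0
        for hi in range(len(seq)):  # sliding time window over the time-ordered probes
            while seq[hi][0] - seq[lo][0] > window:
                lo += 1
            best = max(best, len({dport for _, dport in seq[lo:hi + 1]}))
        if best >= threshold:
            hits.append((src, dst, best))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_spoofed(evs):
        print("SPOOFED  ", hit)
    for hit in find_port_scans(evs):
        print("PORT SCAN", hit)
```

The late probe at epoch 1403856500 falls outside the 60-second window and so does not inflate the count, which is the point of windowing: a host that legitimately reaches several services over a day should not trip the threshold. The same `classify()` is what the "Determining the Response" section needs to decide whether an offending address is handled as a local or a remote user.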

Unmanaged Hosts

Unmanaged hosts are hosts that are not owned or managed by the university, such as personal laptops, computers and other devices used in housing, hostels, and classrooms. The responsibility of CISCO for unmanaged hosts ends at the wall plate. CISCO has the responsibility to identify a user at a given address at any given time. In response to an incident, CISCO must be able to investigate disruption of service to the network due to such a host.

Thanks

Thanks to ALL those who contributed in completing this policy.

Contact

ZABNET, Head of I.T.

Room: 90, Clifton campus, ground floor room 14

Timing: 10:00 - 18:00

Support Days: Monday - Saturday

Phone: (92-21) 5824461-3 Ext.118

Email: [email protected]