Network Security

Operations and General Administration

Responsibility: Associate Vice-President, Information and Communications Technology
Authorization: Board of Governors, University Council
Approval Date: Jun 22, 2007

Purpose

The University’s Research and Educational Network (the Network) is a shared resource that is critical to teaching, learning, research, University operations and service delivery. The Network is critical to University communications, which include data, text, voice and video.

  • To help ensure the reliable operation of the Network so that instructors, students, prospective students, researchers, staff, and other members of the University community have access to the network resources they require.
  • To help reduce the University’s liability and risk of litigation due to inappropriate or illegal use of the Network. Such usage includes but is not limited to distributing materials protected by copyright, illegal materials, confidential information and personal information.
  • To help protect the University’s reputation from harm resulting from inappropriate or illegal use of the Network.
  • To define the responsibilities, with respect to information and communications technology (ICT) security, of Network users and University providers of ICT services.

 

Principles

  • The Network is a critical University resource.

  • Everyone who uses the Network has a role in maintaining a secure network and computing environment, including students, instructors, researchers, staff and authorized guests. 

  • University ICT security measures must balance security (limiting opportunities for and the impact of network attacks) with network functionality and user productivity.

  • Users of the Network have a reasonable expectation that their communications are private.  This privacy is subject to the University’s legal obligation for disclosure and its business requirement to ensure a reliable Network service and to protect its users.

  • Information Technology Services (ITS) is responsible for the Network.

Scope of this policy

This policy applies to the Network at all University locations. The Network encompasses wired and wireless network connections in offices, libraries, student computing facilities, research laboratories, University residences and other University locations. It includes connections to external networks such as provincial, Canadian, and international research and educational networks as well as the Internet.

This policy applies to all members of the University of Saskatchewan community and authorized guests of the University:

  • who connect network-capable devices to the Network (wired or wireless) on campus;
  • who access resources or services that are located on the Network from off campus (their home or anywhere else on the Internet).

A network-capable device is any device that can connect to the Network with either a wired or wireless connection. Network-capable devices include, but are not limited to, desktop computers, laptop computers, tablet computers, printers, copiers, servers, personal digital assistants, cameras, security system equipment, robots, research equipment and VoIP phones. 

This policy governs the ICT security practices for any and all network-capable devices that use the Network regardless of whether the devices are personally owned, owned or leased by the University, acquired through a research grant or contract, or acquired by the University through some other contractual agreement (such as a gift).

This policy governs the use of equipment located at University facilities using the unlicensed radio communications spectrum whether or not it is connected to the Network, and whether or not the equipment is owned by the University. This includes, but is not limited to, wireless access points and cordless telephones. This spectrum includes the 2.4 GHz and 5 GHz bands used for 802.11a/b/g and 802.11n communications and any other spectrum allocation for similar purposes.

The policy has been developed in the context of, and is designed to complement:

  • existing University policies and guidelines, particularly the Computer Use Policy and policies governing the use of University property and services, privacy, security and copyright;
  • existing University policies and guidelines relating to student discipline and appeals, including Student Appeals in Academic Matters, Student Academic Dishonesty and Non-Academic Student Discipline and Appeals;
  • collective agreements.

Colleges, departments, administrative units or individual researchers may develop supplementary ICT security policies that provide additional detail or introduce specific restrictions regarding the appropriate use of the computing facilities for which they are responsible.

Policy

University students, instructors, researchers and staff are authorized to connect network-capable devices of an approved type to the Network. Instructors, researchers and staff may extend this authorization to guests on a temporary basis if they judge that doing so supports the University’s mission, but in doing so they assume responsibility for the guests’ behaviour. Authorization and access to the Network may be withheld or withdrawn with cause.

Only approved devices and device configurations may be connected to the Network. Information about, and configuration requirements for, approved devices will be maintained and provided by ITS. Equipment that does not comply with these requirements may not be connected to the Network. Exceptions to these requirements may be authorized to meet the academic needs of the University.

Activities that interfere with the reliable operation of the Network are prohibited. These include, but are not limited to: operating network-capable devices that attack other network-capable devices, users of the Network and the Network itself; operating wireless access points, cordless phones and other devices using the unlicensed radio communications spectrum; and impersonating or interfering with Network equipment or Network services.  Devices that interfere with the Network may be disconnected and/or removed.

Scanning and mapping the Network, as well as monitoring Network traffic, are prohibited unless authorized by ITS. Units are authorized to scan and monitor only the equipment they are responsible for maintaining, subject to this activity not interfering with the Network or others’ use of the Network.

ITS may scan devices connected to the Network for security issues and vulnerabilities. Network traffic may be monitored to help ensure a reliable Network service and to protect Network users. Devices suspected to be in violation of this policy may be disconnected from the Network.

Responsibilities

Individuals or departments who develop and/or purchase network-capable devices for use by themselves or others are responsible for ensuring that these devices meet the ICT Security Requirements. This includes computer labs and special-purpose devices such as VoIP telephone sets, network-connected debit machines and self-service kiosks.

Students, instructors, researchers and staff are responsible for ensuring that the network-capable devices they connect to the Network, or use from off campus to access resources or services located on the Network, meet University ICT Security Requirements.

Guests of the University who are authorized to connect network-capable devices to the Network are also responsible for ensuring that those devices meet University ICT Security Requirements. Members of the University community who authorize guests to connect to the Network are responsible for making them aware of this policy and their obligations under this policy.

Users of the Network must:

  • use University computing facilities and services in a responsible manner and only for the purpose for which use has been authorized. Resources are not to be used in such a way as to deny or restrict access to others;
  • comply with all University policies, regulations and guidelines regarding use of University computing facilities and services, including the Computer Use Policy;
  • respect the policies of external networks and remote sites;
  • comply with all laws.

ITS is responsible for designing, implementing and managing the Network and maintaining efficient and effective operation. This includes:

  • monitoring the Network (wired and wireless) to help ensure reliable performance as well as to detect unauthorized activity, intrusion attempts or other security risks;
  • scanning the Network and network-connected devices to detect vulnerabilities and compromised equipment;
  • disconnecting devices that are not compliant with this policy or do not meet the University’s IT Security Requirements;
  • blocking some forms of Network traffic to reduce the damage caused by viruses and other Internet-based attacks;
  • managing the allocation of the Network resource when users’ needs for Network service conflict or when the capacity of the Network is insufficient to meet the needs of all users;
  • managing the allocation of the unlicensed radio communications spectrum in University locations. 

ITS will develop, in consultation with the University community, the Approved Devices and Configurations Requirements. These requirements will address the ICT security and configuration requirements that must be met by all equipment connected to the Network, and identify configurations that are prohibited. ITS will communicate these requirements to the University community along with information about security alerts, vulnerability notices, security patches, and other pertinent information.

ITS may authorize exceptions to the Approved Devices and Configurations Requirements to meet specific academic or research needs of the University.

Procedure

ITS will develop and maintain procedures related to this policy and make these available on the ITS website.

Suspected security compromises, incidents and problems should be reported to ICT_Security@usask.ca.

Non-compliance

If there is reason to suspect that laws or University policies have been, or are being, violated, or that continued access poses a threat to the Network, network-connected devices, users, the liability of the University or the reputation of the University, access to the Network may be restricted or withdrawn.

Following due process, the University may take action against anyone whose activities are in violation of the law or of this policy. The actions taken may include, but are not limited to:

  • revocation of access to the Network or parts of it;
  • disciplinary action for students under either Council Regulations on Academic Dishonesty or Senate Non-Academic Disciplinary regulations;
  • disciplinary action for employees;
  • legal action that could result in criminal or civil proceedings.

Related Documents

There are no other documents associated with this policy.

Contact Information

Contact Person: Associate Vice-President, Information and Communications Technology
Phone: 306-966-8408