Network and Server Security Management Policy
- Related Documents: Network and Server Security Management Procedure and Annex, Minimum Cybersecurity Controls
- Owner: Computing and Communications Services (CCS)
- Approver: Provost and Vice-President, Academic; Vice-President, Administration and Operations
- Approval Dates: March 2007
Purpose
IT resources and services accessed through the Ryerson Information Network (RIN) are essential to Ryerson’s research, teaching and administrative activities. This policy is to protect the integrity of and mitigate the risks and losses associated with security threats to Ryerson’s IT resources, including their data that are connected to the RIN. It recognizes the primacy of teaching and research and the creation of deliverables thereof, as legislated in the Ryerson University Act (Ryerson University Act 1977, Section 3, page 2).
Scope
This policy’s scope is:
· To minimize any vulnerability from threats to the integrity and availability of IT resources, within Ryerson’s ‘primacy of function’ mandate recognized above.
· To block by default access to IT resources that can be scanned or compromised, leading to ethical or legal liability, as well as injury to Ryerson’s reputation, while at the same time accommodating a system flexibility that permits Ryerson’s ‘primacy of function’ mandate.
· To implement efficient IT security measures to detect attacks.
· To recover from damage done by such attacks, protecting the majority of IT resources from becoming infected with malicious code or unauthorized access.
· To provide processes that respond to queries and complaints about actual and perceived abuses, whether internal or external, and to take action to resolve the incident and to minimize the likelihood of recurrence.
Policy
IT resources deployed by units at Ryerson must not disrupt or compromise the ability of the University to deliver its ‘primacy of function’ mandate, or other Ryerson or remote resources and services.
By default computers and other networked devices at Ryerson must not be accessible to network connection requests and broadcast attacks initiated outside of Ryerson. This does not mean that computers within Ryerson cannot access the Internet. However, it does mean that where campus-based systems such as Web, E-mail, FTP, Streaming Media, and other services, servers or network segments must be accessible to the Internet, special steps are required to make them accessible.
Any IT resource will be subject to periodic vulnerability assessments by Computing & Communications Services (CCS) and/or contracted third-party IT security companies. Review of any vulnerabilities found will be the responsibility of the ACAC Technical Working Group.
Primary responsibility for the security of the University's IT resources resides with those at Ryerson who operate, maintain and/or support any IT resource.
Detailed security processes and procedures for IT resources reside with the Technical Support Contact and Management Contact, who operates, maintains and/or supports IT resources.
Jurisdiction
This policy falls under the jurisdiction of the Provost and Vice President, Academic and the Vice President, Administration and Finance. The application and interpretation of the policy, and its associated procedures, is the responsibility of the Director, Computing and Communications Services, and the Chair of ACAC under direction of ACAC.