Network and Server Security Management Procedure and Annex

Related Documents: Network and Server Security Management Policy
Owner: Computing and Communications Services (CCS)
Approval Dates: March 2007
Currently under review

Procedure

Responsibilities

The Provider (Used as a generic term to signify a Ryerson faculty, school, research group, an individual researcher or professor, department or staff member) will:

· plan and implement only those IT resources that are known by current industry standards to be as secure as possible; and

· take action appropriate to the threat and risk if a system becomes compromised and/or infects other IT resources as detailed in the procedures table in this document.

Technical Support Contact (Refers to the individual who is responsible for system and network support for network resources) will:

· plan and implement only those IT resources that are known by current industry standards to be as secure as possible;

· take action appropriate to the threat and risk if a system becomes compromised and/or infects other IT resources as detailed in the procedures table in this document;

· address security vulnerabilities identified by scans which are deemed to be of significant risk to others;

· have detailed security processes and procedures that ensure the network resources connected to the RIN are as secure as possible including but not limited to the application of regular security updates as identified by CCS and vendors;

· endeavour to protect the network resources for which they are responsible, both with respect to the operation and the impact on others;

· co-operate with CCS in addressing security problems identified by network monitoring or external complaints;

· report significant security compromises to CCS;

· endeavour to employ either CCS recommended practice and guidelines or industry standard guidelines or other security measures, whichever provides the highest level of security where appropriate and practical; and

· provide their name, phone numbers and E-mail addresses for the Emergency Response Management Service (ERMS) and keep their information current.

Management Contact (Refers to the individual who is responsible for the Ryerson faculty, school, research group or department) will:

· designate a Technical Support Contact(s) for their faculty, school, research group or department’s IT resources;

· authorize the Technical Support Contact(s) to take action appropriate to the threat and risk when IT resources become compromised and pose a threat to other IT resources; and

· provide their name, phone numbers and E-mail addresses for the Emergency Response Management Service (ERMS), and keep the information current.

IT Resource User (An individual who uses an IT Resource at Ryerson) will:

· abide by Ryerson’s Information Protection Policy; and

· abide by any other policies specific to any network-enabled applications used.

Computing & Communications Services will:

· be available to provide advice on meeting compliance requirements;

· monitor RIN traffic for anomalies possibly indicating unauthorized activity or intrusion attempts;

· either carry out or commission certified third parties to carry out network-based security scans in order to detect known vulnerabilities or compromised systems and, review the results of those scans with the ACAC Technical Working Group and the system administrators for the resource in question; with the ACAC Technical Working Group, prepare summary reports of IT security incidents for Providers and Ryerson Executives;

· co-operate with the technical support contacts in maintaining the security of systems for which they are responsible;

· maintain management and technical contact information for the ERMS;

· work with Providers to keep these procedures current;

· monitor, identify and publish security alerts, incidents, software vulnerabilities, notices, recommendations and guidelines on a timely basis for technical contacts in an effort to minimize security vulnerabilities on the ACACTECH Listserv and/or Campus News Listserv;

· provide assistance and advice to technical support contacts to the extent possible within available resources; and

· provide technical training to Providers if requested.

Monitoring and Privacy

CCS will monitor the RIN, and CCS and Providers will routinely monitor network resources attached to the RIN, but will not monitor the activities of individuals. Read access to CCS’s monitoring systems will be made available to system administrators to encourage a more proactive and collaborative response to system abuses.

Collection of various types of information is a necessary aspect of normal network management. This information includes, but is not limited to, statistics on types and volume of traffic between sources and destinations, login information, server performance, and application and process logs, but no information is routinely collected on the information content of network traffic.

When network problems occur, the appropriate staff members are authorized to collect additional information or network traffic as necessary to solve the problem and/or to protect the network resources connected to the RIN. The staff members are instructed to treat any information that turns out to be unrelated to the problem, as confidential.

In cases of suspicion of abuse, written Vice President authorization is required before any staff member can provide access to confidential information beyond the system administration staff investigating a problem.

Municipal, Provincial and Federal Law Enforcement Agencies or other Law Enforcement Agencies will be given access to such information, if the University is served with a search warrant. Off campus complaints from other networked sites will be investigated and infractions will be dealt with in the same manner as on-campus incidents, as a condition of the University's participation in the Internet.

Registration of IT Resources to CCS

Any IT resource that requires visibility to off-campus systems must be registered with CCS. Once a resource (which may include anything from a port on a server to all ports on an entire subnet) is registered, CCS in turn will endeavor to provide timely turnaround for firewall change requests such as the opening or closing of ports. This may be facilitated using either existing firewall registration where active protocols and ports are already catalogued, or via an online registration service run by CCS. In the event that a specific research or teaching function requires random and/or possibly insecure ports being opened, the machines will be isolated onto their own subnet(s) and isolated from the rest of the campus.

Responding to Disruptions or Compromises

Disruptions or compromises (abuse) of IT resources frequently come from a malfunctioning or compromised computer/server whose owner is unaware that the computer/server that they are responsible for is being used for abuse such as mail-relay, propagation of viruses, unauthorized port scans, traffic flooding, hacking, denial of service attacks and intrusions.

The primary threat is the impact the abuse is having on other schools/departments and/or the university. Therefore, the risk level as identified in the ACAC RISK RESPONSE TABLE that the abuse is causing will determine the action taken. It is recognized that certain types of abuse do not have the same threat level as others (such as denial of services attacks or infections).

When an abuse is detected by CCS or by a network administrator or an IT user, the parties involved will follow the ACAC Risk/Response Table outlined in the Network and Server Security Management Procedure annex below. The responsibility then lies with (1) the network administrator and IT user where the abuse resides and (2) CCS, to follow the protocols and time lines specified in the ACAC Risk/Response Table.

Definitions

RIN (Ryerson Information Network): The RIN is a fault-tolerant, redundant, non-blocking, high-speed gigabit backbone installed across campus that supports Ryerson’s teaching, scholarly, and research functions, and the administrative systems required for their operation.

IT Resource: IT resources include the RIN, computing and communications devices (including servers, peripheral equipment, workstations and personal computers and communication devices, modems, etc.).

IT Resource User: An individual who uses an IT Resource at Ryerson.

Provider: Used as a generic term to signify a Ryerson faculty, school, research group, an individual researcher or professor, department or staff member.

Management Contact: Refers to the individual who is responsible for the Ryerson faculty, school, research group or department. In some instances this may be a single person, while in others the responsibility may be shared by several individuals, some of whom may be at different organizational levels. If the Provider is an individual researcher, then the Provider would be the management contact.

Technical Support Contact: Refers to the individual who is responsible for system and network support for network resources. In some instances this may be a single person, while in others the responsibility may be shared by several individuals, some of whom may be at different organizational levels.

ERMS: Emergency Response Management Service.

Abuse: Refers to any use of a computing device that threatens the RIN and its users. These include, but are not limited to, ftp servers, mail-relay, propagation of viruses or other pathogens, unauthorized port scans, traffic flooding, hacking, denial of service attacks, installations of software where such software is not permitted by system administrators, and intrusions of any description where not authorized by this policy or by the policies and procedures of the various subnet managers.

Jurisdiction

This procedure falls under the jurisdiction of the Provost and Vice President, Academic and the Vice President, Administration and Finance. The application and interpretation of the policy, and its associated procedures, is the responsibility of the Director, Computing and Communications Services, and the Chair of ACAC under direction of ACAC.

Security Procedure Annex

1. Network and Server Security Management Procedure

a. When the abuse is detected by CCS, CCS will follow the ACAC RISK/RESPONSE TABLE below which pertains to all IT resource owners and users of IT equipment that is connected to the RIN including but not limited to the following: (i) It is the responsibility of CCS to monitor global advisories and network traffic and inform IT resource owners of potential problems, as well as isolate ports at the front door firewall when global vulnerabilities are found. (ii) It is the responsibility of IT resource owners to monitor their systems, apply all security updates on a regular and preferably automated basis, and act accordingly when abuses are discovered, including informing the ACAC Technical Support Group of the vulnerability. (iii) It is the responsibility of IT users of any personal device to allow security updates and other protocols to be installed if such personal devices are to have access to the RIN, and to ensure that such updates and protocols are not removed or disabled.

b. Any abuse classified as LOW will be logged by CCS and at the end of each month a report will be forwarded to:

· the School Chair, Management Contact(s) and Technical Contact(s)

· the Department Manager, Management Contact(s) and Technical Contact(s).

c. Any abuse classified as HIGH will have Post Mortem conducted and documented (Cause, Issue and Solution). The documentation will be forwarded to:

· the School Chair, Management Contact(s) and Technical Contact(s) or

· the Department Manager, Management Contact(s) and Technical Contact(s).

ACAC Risk/Response Table

Risk Level	Response
HIGH - Not containable - University-wide impact - Usually reserved for infections, denial of services attacks, network sniffing type abuses	1. If CCS detects an abuse, using the ERMS CCS informs the Technical Support Contacts or failing that the Management Contacts of the IT resources causing abuse using the ERMS system. 2. If network technical support persons detect an abuse, they must take appropriate action then inform CCS as outlined below. 3. The response timeframe is 10 minutes. 4. If no response, or the problem is not resolved within 10 minutes, CCS will take appropriate action, isolating the affected ports but making every effort to allow unaffected resources to continue functioning. 5. Follow-up with post-mortem and documentation within five days, as per the post-mortem section below.
MEDIUM - Containable - Impacting more than one school, department or group - Usually reserved for ftp server type abuses	1. Using the ERMS system contact all affected Technical Support and Management Contacts. 2. Timeframe depends on the threat at hand (i.e. speed of abuse spread, response of the IT resource causing abuse), however the abuse should be resolved within 48 hours unless it escalates. 3. CCS intensifies monitoring of the affected resource and attempts to determine if the problem has escalated to the HIGH Risk Level. 4. Isolation of affected resources not necessary as long as the abuse is contained within the affected units and not causing impact outside of the affected subgroup. 5. If not controlled by the local network administrators, it will be moved to HIGH Risk Level threat and CCS will take appropriate action by isolating the affected ports but making every effort to allow unaffected resources to continue functioning. 6. Follow-up with post-mortem and documentation within five days, as per the Post Mortem section below.
LOW - Completely containable - Impacting one machine or one school, department or group only - Could be any type of abuse but is contained (e.g. a virus on one workstation)	1. Advise Technical Support Contacts using the ERMS system. 2. CCS intensifies monitoring of the affected resource and attempts to determine if the problem has escalated to the MEDIUM or HIGH Risk Level. 3. Repeat steps 1&2 for a reasonable period of time until the issue is resolved. 4. Isolation of affected resources not necessary unless abuse cannot be contained or there is no response from local network administrators. If the problem is not resolved, CCS will take appropriate action, isolating the affected ports but making every effort to allow unaffected resources to continue functioning. 5. CCS will log incident in their IT Security Abuse Log. 6. At the end of each month, CCS will provide the Technical Support Contacts and Management Contacts a report of abuse occurrences for the month. 7. An anonymous list of incidents for the month will be submitted to ACACTECH for analysis and possible solutions to prevent repeats if possible.

Risk Level

Response

HIGH

- Not containable

- University-wide impact

- Usually reserved for infections, denial of services attacks, network sniffing type abuses

1. If CCS detects an abuse, using the ERMS CCS informs the Technical Support Contacts or failing that the Management Contacts of the IT resources causing abuse using the ERMS system.

2. If network technical support persons detect an abuse, they must take appropriate action then inform CCS as outlined below.

3. The response timeframe is 10 minutes.

4. If no response, or the problem is not resolved within 10 minutes, CCS will take appropriate action, isolating the affected ports but making every effort to allow unaffected resources to continue functioning.

5. Follow-up with post-mortem and documentation within five days, as per the post-mortem section below.

MEDIUM

- Containable

- Impacting more than one school, department or group

- Usually reserved for ftp server type abuses

1. Using the ERMS system contact all affected Technical Support and Management Contacts.

2. Timeframe depends on the threat at hand (i.e. speed of abuse spread, response of the IT resource causing abuse), however the abuse should be resolved within 48 hours unless it escalates.

3. CCS intensifies monitoring of the affected resource and attempts to determine if the problem has escalated to the HIGH Risk Level.

4. Isolation of affected resources not necessary as long as the abuse is contained within the affected units and not causing impact outside of the affected subgroup.

5. If not controlled by the local network administrators, it will be moved to HIGH Risk Level threat and CCS will take appropriate action by isolating the affected ports but making every effort to allow unaffected resources to continue functioning.

6. Follow-up with post-mortem and documentation within five days, as per the Post Mortem section below.

LOW

- Completely containable

- Impacting one machine or one school, department or group only

- Could be any type of abuse but is contained (e.g. a virus on one workstation)

1. Advise Technical Support Contacts using the ERMS system.

2. CCS intensifies monitoring of the affected resource and attempts to determine if the problem has escalated to the MEDIUM or HIGH Risk Level.

3. Repeat steps 1&2 for a reasonable period of time until the issue is resolved.

4. Isolation of affected resources not necessary unless abuse cannot be contained or there is no response from local network administrators. If the problem is not resolved, CCS will take appropriate action, isolating the affected ports but making every effort to allow unaffected resources to continue functioning.

5. CCS will log incident in their IT Security Abuse Log.

6. At the end of each month, CCS will provide the Technical Support Contacts and Management Contacts a report of abuse occurrences for the month.

7. An anonymous list of incidents for the month will be submitted to ACACTECH for analysis and possible solutions to prevent repeats if possible.

Post Mortem Procedure

The goal of the post mortem procedure is to learn from security incidents.

The purpose of the post mortem procedure is to identify process or technical reasons why a medium or high level risk/response action was initiated. It is understood that regardless of where the incident occurred, all parties involved in Ryerson’s IT system are subject to the post mortem: CCS who are responsible for the RIN, the owners of the incident site, and any other users affected by any propagation of the incident.

The post mortem will be carried out by a neutral third party selected from among the ACAC Technical Working Group, and Chaired by the Information System Security Officer.

Emergency Response Management System

Flowchart attached.