Network security is a large, complex topic which covers
many areas of concern. The reports submitted on this topic by
CITSADMN, the Standing Committee on Academic Computing (CITSAC),
and the Networking and Telecommunications Standing Committee (NTSC)
detail the areas that need to be addressed in projecting
campus security needs. Special attention should be paid to the
September 20, 1994, "Network Security Report,"
submitted by the NTSC which can be found in Appendix 5. This
report also includes the concerns raised by CITSADMN and
CITSAC and clearly delineates the issues before us. The NTSC
report should be used as a guide for establishing network
security policy, determining areas of risk to network security
and availability, and implementing action items to avert those
risks.
A secure network needs uniform requirements for physical
network integrity from telephone closets to classrooms,
privacy for the users of the network, and assurances of the
authenticity of data passed through the network. The campus community
should be informed of University policies on network security,
who is responsible for data and network security, and what the
penalties are for those who use networks improperly.
With respect to network security we recommend:
Recommendation SR1: A Standing Committee on Information
Security (SCIS) be established that permits regular
interaction, communication, and cooperative activity among
those who are responsible for ("owners" of) private,
non-public, proprietary data; those who are responsible for
facilitating the implementation of the hardware and
software network components required to secure these data; and
those who are needed to participate in ensuring the
authenticity of all data. It should also be the responsibility
of this committee to communicate to the managers of local
area networks on the campus those decisions which affect the local
area networks or require security measures by them. This
Committee should be chaired by the campus ISM.
Recommendation SR2: A risk audit should be sanctioned by
the ISM and be performed by the SCIS to analyze those areas
where the University is exposed to security threats. This
audit should include a study both of the types of data that
require specific security measures and of the delivery methods
that are used to deliver these data to appropriate faculty,
staff, and students. The audit should specify action items
such as those recommended in the NTSC report which should be
implemented for handling security risks.
Recommendation SR3: A University security policy should be
established which addresses policy and procedure issues as
raised in the NTSC report in the subsection titled
"Security Policy." The policy should be concise and
enforceable. Specific guidelines should be provided separately
where necessary to assist personnel in complying with the
policy. This policy should be reviewed regularly.
Network reliability is discussed extensively in the NTSC
report of June 29, 1994 (see Appendix 6). In that report it is
acknowledged that network reliability is difficult to measure
meaningfully and the general approach suggested is to develop
procedures which would work toward the goal of 100 percent
network availability to the users. The NTSC report is quite
specific and broad in its recommendations, addressing the
areas of procedures, monitoring, physical security,
environmental conditions, design, disaster recovery, personnel
and training.
Recommendation SR4: NTSC shall be briefed regularly on
changes in management procedures and network design activities
by Network Services. Similarly, other major network providers
are encouraged to report on modifications in their activities.
Recommendation SR5: Since network equipment is placed in
every building which is connected to the network, it is
necessary that space be allocated for the equipment. NTSC
should continue the study it began in this report to create
criteria for the kind and quality of the communications space.
Network providers can then use these criteria to inform users
of the requirements for space and how this may affect their
quality of service.
Recommendation SR6: The role of the network administrator
is increasingly important to a properly functioning
department. Designation of where, or from whom, a unit gets
its network support needs to be made by the unit executive.
This designation should be made explicit in the job
description of the designee and appear as part of the
evaluation process. The unit should be prepared to make
release time and training opportunities available to the
designee.
Recommendation SR7: Disaster recovery plans should be made
for the voice, video, and data networks. The role of
communications is critical in the event of a disaster; however,
such plans only make sense within the context of a larger
University plan sanctioned by the Provost. In particular, some
understanding needs to be reached about what constitutes a
disaster for a university and what is the role of the
University in the event of a disaster.
Recommendation SR8: There should be a resource for LAN
managers to call to receive troubleshooting assistance 24/7.