
2014

NAME: STACY DSOUZA (1146129)



COURSE: HR POLICY DEVELOPMENT

INSTRUCTOR: SYED JAHANGIR ALI

DATE: 28th JUNE 2014

Network Security Policy of Shaheed
Zulfiqar Ali Bhutto Institute of Science
and Technology
2014-June-27 Network Security Policy
SZABIST
Page 2


Contents
PREFACE  5
Introduction  6
Scope  7
  Goals  7
  Purpose  8
  Who Needs to Know This Policy  8
Policy Statement  9
  Definition  9
Policy Interpretation and Management  9
Physical Security Policy  10
User Responsibility  10
Remote Access Policy  11
Policy Issues  11
Operational Functions  12
  1. Network Operations (NetOps)  12
  2. Academic and Administrative Departments  13
  3. System Administrators  13
Network Users  14
Proper Use of Computing Resources  14
Authorization/Grant access and approve usage permission  15
Network Administrators  15
Virus Protection Policy  16
  The policy relates to  16
  CISCO Responsibilities  16
  Network Support Group Responsibilities  17
  Technical Support Group (TSG) Responsibilities  17
  End Users Responsibilities  18
  Noncompliance  18
  Self-owned Computers  18
Usage Policy  19
  Web Cache/Proxy Policy  20
  Web Server Policy  20
  Network Documentation and Access Control (cabling, labeling etc.)  21
Firewall Management Policy  21
  Qualification of the Firewall Administrator  22
  Firewall Administration  22
  User Accounts  22
  Firewall Backup  22
Data back up and redundancy Policy  23
Disaster Contingency Policy  23
Vendors Managed/Under Warranty Hosts  24
Bi-Annual Report/Review of Monitoring and Management of Network  24
Awareness and Training  24
  Users must be trained on a regular basis for the implementation of this policy.  24
Critical IT Resources  24
Emailing Policy  25
Software Licensing  26
Enforcement  26
Policy Violation  27
  Determining the Response to Policy Violation(s)  27
  Action when Local Users Violate the Policy of a Remote Site  28
  Action when Remote Users Violate the Policy of the University  28
Services  28
Unmanaged Hosts  29
Thanks  29
Contact  29




Network Security Policy of Shaheed Zulfiqar Ali Bhutto Institute of Science
and Technology (SZABIST)

PREFACE:

Today, the university is highly dependent upon networking and computing technologies. Our infrastructure
must continue to be protected in order to ensure continuity of services for our core functions: research,
education, and the business processes required to run the university. It is crucial that we state and enforce a
clear network security policy to protect our students, faculty, and staff from the internal and external threats
inherent in network usage. This document states the policy we currently practice, which successfully
protects our network, information resources, and users. We accomplish this by looking for anomalies in
network use patterns and for security vulnerabilities on the devices connected to our network.

This document establishes the network security policy for SZABIST.
The network security policy is intended to protect the integrity of campus networks and to mitigate the risks
and losses associated with security threats to campus networks and network resources.

Like many other universities, SZABIST has experienced and will continue to experience security incidents
encompassing a broad scope of severity. These incidents range from individual virus infections to loss of
network connectivity for entire departmental zones due to denial of service attacks. The management of
these incidents is a responsibility of the University. Failure to meet that responsibility could result in a
tarnished reputation as well as potential legal liability.

Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption
of data or unauthorized disclosure of information on research and instructional computers, student records,
and financial systems could greatly hinder the legitimate activities of University staff, faculty and students.
The University also has a legal responsibility to secure its computers and networks from misuse. Failure to
exercise due diligence may lead to financial liability for damage done by persons accessing the network
from or through the University.

Moreover, an unprotected University network open to abuse might be shunned by parts of the larger
network community. This policy will allow SZABIST to handle network security effectively.


This policy is subject to revision and will be evaluated as the University gains experience with this policy.
Procedures and guidelines associated with this policy will be posted on the Computer Security
Administration web page.

A prior version of this policy was reviewed and approved by the president in June 2014. This policy was
endorsed by the IT Head and approved by the President in February 2014.

Introduction

Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology acknowledges an obligation to ensure
appropriate security for all Information Technology data, equipment, and processes within the University.

This security policy is intended to ensure that the security and services of the computing resources required by the
Institution are purposefully implemented and followed by its computing population. It identifies
exactly what services need to be provided to the world, and what services need to be provided to the
University. This security policy is formulated to reflect how SZABIST wishes to use the Intranet and
Internet, while minimizing the risk of attack.

The computing resources are intended for University related purposes, including direct and indirect support
of the University's Academic, Research and Service missions; University Administrative functions; Student
and campus life activities; and the free exchange of ideas within the University community and among the
University community and the wider local, national, and world communities.

This policy applies to everyone in the University and to all uses of its computing resources, whether on campus or from
remote locations. This policy is intended to help protect network confidentiality, integrity, availability,
accountability, and assurance.

Scope

SZABIST conducts significant portions of its operations via wired and wireless networks. The
confidentiality, integrity and availability of the information systems, applications, and data stored and
transmitted over these networks are critical to the university's reputation and success. SZABIST systems
and data face threats from a variety of ever-changing sources. SZABIST is committed to protecting its
systems and data from these threats, and therefore has adopted the following objectives to achieve a
reasonable degree of information technology security:
o To enable all members of the university community to achieve their academic or administrative work
objectives through use of a secure, efficient, and reliable technology environment.
o To protect academic, administrative and personal information from current and future threats by
safeguarding its confidentiality, integrity and availability.
o To establish appropriate policies and procedures to protect information resources from theft, abuse,
misuse, or any form of significant damage while still enabling community members to fulfill their
roles.
o To establish responsibility and accountability for information security within the organization.
o To encourage and support management, faculty, staff and students to maintain an appropriate level
of awareness, knowledge and skill to enable them to minimize the occurrence and severity of
information technology security incidents.

Goals

The goals of this network security policy are:
a) To establish policies to protect the University's networks and computer systems from abuse and
inappropriate use
b) To establish mechanisms that will aid in the identification and prevention of abuse of University
networks and computer systems
c) To provide an effective mechanism for responding to external complaints and queries about real or
perceived abuses of University networks and computer systems
d) To establish mechanisms that will protect the reputation of the University and will allow the University to
satisfy its legal and ethical responsibilities with regard to its networks' and computer systems'
connectivity to the worldwide Internet.
e) To establish mechanisms that will support the goals of other existing policies, e.g.
   - Staff / Faculty / Students Emailing Policy
   - Student Handbook

Purpose

SZABIST provides an extensive computing network infrastructure to support the University's teaching,
research, and service missions. This policy is an extension of the existing Student Misuse Policy and the
Employee Misuse Policy, and focuses on network connectivity.

The campus has seen an increase in malicious network scans and subsequent attacks against vulnerable
equipment. Therefore, it is the purpose of this policy to help protect the assets of SZABIST from these
intrusions, while maintaining an open computing environment.

Computing and network communications technology is changing rapidly, and this policy may be amended at
any time to meet security challenges and to ensure that SZABIST's teaching, research, and service missions are not
impacted. These changes will be communicated via area Consultants and TSPs in addition to being posted
on the Web. Campus units may create guidelines that clarify or supplement, but not lessen, this policy.

Who Needs to Know This Policy

Faculty, staff and students


Policy Statement

ALL WHICH IS NOT EXPLICITLY PERMITTED IS PROHIBITED.

Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology provides network resources to its students,
faculties and departments in support of its Academic Mission. This policy puts in place measures to prevent
and minimize the number of security incidents on the campus network without impacting the academic
mission.
The responsibility for the security of the University's computing resources rests with the CISCO, who
manages these resources. CISCO will help Network Administrators to carry out these responsibilities
according to this policy.

Definition:
Individuals: access to the network requires an authorized relationship with the university, normally
evidenced by the existence of current credentials within the system. In addition, users must:
- Agree to abide by all applicable policies.
- Cooperate with the process of registering each device used for network access, including desktop
  and laptop computers.
- Familiarize themselves with the operating procedures and unique requirements of the devices and
  software applications they use.

Policy Interpretation and Management

Manager CISCO will interpret the Security Policy in coordination with the Groups of CISCO.

A body comprising Dean(s), General Manager(s) and HoDs will serve to review, interpret, and revise the
policy as and when needed, after taking feedback from the end users whenever necessary.

Approval of the Network Security Policy is vested with the Head of IT of the University. Advice and opinions
on the Policy will be given by:

a) Computer Resource Committee (CRC)
b) Value and Ethics Committee (V&EC)
c) Disciplinary Committee (DC)

Physical Security Policy

The physical security of the Computing Resources will concentrate on:

a) Critical communications links
b) Key servers
c) Key PCs

The resources will be located in physically secure areas. The keys to these areas shall reside with Security
Staff (Labs and CISCO Area) at the main gate of the University and will be issued against the signature of the
CISCO Representative. The keys to the Servers will reside in CISCO and will be issued by the Network
Support Group. The keys to the PCs will reside in CISCO and will be issued by the Technical Support Group.

User Responsibility

Users are responsible for all activities performed under their user ID and for all activities that originate from their systems.
Users are encouraged to use strong passwords and to keep their virus protection software and system
software at current levels.

Remote Access Policy

Remote access means accessing Shaheed Zulfiqar Ali Bhutto Institute of Science and Technology
Network resources from a site other than SZABIST (including residential areas). CISCO will coordinate the
establishment of all external network connections to the SZABIST Network. CISCO and the related
Department must properly document and record the entry points to the SZABIST Network.

All remote access to SZABIST Network, whether via dial-up or Internet access, must use encryption
services to protect the confidentiality of the session. Information regarding access to SZABIST computer
and communication systems, such as dial-up modem phone numbers, is considered confidential. This
information must not be posted on electronic bulletin boards, listed in telephone directories, placed on
business cards, or made available to third parties without the written permission of CISCO.

NSG will periodically scan direct dial-in lines to monitor compliance with policies and may periodically
change the telephone numbers.

Policy Issues

The assets that must be protected include:

a) Computer and Peripheral Equipment
b) Computing Premises
c) Supplies and Data Storage Media
d) System Computer Programs and Documentation
e) Application Computer Programs and Documentation

Operational Functions


1. Network Operations (NetOps)

To accomplish the goals of this policy, the WPI NetOps group will perform the following functions.

- Monitor network traffic, as necessary and appropriate, for the detection of network problems,
  intrusions, and policy violations.
  o When a security problem is identified, NetOps will seek the cooperation of the appropriate
    contacts for the systems and networks involved in order to resolve such problems. If
    necessary, NetOps will act unilaterally to contain the problem by isolating systems and their
    services from the network, and promptly notify the responsible system administrator when
    this is done.
- Publish security alerts, vulnerability notices, patches, and other pertinent information in an effort to
  prevent security breaches.
- Execute and review the results of automated network-based security scans of the systems and
  devices on university networks in order to detect vulnerabilities or compromised hosts.
  o NetOps will inform the departmental system administrators of planned scan activity. They
    will also provide detailed information about the scans, including time of scan, originating
    machine, tests performed and vulnerabilities tested. The security, operation, or functionality
    of the scanned machines should not be endangered by the scan.
  o NetOps will report the results of scans that identify security vulnerabilities only to the
    departmental system administrator contact responsible for those systems.
  o NetOps will help individual system administrators improve their skill sets if recurring
    vulnerabilities over multiple scans appear.
  o If identified security vulnerabilities, deemed to be a significant risk to others, are not
    addressed in a timely manner, NetOps may take steps to disable network access to those
    systems and/or devices until the problems have been rectified.
- Prepare summary reports of NetOps network security activities on a quarterly basis.
- Prepare recommendations and guidelines for network and system administrators, to be
  posted on the NetOps web page of the WPI website at http://www.wpi.edu/+netops.
- Provide security assistance and advice to system administrators.
- Cooperate in the identification and prosecution of activities contrary to university policies and
  the law. Actions will be taken in accordance with relevant university policies, codes, and
  procedures with, as appropriate, the involvement of the Campus Police and/or other law
  enforcement agencies.
- Abide by the Code of Conduct for IT Administrators.

2. Academic and Administrative Departments

In support of this policy all academic and administrative department heads will provide the Information
Technology Division (IT) with the following information and keep it up to date:

- The names of all system administrators and e-mail addresses for these contacts.
- Registration of all departmental networked devices, with full information provided at the network
  registration Web page.

If no contact person exists, or is provided to IT, NetOps will assume responsibility for system security.

3. System Administrators

System Administrators will perform the functions listed below:

- Protect the systems and services for which they are responsible.
- Employ recommended practices and guidelines where appropriate and practical.
- Cooperate with NetOps in addressing security problems identified by network monitoring.
- Address security vulnerabilities identified by NetOps scans deemed to be a significant risk to others.
- Report significant computer security compromises to NetOps for assistance in tracking and
  containing intrusions.
- Abide by the Code of Conduct for IT Administrators.

Network Users

Faculty and Staff Members, Research and Teaching Support Staff, Students, Guest Users and Dial-in
Users are the network users of SZABIST.
They are responsible for understanding and respecting the security rules of the systems they have access
to. Misuse of computing resources constitutes an abuse that degrades system performance for others. Some of the
responsibilities include:
a) Users should change their passwords regularly after at least 14 days
b) The data backup should be made by the user at his own end
c) No password sharing
d) No FULL RIGHTS open sharing of files and directories
e) Abide by the appropriate use of this policy
f) Abide by the Departmental policies governing connection to departmental networks (where applicable)
Controversial emails, postings to mailing lists and/or discussion groups (obscenity, harassment, etc.), and email
spamming are strictly prohibited; they constitute a violation of the rules and will be dealt with as per the
existing Values & Ethics rules.


Proper Use of Computing Resources

Proper use of computing resources excludes the following:
a) Breaking into accounts or bypassing security
b) Cracking and/or Sharing of passwords
c) Disrupting of service(s)
d) Modification of another user file(s)
e) Sharing of accounts
f) Downloading and accessing of all pornographic, X rated and objectionable material or of text
documents containing abusive or profane language and all other prohibited material which comes under
section 31(h) of Pakistan Telecommunication (Re-organization) Act 1996.
g) Downloading of files that can choke the network bandwidth
h) Playing on-line games from the Internet.


Authorization/Grant access and approve usage permission

Manager Information Technology Support Services (CISCO) and Network Administrators are the authorized
personnel to grant access to SZABIST computing services. Special access like Internet and dial in shall be
granted on the approval and permission of the Dean(s) and/or Head of the Department.
Extra privileges (read, write, scan, delete etc.) on the files, system volumes, directories or systems shall be
granted to the users only by the permission of the HoDs in case of staff or Teaching Assistant/Research
Associate and Project Director/Dean (s) in case of students.
Exceptional cases like Senior Year Projects or Research Projects shall be provided with root access or
rights for the local machines for a limited period only by TSG.
The permission of Dean(s) or Manager CISCO will be required in case the user data/content of file(s) is to
be monitored for system integrity/requirements.

Network Administrators
The Network Administrator will have access to system administration privileges and passwords for services.
He/she will monitor backbone network traffic in real time, as necessary and appropriate, for the detection
of unauthorized activity and intrusion attempts. He/she will also:
a) Publish security alerts, vulnerability notices and patches, and other pertinent information in an effort to
prevent security breaches
b) Carry out and review the results of automated network-based security scans of the systems and
devices on University networks in order to detect known vulnerabilities or compromised hosts
c) Inform the Departmental System Coordinator of planned scan activity providing detailed information
about the scans, including time of scan, originating machine, and test and vulnerabilities tested for
d) Provide assistance and advice to the users to the extent possible with available resources
e) Monitor or list a user's files for any reason depending upon the requirement of the system security and
integration.


Virus Protection Policy

The policy relates to:
a) Prevent all infections
b) Prevent the loss of information/data and software on University-owned computers and minimize the
cost of computing maintenance and network downtime by virus outbreaks
c) Create, train, motivate, and empower TSG to implement virus protection software and to monitor virus
outbreaks on computers associated with SZABIST.
d) Distribute updates of virus protection software and other important campus-supported software to all
University-affiliated computer users
e) Provide and continue to support the best virus protection solution that SZABIST can support
f) Require a minimum of end-user responsibilities in regard to computer virus protection practices.

CISCO Responsibilities

a) Acquire the licenses for anti-virus software that have been decided on for use
b) Procure software and updates from the vendor as they are made available
Network Support Group Responsibilities

a) Install and maintain anti-virus software on the servers
b) Execute the appropriate level of scanning (on-demand vs. active)
c) Administrators of SMTP servers will install email attachment filters, if available, to intercept well known
viruses
d) Seek assistance or training from software company directly
e) Maintain log files and other records of virus scans. Rotate logs on a regular basis and retain old logs
and records for a period of 3 months.
f) Submit annually, a report to Manager CISCO that details the number and nature of virus incidents as
well as the steps taken to remove the viruses.
g) Upon finding a computer propagating a virus, immediately notify the end-user and the TSG member responsible for
the system, requesting that the suspect computer be shut down.


Technical Support Group (TSG) Responsibilities:

a) Provide the initial setup for campus computers
b) Distribute virus protection updates. The anti-virus software will be available for SZABIST users to install
on computers on the SZABIST Network.
c) TSG has the responsibility to disconnect any client known to be an infecting agent. Such a
disconnection is an emergency action.
d) Provide documentation for users
e) Provide end-users with information on how to acquire the current anti-virus software, how it works,
and how to use it.
f) Provide a central repository of information regarding infections by viruses of University owned
computers allowing effective reporting and analysis.

End Users Responsibilities

Computer systems owned by SZABIST will run anti-virus software, and it should be active at all times. The
primary user of a computer system is responsible for keeping the computer system compliant with this virus
protection policy and should:
a) Install and maintain current virus protection software
b) Be certain that the software is running correctly. If these responsibilities appear beyond the end-user's
technical skills, the end-user is responsible for seeking assistance from TSG
c) Initiate disinfecting procedures or seek assistance from TSG
d) Perform regular backups of data

Noncompliance

SZABIST faculty, staff, and students not complying with this policy leave themselves and others at risk of
virus infections which could result in:
a) Damaged or lost files
b) Inoperable computer resulting in loss of productivity
c) Risk of spread of infection to others
d) Confidential data being revealed to unauthorized persons

Self owned Computers

A computer system owned by a faculty, staff member, or student which is on campus and is directly
connected to SZABIST Net will be treated the same as a University-owned computer.



Usage Policy

SZABIST has a 10 Mbps Internet connection to the Pakistan Education and Research Network (PERN 2),
delivered through Digital Cross Connect technology. The following rules apply to all users:
a) Monitoring and recording of all Internet usage will be done by NSG. CISCO reserves the right to monitor
usage at any time. Manager CISCO will review Internet activity and analyze usage patterns, and
may choose to publicize this data to ensure that SZABIST Internet resources are devoted to
maintaining the highest levels of productivity.

b) The display of any kind of sexually explicit image or document on any SZABIST system is a violation of
the SZABIST policy on sexual harassment. In addition, sexually explicit material may not be archived,
stored, distributed, edited or recorded using SZABIST network or computing resources.
c) NSG may block access from within the SZABIST network to all such sites that are known. If a user
inadvertently connects to a site that contains sexually explicit or offensive material, he/she must
disconnect from that site immediately, regardless of whether that site had been previously deemed
acceptable by any screening or rating program.
d) SZABIST Internet facilities and computing resources must not be used knowingly to violate the laws
and regulations of the Islamic Republic of Pakistan.
e) Internet facilities will not be used to deliberately propagate any virus, worm, Trojan horse, or trap-door
program code, disable or overload any computer system or network, or to circumvent any system
intended to protect the privacy or security of another user.
f) Each member of the SZABIST Internet community using the Internet facilities of SZABIST shall identify
himself or herself honestly, accurately and completely (including one's affiliation and function where
requested) when participating in chats or newsgroups, or when setting up accounts on outside
computer systems.





Web Cache/Proxy Policy

Web caching for SZABIST Internet traffic is provided through three proxies:
ISA Firewall/Proxy for Faculty, Staff, RA and TA
ISA Firewall/Proxy for STUDENTS of Hostels
Squid Proxy for students in Labs and guests in the REC Lab
The cache will be monitored and administered in the following manner:
Monthly reports of the proxy servers will be produced using the recommended software and kept for future
reference. One month of logs will be kept on the server hosts for further study and investigation if and
when required.

A monthly report of the staff/faculty proxy listing the TOP TEN USERS will be sent to the concerned
department(s) without the browsing history.

History will only be issued on the written request of the concerned HoD to Manager CISCO
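As an added example (not part of the SZABIST policy or its tooling; the page does not name the "recommended software"), the following Python script produces the kind of TOP TEN USERS report described above from a Squid-format access log. It aggregates bytes and request counts per client address and reports only those totals; the per-client URL history lives in a separate function that would be run only on a HoD's written request. The log lines are constructed for the example, and the field layout follows Squid's native access.log format.

```python
import re
from collections import defaultdict

# Squid native access.log format, whitespace separated:
# time elapsed client action/code bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one access.log line; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip rather than abort the whole monthly report
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def top_users(lines, n=10):
    """Aggregate bytes and request counts per client; return the top n.

    Only totals are returned, which is what the department report contains.
    """
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = totals[rec["client"]]
        t["bytes"] += rec["bytes"]
        t["requests"] += 1
    # Largest consumer first; tie-break on address so output is stable.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1]["bytes"], kv[0]))
    return [(client, t["bytes"], t["requests"]) for client, t in ranked[:n]]


def history(lines, client):
    """Per-client URL history; released only on the HoD's written request."""
    return [(r["ts"], r["method"], r["url"], r["bytes"])
            for r in map(parse_line, lines) if r and r["client"] == client]


def format_report(rows):
    """Render the top-users rows as a plain-text table."""
    out = ["client            bytes     requests"]
    for client, nbytes, nreq in rows:
        out.append(f"{client:<16} {nbytes:>9} {nreq:>8}")
    return "\n".join(out)


# Constructed sample log lines (not real SZABIST proxy data).
SAMPLE_LOG = [
    "1403856000.123    245 203.128.4.55 TCP_MISS/200 15320 GET http://example.org/page.html - DIRECT/93.184.216.34 text/html",
    "1403856001.456     12 203.128.4.55 TCP_HIT/200 40960 GET http://example.org/big.zip - NONE/- application/zip",
    "1403856002.789    310 203.128.4.56 TCP_MISS/200 2048 GET http://example.net/ - DIRECT/203.0.113.5 text/html",
    "1403856003.001     50 203.128.4.57 TCP_DENIED/403 512 CONNECT blocked.example:443 - HIER_NONE/- -",
    "this line is garbage",
]

if __name__ == "__main__":
    print(format_report(top_users(SAMPLE_LOG)))
```

To run it against a real file, replace SAMPLE_LOG with the lines of /var/log/squid/access.log; the report deliberately never prints URLs, so the history function has to be called explicitly for a named client.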

Web Server Policy

a) Everyone is permitted to have a Web site.
b) No offensive or harassing material may be made available via SZABIST Web sites (relates to main,
student, staff, faculty, ra or ta sites)
c) No personal commercial advertising may be made available via SZABIST Web sites.
d) The personal material on or accessible from the Web site is to be minimal.
e) Users are not permitted to install or run Web servers.
f) All network services other than HTTP should be disabled on the Web server (e.g., SMTP, FTP, etc.)
g) All content on SZABIST WWW servers connected to the Internet must be approved by and installed by
the Web Master.
h) No confidential material may be made available on the Web site
i) There shall be no remote control of the Web server (i.e., from other than the console.) All administrator
operations (e.g., security changes) shall be done from the console. Supervisor-level logon shall not be
done at any device other than the console.

All Web sites may be monitored as part of SZABIST's network administration function. Any user
suspected of misuse may have all their transactions logged for possible disciplinary action.

Any internal WWW servers supporting critical SZABIST applications must be protected by internal firewalls.
Sensitive, confidential, and private information should never be stored on an external WWW server.

Network Documentation and Access Control (cabling, labeling etc.)

Physical access to servers and network equipment should be limited to authorized individuals like Network
Administrators and Equipment Maintenance Group (EMG). The keys should be under lock and security of
University. Network cables should be organized, labeled, and protected from interference. Network
documentation must be maintained to identify network node and network cable color coding as well.


Firewall Management Policy

NSG is responsible for managing the firewall. Firewall administrator shall provide their home phone
number, pager number, cellular phone number and other numbers or codes in which they can be contacted
when support is required.




Qualification of the Firewall Administrator

a) Sound understanding of network concepts and implementation.
b) Hands-on experience with networking concepts, design, and implementation so that the firewall is
configured correctly and administered properly.

Firewall Administration

a) The username/password of administrative accounts must be strongly protected.
b) Maintain strong physical security around the firewall host and allow firewall administration only from
a directly attached terminal.

User Accounts

Only the firewall administrator and backup administrators will be given user accounts on the SZABIST
firewall, and only these administrators may have privileges to update system executables or other system
software. Any modification of the firewall system software must be done by the firewall administrator or a
backup administrator and needs the approval of the NSG Team Leader.


Firewall Backup

To support recovery after failure or natural disaster, the firewall, like any other network host, must have a
defined system backup policy.

a) Data files as well as system configuration files need a backup plan in case of firewall
failure.
b) The firewall (system software, configuration data, database files, etc. ) must be backed up daily, weekly,
and monthly so that in case of system failure, data and configuration files can be recovered.
c) Backup files should be stored securely on a read-only media so that data in storage is not over-written
inadvertently and locked up so that the media is only accessible to the appropriate personnel.
d) At least one firewall shall be configured and reserved (not-in-use) so that in case of a firewall failure,
this backup firewall can be switched in to protect the network.

Data back up and redundancy Policy

All servers (Windows and UNIX) will have WEEKLY, MONTHLY and QUARTERLY BACKUPS of system and
data level information.

All proxy servers will have a MONTHLY BACKUP.

All CRITICAL server(s) will have a redundant BACKUP server ready at all times so that services
are not interrupted for a long duration.


Disaster Contingency Policy

Each Department must maintain a disaster contingency plan. There must be written plans detailing
procedures for various disaster scenarios, both natural and man made. To guard against disaster, critical IT
resources must be preserved against loss or corruption by appropriate backup procedures after registering
them with CISCO.





Vendors Managed/Under Warranty Hosts

Vendors that manage hosts on the SZABIST network must comply with this security document. They are
encouraged to use private IP addresses and should access their hosts through the SZABIST firewall, as
arranged by the Network Support Group. Secure encrypted authentication and communication such as SSH
is encouraged; avoid using clear text protocols such as FTP or Telnet on vendor managed hosts. CISCO must
maintain contact information for all vendors managing hosts on the SZABIST network.

Bi-Annual Report/Review of Monitoring and Management of Network

Bi-Annual reports of the following will be submitted to Manager CISCO:
a) Firewall Report
b) Proxy Usage Report
c) Network Management Report
d) Web Statistics Report
e) Printing Report

Awareness and Training

CISCO members should be trained on a regular basis, within and outside the country, to build a high
performance team.
Users must be trained on a regular basis on the implementation of this policy.

Critical IT Resources

Some IT resources may need special consideration with respect to risk assessment, filtering, and
notification. The relevant Department should submit a written request to register them as a critical IT
resource with CISCO in advance. All submissions for classification as a critical IT resource will be reviewed by the
security committee and considered for approval by CISCO.
Registered critical IT resources must have IT personnel resources available 24 hours per day, 7 days per
week. An incident response plan must be filed with the CISCO by the relevant Department that describes
risk assessment, filtering, and notification procedures. Systems classified as critical IT resources must have
a documented disaster recovery plan on file within the Department.

Emailing Policy

Electronic mail should be used properly, to reduce the risk of intentional or inadvertent misuse, and to
assure that official records transferred via electronic mail are properly handled.

Use of electronic mail services for purposes constituting clear conflict of SZABIST interests or in violation of
SZABIST policies is expressly prohibited.

Use of SZABIST email to participate in chain letters or moonlighting is not acceptable. Use of electronic
mail is for business purposes. Limited personal use is acceptable as long as it does not harm SZABIST.

The policies as published for Staff/Faculty and Students remain valid, and the following are added to them:

a) All will have an email account.
b) Email address directories can be made available for public access.
c) The contents of email messages will be considered confidential, except in the case of criminal
investigations.
d) Confidential or company proprietary information will not be sent by email.
e) Only authorized email software may be used (Web Outlook, Eudora, Outlook)
f) Anyone found to be deliberately misusing email will be disciplined appropriately.
g) The email system will provide a single externally accessible email address for employees. The address
will not contain the name of internal systems or groups.
h) All electronic messages created and stored on SZABIST computers or networks are property of
SZABIST and are not considered private.
i) SZABIST retains the right to access employee electronic mail if it has reasonable grounds to do so. The
contents of electronic mail will not be accessed or disclosed other than for security purposes or as
required by law.
j) Users must not allow anyone else to send email using their accounts. This includes their supervisors,
secretaries, assistants and any other subordinates.
k) If confidential or proprietary information must be sent via email, it must be encrypted so that it is only
readable by the intended recipient
l) No visitors, contractors, or temporary employees may use SZABIST email.
m) Email servers shall be configured to refuse to relay email addressed to non-SZABIST systems on behalf
of external senders (i.e. they must not operate as open relays).
n) Email clients will be configured so that every message is signed using the digital signature of the
sender.


Software Licensing

CISCO and the relevant Department have the responsibility to request the removal of software that does not
comply with licensing agreements or copyright law, but it is the responsibility of the user to comply with
licensing agreements and copyright law.
Any software or files downloaded via the Internet into the SZABIST network become the property of
SZABIST. Any such files or software may be used only in ways that are consistent with their licenses or
copyrights. No one may use SZABIST facilities knowingly to download or distribute pirated software or data.

Enforcement

Any member of the University who fails to adhere to this policy may be subject to penalties and disciplinary
action, both within and outside the University. Violations will be handled through the University disciplinary
procedures applicable to the relevant Department or School where applicable.
The University may temporarily suspend, block or restrict access to IT resources, IT staff, and/or network
segments, independently of such procedures, when it reasonably appears necessary to do so in order to protect the
integrity, security, or functionality of University or other IT resources or to protect the university from liability.
The University may also refer suspected violations of applicable law to appropriate law enforcement
agencies.


Policy Violation

In case a violation occurs owing to an individual's negligence, accidental mistake, not having been properly
informed of the current policy, or not understanding the current policy, the course of action will begin
with an investigation. The Network Administrator will determine how, when, by whom and why the violation
occurred so that appropriate action can be taken in consultation with Manager CISCO.

When a security problem is identified, NSG will seek the co-operation of the appropriate contacts for the
systems and networks involved in order to resolve the problem. However, if the concerned individuals are
absent or unavailable, NSG may need to act unilaterally to contain the problem, up to and including
temporary isolation of systems or devices from the network.

The type and severity of action varies depending on the type of violation that has occurred, ranging from
a report to the Values and Ethics Committee to disabling of network resources, a rigorous fine, etc.

Determining the Response to Policy Violation(s)

Domains or hosts falling within the IP classes:
a) 203.128.0
b) 203.128.1
c) 203.128.4
(i.e. addresses of the form 203.128.0.x, 203.128.1.x and 203.128.4.x)

shall be considered INTERNAL and all others will be considered EXTERNAL.

The response to a policy violation depends on which side of this boundary the offending party falls, which
determines what type of action must be taken; it ranges from a written reprimand to pressing legal charges.

Action when Local Users Violate the Policy of a Remote Site
In the event that a local user violates the security policy of a remote site, the offender will be dealt with
according to his or her user group, and appropriate action will be taken as per the V&E Committee or
Administration Policies of the organization.

Action when Remote Users Violate the Policy of the University
In the event that a remote user violates the security policy of the University, the offender will be dealt with
according to University Policy, with appropriate action taken in coordination with Manager CISCO and the
Administration Policies of the University. An official letter/email will also be sent to the hostmaster of the
suspected site to log the complaint and request appropriate action there.

Services

The "firewall" should provide the following services:
a) In/Out bound Electronic Mail (SMTP)
b) World Wide Web (http and https) through the respective proxy servers, with efforts to block X-rated
sites as per the laws of PTCL, PTA and GoP.
c) Secure Shell (SSH) access to SZABIST.edu.pk servers/hosts from anywhere in the world (X-rated sites
excepted).
d) DNS requests for In/Out bound Electronic Mail (MX records) and information about externally/internally
visible hosts.

The "firewall" should block the following services:
a) Ping of Death daemons (incoming)
b) Chatting (MIRC/ICQ for students)
c) Spoofing
d) Denial of Service Attack and/or Smurfing etc.
e) Port scans and probes
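The page does not say which product implements the "firewall", so the following is an added illustration in Python of the policy logic above, not a SZABIST configuration. It classifies addresses as INTERNAL or EXTERNAL using the ranges from the "Determining the Response to Policy Violation(s)" section (reading each listed IP class as a /24, which is an assumption), applies the allowed-services list, requires that web traffic leave only through the proxies (the proxy addresses below are hypothetical), drops spoofed packets, and flags port scans in a set of constructed flow records.

```python
import ipaddress
from collections import defaultdict

# Ranges the policy treats as INTERNAL. The page lists "203.128.0",
# "203.128.1" and "203.128.4"; treating each as a /24 is an assumption.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("203.128.0.0/24", "203.128.1.0/24", "203.128.4.0/24")]

# Hypothetical addresses for the three proxies named in the policy;
# HTTP/HTTPS may only leave the campus through them.
PROXIES = {ipaddress.ip_address(a) for a in
           ("203.128.0.10", "203.128.1.10", "203.128.4.10")}

# Services the policy says the firewall should provide, keyed by port.
ALLOWED_PORTS = {25: "smtp", 53: "dns", 22: "ssh", 80: "http", 443: "https"}

PORT_SCAN_THRESHOLD = 5  # distinct destination ports touched by one source


def zone(addr):
    """Return 'INTERNAL' or 'EXTERNAL' for an address per the policy."""
    ip = ipaddress.ip_address(addr)
    return "INTERNAL" if any(ip in net for net in INTERNAL_NETS) else "EXTERNAL"


def decide(pkt):
    """Apply the policy to one flow record; return (verdict, reason)."""
    src = pkt["src"]
    # Anti-spoofing: traffic arriving from outside must not claim an internal
    # source, and traffic leaving must not claim an external one.
    if pkt["direction"] == "in" and zone(src) == "INTERNAL":
        return "DROP", "spoofed internal source on external interface"
    if pkt["direction"] == "out" and zone(src) == "EXTERNAL":
        return "DROP", "spoofed external source on internal interface"
    svc = ALLOWED_PORTS.get(pkt["dport"])
    if svc is None:
        return "DROP", "service not in allowed list"
    # Outbound web traffic is allowed only from the proxies.
    if (svc in ("http", "https") and pkt["direction"] == "out"
            and ipaddress.ip_address(src) not in PROXIES):
        return "DROP", "direct web access bypassing proxy"
    return "ACCEPT", svc


def find_port_scanners(packets, threshold=PORT_SCAN_THRESHOLD):
    """Return sources that touched at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for p in packets:
        ports[p["src"]].add(p["dport"])
    return sorted(s for s, seen in ports.items() if len(seen) >= threshold)


# Constructed flow records (not real SZABIST traffic).
SAMPLE = [
    {"direction": "in",  "src": "198.51.100.7", "dst": "203.128.0.25", "dport": 25},
    {"direction": "in",  "src": "203.128.0.77", "dst": "203.128.0.25", "dport": 25},
    {"direction": "out", "src": "203.128.0.10", "dst": "93.184.216.34", "dport": 443},
    {"direction": "out", "src": "203.128.4.55", "dst": "93.184.216.34", "dport": 80},
    {"direction": "out", "src": "203.128.1.20", "dst": "203.0.113.9", "dport": 22},
    {"direction": "in",  "src": "198.51.100.9", "dst": "203.128.0.25", "dport": 23},
] + [{"direction": "in", "src": "198.51.100.9", "dst": "203.128.0.25", "dport": p}
     for p in (21, 22, 80, 443, 3389)]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], decide(pkt))
    print("port scanners:", find_port_scanners(SAMPLE))
```

The spoofing check runs before the service check so that a forged internal source is dropped even when it targets an allowed port, and the scan detector works on the whole record set rather than per packet, which is why it is a separate function.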


Unmanaged Hosts

Unmanaged hosts are hosts that are not owned or managed by the University, such as personal laptops,
computers and other devices used in housing, hostels, and classrooms. The responsibility of CISCO for
unmanaged hosts ends at the wall plate. CISCO has the responsibility to identify the user at a given address
at any given time. In response to an incident, CISCO must be able to investigate any disruption of service to
the network caused by such a host.

Thanks
Thanks to ALL those who contributed in completing this policy.

Contact

ZABNET, Head of I.T.

Room: 90, Clifton campus, ground floor room 14.
Timing: 10:00 - 18:00
Support Days: Monday - Saturday
Phone: (92-21) 5824461-3 Ext.118 and 135
Email: info@zabnet.com
