This document establishes the network security policy for the University of Toronto.
The network security policy is intended to protect the integrity of campus networks and to mitigate the risks and losses associated with security threats to campus networks and network resources.
Like many other universities, the University of Toronto has experienced and will continue to experience an increase in unauthorized access or attempts to access its network and computer systems. Several incidents have resulted in break-ins. In addition, computer systems on campus have been used as platforms to launch attacks on systems on the Internet at large. These incidents represent a responsibility and potential legal liability for the University and could tarnish its reputation.
Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on research and instructional computers, student records, and financial systems could greatly hinder the legitimate activities of University staff, faculty and students. The University also has a legal responsibility to secure its computers and networks from misuse. Failure to exercise due diligence may lead to financial liability for damage done by persons accessing the network from or through the University. Moreover, an unprotected University network open to abuse might be shunned by parts of the larger network community. This policy will allow the University of Toronto to handle network security responsibly.
This policy is subject to revision and will be evaluated as the University gains experience with this policy.
The goals of this network security policy are:
- to establish University wide policies to protect the University's networks and computer systems from abuse and inappropriate use.
- to establish mechanisms that will aid in the identification and prevention of abuse of University networks and computer systems.
- to provide an effective mechanism for responding to external complaints and queries about real or perceived abuses of University networks and computer systems.
- to establish mechanisms that will protect the reputation of the University and will allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to the worldwide Internet.
- to establish mechanisms that will support the goals of other existing policies, e.g.
  - Appropriate Use of Information Technology
  - Student Code of Conduct
Note: Any violation of the network security policy will also be deemed a violation of the above listed policies, as appropriate.
The University of Toronto provides network resources to its divisions, faculties and departments in support of its Academic Mission. This policy puts in place measures to prevent or at least minimize the number of security incidents on the campus network without impacting the academic mission or the integrity of the University's many different computing communities.
The responsibility for the security of the University's computing resources rests with the system administrators who manage those resources. Computing & Networking Services (CNS) and the Computer Security Administration (CSA) group will help system administrators to carry out these responsibilities according to this policy.
The Provost has overall responsibility for this policy.
The Academic Advisory Committee (AcAC) of the Computer Management Board will review and respond to formal complaints resulting from the implementation of this policy. Computing & Networking Services (CNS) will prepare an annual report for AcAC relating experience with this policy and AcAC will recommend improvements to the Provost.
In support of this policy all Departments which administer LANs connected to the backbone will:
- provide Computing & Networking Services (CNS) with the names, e-mail addresses and telephone numbers for at least two different contacts: a management contact; and a primary technical contact (usually the System Administrator). An alternate contact should be provided in situations where the management contact and the primary technical contact are one and the same person.
- endeavour to assign to an individual the authority to connect systems to the departmental network(s),
- endeavour to keep this information accurate and up to date.
Computing & Networking Services will:
- monitor backbone network traffic in real time, as necessary and appropriate, for the detection of unauthorized activity and intrusion attempts,
- such monitoring will be carried out in compliance with the University's statement on Personal Privacy in the Appropriate Use of Information Technology;
- when a security problem (or potential security problem) is identified CNS will seek the co-operation of the appropriate contacts for the systems and networks involved in order to resolve such problems, but in the absence or unavailability of such individuals may need to act unilaterally to contain the problem, up to and including temporary isolation of systems or devices from the network, and notify the responsible system administrator when this is done;
- publish security alerts, vulnerability notices and patches, and other pertinent information in an effort to prevent security breaches.
- carry out and review the results of automated network-based security scans of the systems and devices on University networks in order to detect known vulnerabilities or compromised hosts,
- CNS will inform the departmental system administrators of planned scan activity, providing detailed information about the scans, including the time of the scan, the originating machine, and the tests run and vulnerabilities tested for. The security, operation or functionality of the scanned machines should not be endangered by the scan;
- CNS will report the results of scans that identify security vulnerabilities only to the departmental system administrator contact responsible for those systems;
- CNS will report recurring vulnerabilities over multiple scans to departmental management;
- if identified security vulnerabilities, deemed to be a significant risk to others and which have been reported to the relevant system administrators, are not addressed in a timely manner, CNS may take steps to disable network access to those systems and/or devices until the problems have been rectified.
- prepare summary reports of its network security activities for the AcAC on a quarterly basis,
- prepare recommendations and guidelines for network and system administrators, to be posted at the Computer Security Administration Web Page,
- provide assistance and advice to system administrators to the extent possible with available resources,
- issue semi-annual requests to verify the accuracy of departmental contact information.
The Computer Security Administration group within CNS will:
- co-ordinate all CNS network security efforts and act as the primary administrative contact for all related activities,
- co-ordinate investigations into any alleged computer or network security compromises, incidents and/or problems. To ensure that this co-ordination is effective, security compromises should be reported to Computer Security Administration - Email: firstname.lastname@example.org or telephone 416-978-1354,
- co-operate in the identification and prosecution of activities contrary to University policies and the law. Actions will be taken in accordance with relevant University Policies, Codes and Procedures with, as appropriate, the involvement of the Campus Police and/or other law enforcement agencies,
- in consultation with system administrators, develop procedures for handling and tracking a suspected intrusion, and deploy those procedures in the resolution of security incidents.
System Administrators will:
- endeavour to protect the networks and systems for which they are responsible,
- endeavour to employ CNS recommended practice and guidelines where appropriate and practical,
- co-operate with CNS in addressing security problems identified by network monitoring,
- address security vulnerabilities identified by CNS scans deemed to be a significant risk to others,
- report significant computer security compromises to Computer Security Administration.
Network users will:
- abide by the Appropriate Use of Information Technology policy of the University,
- abide by departmental policies governing connection to departmental networks.
Network resources include any networks connected to the University of Toronto backbone, any devices attached to these networks and any services made available over these networks. Devices and services include network servers, peripheral equipment, workstations and personal computers (PCs), UTORdial, UTORmail, etc.
Department is used as a generic term to signify an academic or administration unit.
"System Administrator" refers to the individual who is responsible for system and network support for computing devices in a local computing group. In some instances, this may be a single person while in others the responsibility may be shared by several individuals, some of whom may be at different organizational levels.