Network and Server Security Management Policy
- Related Documents: Network and Server Security Management Procedure and Annex, Minimum Cybersecurity Controls
- Owner: Computing and Communications Services (CCS)
- Approver: Provost and Vice-President, Academic; Vice-President, Administration and Operations
- Approval Dates: March 2007
I. Purpose
IT resources and services accessed through TMUnet are essential to Toronto Metropolitan University's (the University's) research, teaching and administrative activities. This policy is to protect the integrity of, and mitigate the risks and losses associated with security threats to, the University's IT resources, including their data, that are connected to the Information Network. It recognizes the primacy of teaching and research and the creation of deliverables thereof, as legislated in the Toronto Metropolitan University Act (Toronto Metropolitan University Act 1977, Section 3, page 2).
II. Scope
This policy’s scope is:
· To minimize any vulnerability from threats to the integrity and availability of IT resources, within the University's ‘primacy of function’ mandate recognized above.
· To block by default access to IT resources that can be scanned or compromised, leading to ethical or legal liability, as well as injury to the University's reputation, while at the same time accommodating a system flexibility that permits the University's ‘primacy of function’ mandate.
· To implement efficient IT security measures to detect attacks.
· To recover from damage done by such attacks, protecting the majority of IT resources from infection with malicious code or from unauthorized access.
· To provide processes that respond to queries and complaints about actual and perceived abuses, whether internal or external, and to take action to resolve the incident and to minimize the likelihood of recurrence.
III. Policy
IT resources deployed by units at the University must not disrupt or compromise the ability of the University to deliver its ‘primacy of function’ mandate, or other University or remote resources and services.
By default, computers and other networked devices at the University must not be accessible to network connection requests and broadcast attacks initiated outside of the University. This does not mean that computers within the University cannot access the Internet. However, it does mean that where campus-based systems such as Web, E-mail, FTP, Streaming Media, and other services, servers or network segments must be accessible to the Internet, special steps are required to make them accessible.
Any IT resource will be subject to periodic vulnerability assessments by Computing & Communications Services (CCS) and/or contracted third-party IT security companies. Review of any vulnerabilities found will be the responsibility of the ACAC Technical Working Group.
Primary responsibility for the security of the University's IT resources resides with those at the University who operate, maintain and/or support any IT resource.
Detailed security processes and procedures for IT resources reside with the Technical Support Contact and Management Contact, who operate, maintain and/or support IT resources.
IV. Jurisdiction
This policy falls under the jurisdiction of the Provost and Vice President, Academic and the Vice President, Administration and Finance. The application and interpretation of the policy, and its associated procedures, are the responsibility of the Director, Computing and Communications Services, and the Chair of ACAC under direction of ACAC.