Information Communication Technology Security in College of North London Report

Description of the College of North London

The College of North London is a fictitious institution of higher learning located in Wales. It offers both degree and certificate programs in various faculties and all its departments have been well equipped with modern ICT infrastructure. Below is a brief description of the information and networking systems of the institution.

The College has an information system geared at transaction processing, management information, decision support as well as executive information functions. These systems have been established as the west grid whose infrastructures are networking facilities, extensive shared memory, parallel processing facilities, a video conferencing access grid and even reserves for storage of research data. This west grid is very important in providing the avenue for researchers to share resources and other elements of expertise. The operation of this information system is modulated by the AICT and it comprises an SGI Altix XE320 cluster for disseminated memory functions and IBM Power5 and SGI machines for communal memory jobs. The university’s information system also has a General Access Linux Cluster (GALC) which comes in handy for doing large scale parallel computing jobs using the communal memory. Finally, within this system are numerical and statistical servers which host very many geometric, arithmetic and statistical packages. These five SGI Altix XE250 servers help provide interactivity and group applications.

The information system manpower majorly comprises ICT technicians. These include information officers, operating officers, technical officers and information security officers. These individuals are responsible for the installation and maintenance of technological equipment that help in enhancing the performance of the organization.

The administrative information systems (AIS) as part of the larger information system are responsible for maintaining proper administrative functions within the college. The systems are majorly PeopleSoft utilities such as payroll, human resource, student, financial and supply chain records. These systems are continually supported by the IBM Global services especially in the area of general usage.

The geographic information system (GIS) helps in collecting geospatial data relevant to the running of different areas of administration. For example, the college’s assets such as already installed infrastructure like transport facilities have to be constantly monitored for effective management. Other information that is relevant within this system includes data on culture, geopolitical information and general environmental data.

The Office automation systems (OAS) are very crucial in the maintenance of efficiency within the administration block. Information relevant to this facility is stored in a common database which is accessible using passwords by the relevant authorities.

Definitions of terms

1. Spam- Illegitimate and unsolicited electronic mails sent to a large number of recipients.
2. Pyramid schemes, Chain letters- Communications that aim at informing an individual that for a comparatively small investment, the recipient of the message can make a large amount of money. There are a number of variations but they all have the same fraudulent base concept-that the recipient of the message sends a certain amount of money to a specific number of individuals preceding the recipient in a chain, on the hope that as time goes on a substantially large number of people will be making similar payments to the recipient.
3. Port scanning-these are any attempts to pick up any weaknesses of a computer or a network by consistently sending information requests.
4. Network sniffing- Connecting a device or installing software to a network in order to study and record the data that is shuffling between systems on the network.
5. Spoofing-Deliberately prompting a computer system or its user to perform an incorrect function by impersonating a genuine source.
6. Service denial- Approaches and strategies are taken to bar a system from appropriately responding to legitimate requests.
7. Ping attack- A type of service denial, in which a system within a network receives fast and repeated echo requests, in essence blocking up the channel from contact by other users.

Purpose

The main function of this Information and Communication Technology (ICT) policy is to provide the appropriate frameworks for the usage of ICT hardware and services within the institution. The purpose of this policy is to encourage the College’s already-established tradition of openness, honesty and integrity. These are basic guidelines on what is allowed and what is disallowed on the College ICT infrastructure with the aim of protecting the ICT resources from destructive acts such as viral attacks, loss of data, unpermitted access, system and network crashes and legality challenges.

Scope

This policy is applicable to all members of staff (casual, temporary and permanent), students and all other people with access to the College ICT utilities, including all individuals that are linked to third parties. This policy covers all the hardware, software and other ICT infrastructures under the College ownership. It provides guidelines for each and every action that is carried out using these infrastructures affecting both the well-being of the institution’s systems and other affiliated setups.

General use and ownership policy

Role

As much as the Information and Communication Technology Council (ICTC) is dedicated to the provision of an acceptable amount of privacy, the ICTC

1. While the ICTC is committed to the provision of a reasonable level of privacy, the ICTC shall not be held responsible for guaranteeing the confidentiality of personal information that is hosted or channeled through any network or system owned by the College. All data developed and transmitted on the ICT infrastructure shall be regarded as College property.
2. The ICTC shall strive to secure the College’s network and the mission-critical College data and infrastructure. The ICTC shall not be held liable for the security of personal data hosted on the College ICT systems.
3. Users are required to practice proper judgment pertaining to the appropriateness of personal use of ICT infrastructure and services. They shall at all times be directed by ICT policies that have been developed regarding personal use of ICT networks (i.e. inter-, intra- and extranet systems). Where policies are either not clearly applicable, users are expected to make consultations with the relevant ICT staff.
4. For the purpose of security and network maintenance, the authorized ICTC staff shall analyze the hardware, software and other utilities at an appropriate time as required by the ICT development policy.
5. The ICTC holds the right to assess networks and infrastructure on a basis that is compliant with this ICT policy.

Security of proprietary/confidential information

1. College data hosted in the ICT infrastructure shall be categorized as either confidential or non-confidential. Some of the data classified as confidential include research information, payroll data and human resource information. College members of staff shall take all the appropriate steps to prevent any unpermitted access to confidential information.
2. Users shall ensure that passwords are secured and that accounts are not shared. Group and/or communal accounts are categorically illegal. Authorized users personally hold the responsibility of strengthening and according to the secrecy needed for their access passwords (Kingston University 2006).
3. All personal computers, laptops and workstations shall be secured using a password-disabled screensaver that automatically activates in a timeless than five minutes, or by logging off when the system is not being used.
4. Any pieces of information by users of the College e-mail address to newsgroups shall carry a disclaimer that categorically declares the opinions carried as being the user’s and not necessarily those of the College. This is unless the communication is in line with or lies within the scope of official duties.
5. All hosts that are linked to the College networks shall at all times be needed to execute the appropriate virus-scanning techniques. Users are required to exercise caution when accessing electronic mail attachments from unknown sources and which have the potential for security threats such as viruses or e-mail bombs (Kingston University 2006).

Unacceptable use

1. At no time shall a member of staff or student be authorized to partake in any action that is illegal under the laws of the United Kingdom or international law while using the College ICT infrastructure and services.
2. Below are some of the activities that are strictly prohibited. This list is by no means exhaustive but is a basic outline of all activities that are classified as unacceptable.

Unacceptable System and/or Network Activities

The list below contains items that are categorically prohibited, without room for exceptions:

1. Infraction of the rights of any individual or institution as accorded by the United Kingdom’s intellectual property law and the College’s intellectual property policy or the institution’s code of conduct (The University of West Indies 2008).
2. Installation of malicious software onto the network/ server. Listed under this prohibition are viruses, e-mail bombs and Trojan horses.
3. Communal College user accounts and password-users shall be held responsible for any violations emanating from shared accounts.
4. Use of college ICT infrastructure to actively participate in the acquisition or transmission of material that is regarded as tantamount to sexual harassment or that is related to the development of an unfriendly work environment.
5. Using the College accounts to make deceptive offers of products and services.
6. Breach of security or the severance of communication within the network. Security contraventions include but are not limited to, access of information of which the user is not the designated recipient, or gaining access onto a server that one has not been directly permitted to use, except when this access falls within the scope of official duties (The University of West Indies 2008).
7. Port and security scanning without the express authorization of ICT management.
8. Conducting any form of network monitoring that interrupts any information that is not aimed at the originator’s host system, unless this action is a function of a member of staff’s responsibilities.
9. Outflanking user authentication or security of any system within the College ICT infrastructure. Also covered in this item includes denial of service to other network users (The University of West Indies 2008).
10. Using any software or any ICT utility to interfere with or cede any user’s terminal session using any network (inter-, intra- or extranet)
11. Using the College ICT infrastructure to offer services to individuals residing or based inside or outside the college facilities on either unpaid or commercial bases.

Unacceptable communication practices

1. Sending unrequested material and any other public content to persons who did not personally ask for such pieces of communication (University of Tasmania 2010).
2. Unsanctioned use, or plagiarism, of electronic mail header details.
3. Requisition of e-mail for any other email address, except for that of the solicitor’s account, aimed at harassment or the collection of feedback (University of Tasmania 2010).
4. The creation or passing along of “chain letters” and/or “pyramid schemes” of any kind. The usage of unsought for e-mail emanating from the College networks under the representation of, or to publicize, any utility hosted by the college or linked to the College network (The University of West Indies 2008).

Password Policy

1. All system-level passwords shall be adjusted a minimum of one time per month.
2. All user-level passwords shall be reviewed at least once every quarter.
3. User accounts that have been accorded system-level advantages by group registration shall carry passwords that are clearly different from all the other accounts registered by the user.
4. Passwords shall not be transmitted as part of emails.
5. Passwords linked to college accounts shall not be utilized for other non-College access such as G-mail or a mobile phone PIN.
6. All passwords shall be regarded as impressionable and confidential college information. Users shall not share their college passwords with other people, including unauthorized department officials (Dublin City University 2010).
7. Users shall at no time use the “Remember Password” element of utilities such as G-mail, Facebook and Twitter.
8. Users shall not write passwords down and keep them anywhere within the proximity of their offices (Makerere University 2005).
9. In an account or password is purported to have been compromised through hacking, the password in question shall be changed as a matter of urgency. ICTC shall be immediately informed in order to carry out investigations, especially if the breach touches on crucial College infrastructure or functions.
10. As one of the keyed up security procedures, password cracking may be carried out on a random basis by the authorized members of staff in order to isolate the weak and/or ineffective passwords. Cracked or guessed passwords shall have to be changed immediately by the user of the account.
11. All user- and system-level passwords shall have to comply with framework established below:

Basic password construction guidelines

Computer passwords serve a number of functions within the College. Because very few utilities support the use of one-time access tokens (i.e. access passwords that can be used one time only), all the users of the College ICT networks and/or systems shall familiarize themselves with the following guidelines on how to develop a powerful password.

Weak passwords are distinguished by the following criteria:

1. They are made up of fewer than eight characters.
2. They contain words that make sense in a particular language.
3. They are made up of popularly used words such as:

1. 1. People and animal names.
   2. Names associated with Information and Communication Technology such as Microsoft or Macintosh.
   3. The words “College” and “North London” or any derivation from these words.
   4. Personal details such as anniversaries and student registration numbers.
   5. A letter or digit patterns such as 456654, uuuwww or PONMLKJI.
   6. Any of the items listed above are written backwards.
   7. Any of the items listed above start with or are succeeded by a single number e.g., password3 or 4password.

Strong passwords on the other hand are identified by the features listed below:

1. Comprise both capital and small letters.
2. Contain numbers and punctuation symbols alongside numerical digits.
3. Are eight or more alphanumeric characters in length (The University of West Indies 2008).
4. Are not words that make sense in any language or dialect
5. Are not derived from personal information or commonly used names

Application development frameworks

The developers of applications for use within the College ICT infrastructure shall make sure that their programs meet the security guidelines listed below:

1. Shall only provide for authentication by individuals and not groups of users
2. Shall not reserve passwords invisible text or in another form that can be easily reversed.
3. Shall allow for some type of role management, that is, one user adopting the responsibilities of another without necessarily having to be in the possession of the other’s password.

Program developers shall ensure that their software meets the following basic security standards.

1. Shall only allow for authentication of single users.
2. Shall not show passwords in discernible characters or in any format that is easy to decipher.
3. Shall permit RADIUS, X.509 and/or TACACS+, with LDAP security retrieval, when necessary (University of Salford 2008).

Server Security Policy

All servers that are linked to the College ICT network shall have an established management team that shall be in charge of conducting all administrative procedures. Such management teams shall be tasked with the responsibility of regularly monitoring the compliance of configuration and shall establish an exception policy that is appropriate within the limits of their environment. All management teams shall draft procedures for configuration modification; if the server is executing crucial College systems, this shall include a terminal assessment and assent by the ICTC’s administrators.

1. All servers shall be signed up with the ICTC. During the registration process, the following information has to be provided:

1. 1. The physical location of the server (University of Ballarat 2010)
   2. Contact details of the System administrator
   3. Hardware and software being used
   4. Details of the functions and applications in use by the server

2. Any configuration modifications for severs shall follow the proper change management strategies.

Basic configuration guidelines

1. Server Operating systems (OSs) shall be constructed according to the approved ICT guidelines
2. Utilities and functions that are not underused shall be rendered inoperative at all times.
3. Access to networks and services shall be recorded and conferred with protection using various access-regulation methods where necessary (University of Salford 2008).
4. Up-to-date security patches shall be installed on the systems as long as such updating does not affect the normal functions of the systems
5. Software to protect against viral attacks shall be installed and set to update on a regular basis.
6. Cross-system trust relationships create room for security threats and shall not be permitted
7. Servers shall be hosted in access-controlled localities
8. Access to servers from uncontrolled or easily-accessible localities is strictly prohibited.

Monitoring

1. All security-related functions on critical or cognizant systems shall be registered and audit streams stored in all system backups.
2. Security-linked functions shall be communicated to the ICT information security officer, who shall be held responsible for analyzing system records and conveying reports of occurrences to the relevant authorities. Corrective steps shall then be prescribed as required. Security-linked functions include, but are not limited to:

1. 1. Port-scan invasions
   2. Evidence of unpermitted entry to privileged accounts
   3. Infective occurrences that are not linked to particular functions on the host

Audit policy

For auditing purposes, any necessary access shall be accorded to members of the College ICT audit team when need arise. This access shall comprise:

1. User- and/or system-level access to any communications garget
2. Access to data that may have been created, distributed and hosted within the College ICT infrastructure (University of Auckland 2007).
3. Entry into work area such as offices.
4. Access to College networks for the purpose of interactive traffic monitoring.

Internal Computer Laboratory security policy

1. All College entities that possess or operate computer laboratories shall identify officials to oversee the daily operations of computer laboratories. These individuals shall hold the title of Computer laboratory Administrators.
2. Computer Laboratory Administrators shall ensure that their laboratories are secure and shall ensure that this policy is fully implemented.
3. Computer Laboratory Administrators shall be in charge of ensuring that the Laboratory complies with all the College ICT policies.
4. Computer Laboratory Administrators shall be tasked with the responsibility of managing access to their laboratories. They shall ensure that unauthorized individuals do not gain access to institutions ICT resources at their charge.
5. The ICTC holds the right to interfere with particular laboratory links if such links are impacting negatively on the ICT infrastructure or are regarded as security risks. As such, Computer Laboratory Administrators shall be available for emergencies at any time of the day.
6. The ICTC shall be provided with records of all the available Internet Protocol addresses and any associated configurations related to hosts in any computer laboratory (University of Canberra 2010). The Computer Laboratory Administrator does not have the authority to modify any configuration without giving prior notice to the ICTC network management.

General configuration requirements

1. All traffic between production networks and computer laboratories shall go through filtration firewalls (University of Canberra 2010). At no time shall computer laboratory network hardware and utilities link a laboratory to a production network without the data first going through filtration firewalls.
2. Computer laboratories shall desist from partaking in port-scanning, traffic spamming or any other functions that may be detrimental to the well-being of the College network and/or any other associated network. In line with this item, the general use and ownership policy shall be implemented.
3. In computer laboratories with free-pass access, any direct linkage between the College production network and from these laboratories shall be illegalized. On top of this no College-critical information shall be hosted on any hardware-based in such laboratories.

Anti-virus policy

1. All systems linked to the College ICT network shall run the approved anti-virus software and shall be required to conduct daily full-system and on-access scans.
2. Anti-virus software shall be regularly updated through automated daily updates
3. Computer Laboratory Administrators and individual computer owners, working in tandem with the relevant ICTC officials, shall be tasked with the responsibility of conducting the necessary procedures for guaranteeing virus protection on their machines. All computers have to be confirmed as virus-free before being allowed connection to the College network (University of Canberra 2010).
4. Once identified as virus-infected, a computer shall be taken down from the College network until it has been declared free of viral infection.
5. The steps listed below shall be followed by all users in order to reduce the propensity to viral attacks. Users shall:

1. 1. Never access any files linked to e-mails from strange or unidentified sources. Any e-mail of this nature shall be immediately deleted and cleared from trash folders.
   2. Clear spam, chain and junk mail without passing it on to other users.
   3. At no time download files from unknown sites
   4. Desist from open disk sharing with read/write freedoms unless this is critically necessary
   5. Back up critical data regularly and store information safely
   6. Ensure that removable media are scanned prior to using them
   7. Not run utilities and applications that could transfer viruses to a computer system with non-functional antivirus software.
   8. Constantly look for anti-virus updates to deal with the most current virus.

Physical Security policy

1. Security identification: All College computer hardware shall be distinctly branded by use of techniques such as etching with the name of the College department and name/number of the office or computer laboratory where the hardware is hosted.
2. The personal computer Central Processing Unit (CPU) cases shall be securely locked at all times.
3. Placement of computers: If possible, all the computer systems shall be placed at least two meters away from high-risk windows.
4. Opening of a window: All windows that can open towards high-risk environments shall be fitted with permanent grills
5. Blinds: All external windows to areas containing computer systems in positions that are visible to the public shall be fitted with blinds or one-way tinted films.
6. Intruder alarm: Buildings that contain a large number of computer systems shall be fitted with an intruder alarm.
7. Positioning of intruder alarms: Intrusion-detection gadgets shall be placed within the area in order to ensure that unauthorized entry is not possible without detection.
8. Intrusion detection system test- A regular movement test shall be carried out on all workstations to ensure that all computer systems are placed within the physical limits of the detection device.

Computer server rooms

1. Computer servers shall be located in rooms that are designed and secured for this specific function.
2. The room containing servers shall be fitted with a proper air-conditioning system in order to provide a proper working environment and to cut down any risk of system failures.
3. No forms of water conduction pipes shall traverse the area around the computer server room in order to reduce the possibility of flooding.
4. If possible, the floor in the computer server room shall be a raised false floor in order to allow for the placement of cables underneath the floor. This will help cut down the risk of damage to the systems should flooding occur.
5. Power connections to the servers go through the uninterrupted power supply (UPS) and surge protection units in order to allow for the protection of systems in case of power outages.
6. Access to areas hosting computer servers shall only be restricted to authorized College personnel.

Physical Local Area Network (LAN) and Wide Area Network (WAN) security

Switches

1. LAN and WAN infrastructure such as switches and hubs shall be located in secured areas. On top of this, the hardware shall be kept in lockable and air-conditioned communication lockers (Griffith University 2002).
2. All communication lockers shall be locked at all times and should only be accessed by the authorized ICT personnel.

Workstations

1. Users shall be required to log out of their computers when they are not within the vicinity of the workstation
2. Any system that is not under current use shall be switched off during off-work hours.

Wiring

1. All wiring architecture shall be properly documented
2. Any unused network ports shall be de-activated when not being used
3. All network wiring shall be regularly scanned and the findings noted down for future reference.
4. No item shall be placed on top of network wiring

Monitoring Software

The usage of system evaluation tools such as network analyzers shall only be permitted to the ICTC members of staff who are directly in charge of network management and security.

Internet Usage Policy

1. Every software used to access the internet shall remain as part of the College software suite and shall go through approval procedures set up by the institution. (Griffith University 2002).
2. All persons using the internet-access software shall configure it to obtain the latest security updates as distributed by the vendors.
3. All files that are obtained from the internet shall be taken through a scanning process to purge out any viruses, using the College’s updated anti-virus software.
4. All internet access software shall go through the established gateways and firewalls. Circumventing these security protocols is strictly prohibited.
5. Access to websites and databases shall be in compliance with the established General Use and Ownership Policy.

Narrative

The first step of the entire policy document creation was the identification of the institution on which I would focus the project. I came up with a fictitious college (the College of North London); an academic institution that has an expanse that is as large as my current university. Once I had established the size and requirements of the organization, I was ready to collect the necessary information to help in developing the document.

Most of the research I did was primarily based on secondary data. I extracted all the necessary information from books, journals, articles and websites. The criteria of selection for the literature was mainly the relevance to the process of ICT policy-making as well as the year of publication. Both public and private libraries as well as online libraries were visited in order to access the data. This research was partly evidence based and partly founded on professional research by professionals in the field. Various articles were studied in order to provide background information which essentially ended up giving credibility to the final document. It would have been extremely difficult for me to draft an ICT policy without referring to similar documents from other institutions. This definitely made for some interesting research and in as much most of the information was only used for reference purposes, it effectively came round to help me form the back-born of the paper.

The information I collected from the publications served to provide an explanation as regards the process of policy development. This was very crucial information that ended up making the final draft appeal to both professionals and the general public. For the latter, it may require that some of the information carried in the document be broken down into simple language and at the same time illustrations drawn from the most successful applications of such policy elements in real-life cases.

Like with any other professional field of study, Computer sciences researches have to be conducted in such a way that they offer credibility to the practitioner. In such a field, the strength lies exemplification from historical developments. With this knowledge in mind, I made the effort to obtain relevant information to the particular topic in question and this was accompanied by proper citation.

I had to obtain this secondary information because, for any professional policy document creation, chances are that extensive research has been carried out by professionals in the field before. Consequently, in order to establish the backbone of a given similar project, it is only necessary that an extensive review of literature be carried before identifying seeking first-hand information from the field. From this project, I discovered that the latter, i.e. information collected from the field was also necessary since it helped give professional credibility to my project. Combining results from both sources would serve to foster their symbiotic relationship with one offering background information and the other presenting up-to-date information on the topic.

The College of North London has a constitution and policies that govern the running of every sector of the campus. As such, the information and communication department has its own set of rules which guide every operation taking place with the information systems. It is my opinion that as far as consultation is concerned, the information systems policy points out that, senior faculty members from the department of computer science and ICT be heavily involved. These are professors who have vast knowledge of computer technology and therefore are better placed to offer reasonable suggestions as to what information systems can work properly for the institution. I am of the idea that the same senior professors assisted by junior colleagues from the department should also be taxed with the responsibility of analyzing and designing the information systems that they think best suit the college bearing in mind that the university is growing on a day to day basis. The implementation of the systems is a prerogative of a combination of administrative and ICT staff members. The ICT members will sit on a board with an administrative team and offer their advice on the best infrastructure that can be installed to adequately maintain a decent information systems network around the college. The same ICT members will then offer a list of equipment providers from which the administrative panel will decide on whose offer would make the best economic sense for the institution. Once new systems are installed, the policy offers the provision that a few individuals from the computer engineering department will familiarize themselves with the system and as such will be responsible for reengineering and maintenance.

Reference List

Dublin City University 2010, “Dublin City University Information & Communication Technology (ICT) Security Policy”, Dublin City University. Web.

Griffith University 2002, “Griffith University Information Security Policy”. Web.

Kingston University 2006, “Kingston University Information & Communication Technology Security Policy”, Kingston University. Web.

Makerere University 2005, “Makerere University (2005-2009) Information &Communication Technology (ICT) Security Policy”, Makerere University. Web.

The University of West Indies 2008, “The University of West Indies Information & Communication Technology Security Policy”, The University of West Indies. Web.

University of Auckland 2007, “Information Security Management”, University of Auckland. Web.

University of Ballarat 2010, “ICT Security Policy”, University of Ballarat. Web.

University of Canberra 2010, “Information Security Policy Framework”, University of Canberra. Web.

University of Salford, 2008, “University of Salford ICT Acceptable Use Policy”, University of Salford. Web.

University of Tasmania 2010, “ICT Security Policy: ICTP 2.1”, University of Tasmania. Web.