This document establishes the network security policy for the University of Toronto.
The network security policy is intended to protect the integrity of campus networks and to mitigate the risks and losses associated with security threats to campus networks and network resources.
Like many other universities, the University of Toronto has experienced and will continue to experience security incidents encompassing a broad scope of severity. These incidents range from individual virus infections to loss of network connectivity for entire departmental zones due to denial of service attacks. The management of these incidents is a responsibility of the University. Failure to meet that responsibility could result in a tarnished reputation as well as potential legal liability.
Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on research and instructional computers, student records, and financial systems could greatly hinder the legitimate activities of University staff, faculty and students. The University also has a legal responsibility to secure its computers and networks from misuse. Failure to exercise due diligence may lead to financial liability for damage done by persons accessing the network from or through the University. Moreover, an unprotected University network open to abuse might be shunned by parts of the larger network community. This policy will allow the University of Toronto to handle network security effectively.
This policy is subject to revision and will be evaluated as the University gains experience with this policy. All revisions are reviewed and approved by the Technical Operations Committee. Procedures and guidelines associated with this policy will be posted on the Computer Security Administration web page.
The goals of this network security policy are:
to establish University-wide policies to protect the University's networks and computer systems from abuse and inappropriate use.
to establish mechanisms that will aid in the identification and prevention of abuse of University networks and computer systems.
to provide an effective mechanism for responding to external complaints and queries about real or perceived abuses of University networks and computer systems.
to establish mechanisms that will protect the reputation of the University and will allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to the worldwide Internet.
to establish mechanisms that will support the goals of other existing policies, e.g.
Appropriate Use of Information Technology
Student Code of Conduct
Note: Any violation of the network security policy will also be deemed a violation of the above listed policies, as appropriate.
The University of Toronto provides network resources to its divisions, faculties and departments in support of its Academic Mission. This policy puts in place measures to prevent or at least minimize the number of security incidents on the campus network without impacting the academic mission or the integrity of the University's many different computing communities.
The responsibility for the security of the University's computing resources rests with the system administrators who manage those resources. Computing & Networking Services (CNS) and the Computer Security Administration (CSA) group will help system administrators to carry out these responsibilities according to this policy.
The Provost has overall responsibility for this policy.
The Technical Operations Committee of the Computer Management Board will review and respond to formal complaints resulting from the implementation of this policy. Computing & Networking Services (CNS) will prepare an annual report for the Committee relating experience with this policy and the Committee will recommend improvements to the Provost.
Departments which administer LANs connected to the backbone will:
provide Computing & Networking Services (CNS) with the names, email addresses and telephone numbers for at least two different contacts: a management contact; and a primary technical contact (usually the System Administrator). An alternate contact should be provided in situations where both the management contact and the primary technical contact are one and the same person.
assign to an individual the authority to connect systems to the departmental network(s).
ensure this information is kept accurate and up to date.
when implementing wireless and/or wired docking infrastructure, ensure that guidelines (see Appendix 1) maintained by CNS are strictly adhered to.
Computing & Networking Services will:
monitor backbone network traffic in real time, as necessary and appropriate, for the detection of unauthorized activity, intrusion attempts and compromised equipment.
such monitoring will be carried out in compliance with the University's statement on Personal Privacy in the Appropriate Use of Information Technology;
when a security problem (or potential security problem) is identified CNS will seek the co-operation of the appropriate contacts for the systems and networks involved in order to resolve such problems, but in the absence or unavailability of such individuals may need to act unilaterally to contain the problem, up to and including temporary isolation of systems or devices from the network, and notify the responsible system administrator when this is done;
publish security alerts, vulnerability notices and patches, and other pertinent information in an effort to prevent security breaches.
carry out and review the results of automated network-based vulnerability, compromise assessment and guideline compliance scans of the systems and devices on University networks in order to detect known vulnerabilities, compromised hosts, and guideline compliance failures,
CNS will inform the departmental system administrators of planned scan activity, providing detailed information about the scans, including time of scan, originating machine, and the tests and vulnerabilities tested for. The security, operation or functionality of the scanned machines should not be endangered by the scan;
CNS will provide tools to departments so they may run their own testing.
CNS will report the results of scans that identify security vulnerabilities only to the departmental system administrator contact responsible for those systems;
CNS will report recurring vulnerabilities over multiple scans to departmental management;
if identified security vulnerabilities, compromises or guideline compliance failures deemed to be a significant risk to others and which have been reported to the relevant system administrators, are not addressed in a timely manner, CNS may take steps to disable network access to those systems and/or devices until the problems have been rectified.
test campus wireless network access to ensure compliance with published guidelines.
prepare summary reports of its network security activities for the Technical Operations Committee on a quarterly basis,
prepare recommendations and guidelines for network and system administrators, to be posted at the Computer Security Administration Web Page,
provide assistance and advice to system administrators to the extent possible with available resources,
issue semi-annual requests to verify the accuracy of departmental contact information.
The Computer Security Administration group within CNS will
co-ordinate all CNS network security efforts and act as the primary administrative contact for all related activities,
co-ordinate investigations into any alleged computer or network security compromises, incidents and/or problems. To ensure that this co-ordination is effective, security compromises should be reported to Computer Security Administration - Email: [email protected] or telephone 416-978-1354,
co-operate in the identification and prosecution of activities contrary to University policies and the law. Actions will be taken in accordance with relevant University Policies, Codes and Procedures with, as appropriate, the involvement of the Campus Police and/or other law enforcement agencies,
in consultation with system administrators, develop procedures for handling and tracking a suspected intrusion, and deploy those procedures in the resolution of security incidents.
System Administrators will
protect the networks and systems for which they are responsible,
employ CNS recommended practice and guidelines where appropriate and practical,
co-operate with CNS in addressing security problems identified by network monitoring,
address security vulnerabilities identified by CNS scans deemed to be a significant risk to others,
report significant computer security compromises to Computer Security Administration.
Network users will
abide by the Appropriate Use of Information Technology policy of the University,
abide by departmental policies governing connection to departmental networks.
Network Resources: Network resources include any networks connected to the University of Toronto backbone, any devices attached to these networks and any services made available over these networks. Devices and services include network servers, peripheral equipment, workstations and personal computers (PCs), UTORdial, UTORmail, etc.
Departments: Department is used as a generic term to signify an academic or administration unit.
System Administrator: refers to the individual who is responsible for system and network support for computing devices in a local computing group. In some instances, this may be a single person while in others the responsibility may be shared by several individuals some of whom may be at different organizational levels.
For information about this policy or for clarification of any of the provisions of this policy, please contact the Manager of Computer Security Administration at [email protected]
Appropriate Use of Information Technology:
Computer Security Administration Web Page:
Student Code of Conduct
Appendix 1: Guidelines for the Implementation of Wireless and Wired Docking Infrastructure
The Network Security Policy specifies that University departments planning to implement wired and wireless network connectivity must adhere to the guidelines specified in this document.
Before configuring frequency spectrum settings in wireless access points, Departments must consult with CNS. CNS maintains campus frequency spectrum mappings to ensure that spectrum collision does not occur.
Departments must ensure that all access to wireless and wired docking area network connectivity is controlled by an authentication system. This system must be designed such that network connectivity can be traced to an identifiable end user. Under special circumstances, for periods of limited duration, it may be sufficient that all network connectivity sessions be traced to the responsible departmental representative. An example of such a situation would be a meeting led by a departmental representative making use of network connectivity for non-University users.
Departments must recognize that eavesdropping is possible with wireless communications, and thus ensure that sensitive data being transmitted is protected from potential eavesdroppers via suitably strong encryption.
Departments must take steps to prohibit unauthorized wireless access point installations by their users.
Any person implementing a wireless access point or wired docking station will be responsible for the network traffic through it.