Network Security and Management

The document provides network security guidelines and procedures for York University. It defines key roles and responsibilities, and outlines policies around attaching devices to the network, incident response, and other security measures to protect network resources.

Uploaded by

rashid1986

Network Security and Management (Guidelines and Procedures)

Purpose
These guidelines and procedures are meant to ensure the availability and security of the shared
network resources which support the learning, teaching and research mission of the University
and the administrative activities that underpin this mission.

These guidelines and procedures supplement and clarify the principles set out in the Policy on
Computing and Information Technology Facilities as they apply to the York University centrally
managed network infrastructure and the operation of systems therein.

Roles and Responsibilities


Users: Those using University network resources.

System Administrators: Those responsible for installing and maintaining software and/or
equipment attached to or operating via the central network infrastructure.

System Managers: Those who own and/or have management authority for Information
Technology systems attached to or operating via the central network infrastructure.

Central Computing Support Group: Computing and Network Services (CNS) is responsible
for the management of the University’s central information technology services. This includes
Central Network Management and Information Security.

Central Network Management: The department within CNS with responsibility for the
operation of the University data network infrastructure including network-authoritative services.

Information Security: The department within CNS with responsibility for the overall security
of the University Information Technology systems and data.

Definitions
University Network: The University-owned network infrastructure which is managed by the
Central Computing Support Group. This includes the University network backbone, networks for
individual buildings, modem pools, and wireless access points.
Network-Attached Device: Any type of computer system, network equipment, or other device
which operates on the University network infrastructure. This includes personal computers,
servers, network-enabled printers, network hubs or switches, and any other device which uses the
network.

Network-Authoritative Service: Network services which are required for the integrity and
stability of the central network infrastructure, including DNS, DHCP, and routing.

Network Access Point: A device which allows network traffic to flow from any external source
to the University central network infrastructure. This includes wireless access points,
modems, wired network drops, and routers connected to external networks not operated by the
University.

Vulnerability Analysis: Any interaction with, or observation of a system which is used for
determining security vulnerabilities present. Examples include network scanning, encryption
cracking, and system information gathering.

Guidelines
1. Network Access Points: All points of access to the University Network (including
network drops and wireless access points) require authorization by the Central
Computing Support Group. Operators of wireless access points shall also conform to the
University guidelines for usage of unregulated radio spectrum bands.
2. Network Traffic Types and Limits: The Central Computing Support Group will control
bandwidth limits and the types of inbound and outbound network traffic permitted
through the Internet gateway and other points within the University network. Decisions
about the permitted types of traffic and bandwidth limitations will be based on the
business and academic goals of the University and the security exposure involved.
3. Network Monitoring: The Central Computing Support Group will monitor network traffic
as necessary and appropriate to detect unauthorized activity or intrusion attempts, and for
diagnostic purposes. All monitoring will be carried out in accordance with the University
Policy on Computing and Information Technology Facilities. Interception or monitoring
of network traffic without authorization from the Central Computing Support Group is
prohibited.
4. Baseline Security Configurations: The Central Computing Support Group will establish
and provide recommended baseline configuration standards for selected operating
systems. System Managers are responsible for ensuring that systems under their
responsibility are configured in a secure manner, making use of the baseline standards at
minimum.
5. Vulnerability Analysis: System Administrators or System Managers are authorized to
perform vulnerability analysis on systems for which they are responsible. Information
Security, or its designee, is authorized to perform vulnerability analysis of any device on
the University Network at any time. All other vulnerability analysis of systems on the
University Network requires prior approval of Information Security.
6. IP Addresses: The Central Network Management assigns IP addresses to networked
systems either at system installation time, or dynamically, depending on the system and
the area of the network in which it is located. Using or attempting to use a different IP
address than the one assigned is prohibited.
7. Domain Names: All IP addresses within the University Network are assigned within
the "yorku.ca" domain name. Using or attempting to use a non-"yorku.ca" domain name
to resolve to a York University IP address without authorization from the Central
Computing Support Group is prohibited.
8. Network Abuse: Interfering or attempting to interfere with the normal operation of
networks and systems within or external to the University is prohibited. Examples of this
type of abuse include unreasonable use of resources, denial of service, scanning,
monitoring, interception, impersonation, or modification of systems or data without
authorization or consent of the system or data owner.
9. Network Authoritative Services: Operation of network-authoritative services (DNS,
DHCP, and routing-related services) without authorization by Central Network
Management is prohibited.
10. Malicious Software Use: Use or transmission of malicious software such as computer
viruses which could provide unauthorized access and/or infect systems is prohibited.
Computers infected with malicious software are considered a security compromise.
11. Commercial Use: Use of University Network connections to host services for
unauthorized commercial purposes is prohibited.
12. Inappropriate Use: Use of the University Network must not violate the University Policy
on Computing and Information Technology Facilities. Such violations include copyright
violations, distribution of computer viruses or other malicious programs, unauthorized
access, or other unlawful use.
13. Incident Response: In the event of a known or suspected incident of unauthorized access
or other system security compromise, or in response to a violation of any guideline
specified here, Information Security, or its designee, is authorized to investigate any
device on the University Network in accordance with the Incident Response and
Investigation procedures contained herein. This may involve disconnection of the system
from the University Network, copying of system data, and/or physical collection of the
device for examination.

Procedures
Attaching to the Network

1. Contact Information: All network-connected devices must have a Management and
System Administrator point of contact registered with the Central Computing Support
Group. An additional backup contact is required if the manager and system administrator
are the same individual. Incomplete and/or incorrect contact information may result in
termination of network service without notice.
2. System Placement: The University network is divided into zones with varying degrees
of security and functionality. Before operating a system on the network, the logical
placement of the system within the network (i.e. zone) shall be decided in consultation
with the Central Computing Support Group according to the function and sensitivity of
the system.
3. System Configuration and Operation: System Administrators shall follow existing
recommended practices and/or standards for configuration and operation of equipment
where these are available.
4. System Updates: System Administrators shall apply relevant security patches in a
regular and timely fashion and run up-to-date anti-virus software where
applicable.

Incident Response and Investigation


1. Complaints of Alleged Violations: Complaints regarding violations of law or University
policy may be directed to System Managers, and/or to the Central Computing Support
Group as appropriate. Complaints reported to the Central Computing Support Group will
be investigated by Information Security which will (if appropriate) refer the matter to
appropriate University authorities and/or law enforcement agencies.
2. Reporting Security Compromises: All System Administrators and System Managers
shall report security compromises which involve misuse or unauthorized access to
University systems and/or data to the Central Computing Support Group. Information
Security will coordinate investigations into any alleged computer or network security
incident.
3. Vulnerability Analysis: Systems which pose a significant risk to the security, integrity,
or availability of other systems or the University Network due to a suspected security
vulnerability will be investigated by Information Security and/or by the responsible
System Manager.
4. Access to System Information: System Administrators and/or System Managers shall
provide access and/or information from a system which is the subject of a current
investigation to Information Security upon request. Information required may include
system logs, configuration information, a complete system image, and/or physical access
depending on the type of incident and needs of the investigation.
5. Disconnection: Systems operating in violation of law or these guidelines, or which pose a
risk to the security, integrity, or availability of systems or the University Network may be
disconnected from the network by Central Network Management or Information
Security. Appropriate contact information will be used for notification in advance of
disconnection when possible. Systems may be disconnected prior to notification of the
affected contacts when such systems are the source of (or need to be protected from) an
immediate and/or unacceptable risk, or if no appropriate contact can be notified.
6. Reactivation: A system previously disconnected as a result of incident response may
only be reactivated with the consent of Information Security.
