ANGLIA RUSKIN UNIVERSITY
Information Security Guideline no. 110 – 3rd Party Connections

A business or technical case for arranging a connection to Anglia Ruskin University’s network must be established. Where such a case is established, a formal understanding must be agreed and signed. The understanding must set forth the obligations of care, confidentiality and professional and responsible behaviour on the part of Anglia Ruskin University and its personnel, as well as on the part of the person or organisation with whom or with which the connection is being arranged. The understanding must also make specific provision to ensure that Anglia Ruskin University’s data classifications are honoured and maintained, that data ownership and the liability of the parties are defined, and that provision for virus protection is specifically included.

The external organisation must have a data security policy in place that offers at least the same degree of insight and care as our Information Security Policy Practices. (Note, however, that smaller organisations may not have a policy in place. In this case, agreement should be reached as to an appropriate approach to the issues. The University Records Manager should be consulted for guidance; please contact Jackie Barlow, email: jackie.barlow@anglia.ac.uk.)

All permanent connections must be routed through a filtering barrier, such as a firewall, which will conceal the internal addressing conventions used by us, perform the necessary network address translation and prevent non-standard traffic. The connection with external persons and organisations should be configured so that access is restricted to the business function being supported and access to any other university systems and services is prevented. For any instance where it appears that the available technology does not support restrictions on access, details are to be referred to central information services management for consideration and resolution.
All occasional remote inbound connections (dial-up and/or access via the Internet) will be subject to an authentication challenge, and appropriate arrangements for mutual authentication should be put in place where feasible. The use of dial-up remote diagnostic facilities should be closely managed to ensure that no opportunity for unauthorised access is created. Where the external connection is inbound, for example by browser, and access is being sought to services other than public ones, it should be authenticated. Depending on the sensitivity of the systems and data being accessed, basic authentication by password challenge may suffice if effective password rules can be enforced. The session should also be protected by encryption such as Secure Sockets Layer (SSL), a Virtual Private Network (VPN) or the like. For more sensitive applications, and where non-repudiation is a requirement, consideration should be given to the exchange of authentication certificates.

ARU - Version 0.5 - May 2012

TCP/IP should be the only protocol that the connection supports. Where there is reason to contemplate an alternative protocol, details of the circumstances should be referred to the Director IT Services with a recommendation. Provision must be made to defend our university network from unauthorised access and denial of service attacks. Audit trails of external accesses, which log all activities, must be maintained and regularly reviewed to ensure that only the agreed activities are being undertaken.

An external organisation should not have shared accounts in lieu of individual accounts for access to our services, unless there is a clear understanding that, in those circumstances, the responsibility for the use of those external accounts will be fully accepted by the organisation concerned and the written approval of our University Records Manager is secured.
In addition, shared accounts must never be given access to information considered sensitive or information that is not stored in a publicly accessible site on the Internet.

It is incumbent on all university personnel to respect the privacy of externally connected organisations. Personnel who attempt to access those external networks without justification and authorisation will be subject to disciplinary proceedings.

In addition to the above requirements, no inbound or outbound connections to external parties can be established until the approval of the Director IT Services is secured.