Use of The Information Services’ EZproxy Service Code of Practice

Introduction

This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document.
http://www.ed.ac.uk/schools-departments/information-services/about/policiesandregulations/security-policies/security-policy

This code of practice is also qualified by The University of Edinburgh computing regulations, found at:
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations

1.

Revision Date: 14/09/2012
Code of Practice Version: CoP Version 0.1
Author: Colin Watt
Notes: Initial version

QA Date / QA Process / Notes:
17/09/2012 Review by Liz Stevenson L&C
Review by David Anderson ITI-Unix
Accepted by the IT Security WP
18/09/2012
14 Nov 2012
Template Version 1.4

Suggested date for Revision of the CoP: 01/09/13
Author: Colin Watt

EZproxy Code of Practice v0.1

2. System description

Revision Date: 14/09/2012
System Version:
Author: Colin Watt
Notes: Initial version

2.1 System name

EZproxy service.

2.2 Description of System

The EZproxy platform is a web proxy service that provides access to restricted websites that require authentication by IP address, such as electronic resources to which the library subscribes.

The service works by dynamically altering the URLs within the web pages provided by the vendor of each protected resource. The server names within the URLs of these web pages are changed to reflect the EZproxy server instead, causing users to return to the EZproxy server as they access links on those web pages.

2.3 Data

EZproxy does not store or pass on any high risk user data. UUNs are stored in request logs.

2.4 Components

The EZproxy service is provided by a redundant pair of virtual servers, behind the centrally managed load balancing service.

2.5 System owner

The service is managed by the Digital Library Section within the Library & Collections division of Information Services. The primary contact is Liz Stevenson.

2.6 User base

The EZproxy service provides valid university users with access to restricted electronic resources via EASE (see EASE Code of Practice).

2.7 Criticality

High

2.8 Disaster recovery status

The EZproxy servers operate as a redundant pair, with separate application server stacks installed on Virtual Machines at two distinct sites. These operate behind the load balancing service as a live-live pair, with traffic redirected if one fails. This process is well documented and thoroughly tested.

3. User responsibilities

3.1 Data

There is no end-user access to the EZproxy servers. No user data is stored on or passed to the EZproxy servers.

3.2 Usernames and passwords

There are administrative accounts for a small number of IS staff. ITI-Unix staff have access at the operating system and application level. Digital Library staff have access to the application via an admin interface. There is no end-user access to the EZproxy servers.

3.3 Physical security

The EZproxy servers are installed on the centrally managed virtual infrastructure within IS managed data centres.

3.4 Remote/mobile working

Administrative access to the EZproxy servers is limited to a subset of the local University of Edinburgh networks. Remote admin access to the servers must be through these local networks.

3.5 Downloads and removal of data from premises

The only data stored on EZproxy servers are session cookies, and UUNs in request logs.

3.6 Authorisation and access control

A small number of IS staff within ITI-Unix have access to the EZproxy server filesystem. A small number of IS Digital Library staff have access to the application config and the resource configuration list. There is no end-user access to the EZproxy servers.

3.7 Competencies

ITI-Unix have several years' experience and knowledge of managing load balanced and virtual server platforms. Library & Collections Digital Library staff have several years' knowledge and experience of coordinating and managing access to electronic resources and of working with ITI to ensure these are made available securely. There is no end-user access to the EZproxy servers.

4. System Owner Responsibilities

4.1 Competencies

L&C’s Digital Library Staff own the EZproxy Service. It is one of this team’s primary functions to specialise in providing access to the library’s online resources and ensure team members have sufficient knowledge and understanding of the concepts, tools, processes, internal operation and security of service to deliver and support an EZproxy service that is highly tailored to the University’s needs.

4.2 Operations

Servers are updated with appropriate operating system upgrades as part of the centrally managed service, to ensure the security of the servers and to protect the resources they access. Application upgrades are carried out by ITI-Unix in consultation with the L&C Digital Library section. Access to the configuration is restricted to administrator logins, which are password protected and to which only a small number of ITI-Unix staff have access.

4.3 System documentation

Procedural documentation is held within the ITI-Unix section and L&C Digital Library wikis. System documentation is kept up to date by the application vendor (OCLC) and made available on their web site.

4.4 Segregation of Duties

- All operating system updates and security patches are carried out by ITI-Unix
- All system backups are carried out by ITI-Unix
- All application upgrades are carried out by ITI-Unix
- All updates to target resources made available are made by L&C’s Digital Library section.

4.5 Security incidents

On discovery of a security incident the Electronic Resources Team should be contacted via the team Unidesk queue, by logging with the IS Helpline. The Electronic Resources Team will initially investigate and will escalate as appropriate to the Incident Response Team and ITI-Unix. Any security incidents related to the EZproxy servers would be referred to the IS IRT team, who would log the incident and aid with investigation, escalating as appropriate to the ITI-Unix section head.

4.6 Fault/problem reporting

Faults and problem reporting related to end user services (e.g. electronic journals) should be via the Electronic Resources team Unidesk queue, by logging with the IS Helpline.

4.7 Systems development

All systems development is carried out by the application’s vendor, OCLC.

5. System Management

5.1 User account management

User accounts are managed by ITI-Unix.

5.2 Access control

ITI-Unix staff have access to the EZproxy administrative logins. A small number of L&C Digital Library Section staff have access to the web based administrative views. A small number of L&C Digital Library Section staff have access to the resource configuration file.

5.3 Access monitoring

EASE logins are logged on a remote, independent system. All other logins are logged locally. Access to the EZproxy service is recorded via logs which are monitored and investigated in the case of reported abuse of the service.

5.4 Change control

Changes are subject to L&C Digital Library change control procedures. Any major change to service would be agreed and scheduled with the DLS Forum (stakeholders for resources impacted by major changes) and communicated through the IS alerts system. Standard configuration changes are managed via Unidesk.

5.5 Systems clock synchronisation

The systems clock is synchronised to UTC using the NTP protocol.

5.6 Network management

There are no IP or visibility restrictions to the EZproxy service; however, there are restrictions to the server backends so that they can only be accessed from the eucsoffices and library VLANs. The servers are protected by the central firewall.

5.7 Business continuity

The EZproxy servers operate as a fully redundant live-live pair behind the load balancing service – this function has been rigorously tested during acceptance.

5.8 Security Control

The EZproxy servers each run applications on:

- EZproxy port 80
- Secure EZproxy port 80 (different IP address on server)
- Admin interface port 2050
- SSH port 22

The load balancing service handles SSL communications. Secure EZproxy communicates with EZproxy privately on each server. Admin and SSH access is restricted to a small number of IS staff.

6. Third Party

6.1 Outsourcing

N/A

6.2 Contracts and Agreements

N/A

6.3 Compliance with the university security policy

N/A

6.4 Personal data

N/A