Issued: August 2014
Author: S. Wood
Last Reviewed Date: 14/08/2014
1. It is the policy of the Jisc that, as a network for education and research, Janet will be most effective if it places as few technical restrictions as possible on the development or use of new applications and services. The imposition of mandatory access control or monitoring systems is likely to cause problems for existing uses of the network as well as limiting future developments, and should only be considered where there is a clear benefit. Filtered or restricted network access may be offered as optional services that organisations can join, however the core Janet service should provide as open a network as is possible while meeting operational and legal requirements.
2. A presumption of openness brings associated risks that security incidents or misuse will seriously damage the effectiveness of the network (a summary of these risks can be found in Annex A). The impact of incidents may rapidly spread far beyond the individual organisation, machine or user where they originate. These risks must be managed if the network is to fulfil its purpose. The Jisc has therefore adopted this Security Policy to protect the network and the organisations that use it. Under the Terms for the Provision of the Janet Service, compliance with this Policy is a requirement for all organisations connected to the network. The Policy also places responsibilities on users of the network. The authority of Janet(UK), as service provider, to protect the operation of the network is established in the Terms for the Provision of the Janet Service.
3. This Janet Security Policy therefore has a number of goals:
- To ensure that appropriate local policies exist to protect Janet, the networks connected to Janet and the computer systems using Janet from abuse (whether defined in this or other Janet Policies);
- To ensure that mechanisms exist to aid the prevention and identification of abuse of the Janet network;
- To ensure an effective response to complaints and queries about real or perceived abuses of the Janet network;
- To ensure that the reputation of Janet is protected and that the network can meet its legal and ethical responsibilities with regard to its connectivity to the worldwide Internet.
4. The term ‘User Organisation’ has the meaning defined in the Terms for the Provision of the Janet Service.
5. The term ‘Connected Organisation’ means any organisation with a connection to the Janet network, whatever type of licence covers the connection. In particular it includes User Organisations.
6. The Terms for the Provision of the Janet Service place responsibilities on every person and organisation involved in the use or operation of Janet to protect the network against security breaches. In particular:
- Each User Organisation must ensure that all use of Janet by those individuals and Connected Organisations to whom it provides network access complies with this Security Policy and the Janet Acceptable Use Policy. The User Organisation must also ensure that information about security issues can be communicated rapidly within the organisation and to Janet(UK) and that problems are resolved promptly (see paragraphs 7 and 8);
- Each Connected Organisation, including those that are User Organisations, must ensure that its actions and those of the users for which it is responsible are safe for themselves and do not present a threat to others (see paragraph 9);
- Each user of the Janet network and the networks of Connected Organisations must behave in accordance with this Security Policy and with any policies and procedures local to the Connected Organisation. The user must cooperate with their organisation and the network operators to reduce security risks;
- Janet(UK) must ensure that the operation of the network is appropriately monitored, that the response to security problems is coordinated, and that temporary or permanent measures are implemented, up to and including disconnection, where necessary to protect the network or to comply with the law (see paragraph 10).
7. The successful prevention of security incidents and prompt resolution of those that do occur both depend critically on the rapid and accurate transfer of information between Janet Connected Organisations and Janet(UK) as operator of the network. To this end each User Organisation must provide Janet(UK) with up-to-date details of one or more persons who will act as Security Contact(s) for the User Organisation and any other organisations and individuals to whom the User Organisation provides access to Janet. The User Organisation must ensure that its designated Security Contact(s) have appropriate knowledge, skills, resources and authority to fulfil their role (see note 1).
8. The Security Contact(s) have roles in both the prevention and resolution of security incidents:
- To disseminate Janet(UK)’s warnings of general risks and precautions to appropriate people within the organisation(s) for which they are responsible, and to ensure that appropriate preventive measures are taken promptly;
- To ensure that any particular security breach or risk that has been reported to the Security Contact(s) by Janet(UK) as affecting an organisation for which they are responsible is investigated and resolved promptly, and to inform Janet(UK) that this has been done.
9. Each Connected Organisation must act responsibly to protect the network. This duty includes:
- Taking effective measures to ensure that there is no security threat to Janet or other Connected Organisations from insecure devices connected to the Organisation’s network (see note 2);
- Taking effective measures to protect against security breaches, in particular ensuring that recommended security measures are implemented;
- Taking effective measures to ensure that security breaches can be investigated and that other users of the network are protected from the consequences of breaches;
- Assisting in the investigation and repair of any breach of security;
- Promoting local policies in support of this Janet Security Policy, backed by adequate disciplinary and other procedures for enforcement;
- Implementing appropriate measures for giving, controlling and accounting for access to Janet, backed by regular assessments of the risks associated with the measures chosen (see note 3);
- Taking reasonable measures to encourage its users to act responsibly in compliance with this Policy and the Janet AUP, and ensuring that they are enabled to do so through systems, procedures and training that support good security practice.
10. The Terms for the Provision of the Janet Service authorise Janet(UK), as the service provider responsible for the Janet network, to require connected organisations to comply with this Policy, to monitor the network where it has reason to believe there has been a breach of the Policy or other threat, and to take such actions as are necessary to protect the operation of the network and the security of services provided to Janet customers (see note 4). In particular Janet(UK) is authorised to:
- Monitor use of the network, while respecting privacy and national law, either in response to information about a specific threat or generally because of the perceived situation;
- Where a vulnerability in customer equipment may present a serious threat to the security of the Janet network or services provided over it, to identify vulnerable systems and report these to the relevant Security Contact(s) (see Note 5);
- Implement such temporary technical measures as are required to protect the network or its customers against breaches of security or other incidents that may damage the network’s service or reputation;
- Require a User Organisation, through its nominated contact, to fulfil its responsibilities under any of the Janet Policies;
- Where a User Organisation is unable or unwilling to co-operate, initiate the process for achieving an emergency disconnection;
- Where permitted or required by law, assist law enforcement authorities in their investigations concerning the Janet network.
1. Further details of the role of the Security Contact can be found in the Janet Support Handbook on the Janet website.
2. The security of networked devices may, for example, be managed by a combination of direct configuration and maintenance, technical controls such as firewalls or router access control lists, system monitoring or probing, and delegation to appropriately skilled others. Where an organisation allows a device it does not own or control to connect to the network it is strongly recommended that consent to these normal operational measures be obtained as a condition of connection.
3. Further information about granting and accounting for access can be found in the factsheet ‘User Authentication’ on the Janet website.
4. On occasion, Regional Network Operators may assist in the investigation of misuse or protection of the network under their contracts with Janet(UK).
5. Active scanning of customer equipment under this clause will only be done on the authority of the Operations Director, who must ensure that this exceptional measure is justified by the threat to the security of Janet services and will not affect the services scanned. Scans will aim only to identify systems that may be vulnerable, and will not attempt to breach system security.
Annex: Risks to Networks and Networked Systems
All computer networks are exposed to threats, both internally and from the other networks to which they connect. Hostile traffic, both random and directed, is now a constant feature of the Internet. The particular open character of an education and research network increases both its exposure to these threats and the potential damage to the integrity and effectiveness of the network.
The risks to the network, the computers and organisations connected to it, include:
- Breaches of confidentiality. Organisations hold and have access to large amounts of intellectual property, both their own and licensed from others: the value of such property may be greatly reduced if it is disclosed to others. Organisations also handle a great deal of personal information about individuals who may suffer if it is not kept confidential: consequences range from a loss of privacy to partial or complete theft of identity.
- Loss of integrity. Information held on computers can be destroyed or modified, and unauthorised changes may be undetectable. The integrity of computers themselves may be compromised if intruders are able to take control of them, thus casting doubt on the accuracy of any results and the privacy of any data. Repeated failures can result in users losing confidence in computer systems at their own or other organisations.
- Failures of availability. Networks and the computers connected to them may be temporarily disabled either deliberately or accidentally by large flows of network traffic, making them unusable at critical times. Organisations that lose the confidence of others may find themselves unable to communicate if they are placed in a blacklist. Network and computer staff may be unavailable for support or development activities if they have to spend their time dealing with security incidents.
- Damage to reputation. The reputations of Janet and the organisations and individuals connected to it may be seriously harmed by security incidents or inappropriate use of the network. Many intruders like to advertise their successes, others may attack third parties using computers connected to Janet and to which they have gained control. Organisations whose systems are used in these ways are likely to be held responsible. The use of Janet to disseminate unwanted, offensive or illegal material is also likely to be seen as misuse of a publicly-funded resource.
- Legal action. National and international law is increasingly concerned with data networks and is placing a growing list of obligations on those who provide them. Individuals, organisations and network operators who, by action or inaction, fail to meet their legal obligations may be punished by the criminal law, have substantial financial damages awarded against them or be required to modify or cease their networking operations.
The openness of Janet and other connected networks may allow the impact of a security breach to spread far beyond an original insecure system or action. The same openness means that it will rarely be possible to protect organisations and users against the immediate consequences of their insecure actions: more often it will be necessary to respond promptly to security breaches by isolating the systems and organisations affected until the problem has been resolved.