Associate Vice-President, Information and Communications Technology
Authorization: Board of Governors, University Council
Approval Date: Jun 22, 2007
The University’s Research and Educational Network (the Network) is a shared resource that is critical to teaching, learning, research, University operations and service delivery. The Network is critical to University communications, which include data, text, voice and video.
The Network is a critical University resource.
Everyone who uses the Network has a role in maintaining a secure network and computing environment, including students, instructors, researchers, staff and authorized guests.
University ICT security measures must balance security (limiting opportunities for and the impact of network attacks) with network functionality and user productivity.
Users of the Network have a reasonable expectation that their communications are private. This privacy is subject to the University’s legal obligation for disclosure and its business requirement to ensure a reliable Network service and to protect its users.
Information and Communications Technology (ICT) is responsible for the Network.
This policy applies to the Network at all University locations. The Network encompasses wired and wireless network connections in offices, libraries, student computing facilities, research laboratories, University residences and other University locations. It includes connections to external networks such as provincial, Canadian, and international research and educational networks as well as the Internet.
This policy applies to all members of the University of Saskatchewan community and authorized guests of the University:
A network-capable device is any device that can connect to the Network with either a wired or wireless connection. Network-capable devices include, but are not limited to, desktop computers, laptop computers, tablet computers, printers, copiers, servers, personal digital assistants, cameras, security system equipment, robots, research equipment and VoIP phones.
This policy governs the ICT security practices for any and all network-capable devices that use the Network regardless of whether the devices are personally owned, owned or leased by the University, acquired through a research grant or contract, or acquired by the University through some other contractual agreement (such as a gift).
This policy governs the use of equipment located at University facilities using the unlicensed radio communications spectrum whether or not it is connected to the Network, and whether or not the equipment is owned by the University. This includes, but is not limited to, wireless access points and cordless telephones. This spectrum includes the 2.4GHz and 5GHz bands used for 802.11a/b/g and 802.11n communications and any other spectrum allocation for similar purposes.
The policy has been developed in the context of, and is designed to complement:
Colleges, departments, administrative units or individual researchers may develop supplementary ICT security policies that provide additional detail or introduce specific restrictions regarding the appropriate use of the computing facilities for which they are responsible.
University students, instructors, researchers and staff are authorized to connect network-capable devices of an approved type to the Network. Instructors, researchers and staff may extend this authorization to guests on a temporary basis if they judge that so doing supports the University’s mission, but in so doing they assume responsibility for their behaviour. Authorization and access to the Network may be withheld or withdrawn with cause.
Only approved devices and device configurations may be connected to the Network. Information about, and configuration requirements for, approved devices will be maintained and provided by ICT. Equipment that does not comply with these requirements may not be connected to the Network. Exceptions to these requirements may be authorized to meet the academic needs of the University.
Activities that interfere with the reliable operation of the Network are prohibited. These include, but are not limited to: operating network-capable devices that attack other network-capable devices, users of the Network and the Network itself; operating wireless access points, cordless phones and other devices using the unlicensed radio communications spectrum; and impersonating or interfering with Network equipment or Network services. Devices that interfere with the Network may be disconnected and/or removed.
Scanning and mapping the Network, as well as monitoring Network traffic, are prohibited unless authorized by ICT. Units are authorized to scan and monitor only the equipment they are responsible for maintaining, subject to this activity not interfering with the Network or others’ use of the Network.
ICT may scan devices connected to the Network for security issues and vulnerabilities. Network traffic may be monitored to help ensure a reliable Network service and to protect Network users. Devices suspected to be in violation of this policy may be disconnected from the Network.
Individuals or departments who develop and/or purchase network-capable devices for use by themselves or others are responsible for ensuring that these devices meet the ICT Security Requirements. This includes computer labs and special-purpose devices such as VoIP telephone sets, network-connected debit machines and self-service kiosks.
Students, instructors, researchers and staff are responsible for ensuring that the network-capable devices they connect to the Network, or use from off-campus to access resources or services located on the Network, meet University ICT Security Requirements.
Guests of the University who are authorized to connect network-capable devices to the Network are also responsible for ensuring that those devices meet University ICT Security Requirements. Members of the University community who authorize guests to connect to the Network are responsible for making them aware of this policy and their obligations under this policy.
Users of the Network must:
ICT is responsible for designing, implementing and managing the Network and maintaining efficient and effective operation. This includes:
ICT will develop, in consultation with the University community, the Approved Devices and Configurations Requirements. These requirements will address the ICT security and configuration requirements that must be met by all equipment connected to the Network, and identify configurations that are prohibited. ICT will communicate these requirements to the University community along with information about security alerts, vulnerability notices, security patches, and other pertinent information.
ICT may authorize exceptions to the Approved Devices and Configurations Requirements to meet specific academic or research needs of the University.
ICT will develop and maintain procedures related to this policy and make these available on the ICT website.
Suspected security compromises, incidents and problems should be reported to ICT_Security@usask.ca.
If there is reason to suspect that laws or University policies have been, or are being, violated, or that continued access poses a threat to the Network, network-connected devices, users, the liability of the University or the reputation of the University, access to the Network may be restricted or withdrawn.
Following due process, the University may take action against anyone whose activities are in violation of the law or of this policy. The actions taken may include, but are not limited to:
There are no other documents associated with this policy.
Contact Person: Associate Vice-President, Information and Communications Technology