Guidelines and procedures for blocking network access

Purpose

Computing Service must take immediate action to mitigate any threats that have the potential to pose a serious risk to the University's information system resources or the Internet. If the threat is deemed serious enough, the computer(s) posing the threat will be blocked from accessing the University network. These guidelines specify how the decision to block is made and the procedures involved.

Guidelines

Computing Service personnel have the authority to evaluate the seriousness and immediacy of any threat to campus information systems or the Internet and to take action to mitigate that threat. Action that is taken will be proportionate to the threat and will take account of the potential negative impact caused by making the offending computer inaccessible. Examples of threats that are serious enough to invoke these procedures include:

  • attacks on other computers or networks (e.g. network scanning or mass emailing of viruses).
  • evidence someone has gained unauthorised access, i.e. the system has been hacked.
  • the system is susceptible to a serious security vulnerability.
  • evidence of infringing peer-to-peer applications being operated.

Procedures

If the threat is immediate, the offending computer will be blocked immediately and notification will be sent to the departmental or faculty IT contact(s) via email that the block has occurred. If the threat is not immediate, notification of the threat will be sent to the departmental or faculty contact via email. If a timely response is not received indicating that the department is taking action to mitigate the threat, the offending computer will then be blocked.

Unblocking

Where a compromise has occurred, Computing Service will work with the departmental or faculty contact and/or the system administrator(s) to ensure that the computer is properly re-secured. In many cases, a complete system rebuild will be required. In the following situations, a rebuild is highly recommended:

  • The computer has been hacked.
  • The computer has been compromised by a worm or virus involving a remote control "backdoor" element.

In some cases of worm/virus compromise with no known backdoor element, Computing Service may recommend a particular anti-virus cleaning tool, rather than a rebuild.

If a block has been put in place it will be removed when both the department and Computing Service personnel agree that the problem causing the incident has been sufficiently addressed.