Document Title: Cardiff University Website Filtering Policy
Author(s) (name, job title and Division): Huw Gulliver, Senior Engineer IT Security, University IT.
Version Number: 1.0
Document Status: Approved
Date Approved: 12 October 2017
Approved By: DIMOG
Effective Date: 12 October 2017
Date of Next Review: Annually unless otherwise triggered
Superseded Version: n/a

Document History

Version | Date | Author/Consulted | Notes on Revisions

Purpose

This policy sets out the principles to maintain and support research, teaching and other business activities whilst protecting users, networks and computers from hostile or unwanted network traffic and illegal or other content in breach of the various requirements of Cardiff University as an institution.

Scope

This policy applies to all communications between the University’s networks and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server-to-server communications, such as e-mail traffic, backups, automated data transfers or database communications, are excluded from this policy.

Relationship with existing policies

This policy forms part of the Information Security Management Framework. It should be read in conjunction with the Information Security Policy, the University IT Regulations, the University Acceptable Use Policy (IT Facilities), the University IT Monitoring Notice, the University Prevent Strategy and the University Policy on Security-sensitive Research.

Policy Statement

The University will make use of Internet filtering as part of its approach to managing risks and issues of Internet usage.

Policy

As part of its approach to managing risks and issues of Internet usage the University may make use of Internet filtering in the following areas:

- The University Acceptable Use Policy (IT Facilities) stipulates ‘Users shall not use the IT facilities inappropriately’.
  Inappropriate includes:
  5.1 the creation, download, storage, transmission or display of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material;
  5.2 the creation or transmission of material which is designed, or likely, to be threatening or abusive, defamatory, invades another’s privacy, creates or maintains a hostile environment for others and/or causes other unwarranted damage or distress;
  5.3 the creation, download, storage, transmission or display of material that promotes or incites racial or religious hatred, terrorist activities or hate crime; or instructional information about any illegal activities;
- The University’s legal obligations (for instance, the Data Protection Act 1998, Copyright Act 1988, Computer Misuse Act 1990, Protection of Children Act 1978, Sexual Offences Act 2003, Criminal Justice and Immigration Act 2008, Counter Terrorism and Security Act 2015).
- Issues of due care towards staff, students and other users of University IT facilities (by making sure, for example, that they are not inadvertently exposed to pornography or offensive material).
- To mitigate information and IT security risks posed by computer viruses, malicious software (malware), spam e-mail, phishing, computer hacking and use of illegal file-sharing by preventing access to sites associated with these risks.

Maintaining freedom of access to the Internet is acknowledged as being of business importance to the University. Processes will be implemented to allow requests for changes or exemptions to be made for a given site or category of material (see Schedule B).

It is acknowledged that access to sites or material that the University has agreed be filtered may be necessary for some research or other academic teaching purposes. An exemption may be applied for via the Head of School.
Appeals against the decision of a Head of School will be referred to:
- The University Research Integrity and Ethics committee for research purposes.
- PVC Student Experience and Academic Standards for other academic teaching purposes.

Internet filtering log data will be managed in accordance with the University IT Monitoring Notice. General trending and activity reports will be maintained as part of monitoring the effectiveness of this policy.

The Director of University IT Services may block a site(s) or protocols temporarily to protect the University IT facilities and its users from cyber threats. Threats such as computer viruses, malicious software (malware), spam e-mail, phishing, computer hacking, Denial of Service (DoS) and use of illegal file-sharing are highly dynamic and volatile in nature. Sites blocked temporarily will be reviewed and considered for permanent blocking by the University Chief Information Officer (CIO).

Responsibilities

- The University Senior Information Risk Owner (SIRO) is responsible for review of this policy.
- The University Senior Information Risk Owner (SIRO) will be responsible for approving or rejecting requests for filtering to be applied to or removed from a category of material. Appeals against the decision of the SIRO will be referred to the Vice-Chancellor.
- The secretary to the Data & Information Management Oversight Group (DIMOG) is responsible for ensuring that a summary of Internet filtering categories is published and maintained on the University Intranet (Schedule A).
- The Director of IT Services is responsible for ensuring that appropriate processes and procedures are established to support this policy, including periodic review and recommending changes to the University CIO and DIMOG.

Schedule A – Filtering actions by category

Website categories the University is taking steps to restrict or limit access.

The action taken when a web site category is accessed is one of:
- allow: Allow the user to access the web site.
- alert: Allow the user to access the web site and add an alert to the log files.
- block: Block access to the web site and add an alert to the log files.
- continue: Allow the user to access the page by clicking Continue on a warning page, and add an alert to the log files.

Table 1 – Firewall Vendor supplied categories

| Category | RESLAN and Student WiFi eduroam | Staff WiFi eduroam and wired | Guest other UK HEI WiFi eduroam | Cardiff Guest/Visitor WiFi | Approved by (Committee/Role) | Date Approved |
|---|---|---|---|---|---|---|
| Adult | Alert | Continue | Blocked | Blocked | UEB | 22 March 2012 |
| Copyright Infringement | Blocked | Blocked | Blocked | Blocked | University IT | |
| Hacking | Alert | Alert | Alert | Alert | University IT | |
| Malware | Block | Block | Block | Block | University IT | |
| Peer-to-Peer | Blocked | Alert | Blocked | Blocked | University IT | |
| Phishing | Blocked | Blocked | Blocked | Blocked | University IT | |
| Proxy Avoidance and Anonymizers | Blocked | Alert | Alert | Alert | University IT | |
| Questionable | Blocked | Blocked | Blocked | Blocked | Deputy Director Governance | 3 October 2016 |

Source: Palo Alto Networks PAN-DB URL Category List.

Table 2 – Local, Cardiff University, defined categories

| Category | RESLAN and Student WiFi eduroam | Staff WiFi eduroam and wired | Guest other UK HEI WiFi eduroam | Cardiff Guest/Visitor WiFi | Approved by (Committee/Role) | Date Approved |
|---|---|---|---|---|---|---|
| Dodgy Ad Servers | Block | Block | Block | Block | University IT | |
| Blocked Sites | Block | Block | Block | Block | University IT | |

Category descriptions for Local, Cardiff University, defined categories:

Dodgy Ad-Servers: Web sites currently redirecting to web sites distributing computer viruses or malware (malicious software). Used by University IT to protect University IT systems.

Blocked Sites: Web sites currently blocked to prevent spread of viruses or to stop users being phished.
Information is derived from current spam and phishing attacks against the University or HE Community.

Schedule B

Web Filtering Exemption and Categorisation Change Request Routing

Requests fall into two types:
1. A request to be permitted access to a web site, web sites in a category or a whole category of web content that the University is filtering. In effect, requesting exemption from the University policy for a category of content.
2. A request to change the category of a web site, on the basis that the current categorisation is incorrect.

Exemption Request

Outline of the process for requesting exemption from University Web Filtering policy for academic/research purposes.

| Request | Approver | Appeal |
|---|---|---|
| Request to filter a content category | SIRO | Vice-Chancellor |
| Request to cease filtering a content category | SIRO | Vice-Chancellor |
| Request for access to filtered content for research purposes | Head of School | URIEC |
| Request for access to filtered content for other academic teaching purposes | Head of School | PVC SEAS |
| Request for access to filtered content for business purposes | Director of Division | COO |
| Request for web site categorisation change | Firewall Vendor | CIO |
| Request for Cyber threat filtering temporary to permanent | CIO | SIRO |

Academic staff member, including research post-graduates

- The member of staff will log a request on the IT Service Desk, providing information including the site full address (URL), purpose of the access, the length of time access will be required and the names of individuals who will require access to the material.
- The request will be referred to the relevant Head of School to review and approve or reject the request.
- Approved requests will be forwarded to the IT Service Desk for implementation.
- Appeals against the decision of a Head of School will be to:
  - The University Research Integrity and Ethics committee for research purposes.
  - PVC Student Experience and Academic Standards for other academic teaching purposes.

Professional Services staff member

- The member of staff will log a request on the IT Service Desk, providing information including the site full address (URL), purpose of the access, the length of time access will be required and the names of individuals who will require access to the material.
- The request will be referred to the relevant Director of Division to review and approve or reject the request. Approved requests will be forwarded to the IT Service Desk for implementation.
- Appeals against the decision of the Director of Division will be to the University SIRO.

Student (under-graduate, taught post-graduate)

- The student will contact their tutor. Their tutor is expected to know if access is required for the student’s studies/research and to be able to provide support and guidance to the student, which may include making a request to the Head of School on behalf of the student.
- Approved requests will be forwarded to the IT Service Desk for implementation.
- Appeals against the decision of a Head of School will be to:
  - The University Research Integrity and Ethics committee for research purposes.
  - PVC Student Experience and Academic Standards for other academic teaching purposes.

Categorisation Change Request

Outline of the process for making a web site (URL) categorisation change request when a user comes across a web site that they believe has been incorrectly categorised.

Request for a web site to be unblocked

- User contacts the IT Service Desk to request a web site category review, providing the site full address (URL) and the reason this site's categorisation should be changed.
- IT Service Desk submit a category review request to the vendor via the vendor support portal.
- Outcome of vendor review:
  - Category change accepted by vendor
    - User informed and call closed.
  - Category change rejected by vendor
    - User accepts and call closed.
    - User disagrees and appeals.
      - Call referred to the University CIO
        - Appeal rejected, user informed and call closed.
        - Appeal accepted. IT Security team implement a by-pass to allow access, and call closed.

Request for a web site to be blocked

- User contacts the IT Service Desk to request a web site category review, providing the site full address (URL) and the reason this site's categorisation should be changed.
- IT Service Desk submit a category review request to the vendor via the vendor support portal.
- Outcome of vendor review:
  - Category change accepted by vendor
    - User informed and call closed.
  - Category change rejected by vendor
    - User accepts and call closed.
    - User disagrees and appeals.
      - Call referred to the University CIO
        - Appeal rejected, user informed and call closed.
        - Appeal accepted. IT Security team implement a block to prevent access, and call closed.