
Responsibilities of Security Contacts

Adopted by the Information Services Committee’s Technical Advisory Group on 15-Apr-04.

1. Purpose

The purpose of this policy is to ensure that every University Unit (Faculty, School, Centre, Administrative Unit, the Library, etc) having IT facilities connected to the University Network can be contacted in the event of a computer or network security incident.  The ability to quickly contact responsible Unit personnel and have them take appropriate action can mitigate the negative effects of an incident both locally in the Unit and more globally throughout the University and the Internet.

2. Background

Like many universities, UWA is experiencing an increase in unauthorized attempts to access its network and computer systems.  Attempts to break into University computers are a regular event.

Risks to our academic mission are very serious.  The loss or corruption of information or access to information on research or instructional workstations and servers, student records, and financial systems could greatly hinder University work.  The University has a responsibility to secure its computers and networks and to respond quickly to threats to the integrity of systems and data.  A compromised computer in one Unit can easily be used as a springboard to launch attacks on computers in other Units or the Internet.

Because of these risks, central University security personnel must take action when they become aware of a security incident specifically involving a UWA computer or one connected to the University Network.  In cases where the incident poses a potentially serious threat to University information system resources or the Internet, the computer will be immediately blocked from network access (see Procedures for Exercising “Take-Down” Powers:  http://www.uwa.edu.au/it/__data/page/13813/Take-Down-Procedures-final.html).

When a problem computer is identified, whether or not it is blocked from network access, central University security personnel must be able to quickly contact someone in the appropriate University Unit who can take action and/or pass the information on to the appropriate Unit support personnel.  Quickly reaching a Unit contact is also important so that any affected user(s) may be informed of the situation.  In addition, central University security personnel will inform this contact person of possible irregularities such as computers with configuration problems that could negatively impact the network or that appear to be infected with a virus.

3. Requirements

a. To implement this procedure, each Unit having IT facilities connected to the University Network is required to appoint a Security Contact and one or more backup contacts. Groups of Units may agree to share contacts for efficiency.

b. Each Security Contact for a given Unit must be reachable through a single email address (eg security@unit.uwa.edu.au). In due course, it is proposed that messages communicated between central security personnel and Unit Security Contacts will be properly secured and validated, by means of a suitable encryption and signing process. UCS will establish a suitably secure mailing list of all Security Contacts, which will only be used for network or computer security matters.

c. Security Contacts must respond promptly to security incident reports from central University security staff and pass them on to responsible Unit or third party support personnel as appropriate. Contacts need to have some familiarity with the computers in their Unit and be able to determine who a responsible technical person is; it is not essential for the Security Contact to have extensive security expertise.

d. Security Contacts must cooperate with the Security Response Team, with UCS and with other appointed officers in the investigation, identification and resolution of security incidents. This will include providing access to buildings, computer systems and audit trails or similar as necessary, at all reasonable times.

e. From time to time, UCS will verify the authenticity of Security Contacts with School Managers (or equivalent).

f. Security Contacts are responsible for ensuring that appropriate personnel take timely action in response to each security incident (including escalating the incident to an appropriate Unit authority if action is not taken) and that each incident and its resolution are reported on the University’s Security Incident Report System (see http://www.ucs.uwa.edu.au/web/tech/security/incident_reporting_form).

g. Failure to ensure that a Security Contact is recorded and kept up to date for a Unit may result in that Unit being disconnected from the University Network. This is to ensure that the whole University Network has a seamless allocation of security responsibility, and so to preserve the integrity of the University’s network environment.

4. Updating a Unit’s Security Contact or Email Address

a. The name, email address and phone number for the Security Contact must be supplied for every Unit having a connection to the University Network, and must be kept up to date. This can be accomplished by entering the appropriate information on the Subnet and Security Contacts Website, at https://secure.uwa.edu.au/ucs/subnet/, using a Cyllene account (to be replaced in due course by a suitably secure authenticator when the Directory Service is operational). The Security Contact may be the same person as the Subnet Contact, but need not be (see 3 above).

b. If no Security Contact is listed for a Unit, the School Manager (or equivalent) will be asked to nominate someone. That person must then contact UCS to establish a Cyllene account if they do not already have one, and enter their details in the Subnet and Security Contacts Website (https://secure.uwa.edu.au/ucs/subnet/).
