The University’s approach to communications security
This control procedure defines the University’s approach to communications security, and directly supports the following policy statement from the Information Security Policy:
The University will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.
The University will provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems.
This procedure is intended to be read and understood by ISDS and other staff who are responsible for the management of IT systems, and staff who may be engaging third parties and require descriptions or assurance around the University’s technical defences.
The decision to accept or reject email should be taken by the individual recipient. However, there are cases where the University will reject messages to protect the network or for policy reasons. This could include messages containing material that is threatening, abusive or otherwise unlawful, or which would be considered as coming under the classification of prohibited use under the Acceptable Use control procedure. This blocking is done via email security appliances, managed by ISDS.
It is very difficult to reliably identify incoming email as ‘spam’. The University subscribes to services that help to identify such mailings, but these services cannot identify all spam, and they may occasionally falsely identify valid messages as being spam.
Incoming email which is identified as 'spam' will be subject to one of three actions based on a points score assigned by the email security appliance. The score is made up of numerous metrics which are continuously updated by the email security appliance vendor.
Mail which is identified as possible spam (with a low score) will be ‘tagged’. Tagging involves prepending a ‘potential spam’ warning to the subject and body of the message. Tagged messages should be treated with caution: links should not be followed and attachments should not be downloaded unless the recipient is 100% confident of the originator and is expecting the email.
An email which the system has given a mid-level score, and therefore higher chance of being spam, will be ‘quarantined’ by the system. This will send a message to the user’s mailbox to notify them that a suspected spam message has been detected. Users may then follow the link to the quarantine site to delete any messages filtered in this manner, or allow them through if they would rather receive them.
In the event that the email scores very highly, the email will be ‘blocked’. The email security appliance will block the message before it reaches the recipients’ mailboxes. In this instance the recipient is not alerted to the presence of the message in any way.
The University reserves the right to retrospectively remove from mailboxes, at any time, any delivered emails which are deemed a security risk.
The University also reserves the right to reject certain types of email attachment to prevent the spread of malware. If the central mail gateway receives an email with any of these attachment types, it will be returned to the sender with an explanation as to why it has been rejected.
The message of rejection will invite the sender to liaise with the recipient about alternate means of transfer, or to re-send the mail with the offending attachment in a safer format.
The blocked file types include, but are not limited to:
The Information Classification Scheme recommends protecting the content and/or attachments of emails based on the classification of the data.
The University does not routinely provide a method for encrypting emails, but attachments can be protected in a number of ways - guidance is available on the ISDS website.
For users who require secure communications with public sector bodies (such as HM Government, the NHS or the Police) the University can utilise the Criminal Justice Secure Mail system. For users who frequently require full email encryption to any recipient the University can utilise Egress Switch. Ask the Information Security team for more details.
The University actively checks the legitimacy of the origin of inbound mail using SPF (Sender Policy Framework) checking. SPF verifies that the server connecting to deliver a given email is listed, in a DNS record published by the owner of the envelope sender (MAIL FROM) domain, as authorised to send on that domain’s behalf.
Should an email fail an inbound SPF check, the email security appliance will ‘tag’ the message as potential spam. Staff should treat these messages with caution, as with any other ‘tagged’ message. The University does not currently filter inbound mail on the basis of DKIM signatures or DMARC policies, as these tools are considered less mature and have produced numerous false positives. This position is reassessed at regular intervals.
The University also maintains an up-to-date outbound SPF record, giving external recipients assurance about which servers are authorised to send on the University’s behalf. The University plans to add outbound DKIM signing alongside SPF so that a full DMARC policy can be published. It should be noted that publishing an SPF record, signing with DKIM or publishing a DMARC policy does not by itself determine whether a message is delivered: that is dictated by the configuration of the recipient’s mail server or email security appliance and how it acts on the results of these checks.
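The following is an added worked example, not the University’s appliance configuration or any vendor code, showing how the inbound SPF check described above is evaluated and how a failing result feeds the ‘tag’ action. The domains, IP addresses and SPF records are constructed for the example, and DNS is simulated with an in-memory table so the code runs offline; the `[POTENTIAL SPAM]` wording is an assumption, as is the treatment of a softfail (`~all`) as a failing check.

```python
"""Minimal SPF (RFC 7208) evaluator over a simulated DNS, plus the gateway's
tag decision.  Added example only; it is not the University's appliance."""
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains, addresses and records are assumptions, not real infrastructure.
FAKE_DNS_TXT = {
    "example.ac.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:192.0.2.5 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberately broken
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 s.4.6.4: cap on include/a/mx/... lookups


def lookup_spf(domain):
    """Return the SPF TXT record for domain, or None if it publishes none."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(client_ip, mail_from_domain, _lookups=None):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; any other mechanism
    yields permerror so the caller never silently treats it as a pass.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(client_ip, arg, lookups)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"  # an include matches only on a pass
        else:
            return "permerror"  # a, mx, exists, redirect= etc. not modelled

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


SPAM_TAG = "[POTENTIAL SPAM]"  # assumed wording; the real appliance may differ


def gateway_action(spf_result):
    """Map an SPF result to the inbound action described in the procedure.

    Only a failing check triggers tagging; none/neutral/permerror are left to
    the appliance's other scoring metrics.  Assumption: softfail counts as fail.
    """
    return "tag" if spf_result in ("fail", "softfail") else "deliver"


def tag_subject(subject, spf_result):
    """Prepend the warning to the subject when the SPF result calls for it."""
    if gateway_action(spf_result) == "tag" and not subject.startswith(SPAM_TAG):
        return f"{SPAM_TAG} {subject}"
    return subject


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.ac.uk"),
                       ("198.51.100.10", "example.ac.uk"),
                       ("192.0.2.5", "example.ac.uk"),
                       ("1.2.3.4", "loop.example")]:
        result = check_spf(ip, domain)
        print(ip, domain, result, "->", tag_subject("Invoice attached", result))
```

The check is keyed on the envelope sender domain, not the `From:` header a user sees, which is why SPF alone cannot stop a spoofed display name: that gap is what DKIM signing and a DMARC alignment policy address. The lookup counter illustrates the `permerror` failure mode for records that include themselves or chain too deeply, which a gateway should not treat as a pass.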
The University deploys next-generation perimeter firewalling with botnet filtering. In addition, IPS provides a deep-packet inspection feature that mitigates a wide range of network attacks. In the event of an actual or suspected attack it helps pinpoint the source of the attack and take the appropriate action such as alerting staff or dropping the connection in real time.
Web filtering is in place to block access to malicious destinations before a connection is established, using constantly updated signatures. Connections to malware, ransomware and phishing destinations, and command and control callbacks, are blocked over any port or protocol before the threat reaches the University. This service also permits the blocking of categories or protocols of web traffic where the Information Security team requires this.
Most virtual machines on the server estate are firewalled using the network virtualisation platform, so east / west traffic between virtual machines has to be explicitly permitted both outbound from the source and inbound at the destination. Virtual machines that share the same ports and protocols can be grouped together, and a standardised naming scheme means that a newly built virtual machine can be brought online by the server team with a comprehensive set of firewall rules in a matter of seconds.
North / south traffic from outside the virtual environment must additionally be permitted through an internal firewall cluster and, in some cases, again on the destination host. This allows traffic to be permitted at a high level of granularity, for example by IP address, hostname or subnet.
Wi-Fi secure access policies allow network policy to be applied per user, depending on who the user is and whether they are connecting from a University-managed device or their own device.
Perimeter and internal firewall rules are formally reviewed by the ISDS Infrastructure and Operations teams on an annual basis.
Remote access options are detailed in the Information Security Control Procedure – Mobile and Remote Access.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Security Board.