6.0 Communications Security
- Security Features
- Communications System Maintenance and Support
- Communications Control Procedures
- Remote Access
- Facsimile Communications
- Cellular and Radio Frequency Communications
6.1 Security Features
- Communications facilities should be monitored for discrepancies.
Examples: protocol errors, inconsistent communications identification data as related to hardware identification and polling responses, sequence errors, status and error alarms, data inconsistencies, communications access control errors, nodes (e.g. workstations) appearing and disappearing on the network, errors in network applications (e.g. e-mail, file transfer, proxy accounts, routing).
- Surveillance tests should be conducted periodically to ensure communications controls have not been compromised or misused. Results of these surveillance tests should be recorded for audit and quality assurance purposes.
- Records should be kept to ensure the integrity and accountability of data throughout the communications system network, including intermediate locations, nodes, concentrators, front ends, and monitors.
- All unsuccessful system access attempts should be recorded and reviewed.
- An integrity code should be included with the data to verify that the data has not been altered during transmission.
- University data, passwords and other university or security related information, if communicated over an uncontrolled network, should be encrypted.
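The "integrity code" called for above is, in current practice, a keyed message authentication code: an unkeyed checksum only catches accidental corruption, whereas a code computed with a key shared between sender and receiver also detects deliberate alteration in transit. The following is an added illustration, not part of the guideline text, using HMAC-SHA256 from the Python standard library. The message layout (payload, newline, hex tag), the shared key and the sample record are assumptions made for the example.

```python
"""Integrity code for data in transit (HMAC-SHA256).

Assumptions (not from the guideline): sender and receiver share a secret key
distributed out of band, and the code is appended to the message as a
64-character hex tag after a newline.
"""
import hashlib
import hmac

TAG_LEN = 64  # hex length of a SHA-256 HMAC tag


def seal(key: bytes, data: bytes) -> bytes:
    """Append an integrity code so the receiver can detect alteration."""
    tag = hmac.new(key, data, hashlib.sha256).hexdigest().encode("ascii")
    return data + b"\n" + tag


def verify(key: bytes, message: bytes):
    """Return (ok, data); ok is False if the tag is missing or does not match."""
    sep = message.rfind(b"\n")
    if sep < 0 or len(message) - sep - 1 != TAG_LEN:
        return False, None
    data, tag = message[:sep], message[sep + 1:]
    expected = hmac.new(key, data, hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest avoids leaking the correct tag through timing differences
    if not hmac.compare_digest(tag, expected):
        return False, None
    return True, data


# Constructed sample values: a record passed between two university systems
KEY = b"constructed-shared-key-for-illustration-only"
RECORD = b"student_id=12345;grade=HD"


def demo():
    """Exercise the three cases a receiver must handle."""
    sealed = seal(KEY, RECORD)
    ok_intact, data = verify(KEY, sealed)          # unchanged: accepted
    tampered = sealed.replace(b"grade=HD", b"grade=PA")
    ok_tampered, _ = verify(KEY, tampered)         # altered payload: rejected
    ok_stripped, _ = verify(KEY, RECORD)           # tag removed: rejected
    return ok_intact, data, ok_tampered, ok_stripped


if __name__ == "__main__":
    print(demo())
```

Note that the code protects integrity and origin only; the payload itself is still readable, so the encryption requirement in the last bullet remains separate.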
6.2 Communications System Maintenance and Support
- Where access to university data is possible, contract personnel performing maintenance should be supervised by a knowledgeable employee or other person responsible to the university who understands the implications of actions taken.
- The use of communications test equipment, communications software utilities, network monitoring tools and diagnostics for monitoring the network should be authorised and controlled.
6.3 Communications Control Procedures
- Communications equipment, excluding user workstations, terminals or other peripheral input/output devices, should be operated only by authorised personnel.
- Where university data is processed or stored on a system, or on a system which is part of a network, all communications with that system or network should be controlled.
Examples: Techniques such as voice recognition, smart card, encryption, dial-back units, and controlled user groups are recognised means of controlled communications.
- All communications components (e.g. bridges, routers) should be located in secure physical facilities as outlined in Part 4.
6.4 Remote Access
- Information systems that access the university's system and data resources from a remote location should conform to the guidelines for small systems outlined in Part 9 of this document.
Examples: Researcher's offices, labs, employees working from home, employees with laptops working from remote locations.
- Where university data is communicated to remote locations across public telephone lines, radio frequencies, or by means of electronic mail or electronic data interchange (EDI), the data should be encrypted.
- Where the university has local area networks or other information system resources that are connected to public networks such as the Internet and there is a risk of unauthorised access, the university systems should be protected by means of a firewall.
6.5 Facsimile Communications
- University data should be transmitted by facsimile only when required for urgent or emergent service.
- The sender of the data should be responsible for ensuring the security of university data transmitted.
- The facsimile device (fax machine, fax modem, etc.) should be located in a secure area where it can be monitored and used by authorised persons only.
- The following steps should be taken when transmitting university related data:
a) The receiver should be notified by telephone that the data is being transmitted.
b) The receiver should stand by to receive the data.
c) The sender must take the utmost care to assure the accuracy of the fax numbers dialled.
d) The sender should transmit a covering letter to accompany the university related data. The letter should contain the following:
i) name, address and phone number of the sender;
ii) name, address and fax number of the receiver;
iii) number of pages transmitted;
iv) a notice that the data is confidential and is not to be copied or released without the prior written approval of the sender;
v) the purpose for which the data is provided.
- Where there is doubt about the security of the receiving fax machine or the ability of the receiver to ensure privacy and confidentiality, communication by fax should be denied and other methods of transmitting the data employed.
- Where there is frequent transmission between two points, or where faxes are sent to a fax mail-box, transmissions should be encrypted.
6.6 Cellular and Radio Frequency Communications
- Cellular telephones and other radio frequency communications should not be used for voice, facsimile or transmission of university data unless the information is required urgently and no other alternative is available.
- Data transmitted over analogue cellular and other radio frequencies should be encrypted.
Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee