Last spring the University Council Committee on Communications developed
a proposed policy on Computer Disconnection from PennNet (Almanac
April 20) that was subsequently discussed at the April 28 meeting
of the University Council. The goal of the policy is to protect the academic
missions served by Penn's computers and networks. Under the policy, Information
Systems and Computing would disconnect from PennNet any computers that have
actually damaged or pose an imminent threat of harming the integrity of
The call for comment on the proposed policy (Almanac
May 11) did not result in any suggestions for change. I therefore
announced the adoption of the policy, effective immediately (Almanac, July
13). It is being republished now Of Record. In republishing
the policy, I would like to call attention to a companion piece that also
appeared in the April 20 issue of Almanac, in which David Millar, Penn's
Information Security Officer, listed steps to prevent such disconnects.
Anyone with questions or concerns about their system's security should
contact Mr. Millar directly or send them to firstname.lastname@example.org.
--Robert Barchi, Provost
Policy on Computer Disconnection from PennNet
Background: A well-functioning network is critical to the research,
academic and service missions of the University. Information Security has
documented an increasing frequency of computer intrusions which threaten
the integrity of PennNet. The capacity of entire departments to teach and
conduct research has been limited as a result, and sensitive data have been
at risk of unauthorized disclosure. At times, rapid response is required
to protect the integrity of systems, data and those that rely on them. Inefficiency
sometimes results because the owners of the penetrated machines cannot
be located. Disagreements arise over the magnitude and immediacy of the
problems without a formal mechanism for resolving conflicts.
Certain types of misconfiguration of Penn systems, intentional or otherwise,
can have serious and detrimental consequences. Examples include using another
host's Internet Protocol address ("IP Spoofing") or misconfigured
networking protocols. Normal operation of Penn computers, and even computers
elsewhere on the worldwide Internet, can be compromised. Networks can become
so congested that network traffic cannot get through.
Purpose: The goal of this policy is to protect the academic missions
served by Penn's computers and networks from disruption.
Policy: Information Systems and Computing (ISC) will disconnect
from PennNet any computers that have actually damaged or pose an imminent
threat of harming the integrity of PennNet.
Scope: This policy only applies to computers and devices attached
directly or indirectly to PennNet, including improper or defective "daisy-chain"
connections and private Local Area Networks with active networking components
connected to PennNet wallplates and hosts.
This policy does not address removing computers from PennNet for reasons
related solely to their content.
Implementation: Systems administrators must report serious computer
security incidents to the University Information Security Officer. Serious
computer security incidents will be defined as those that jeopardize the
integrity, privacy and/or availability of other computers and networks.
Examples of serious computer security incidents include break-ins where
privileged accounts (e.g. UNIX "root" account, or NT "Administrator"
account) are used without authorization, incidents where network traffic
is monitored without authorization, and incidents where Penn computers or
networks are either the source or the target of "denial of service"
attacks. The Information Security Officer will coordinate the response to
computer security incidents, including notifying campus systems administrators,
law enforcement officers, external sites, incident response teams and University
offices as appropriate.
Authorized actions: If, in the judgement of the Vice Provost
for ISC (VPISC) or his/her designate, criteria are met which suggest that
a system poses a significant and immediate threat either to:
- The security of other Penn computers and networks, or
- The continued operation of Penn networks and computers,
and the problem cannot be resolved expeditiously through collaboration
between the computer owners and ISC, then ISC will notify senior management
of the department or unit and will require the owners to remove the computer
from the network until the problem is solved.
Absent/Unidentified Owners: If ISC is unable, using the Assignments
database, to identify a system owner or Local Support Provider (LSP), ISC
will move unilaterally to protect the network by disconnecting the threatening
Disputes: In cases where there is persistent disagreement between
ISC and the owner of the perceived threat, ISC must notify the owner and
the LSP of the following information in writing:
- The reason for the disconnection
- What steps must be taken for the network connection to be restored
- How to arrange for the system to be reconnected
- The process of appealing a decision to disconnect
When the owner of the system has taken the steps necessary to correct
the problem, ISC will restore the PennNet connection as soon as possible.
Appealing a Decision to Disconnect: The Council Committee on
Communications shall appoint a subcommittee to review appeals of decisions
to disconnect computers. The subcommittee will consist of:
- At least four members of the faculty appointed by the Committee on
Communications, one of whom to serve as chair
- VPISC or her/his designate
- University Information Security Officer or her/his designate
The Committee on Communications may designate alternates to serve on
the hearings of an appeal when its appointees are unavailable.
The owner of a disconnected system who believes that the threat that
the system posed is outweighed by the impact of its disconnection on their
academic mission may appeal the decision by documenting this belief in writing
to the chair of the subcommittee. The chair or her/his designate may resolve
the dispute amicably; failing this it will be heard formally by the subcommittee.
The subcommittee will resolve conflicts as rapidly as possible within the
constraints of fairness. It will establish and follow its own operating
If the subcommittee does not begin the proceedings within 5 working
days in cases where the issue is a threat and not actual harm, or 30 working
days in cases where ISC can document actual harm, the subject system must
be reconnected. Once the subcommittee has begun the process, time limits
will not be imposed.
In considering appeals, the subcommittee will balance the value of leaving
machines connected against the associated risks. Its decision will be final.
The only recourse for faculty whose appeals are denied will be to the Senate
Committee on Academic Freedom and Responsibility. ISC may not appeal. However,
it may re-disconnect the computer and restart the entire process whenever
another trigger event is detected.
System owners who believe that their freedom of expression has been
unduly infringed may, under the Guidelines for Open Expression, request
that the Committee on Open Expression determine if the Guidelines were properly
interpreted and applied to the disconnection of their system.
Interpreting this policy: As technology evolves, questions may
arise about how to interpret this policy. The VPISC may as needed, after
consultation with the Council Committee on Communications, publish specific
rules interpreting this policy.
Advice: To minimize the likelihood of a serious computer security
compromise, campus systems administrators are encouraged to configure their
systems in accordance with the following standards:
Assignments Database: A computer database provided by ISC Networking
where Local Support Providers maintain information about PennNet connected
computers, including the network address, operating system, and contact
information. For more information about how to maintain records in the Assignments
Denial of Service Attack: An attack where someone takes up so
much of a shared resource that not enough is left for others. Denial of
service attacks threaten the availability of resources, including computer
processes, disk space, or network capacity among other things. The result
is a degradation or loss of service.
Local Support Provider: Departments/Units at Penn appoint Local
Support Providers to provide information technology support locally.
Almanac, Vol. 46, No. 6, October 5, 1999