Administrative heads (Deans and Department/Unit Heads): Responsible for approving the need for servers/services and assigning qualified FTE's to secure and administrate them. Ultimately responsible for the security of their respective unit(s).
College security officer: An FTE with IT responsibilities (as defined by the university's SIRT charge) who will act to coordinate efforts between SIRT members. The security officer will also represent the college on university security committees such as the university's SIRT and will head the Carl R. Ice College of Engineering SIRT.
College SIRT members: This group will act as a College of Engineering SIRT (Security Incident Response Team). The members will be appointed by the Dean's office with the approval of the Department Heads and the College Security Officer. Their duties will include the following: approval of new security contacts, reviewing requests for servers and services from security contacts, coordinating efforts of the security contacts, and recommending security policy at the college level. They will have the authority to reject requests for servers or services that cannot be properly secured. This group should be kept relatively small, but no specific limit should be placed on the number of people that serve on the SIRT.
Security contacts: FTE's who have been assigned IT responsibilities by their unit head and have been approved by the College SIRT. Security contacts should be required for any computer that offers network services (acts as a server as defined in the attached guidelines). Security contacts are responsible for ensuring that these attached guidelines are followed. These guidelines also allow the security contact to make exceptions to them with the approval of a SIRT Member. This is left to the judgment of the security contacts. This group should be kept relatively small, but no specific limit should be placed on the number of people that can act as security contacts.
End users: For the purpose of this document, end users are defined as those people that do not fall into one of the above categories. End users should not provide network services unless authorized by the security contact for their systems. They should follow the instructions of the security contacts in regards to their system's security.
Procedures
When setting up a new computer system, end users should contact the FTE that will act as their security contact. This will allow the security contact to be aware of the new system and make any necessary recommendations for its security.
New systems (especially those acting as servers) need to be registered with the college. Until a standard central registration process can go into effect, a request for approval emailed to the college SIRT should suffice. The security contact configuring the server should wait for approval from the SIRT before bringing it online.
If an end user desires to offer network services beyond those allowed by the attached guidelines for desktops, they should contact their security contact. Their security contact should then obtain the SIRT's approval before connecting the service to the network.
The college SIRT should meet as a group on a regular basis to discuss security issues and to facilitate communication. They should also hold periodic meetings that include the security contacts.