Policy and Procedures -
House, 150 Willis
Tel +64 4 499 2267 // Fax +64 4 499 5596 // email@example.com // www.catalyst.net.nz
This document is considered to be part the Loop contract between schools and the Loop.1.1: This document is often called a Loop Network Acceptable Use Policy (LAUP)
1.2: In the event of a dispute the main School-Loop contract takes precedence over this Technical responsibilities document.
1.3: All material of an offensive and illegal manner (e.g. Copyright restrictions) is strictly prohibited from being imported, stored, viewed or distributed via the Loop's resources.
1.4: The authoritative primary source for End User credentials will be the individual
Schools user Directory Systems. If this is not available then the Loop’s User Directory Systems will be used.
1.5: In order for a service or provider to ‘Trust’ both the school and/or the Loop they must be assured that both are utilising good practice. Good practice in relation to the configuration, operation and security of the schools network system.
2.1. Identity Provider Service (the service the Loop provides)
All communication is carried out over HTTPS/SSL/TLS
2.1.2. Single Sign On – Access and Trust Policy
220.127.116.11. Identity and Access management (IAM) in the Loop is based on the devolution of the authentication responsibility to the schools. The Authentication of the user is performed at the schools user directories. Once a user is authenticated as a valid user, the Attribute Release containing the user credentials is trusted throughout the Federation.
18.104.22.168. The Loop's IAM service is responsible for the Single Sign On (SSO) service which manages authentication and authorisation queries that is communicated with the schools user directory.
22.214.171.124. The SSO Service will also manage the 'Where Are You From' (WAYF) protocol to identify the school that the User is to be authenticated from.
126.96.36.199. Multi user sessions (aka multiple users) are permitted (aka multiple users) … although service providers may apply their own restrictions.
188.8.131.52. Each Access Release token has an expiry time of 24 hours.
184.108.40.206. A separate unique user access name will be issued by the school if the user has a different concurrent role. (Aka schools will require multiple identities for users IF they have different roles within the school)
220.127.116.11: A user working from different schools will have separate unique user access name for each school.
18.104.22.168 The expectation is that this process will be managed via the SMS or ‘Black box”. The expectation is that when a user is added, suspended or deleted via the SMS or Blackbox then it will become effective within 30 mins.
2.2. Identity Management Expectations
2.2.1. Authentication - Authoritative Source
22.214.171.124. The primary authoritative source for user credentials will be the schools network User Directory Systems. The secondary source shall be the Loops network user directory system.
126.96.36.199. User credentials and attributes must be promptly kept current and accurate.
188.8.131.52. The school must ensure that sufficient logging information is retained so that a particular End User can be associated with a given session.
2.2.2. Identity Authentication
184.108.40.206. User accounts must be unique for the organisation.
220.127.116.11. User who is no longer permitted access and privileges to the schools network system must have their access revoked (locked) promptly.
18.104.22.168. User accounts should not be re-issued for at least 24 months.
22.214.171.124 Granting Access and Identity Establishment
126.96.36.199.1. Schools should have a documented process for vetting users and issuing credentials to Service Providers' services or resources.
188.8.131.52.2 Schools must use reasonable endeavours to teach users how to use their credentials safely and securely.
184.108.40.206.3 All user records in the schools user directory should be reviewed and updated annually.
2.2.4. Login Password
Password allocation and management is the responsibility of the school with the following expectations ...
a) Passwords are to be no less than 8 characters and no more than 16 characters, and must include a minimum of 2 digits and 2 letters;
b) Passwords must not be dictionary words.
c) A Prohibited Password List is to be applied.
d) Force password changes at least after 1 term.
e) Force new users to re-enter password on first login.
f) Access is locked after 3 failed login attempts.
g) User name must not be pre filled.
h) Passwords should not be saved on client machines or browser clients;
i) User name to be displayed on entry, and password entry to be non display.
j) Last login date and time should be displayed after password verification.
k) Passwords kept in a file for verifying the authenticity of the user must be encrypted.
2.3 Security Expectations
The following are guidelines for data, software and environment security that all Participants need to consider in their ICT infrastructure plans and policies.
220.127.116.11. Malicious Software
18.104.22.168 All media and email must be scanned for malicious software such as viruses and spyware.22.214.171.124. It is encouraged that cryptographic controls and digital signatures be used during data exchanges, particularly over the internet and email.
126.96.36.199 Encryption should be used where applications support it and there is no degradation of service delivery.
188.8.131.52. Apply secure networks and firewalls. Implement appropriate network management controls and policies.
184.108.40.206. Ensure latest updates to anti-malware software.
220.127.116.11 Apply user network connection closure after 1 hour of inactivity.
18.104.22.168. Allow only approved software to be installed on the servers.
2.3.3 Physical Environment
22.214.171.124. Secure physical access to servers to authorised personnel only.
126.96.36.199. Access rights to terminated staff to be removed immediately.
188.8.131.52. Access rights to restricted areas to be reviewed regularly.
2.3.4. Disaster Recovery
184.108.40.206. Servers must have an uninterrupted power supply (UPS).
220.127.116.11. Backup of applications and user directories to be done regularly and rotated.
18.104.22.168 Ensure off site backup storage for monthly backup media.
22.214.171.124. A Disaster Recovery plan must be documented and known to authorised personnel.
2.4 SMS Expectations <<under development>>
All communication is carried out over ...
2.4.2. SMS – Access and Trust Policy
2.5 Parental Portal Expectations <<under development>>
All communication is carried out over ...
2.5.2. Parental Portal – Access and Trust Policy <<under development>>