ISP-12 Network management policy

This is a sub-policy of the ISP-01 Information security policy.

Summary

This policy seeks to ensure the secure and efficient management of the University’s communication networks. It outlines responsibilities for network design, access control, and security, requiring staff and third parties to follow strict procedures to protect the network’s integrity. The policy aims to prevent unauthorised access, secure network resources, and minimise risks from external threats, supporting the University’s overall information security efforts. 
 

Control information: Control detail
Owner: Chief Information Security Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Information Security Officer, IT Services
Consulted: Digital Platforms and Network Manager, Head of Digital Security, Information Governance and Security Advisory Board (IGSAB)
Approved by: Information Governance and Security Advisory Board (IGSAB)
Responsible area: IT Services
Version: 5
Approval date: 14 November 2025
Effective date: 14 November 2025
Interim review effective date: Not applicable
Full review period: 1 year
Date of next full review: 30 September 2026
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements: Incident Reporting: Staff and authorised third parties must immediately report any network-related information security incidents to the Information Security Manager. If the manager is unavailable, incidents should be reported via email to cert@bristol.ac.uk.
Applicable statutory, legal or best practice requirements:
  • Data Protection Act 2018
  • ISO/IEC 27001
  • Change Management Standards
  • ITIL (Information Technology Infrastructure Library)
Keywords: authorised third parties, change management, Data Protection Act 2018, GDPR, information security, ISO/IEC 27001, ITIL, network access control, network incidents, network security

1. Updates to this policy

1.1. This policy has been updated to align to the new University of Bristol policy management framework.

2. Introduction

2.1. This Network management policy is a sub-policy of the University’s ISP-01 Information security policy and sets out the responsibilities and required behaviour of those who manage communications networks on behalf of the University.

3. Scope

3.1. This policy applies to all University staff, contractors, vendors, and any third parties who have access to or manage the University's communication networks.

3.2. It encompasses all communication networks under the University's control, regardless of the type of traffic they handle, whether physical or virtual, and irrespective of their location, including on-premise, hosted, or public cloud environments managed by or on behalf of the University.

4. Definitions

4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.

4.2. Change management: A structured process for managing changes to IT systems to ensure they are implemented securely and efficiently, minimising risks.

4.3. Comms rooms: Secure locations where network switches and other infrastructure are stored, with controlled physical access to authorised staff only.

4.4. Firewalls: A combination of software and hardware that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

4.5. Gateway: A network device that connects the University’s internal network to external networks, often including security controls like firewalls.

4.6. IPv4/IPv6: Internet Protocol versions used to allocate unique addresses to devices on a network, with IPv6 offering a larger address space than IPv4.

4.7. Network address management: The allocation and oversight of IP addresses used on the University’s network.

4.8. Network segmentation: The practice of dividing a network into smaller, isolated sections to improve security and control access between them.

4.9. IT Architecture Board: A body responsible for approving ongoing and future designs of network and IT system configurations, ensuring they align with the University's security standards.

5. Responsibilities

5.1. University Members: Must ensure they understand and comply with information security policies, in particular around the acceptable use of the University network and information communication facilities.

5.2. IT Services: Are responsible for the overall management, maintenance, and configuration of the University’s network. This includes incident management, controlling access, managing network address allocations, ensuring physical security, and applying security measures like firewalls while following change management processes.

5.3. Contractors and Third Parties: Must ensure they understand and comply with information security policies and follow the same security guidelines as IT Services staff when managing or accessing the University’s network. They must ensure network configurations and security measures are maintained, and promptly report any incidents or breaches in accordance with the policy.

5.4. Information Security Team: Provides input into the development of Network Management policies and standards. The Information Security Manager (or, if unavailable, the wider team) is responsible for processing network-related information security incidents. They also ensure the network's ongoing security by identifying vulnerabilities and logging risks.

5.5. Digital Platforms and Network Manager: Is responsible for approving temporary exceptions where network switches cannot, due to practicality, be located in approved comms rooms.

5.6. IT Architecture Board: Reviews and approves designs and configurations of the network to ensure they meet the University’s performance, availability, and security needs. Ensures ongoing network upgrades align with security and operational requirements.

6. Management of the network

6.1. The University’s communications networks will be managed by staff with the relevant skills and training to oversee their day-to-day running and to ensure their on-going security (confidentiality, integrity and availability). 

6.2. Network management requires staff and authorised third parties to have a high level of privileged access to critical infrastructure assets and, as such, they play a key role in ensuring University information assets are protected. Staff are expected to understand the entirety of the University's Information Security Policies and how they apply to their specific role.

6.3. Staff and authorised third parties are required to escalate and act promptly, and within guidelines specified by change management, to protect the security of the University network, but must be proportionate in the actions that they take, particularly when undertaking actions that have a direct impact on the users of the University network. Any actions which may be potentially invasive of users’ reasonable expectations of privacy must be undertaken in accordance with the University’s ISP-18 Investigation of computer use policy and the associated Guidelines for system and network administrators (PDF, 44kB) document.

6.4. Staff and authorised third parties must immediately report any network-related information security incidents to the Information Security Manager (or, if unavailable, by email to cert@bristol.ac.uk).

7. Network design and configuration

7.1. The network must be designed and configured to deliver high levels of performance, availability and reliability, appropriate to the University’s business needs, whilst providing a high degree of control over access to the network. 

7.2. Ongoing and future designs for network configuration must be agreed by the IT Architecture Board. 

8. Physical security and integrity

8.1. Networking and communications facilities, including wiring closets, data centres and computer rooms, must be adequately protected against accidental damage (fire or flood, for example), theft, or other malicious acts.

8.2. Network switches will be located in approved comms rooms only. This is to ensure physical access is restricted to authorised staff. Temporary exceptions may be made where this is not practical, with the associated risk logged and tracked. Any exceptions will require the approval of the Digital Platforms and Network Manager.

9. Change management

9.1. All changes to network components (routers, firewalls, etc.) are subject to IT Services’ change management processes and procedures.

10. Connecting devices to a network

10.1. Any device which poses a risk to the security or operation of the network is liable to physical or logical disconnection from the network without notice. 

10.2. All devices connected to the network, irrespective of ownership, are subject to monitoring and security testing, in accordance with standard University practices and in line with ISP-18 Investigation of computer use policy.

10.3. ISP-09 Acceptable use policy has further details on what is and is not acceptable to connect to University networks. 

11. Deployment of WLANs and WLAN Equipment

11.1. No Wireless Local Area Network (WLAN) equipment may be attached to the University network without the permission of IT Services. In most cases such equipment will be under the direct supervision of IT Services.

11.2. Permission may be given by IT Services for equipment unsupervised by IT Services only in exceptional circumstances, for example academic research into wireless networking and related areas.

12. Network address management

12.1. The allocation of network addresses (IPv4 and IPv6) used on the University networks is the responsibility of IT Services, which may delegate the management of subsets of these address spaces to other teams or Third Parties.

12.2. Network addresses (IPv4 or IPv6) assigned to end-user systems will, wherever possible, be assigned dynamically.

13. Network boundary management

13.1. Access to network resources must be strictly controlled to prevent unauthorised access. Access control procedures must provide adequate safeguards through robust identification and authentication techniques.

13.2. For more information on administrative account access refer to ISP-08 User management policy. 

13.3. IT Services or authorised third parties are responsible for the management of the gateways which link the University network to the Internet. Controls, such as firewalls, will be enforced at these gateways to limit the exposure of University systems to the Internet in order to reduce the risks of hacking, denial of service attacks, malware infection and propagation, and unauthorised access to information. Controls will be applied to both incoming and outgoing traffic.

13.4. The same network boundary management principles will apply to network segmentation.

14. Further guidance

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.
