
Privacy Policy for the Managed Firewall Service

1. Managed Firewall Service: Description and Features

This policy applies to all data traversing a managed firewall provided by the UIS to a customer of the Managed Firewall Service. 

The University Information Services (UIS) offers a Managed Firewall Service (MFS) to protect institutions’ private networks; this can be delivered either as a fully managed service, or as a federated service, and is part of the University’s cybersecurity infrastructure.

A firewall is a device that is placed between a network and 'the outside world', defending an institution’s data against threats, and offering protection from legal and reputational risks, by:

  1. blocking traffic to/from particular hosts, internal or external - the existence of those hosts can therefore be hidden from the other side of the firewall;
  2. blocking certain identifiable protocol classes, e.g. ICMP;
  3. blocking traffic to specific ports, thereby blocking certain types of traffic.

Other optional features, such as anti-spam, antivirus, application control, and IPS functions can be enabled.

With the fully managed service, UIS proactively monitors the service and ensures that the policy implementation meets customer requirements. With the federated service, configuration and monitoring are delegated to the appropriate local IT officers, who also retain responsibility for ensuring that security is maintained at all times.

All firewalls in the Managed Firewall Service will log information determined by the Firewall’s configuration.  This may include personal data within the meaning of the Data Protection Act (1998) and the EU General Data Protection Regulation.

1.1 What is logged?

The firewall’s log records three types of events.

  1. Firewall events: these include system, router, VPN, and management events. Firewall events are automatic and will be enabled in all deployments of the Managed Firewall Service.
  2. Firewall traffic: these include IP addresses, port numbers, times, dates, and volume of data traffic transferred.
  3. Firewall security event information: security events will be recorded depending upon the security options activated by the customer (typically malware detections); this may include personal data such as CRSid or URL addresses, depending upon the security event.

Firewall traffic logs and firewall security event information may be enabled or disabled on each firewall security rule. A security rule defines what traffic is allowed or denied through the firewall. It can be configured either by the UIS on behalf of the customer (Fully Managed deployment) or directly by the customer (Federated deployment). Logging may be enabled for troubleshooting or to meet security requirements. All firewall logs are automatically sent to the UIS log management system.
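The following is an added example, not part of this policy and not Fortinet or UIS code. It models, in simplified form, what sections 1 and 1.1 describe: a first-match rule set that allows or denies traffic by host, protocol class and destination port; a per-rule logging switch; the traffic-log record a logged rule emits (addresses, ports, time, volume); the security-event record a malware detection emits (CRSid, URL); and a helper that lists which fields of a record this policy names as possibly personal data, which is the check a practitioner wants before extracting logs outside the log management system. The rule syntax, field names, signature name and addresses are assumptions for illustration, not the FortiGate configuration or log schema.

```python
"""Added example, not part of the UIS policy or of any Fortinet product code.

Rule syntax, log field names, the signature name and all addresses below are
assumptions for illustration, not the FortiGate configuration or log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: Optional[str] = None     # source CIDR, None = any
    dst: Optional[str] = None     # destination CIDR, None = any
    proto: Optional[str] = None   # "tcp", "udp", "icmp", None = any
    dport: Optional[int] = None   # destination port, None = any (or no ports, e.g. ICMP)
    log: bool = False             # per-rule traffic logging switch (section 1.1)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    nbytes: int
    ts: datetime


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A None field in the rule matches anything; every set field must match."""
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def traffic_record(rule: Rule, pkt: Packet) -> dict:
    """Traffic log: addresses, ports, time/date and volume (section 1.1, item 2)."""
    return {"logtype": "traffic", "time": pkt.ts.isoformat(), "rule": rule.name,
            "action": rule.action, "srcip": pkt.src, "dstip": pkt.dst,
            "proto": pkt.proto, "dstport": pkt.dport, "sentbyte": pkt.nbytes}


def security_record(pkt: Packet, user: str, url: str,
                    signature: str = "malware-detected") -> dict:
    """Security event such as a malware detection; carries CRSid and URL (section 1.1, item 3)."""
    return {"logtype": "security", "time": pkt.ts.isoformat(), "event": signature,
            "srcip": pkt.src, "dstip": pkt.dst, "user": user, "url": url}


def evaluate(rules: list, pkt: Packet, default_action: str = "deny"):
    """First matching rule decides; no match falls through to the default action.
    Returns (action, rule_name, record); record is None when the rule does not log."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name, (traffic_record(rule, pkt) if rule.log else None)
    return default_action, "implicit-deny", None


# Fields this policy names as possibly personal data (IP addresses, CRSid, URL).
PERSONAL_DATA_FIELDS = {"srcip", "dstip", "user", "url"}


def personal_data_fields(record: dict) -> list:
    """Fields of a log record that need data-protection handling before extraction."""
    return sorted(k for k, v in record.items() if k in PERSONAL_DATA_FIELDS and v is not None)


# Constructed rule set illustrating the three blocking methods listed in section 1.
RULES = [
    Rule("block-icmp", "deny", proto="icmp", log=True),                              # protocol class
    Rule("block-badnet", "deny", src="203.0.113.0/24", log=False),                    # particular hosts, unlogged
    Rule("allow-https", "allow", dst="10.0.5.10/32", proto="tcp", dport=443, log=True),  # specific port
]

# Constructed sample traffic using documentation/private address ranges, not real hosts.
T0 = datetime(2017, 9, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.5.10", "icmp", None, 84, T0),
    Packet("203.0.113.5", "10.0.5.10", "tcp", 443, 1500, T0),
    Packet("198.51.100.7", "10.0.5.10", "tcp", 443, 20480, T0),
    Packet("198.51.100.7", "10.0.5.10", "tcp", 22, 320, T0),
]


def demo() -> list:
    """Evaluate the sample packets; returns a list of (action, rule_name, record)."""
    return [evaluate(RULES, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for action, name, rec in demo():
        print(action, name, personal_data_fields(rec) if rec else "not logged")
    sec = security_record(SAMPLE_PACKETS[2], user="abc123", url="http://example.invalid/x")
    print(personal_data_fields(sec))
```

Note that the unlogged deny rule (`block-badnet`) still enforces policy but leaves no traffic record, so the evidence available to incident responders depends on the per-rule logging choices made when the rule set was written; the personal-data check is what you would run over a record before it leaves the log management system for the groups listed in section 1.2.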

1.2 Who has access to the logs?

Access to the firewall log data is only available through the firewall log management system (FortiAnalyzer). Access to the logs is restricted to nominated staff in the UIS Security Engineering and Network Systems teams. In addition, customers may nominate institutional staff that will also have access to the firewall log data specific to their firewall.

In certain circumstances, log data may be extracted and distributed outside of the FortiAnalyzer to the following groups of staff:

  • UIS CERT staff, to enable the response to a specific security incident.
  • UIS management staff, in response to a security incident.
  • Designated IT staff in customer institutions may extract logs for use within the customer institution.

All other access to firewall logs requires permission from the CISO.

1.3 How long are logs kept?

The log retention period is configured within the log management system maintained by the UIS. It is the same for all customers.

  • On-demand firewall logs are kept for up to 30 days within the log management system (FortiAnalyzer).
  • Archived firewall logs are kept for up to 365 days within the log management system (FortiAnalyzer).

Each customer has an allocated log storage limit. If this is exceeded, older logs are automatically overwritten. The speed at which the allocated storage is used, and therefore the actual retention time, depends entirely on how much logging is enabled on the firewall and the volume of events logged, which is in turn determined by customer requirements or security needs.

Log data may be extracted and distributed outside of the FortiAnalyzer (e.g. in response to a security incident or potential security incident, as described above); such data may be stored for a longer or indefinite period and analysed as part of responding to and resolving security threats. Log data may also be passed to law enforcement agencies in response to any lawful notice served on the University.

2. Data Protection

Some of the log data may include personal data within the meaning of the Data Protection Act (1998) and the EU General Data Protection Regulation.

For these purposes, and depending on the type of Institution and the MFS service option selected by that Institution, the Data Controller is either the University of Cambridge, or the University and the Institution (joint responsibility).

The responsibilities are shown in the tables below.

Data Controller

  Service option selected      Institution included in the University of   Institution maintaining a separate
                               Cambridge Data Protection Registration      Data Protection Registration
                               (e.g. Department, Museum, etc.)             (e.g. College, Theological Federation institution, etc.)
  Fully Managed Firewall       University                                  University and Institution
  Federated Managed Firewall   University                                  University

Data Processor

  Service option selected      Institution included in the University of   Institution maintaining a separate
                               Cambridge Data Protection Registration      Data Protection Registration
                               (e.g. Department, Museum, etc.)             (e.g. College, Theological Federation institution, etc.)
  Fully Managed Firewall       University                                  University and Institution
  Federated Managed Firewall   University                                  University

3. Definitions

  • Cambridge University Data Network (CUDN): The data network provided to the University by the UIS.
  • Chief Information Security Officer (CISO): The individual responsible for the University’s Information Security.
  • Device: An active networked item of equipment that connects to the CUDN. For example, a mobile phone, a desktop computer or a BMS unit.
  • General Data Protection Regulation (GDPR): GDPR applies from 25 May 2018 and replaces the Data Protection Act 1998 (DPA). It sets out rules and standards about how organisations can use information relating to living identifiable individuals. The GDPR is prescriptive about how organisations should implement the principles, and about how they should demonstrate that they are doing so.

  • Managed Firewall Service (MFS): The UIS service that provides and operates a firewall: a device placed between a network and 'the outside world', defending an institution’s data against threats, and offering protection from legal and reputational risks, by blocking certain traffic based on a set of configured rules.
  • Operational Security Staff: UIS staff who have day-to-day operational responsibility in cyber security. For example, this may include staff responding to security incidents, investigating security logs or configuring security systems.
  • Security Event: Any traffic identified by the firewall as a potential threat is logged by the firewall as a security event.
  • Security Incident: As defined within the UIS Security Operations Centre; an incident that involves cyber security.

 

September 2017