N10-007 Given a scenario, implement the appropriate policies or procedures

Security policies

Networks and computers may be monitored and usage logged. Logs are kept secure and are only available to personnel authorized by the Director of Information Services and will only be kept as long as necessary in line with current data protection guidelines. Edinburgh Napier University’s networks and computers may be monitored and logged for all lawful purposes including:

  • Ensuring use is authorized
  • Management of systems
  • Protecting against unauthorized access
  • Verifying security procedures
  • System and operational security
  • Compliance with Edinburgh Napier University policies and regulations
  • Detection and prevention of crime

Monitoring includes active attacks by authorized Edinburgh Napier University users to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Monitoring is automated in the detection and removal of viruses, malware, spam, pornographic and inappropriate URLs and other activities not lawful to University business. Use of the Edinburgh Napier University information technology, authorized or unauthorized, constitutes consent by the user to monitoring of these systems. Unauthorized use may give rise to disciplinary procedures or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used subsequently in disciplinary, criminal or other forms of proceedings. Use of the Edinburgh Napier University IT systems constitutes consent to monitoring for these purposes.

Network policies

Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. When you deploy Network Access Protection (NAP), health policy is added to the network policy configuration so that Network Policy Server (NPS) performs client health checks during the authorization process.

When processing connection requests as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs both authentication and authorization for the connection request. During the authentication process, NPS verifies the identity of the user or computer that is connecting to the network. During the authorization process, NPS determines whether the user or computer is allowed to access the network.

Network policies can be viewed as rules. Each rule has a set of conditions and settings. NPS compares the conditions of the rule to the properties of connection requests. If a match occurs between the rule and the connection request, the settings defined in the rule are applied to the connection.

When multiple network policies are configured in NPS, they are an ordered set of rules. NPS checks each connection request against the first rule in the list, then the second, and so on, until a match is found.

Each network policy has a Policy State setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests.
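The ordered, first-match evaluation described above has a practical consequence: a broad rule placed ahead of a narrower one silently overrides it. The following is an added illustration, not NPS code or a Microsoft API; the policy names, attribute keys (`nas_port_type`, `group`) and the `NetworkPolicy` class are constructed for the example. It models rule ordering, the Policy State setting, and an audit check for rules that can never be reached.

```python
from dataclasses import dataclass

@dataclass
class NetworkPolicy:
    name: str
    conditions: dict      # attribute -> required value; every one must match
    grant: bool           # setting applied on match: grant or deny access
    enabled: bool = True  # models the Policy State setting

def authorize(policies, request):
    """First-match evaluation: return (decision, name of the matching policy)."""
    for p in policies:
        if not p.enabled:
            continue  # disabled policies are not evaluated
        if all(request.get(k) == v for k, v in p.conditions.items()):
            return ("grant" if p.grant else "deny", p.name)
    return ("deny", None)  # no policy matched: request is rejected

def shadowed(policies):
    """Audit check: (later, earlier) pairs where the later enabled policy can
    never match because an earlier enabled policy's conditions are a subset."""
    active = [p for p in policies if p.enabled]
    found = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.conditions.items() <= later.conditions.items():
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample policies and request (hypothetical names and attributes).
ALLOW_WIFI = NetworkPolicy("Wireless-Any", {"nas_port_type": "wireless"}, True)
BLOCK_CONTRACTORS = NetworkPolicy(
    "Block-Contractors-Wireless",
    {"nas_port_type": "wireless", "group": "contractors"}, False)
VPN_STAFF = NetworkPolicy("VPN-Staff", {"nas_port_type": "vpn", "group": "staff"}, True)
LEGACY = NetworkPolicy("Legacy-Dialup", {"nas_port_type": "dialup"}, True, enabled=False)

MISORDERED = [ALLOW_WIFI, BLOCK_CONTRACTORS, VPN_STAFF, LEGACY]
CORRECTED = [BLOCK_CONTRACTORS, ALLOW_WIFI, VPN_STAFF, LEGACY]
CONTRACTOR = {"user": "c.doe", "group": "contractors", "nas_port_type": "wireless"}

if __name__ == "__main__":
    print(authorize(MISORDERED, CONTRACTOR))  # broad rule wins
    print(authorize(CORRECTED, CONTRACTOR))   # specific deny wins
    print(shadowed(MISORDERED))
```

Running `shadowed` over an exported policy list before a change is deployed catches the misordering without waiting for a connection request to expose it.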

Acceptable use policy

Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted a network ID.

When you sign up with an Internet service provider (ISP), you will usually be presented with an AUP, which states that you agree to adhere to stipulations such as:

  • Not using the service as part of violating any law
  • Not attempting to break the security of any computer network or user
  • Not posting commercial messages to Usenet groups without prior permission
  • Not attempting to send junk e-mail or spam to anyone who doesn’t want to receive it
  • Not attempting to mail bomb a site with mass amounts of e-mail in order to flood their server

Users also typically agree to report any attempt to break into their accounts.

Standard business documents

SLA

A Service Level Agreement (SLA) is a formal definition of the relationship that exists between a service provider and its customer. An SLA can be defined and used in the context of any industry. It specifies what the customer can expect from the provider, the obligations of both the customer and the provider, the performance, availability and security objectives of the service, and the procedures to be followed to ensure compliance with the SLA. Service level agreements are often used when corporations outsource functions considered outside the scope of their own core competencies to third-party service providers. The operation and maintenance of computer networks is outsourced by many companies to third-party network providers, making SLA support an important subject in the context of computer networks.

MOU

A memorandum of understanding (MOU) is a document that expresses mutual accord on an issue between two or more parties. Memoranda of understanding are generally recognized as binding, even if no legal claim could be based on the rights and obligations laid down in them. To be legally operative, a memorandum of understanding must (1) identify the contracting parties, (2) spell out the subject matter of the agreement and its objectives, (3) summarize the essential terms of the agreement, and (4) be signed by the contracting parties. Also called a letter of intent.

MSA

A master services agreement (MSA) is a contract that spells out most but not all of the terms between the signing parties. Its purpose is to speed up and simplify future contracts. The initial time-consuming negotiation is done once, at the beginning. Future agreements need only spell out the differences from the contract and might require only a purchase order. MSAs are common in information technology, union negotiations, government contracts and long-term client/vendor relationships. They can affect a wide area such as the country or a state, with subset terms negotiated at the local level.

Common Terms

Master services agreements usually spell out payment terms, delivery requirements, intellectual property rights, warranties, limitations, dispute resolutions, confidentiality and work standards. For example, the MSA can spell out who has final ownership of any new developments, whether royalties are due on products stemming from new discoveries, and to whom and how information can be disseminated without violating confidentiality agreements. Another important clause involves indemnification or how risk is divided among all signatories if any party is sued by an outside entity. It might cover whether all parties are responsible for attorney fees or if everyone must abide by alternative methods of resolving disputes.

SOW

When it comes to implementing or constructing large and complex systems (such as an enterprise software system), the work requirements and conditions should be properly documented. A Statement of Work (SOW) is such a document: it describes what needs to be done under the agreed contract.

Usually, the SOW is written in a precise and definitive language that is relevant to the field of business. This prevents any misinterpretations of terms and requirements.

An SOW covers the work requirements for a specific project and addresses the performance and design requirements at the same time.

Whenever requirements are detailed or contained within a supplementary document, the SOW makes reference to the specific document.

The SOW defines the scope and the working agreements between two parties, typically between a client and a service provider. Therefore, the SOW carries legal weight as well.