One significant advantage of NetReg is its use of different kinds of security contact roles (CRs). This allows the application to support the different ways IT is managed within departments and groups while still routing security notices to the right party.
Departmental Contact Role (DCR):
The Departmental Contact Role (DCR) is the CR whose members respond to security notices, including routing them as necessary, for an organization or department within the university. By definition, a DCR is associated with a node in the organizational tree. Only DCRs can have child contact roles (i.e., Group CRs).
The initial creation of a DCR requires review by Information Security and Policy (ISP).
Group Contact Role (GCR):
Group Contact Roles (GCRs) are created by DCRs when a separation of responsibility is necessary. Group contact roles will not have an org node set but will have a DCR "parent".
Both GCRs and DCRs have the same functionality within NetReg. They can claim, request, and transfer IP address entities. They have membership, receive and respond to security notices, and can register devices for use with DHCP. DCRs are associated with a node in the organizational tree, i.e., they have an org node. GCRs do not have an org node but must have a parent DCR. In that way, security incident reporting can "roll up" to nodes within the organizational tree. GCRs cannot themselves have child GCRs. This avoids the situation where GCRs link to each other but not to a parent DCR.
GCRs can be created for a variety of reasons:
- Separating devices into sets that receive (and do not receive) IT support from a Service Provider Contact Role (see below).
- Relatedly, to create sets of members for the purpose of providing service, i.e. GCR as Service Provider Contact Role.
- When response to security incidents is the responsibility of different groups, e.g., a research lab within a department.
Note: It is not necessary to use GCRs to provide or receive support from another CR, but it may make doing so more convenient.
When a DCR creates a GCR, it adds the GCR's first member. The GCR is authorized by the DCR to register devices and restricted data systems, claim IP addresses, and so on. The GCR's first member can in turn add any additional members. Individuals can be members of both CRs if that makes sense. In addition, notices sent to the GCR can also be sent to the parent DCR; this configuration of the GCR is set by the parent DCR.
Currently there is no restriction on how many DCRs can exist at a given node in the organizational tree. However, in order to maintain accountability and strong authorization, it is highly recommended that as few DCRs as possible exist at an org node. Using GCRs to separate areas of responsibility within a department is preferred to using multiple DCRs.
Individual Contact Role (ICR):
Each user of NetReg has an ICR. It is used to request membership in other Contact Roles or to request creation of a Group Contact Role under a Departmental Contact Role. When DHCP registration is implemented in NetReg, a user's ICR will be used to register personally owned devices for use with the campus DHCP service.
Service Provider Contact Role (SP CR):
This CR provides IT management to another contact role, a client CR. As part of providing service it may need to update information belonging to the client CR. For example, the service provider might register devices for the client CR. SP CRs can be group or departmental.
A Contact Role may have some devices that are managed by another party (e.g., an IT group in another department, CSS-IT Shared Services, etc.). For purposes of notifications (about compromises, vulnerabilities) and security reporting, both organizations need to be associated with those devices.
The client CR selects its service provider from a list of available service providers.
Notifications about security events (compromises, vulnerabilities, etc.) go to members of both the Service Provider and client CRs. Security reports show incidents belonging to both the Service Provider and client CRs under their respective parent departments.
Client Contact Role (Client CR):
The Client CR is the customer of a Service Provider Contact Role (SP CR) and selects the service provider and its contact role ID. Client CRs can be group or departmental.
The Client Contact Role selects, changes, or removes its Service Provider Contact Role.
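The following is an added example, not code from NetReg itself, that models the contact role rules described above: a DCR sits at an org node, a GCR has a parent DCR and no org node, GCRs cannot nest, a GCR's notices can be copied to its parent DCR, a client CR's notices also go to its Service Provider CR, and incidents roll up to the org nodes of both the owning CR and its service provider. All class and function names, and the sample roles (CHEM-IT, CHEM-LAB-X, CSS-IT and their members), are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ContactRole:
    """A NetReg-style contact role (CR). Field names are assumptions for this example."""
    name: str
    kind: str                                         # "DCR" or "GCR"
    members: Set[str] = field(default_factory=set)
    org_node: Optional[str] = None                    # DCRs only: node in the organizational tree
    parent: Optional["ContactRole"] = None            # GCRs only: the parent DCR
    copy_parent: bool = False                         # GCR notices also go to the parent DCR (set by the DCR)
    service_provider: Optional["ContactRole"] = None  # SP CR chosen by this (client) CR


def create_dcr(name: str, org_node: str, first_member: str) -> ContactRole:
    # A DCR must sit at an org node (the ISP review of a new DCR is not modelled here).
    return ContactRole(name, "DCR", {first_member}, org_node=org_node)


def create_gcr(parent: ContactRole, name: str, first_member: str,
               copy_parent: bool = False) -> ContactRole:
    # Only DCRs can have child contact roles; a GCR under a GCR is rejected.
    if parent.kind != "DCR":
        raise ValueError(f"{parent.name} is a {parent.kind}; only DCRs can create GCRs")
    return ContactRole(name, "GCR", {first_member}, parent=parent, copy_parent=copy_parent)


def validate(cr: ContactRole) -> None:
    """Check the invariants from the text: a DCR has an org node and no parent;
    a GCR has no org node and its parent is a DCR."""
    if cr.kind == "DCR":
        if cr.org_node is None or cr.parent is not None:
            raise ValueError(f"DCR {cr.name} must have an org node and no parent")
    elif cr.kind == "GCR":
        if cr.org_node is not None or cr.parent is None or cr.parent.kind != "DCR":
            raise ValueError(f"GCR {cr.name} must have a parent DCR and no org node")
    else:
        raise ValueError(f"unknown contact role kind {cr.kind}")


def org_node_of(cr: ContactRole) -> str:
    """Roll-up: a GCR's incidents are attributed to its parent DCR's org node."""
    validate(cr)
    return cr.org_node if cr.kind == "DCR" else cr.parent.org_node


def notice_recipients(owner: ContactRole) -> Set[str]:
    """Everyone who receives a security notice about a device registered to `owner`."""
    recipients = set(owner.members)
    if owner.kind == "GCR" and owner.copy_parent:
        recipients |= owner.parent.members            # copy to parent DCR, if the DCR enabled it
    if owner.service_provider is not None:
        recipients |= owner.service_provider.members  # SP CR members are notified as well
    return recipients


def report_org_nodes(owner: ContactRole) -> Set[str]:
    """Org nodes whose security reports show an incident on `owner`'s device."""
    nodes = {org_node_of(owner)}
    if owner.service_provider is not None:
        nodes.add(org_node_of(owner.service_provider))
    return nodes


def build_example() -> Dict[str, ContactRole]:
    # Constructed sample data, not real NetReg contact roles.
    dept = create_dcr("CHEM-IT", org_node="CHEM", first_member="alice")
    lab = create_gcr(dept, "CHEM-LAB-X", first_member="bob", copy_parent=True)
    lab.members.add("dana")                  # the GCR's first member adds another member
    provider = create_dcr("CSS-IT", org_node="CSS", first_member="carol")
    lab.service_provider = provider          # the client CR selects its SP CR
    return {"dept": dept, "lab": lab, "provider": provider}


if __name__ == "__main__":
    roles = build_example()
    print(sorted(notice_recipients(roles["lab"])))   # ['alice', 'bob', 'carol', 'dana']
    print(sorted(report_org_nodes(roles["lab"])))    # ['CHEM', 'CSS']
    try:
        create_gcr(roles["lab"], "NESTED-LAB", "erin")
    except ValueError as err:
        print("rejected:", err)
```

The `copy_parent` flag lives on the GCR but is only meant to be set by the parent DCR, matching the text's statement that the DCR configures whether GCR notices are also sent to it; `org_node_of` is the single place where roll-up happens, so reports for a GCR can never point anywhere but its parent's org node.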