GUL Network Infrastructure

GLYNDWR UNIVERSITY'S SECURITY NETWORK INFRASTRUCTURE

Task 1: Prepare a security policy document for Information and Communication Technology (ICT) use in GUL.

The network of a university is what connects its students to the plethora of information across different knowledge domains. Its significance lies in the fact that students spend more time on online study than in class. Besides the lectures, students also participate equally in UGC ('User Generated Content') over the net. A network is therefore a prerequisite on a university campus, followed closely by its security. The ICT infrastructure of Glyndwr is what provides its students with seamless access to information. Unfortunately, it runs a very high risk of being tampered with, hacked, attacked or violated. Universities and government installations are soft targets for hackers, as the data has a huge commercial value [1]. While drafting the security policy of Glyndwr, it becomes imperative to include everything that makes it robust. It all starts with identifying the core areas of work:

Currently, the university has a separate computer room where students can use the internet to learn more about their subject. Every student can directly access the internet without any user authentication. This poses a big problem for the university network, as an unbarred entry makes the system vulnerable to external threats [2]. There has to be a Unified Software Management that keeps everything centralised: user registration, login details and purpose of visit. In its present state, it is very easy for any student or user to unknowingly upload a virus into the system. The losses incurred through a system crash or breakdown run into millions, and no university can afford this [3]. Questions are also raised over network performance, as it fails to meet bandwidth demand during peak hours. Having a centralised server should keep the system simple and 'unadulterated'.

Password setting should be the first barrier on entry [3]. The network would remain safe only when the key is held responsibly. Every student needs to be provided with a login ID as his or her key to the system. The IT administrator also needs to define the rights for each user. This, however, depends on the 'purpose' each user has with the system: students use the system primarily for information, and staff would use it for keeping records. Separate logins for each person would improve traceability, and any malicious activity could be instantly spotted. Studies [4] indicate that a lot of students disclose their passwords to other individuals. This is a serious compromise of the security of the network. Biometrics-based identification can be a feasible strategy to remove such inadequacies from the system. Also, the university needs to upgrade its networking capabilities to match present technology. It is suggested that routers are used for connecting the campus to the internet. Also, WiFi and WiMAX can be installed to provide ubiquitous internet facilities [5]. This is expected to reduce the burden on the infrastructure, as students can use their PDA
devices or laptops to surf the net. It is, however, recommended that the network runs a very agile anti-virus, one that keeps viruses from entering the system. The unified software solution should be able to adapt to the different technologies: firewall, encryption, VLAN 'Virtual Exchange Network', Virtual Private Network and PKI. There should also be a formal code of conduct on using secondary devices on the main server. For the administrator to achieve excellence in network security, the applications should be combined well with anti-viruses: gateway antivirus, stand-alone antivirus and server antivirus. Password-protected user authentication would keep the system safe from external threats, and anti-viruses would keep the system safe from internal threats. There also has to be an effective control strategy on every layer: Access Control Policy, Operation Control Policy, Network Access Control Policy and Directory Access Control. All the control mechanisms should be complemented with information encryption. Using an encryption algorithm would make sure that no unauthorised person makes an entry into the system.

After an investigation into the core areas, it is time to segregate the different functions to redefine the security policy in its newer version:

Password Authentication: Every student needs to be provided with a login ID as his or her key to the system. The IT administrator also needs to define the rights for each user.

Software Licenses: There should be no room for any unlicensed installation on the university campus. Every piece of software and every device driver needs to be bought directly from the vendor, with a facility for auto-update.

Access to Computer System: Access should be based on the 'rights' of the different user groups. As part of the Computer Misuse Act, students shouldn't be allowed to interfere with other users' work areas, and the network resources should be distributed on each layer.

This should keep the different user groups separate from each other.

Obscenity: The Computer Misuse Act (1990) mentions clearly that an individual must not do anything on the computer that makes another person offended, stressed or disturbed. Obscenity of any form shouldn't be accepted as part of the code of conduct.

Social Media: Studies [7] suggest that 16 of the network sites, including Facebook and Twitter, are the biggest carriers of network security threats. Such platforms are potential carriers of malware and Trojans. The security policy must make a clear mention that social media would be allowed, but only to an extent that doesn't compromise network security.

Physical Security: One of the biggest challenges in networking is to keep it from internal threats. Mostly it is a pen drive or a software upload that leads to a crash. Students must therefore be asked to
use secondary devices in a safe environment. Moreover, the network administrator should update the network layer with the most recent versions of anti-viruses. Network security is the key to an organisation's sustainable growth. The policy should be comprehensive enough to include the most recent technology and flexible enough to meet changes.

Task 2: GUL is to establish a sister college in the USA. The Data Protection Act 1998 sets specific limitations on the sharing of personal data with any organisation which is based in a country which does not have data protection legislation. The USA does not have a Data Protection Act. Examine the legal implications for this enterprise with reference to the UK Data Protection Act.

Information technology, like a coin, has two sides to it. It brings the world's information to you and makes your life easier. But, on the other side, it also puts your own information at risk. 'Data protection' is therefore one very important aspect of the computing world, and academic institutions especially need to be more vigilant on this. As the use of IT-based resources gets more intense, business processes too have become more machine-centric. Today, tonnes of data are sent over the internet for different purposes; they can be academic, business, informative or personal. The data runs the risk of being copied every time it leaves the computer. The EU Directives on the Data Protection Act, 1998 try to address most issues on this concern. First and foremost, the Act sets the ownership of the data and is very tough on the transfer of data, especially outside the EEA [European Economic Area]. Any organisation, like Glyndwr, with an intention to collaborate on business in US territory needs to have a look at the Data Protection Act, 1998. The Act has it that if data of European origin is sent across to a country that does not have adequate data protection levels, it would be considered a criminal offence [8].

For an organisation like Glyndwr, this might become a big hurdle, as the US is 'not' considered safe for data transfer. The EU has its classification of countries based on data privacy, and the US is identified as a third country on this, i.e. one that doesn't have the right levels of data protection. The Act sets out the rules and regulations on data transfer, grants rights to those who own the data, regulates the environment for information processing in the EU and outside the EU, and supervises practices and data privacy. Data transfer outside the EEA can only be effected through [9]:
- an agreement over set preconditions that ensure an 'adequate' level of data protection
- the destination country already having an 'adequate' level of data protection to match EU requirements

The term 'adequate' is derived through [10]:
- The source of the data and its destination country
- The profile of the destination country in terms of data privacy and measures on data protection
- The purpose of data transfer
- The purpose of data processing

The EU acknowledges only a few countries that take adequate measures on data protection. For Glyndwr University the solution is to adopt the principles of Safe Harbour [8]:
- The European Union, along with the US, has devised the principles of Safe Harbour
- Organisations based in the US must give consent to providing 'adequate' levels of data protection
- The data, once transferred, will not be subjected to duplication or processing without the consent of the data subject
- The nature of the data, the purpose of transfer and its processing should match the preconditions

The Data Protection Act 1998 applies to computer-based records, information recorded on paper, public authority records and health records [11]. Processing of this data means any conceivable operation on the data: holding, collection and its disclosure. In the present context, the sister concern of Glyndwr will hold a lot of research data, academic records, teaching records and sundry financial papers. The university needs to look after every one of these, as this data is of significant academic value. Already there are innumerable instances wherein data has been stolen from the university and has been reproduced on different platforms. In the absence of any legislative framework the university couldn't even claim ownership of the same. Also, a mismatch on data protection is considered a negative consequence for the reputation of the university. Glyndwr therefore needs to take adequate measures to keep the data intact. The literature has shown that the US is somewhat flexible on data privacy. But, with Safe Harbour in place, Glyndwr can go ahead with its plan to have a sister concern in the USA.

This would, however, depend on how it proceeds on the Safe Harbour Principles [12]:
- Data should belong rightfully to its data subject, and its transfer to the US would be based on the preconditions
- Any further processing of data would depend on the consent given by the data subject
- The purpose of transfer should be legal and clear
- The processing of data would be done once, or as approved by the data subject
- Personal data should be relevant, adequate and match the purpose of processing
- Personal data should be up to date and accurate
- Personal data shall not be kept with the data subject beyond the intended purpose
- The sister concern would give consent to taking immediate legal action if the data is lost or damaged

Glyndwr University, being an academic institution, is also involved with research in different subject areas. This makes it imperative to follow, more consciously, the principles of Safe Harbour. Also, the university gets shielded from any unwarranted interception by any
intelligence service. Safe Harbour outlines it clearly: if the parent company is based in the UK, then any interception in the name of the Patriot Act would demand a court order [12]. Being a member of Safe Harbour would also mean that any other entity in the UK, while dealing with Glyndwr, will have to follow the preconditions on data protection. Any deviation would be considered a legal offence, and the directors of the company would be liable for the same. Besides data protection, the principles of Safe Harbour have inclusions from the Computer Misuse Act 1990 and the IT Act 2000. The sister concern would be liable for handling the data in a responsible way. There would be no duplication of data, and it must be referenced correctly wherever it gets quoted. Most importantly, the data would be kept unique, and changes would be allowed only if the parent company gives consent. Alternatively, the university can also follow Binding Contracts, but they require a lot of formal procedures and preconditions on keeping the data safe. Safe Harbour seems to be the easier and more viable option.

Task 3: The UK and US Security Services have recently been exposed as (probably legally) monitoring internet and email traffic of their citizens. Discuss the ethical issues involved in these activities, balancing the needs for national security against individual rights to privacy.

'Privacy' has attracted a lot of debate, and there are studies which believe that reliance on privacy for mass surveillance is justifiably correct [13]. However, some do still believe that privacy is an individual's necessity, and to correlate it with mass surveillance is to intentionally 'infringe' on an individual's rights. Whether or not it is ethically correct should not be the point of discussion.

In the European Convention, Article 8 has already given an insight into this: both privacy and surveillance are a necessity, but covert state surveillance should be governed by some degree of legal accountability for denying an individual an inalienable right [14]. 20 years back there was no such clause in the legislation, and only recently have the courts started to take note of this situation. Today NGOs and government institutions take collective measures to call this illegal. The debate started with the installation of CCTV across every corner of our lives and has now reached our communication. If reports are to be believed, then US and UK secret services have run covert operations that intentionally run into our lives and violate our privacy. PRISM is one such programme, where the NSA ('National Security Agency') tapped the phone calls of UK citizens. Similarly, internet companies were asked by government officials to reveal details over cloud computing [15]. The Washington Post comments that there is nothing that can be classified as personal. Chances are that an NSA official would be browsing through your personal log as you read this. Without making 'privacy' any more complicated, the Computer Misuse Act 1990 mentions it categorically: to interfere with an individual's privacy of data is illegal. This is very much an offence and must be substantiated legally. Article 8 is a step towards this, as it makes up for the inadequacies of IOCA 1985. The European Convention showed its intention to fight for 'privacy' when it presented the RIPA Act in 2000. The Regulation of Investigatory Powers Act 2000 had a more dominant role to play on mass surveillance, but it had a similar fate to IOCA. Researchers criticise it as plainly procedural, and nothing substantial could be
achieved out of it. Arguably, the protection of liberty for UK citizens is still a big challenge [13]. Earlier, governments responded to the legislative vacuum by introducing minimal laws, and privacy still remains a nebulous term. On the ethical part, it is unquestionable that privacy is compromised when the security services read your emails, photographs or personal details. The state should at least make the security services liable to explain such an infringement. There should be an explicit statement of what caused this indiscriminate interception.

The situation has become more complicated with the advent of cloud computing. Today the internet is full of data centres where an individual has his personal data stored. Unfortunately, the same data is easily accessible to security firms. Cloud computing is a form of distributed processing of data through a remote location over the internet [15]. Since the year 2007, the internet industry has largely been dominated by cloud computing. The internet, in its most commercial form, has been a profit centre for most businesses, government organisations and academic institutions. Google was the first to discover the potential of cloud computing, followed by Microsoft. By the year 2012 researchers started to see the problems with cloud computing. The LIBE Committee report 'Protecting privacy and fighting cybercrime' concludes that US regulations and cloud computing are serious threats to the data sovereignty of an individual in the European Union [16]. Unfortunately, legislative control is practically incapable of controlling this. Article 8 has been found to be slightly effective in regulating surveillance interception, but under strict government control nothing much could be achieved out of it. The article could only highlight the fact that covert surveillance cannot be stopped, but its overt use can be regulated. This is particularly relevant in reference to the Patriot Act. The U.S.

is known to use the law for reaching out to data which is highly classified or in the public domain. A detailed investigation 'unveils' the following complications with the privacy issue:
- Unlawful interception of information media has affected both UK and US citizens
- A very deficient 4th Amendment protection for non-US citizens [17]
- Virtually 'no' privacy rights for non-US citizens
- Insensitivity of US authorities over the privacy aspect
- Cloud computing, which further aggravates the problem
- Citizen rights are noticeably vulnerable and full of loopholes
- Very strong government support for US FISA in acquiring 'Foreign Intelligence Information'
- Insistence on national security over privacy issues
- Political non-commitment towards making effective legislation

Apparently, the citizen rights of a US or UK resident are seriously compromised, and the most ironic part is that there is nothing we can do about it. Legislative control cannot be applied, as the law in itself is ambiguous. Starting from IOCA to today's RIPA, nothing significant could be achieved. As the technology has become more intense, mass surveillance too has become more dominating. Information technology is literally present in every corner of our lives, and we put our personal information on it without thinking about how 'public' it is to everyone.
Ethically, yes, it is wrong to interfere with citizens' privacy. However much you undermine privacy in the name of national security, it remains an individual's own right. National security is a concern and needs no compromise, but this doesn't open up privacy for no substantial reason. Ironically, we have, in black and white, the court order that mandates a warrant for any such act, but the NSA doesn't seem to pay any heed to it. Evidently the Computer Misuse Act 1990 and the Data Protection Act 1998 get reduced to only a formal code of conduct.

Task 4: Patent Wars: Samsung vs. Apple: In view of the series of counter-arguments from Samsung, who seeing the wording of this claim thought Apple may ultimately be after Google. Justify your arguments based on copyright design and patent act.

In 2011, Apple started a series of legal actions against Samsung, claiming that: "Instead of pursuing independent product development, Samsung has chosen to slavishly copy Apple's innovative technology, distinctive user interfaces, and elegant and distinctive product and packaging design, in violation of Apple's valuable intellectual property rights." Apple's stand was finally vindicated at one of the U.S. courts, and Samsung was held liable for patent infringement. Whether this actually does any good to the Patent Act remains unanswered. The literature gives a suggestion: intellectual property rights and patent litigation are indeed expensive, but if you look at it properly, it will ultimately look after you... [18] Greenhalgh explains it more precisely: reaching a court on IP litigation is probably the most expensive way to settle a dispute, and one that the system should be designed to avoid [19]. Looking at the post-war analysis, it seems right to say that patent reforms are required to drastically improve the system.

The UK office describes a patent as: "A patent is a set of exclusive rights granted by a country to an inventor or their assignee for a limited period of time in exchange for a public disclosure of an invention" (ILO). This outlines clearly that a patent comes out of a knowledge domain and holds considerable value for customers. Fortunately for the patent market today, Apple, Samsung and finally Google COULD unveil the deficiency more prominently than anything else:

1. Patent Buying
The last 2 years have seen an unprecedented rise in the number of patents being bought or sold. Research papers mention that it was never seen in the patent business, and what is surprising is the money being invested in buying and selling rights on a patent [20]. Apple alone spent $4.5 billion on buying 6000 patents, exceeded by Google ($12.5 billion for 17,000 patents). Evidently the buying was done not to promote research, but to protect existing patents.
Buying patents to protect existing patents is how the researchers [21] describe this. Google was forced to buy all these patents so as to prevent any further litigation in the Android smartphone segment. This excluded the 2300 IBM patents in the mobile telephony segment. All this was to guard against the claims on patent infringement registered against Google, and still the company is not sure of litigation. In all, 153 cases of patent infringement are registered against Google, Apple and Samsung [20].

2. FRAND 'Fair Reasonable and Non Discriminatory'
Contrary to the core objective of patent technology, today companies use it more for profit maximisation. Whenever a patent of standardised technology is granted, the government would expect the technology to be considered 'standards essential', and it would be sold on a FRAND basis [22]. The intention of such an arrangement is to take the technology to the public and make it affordable too. Unfortunately the companies are not complying with such policy arrangements and are selling licences at higher rates. Apple came face to face with Google on the FRAND issue; however, the Wisconsin court turned it down.

3. NPEs 'Non Practising Entities'
One of the major blows to the patent is the introduction of NPEs. Non-practising entities are firms that don't have any active role in R&D efforts, but they are the ones who get the maximum profit out of it [23]. To explain it simply, a patent remains in effect for 20 years in the market, but the technology expires within a couple of years. NPEs would buy patents during the later half of the product life cycle and ask for licence fees from organisations that have been using the technology for years. The ambiguous description of a patent and its approval process has allowed NPEs to flourish in the market. Reports [23] reveal that today a patent gets approved without much substantiation on research.

Just a dubious conceptualisation and application of thought is enough to get a patent registered. Probably the procedure was meant to take the patent technology to as many people as possible. Much to the discontent of the patent administrators, the NPEs started to use this aspect of a patent to their benefit. As discussed earlier, the last 2 years have seen an unprecedented rise in the number of patents being bought or sold. Research papers mention that it was never seen in the patent business, and what is surprising is the money being invested in buying and selling rights on a patent. Apple alone spent $4.5 billion on buying 6000 patents, exceeded by Google ($12.5 billion for 17,000 patents). NPEs get all the blame for this unscheduled investment.

Evidently, a patent needs reforms in terms of product description, research backup and application in the market [24]. There has to be a more accurate description of the technology, so that it doesn't 'infringe' the technology of any other domain. Any confusion can then be sorted out very early and without any patent litigation. It is said that Apple has spent twice as much on patent lawyers as on its R&D allocations. The same money could easily have gone to R&D initiatives. Unfortunately, a small infringement on the technology pulled the entire industry into the ring. It is therefore better that every patent gets the right description for its market. To quote it once more: reaching a court on IP litigation is probably the most expensive way to settle a dispute, and one that the system should be designed to avoid. The patent system needs to refurbish some of its processes, especially the one on the commercialisation of a
technology. FRAND should be observed more frequently in the market, companies should be able to defend against NPEs, and the approval process should be made more specific. No overlap on any aspect of technology should lead to indiscriminate spending of money. R&D should see the most investment.
REFERENCES

1. Saadat M. Network Security Principles and Practices (CCIE Professional Development) [M]. Cisco Press, 2007: 52-78.
2. William S. Network Security Essentials: Applications and Standards (3rd Edition) [M]. Oxford: Blackwell Business, 2006: 15-47.
3. Mark R, Roberta B, Keith S. Network Security: The Complete Reference [M]. McGraw-Hill Osborne Media, 2003-11-17.
4. Kwok T. Fung. Network Security Technologies, Second Edition [M]. Auerbach, 2004-10-28: 11-123.
5. Joel S, Stuart M, George K. Hacking Exposed: Network Security Secrets & Solutions [M]. McGraw-Hill, April 2005: 23-126.
6. B. Harris, R. Hunt. TCP/IP security threats and attack methods. Computer Communications, 1999, (22): 885-897.
7. Venter H S, Eloff J H P. Data packet intercepting on the internet: how and why? A closer look at existing data packet-intercepting tools. Computers & Security, 1998, 17(3): 683-692.
8. Salbu, supra note 8; University of Minnesota, Directing Digital Dataflows: The EU Privacy Directive and American Communication Practices, available at www.isc.umn.edu/research/papers/EUdatadirective.pdf.
9. Struggle Continues with EU Personal Data Protection Directive, EURO-WATCH, Jan. 15, 1999, at 1.
10. Vera Bergelson, It's Personal But Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L. REV. 379, 396 (2003).
11. Rehder & Erika Collins, "The Legal Transfer of Employment-Related Data to Outside the EU: Is It Still Even Possible?", 39 INT'L L. 129, 133 (2005).
12. Standard Application for Approval of Binding Corporate Rules, 135, available at www.iccwbo.org/uploadedFiles/ICC/policy/e-business/pages/Standard_Application_for_Approval_of_BCRs.pdf.
13. Fenwick, H. (2002) Civil Liberties and Human Rights. (3rd ed.) London: Cavendish.
14. Article 29 Working Party, Letter from the Chairman to Mrs Reding regarding the PRISM program, 13th August 2013.
15. Walden, Ian (2011), Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent, QMUL Cloud Legal Project, Research Paper No. 74/2011.
16. Lyon, D. (2001) Surveillance Society: Monitoring Everyday Life. Buckingham: Open University Press.
17. Nissenbaum, H. (1998) Protecting Privacy in an Information Age: The Problem of Privacy in Public. Law and Philosophy, 17: 559-596.
18. Phillips, Jeremy (2006): 'IP Litigation, the New Money-Spinner,' Editorial, Journal of Intellectual Property Law & Practice, Vol. 1, No. 8, p. 497.
19. Greenhalgh, Christine, Jeremy Philips, Robert Pitkethly, Mark Rogers, and Joshua Tomalin (2010): 'Intellectual Property Enforcement in Smaller UK Firms,' Report for the Strategy Advisory Board for Intellectual Property Policy (SABIP).
20. Berkeley Technology Law Journal, Vol. 27:209, p. 213 (2012) (citing C. Chien, A Race to the Bottom, Intellectual Asset Management, Jan.-Feb. 2012, at 13-14).
21. Supercharging Android: Google to Acquire Motorola Mobility, Official Google Blog (Aug. 15, 2011, 12:52 PM), http://googleblog.blogspot.com/2011/08/supercharging-android-google-to-acquire.html
22. Ashby Jones, "So What's Up With this Apple/Google Lawsuit?" The Wall Street Journal, March 30, 2010.
23. Yukari Iwatani Kane and Ian Sherr, "Apple: Samsung Copied Design," The Wall Street Journal, April 19, 2011.
24. Apple Inc., Business Conduct: The way we do business worldwide, 2010, http://files.shareholder.com/downloads/AAPL/1283312876x0x443008/5f38b1e6-2f9c-4518-b691-13a29ac90501/business_conduct_policy.pdf
