NCU Computer Network Security Policy - excerpt for users

From Uniwersyteckie Centrum Informatyczne

This excerpt contains provisions that directly apply to the users of the Nicolaus Copernicus University network. It is based on translation of the original Polish document and as such is not legally binding.

Rector of the Nicolaus Copernicus University in Toruń
of December 19, 2017

Security policy for the computer network of the Nicolaus Copernicus University in Toruń

Based on Article 66 section 2 of the Act of 27 July 2005 Law on Higher Education (Journal of Laws of 2016, Item 1842, as amended)

the following is ordered:

Chapter 1 General concepts

§ 1
  1. A computer network operates at the Nicolaus Copernicus University in Toruń, hereinafter referred to as "NCU".
  2. The NCU computer network, hereinafter referred to as "NCU CN", covers all NCU facilities, in particular locations in Toruń, Piwnice and Bydgoszcz and network services provided by the NCU on its own or external resources.
  3. The basic role of NCU CN is to support teaching, scientific and university management processes.
  4. NCU shall not be liable for losses resulting from the failure of NCU CN.
  5. NCU CN may be used in a way that does not violate applicable law.
  6. It is not allowed to distribute through NCU CN content or images of a commercial, advertising, political, etc. nature without the consent of the rector or chancellor.
§ 2
  1. The security policy of NCU CN, hereinafter referred to as the "Policy", introduces uniform operating principles for users and network and service administrators to ensure adequate data protection.
  2. The Policy consists of a basic document issued as an ordinance of the rector and three annexes specifying detailed operating procedures in the following areas of the NCU CN:
    1. account management - Annex 1;
    2. domain management - Annex 2;
    3. external services made available by the account in NCU CN - Annex 3.
  3. Responsibility for maintaining the Policy, in particular for submitting update proposals resulting from changes in law and technology, lies with the University's Nicolaus Copernicus University Information Center, hereinafter referred to as "UCI".
  4. The policy is accompanied by internal documents, approved by the UCI director, specifying the detailed operating principles within the subsystems constituting the NCU CN.
  5. If the word "should" and its variants are used in the text, it should be interpreted as an order from which derogations may occur in particularly justified situations. Such deviations must be documented.

Chapter 2 Users of NCU CN 

§ 5
  1. An NCU CN user is any person using a device connected to NCU CN or an NCU CN network service.
  2. In order to access the protected resources of NCU CN, it is necessary to have an NCU CN user account, hereinafter referred to as "NCU CN account".
  3. NCU account also gives the right to use selected external services, specified in the Regulations for the use of external services, which is Annex 3 to this ordinance.
  4. In some cases, access to specific services requires special accounts associated with the services. Such an account is called a service account.

§ 6 
  1. An NCU CN account is a registered entitlement to use NCU CN.
  2. An NCU CN account can be owned by:
    1. NCU employees employed under an employment contract or civil law contract;
    2. retirees and pensioners of the NCU;
    3. other people who need an account in connection with the teaching classes given at NCU or other activities like courses, practices, etc.;
    4. students of NCU (including PhD students);
    5. NCU guests during their stay at the university;
    6. holders of the NCU graduate card;
    7. other people - in particularly justified cases, with the consent of the UCI director.
  3. One person may have only one NCU CN account on main university servers.
  4. Employees, retirees, pensioners and students of NCU have the right to maintain their own website, maintained in accordance with § 1 para. 6.
§ 7
  1. Procedures regarding the handling of NCU CN accounts are included in Annex 1.
  2. NCU CN accounts of the alumni card holders of the NCU are governed by the principles set out in the Regulations of the Alumni Program.
  3. An NCU CN account used in violation of § 1 para. 5 is blocked by the administrator of the NCU CN or the administrator of the respective local network. The user's appropriate supervisor is notified that the NCU CN account has been blocked and, after the case has been explained, decides on unblocking the account.
  4. Additional rules of keeping NCU users' accounts in local networks of NCU CN may be specified in the regulations of these networks.
§ 8
  1. NCU CN accounts of persons who have lost their entitlement expire and are cleared after the deadline set for a given account type.
  2. A user who has lost the status entitling him to an NCU CN account, will be informed by an e-mail from the administrator about the date when the account.
  3. The identifier or the associated e-mail aliases of a canceled NCU CN account will not be reassigned to another person.
  4. Dates and procedure for canceling the NCU CN account are described in Annex 1.
§ 9 
  1. A functional account is the entitlement to carry out tasks or provide information services for the purposes of:
    1. organizational units of NCU;
    2. registered student and local government organizations operating in NCU;
    3. student research clubs;
    4. other institutions and organizations, made available under separate regulations or arrangements.
  2. Functional accounts of NCU organizational units are run at the request of their manager.
  3. Functional accounts of student and local government organizations and student groups are maintained at their request approved by the rector or dean.
  4. Each functional account must have a supervisor appointed by the person competent to set up such an account.
  5. Functional accounts can only be used for the purpose for which they were granted.
§ 10 
  1. An account in a service is the right to access a service that does not use the NCU CN account system.
  2. Services may define their own regulations regarding the requirements for service accounts, in particular regarding the manner of logging into the service, requirements regarding the quality and frequency of password changes, etc.
  3. Services can define their own policies regarding account expiration dates and procedures for deleting them.
§ 11
  1. Email addresses in the form of or, where ID is an identifier that meets the requirements of electronic mail can be assigned only to NCU CN accounts of employees, NCU retirees and pensioners, persons listed in § 6 para. 2 point 3 and functional accounts.
  2. NCU employees using the NCU CN account on the central university server receive by default the e-mail address or, where ID is the account identifier; when setting up an account, they are informed about the possibility of defining additional e-mail addresses.
  3. PhD students using the NCU CN account on the central university server use e-mail addresses in the form, where ID is the identifier of the PhD student's account.
  4. Other students using the NCU CN account on the central university student server use email addresses in the form, where ID is the student's account identifier.
  5. NCU guests during their stay at the university using the NCU CN account on the university NCU central server (in accordance with this Policy) use e-mail addresses in the form, where ID is the account identifier.
  6. NCU alumni card holders use the e-mail addresses specified in the Regulations of the Graduate Program.
  7. Users of NCU CN accounts on local servers use e-mail addresses determined on the basis of regulations regarding these servers.
§ 12 
  1. NCU employees are required to use their business e-mail addresses during business correspondence.
  2. It is not recommended to configure automatic redirection of mail received to the NCU address to servers outside the NCU. UCI shall not be liable for problems related to the delivery of mail if the account is configured with redirection to a server outside the NCU.
§ 13
  1. In order to protect the network, the NCU CN user is obliged to ensure the security of their accounts, in particular to protect their passwords and other authentication data.
  2. The user cannot request a password change or the re-enabling of blocked access by phone if the caller cannot be identified.
  3. The user of NCU CN is forbidden from:
    1. enabling others to use their accounts and associated permissions;
    2. attempting to use another user's account and running password decryption applications;
    3. conducting activities aimed at eavesdropping or intercepting information flowing on the network;
    4. changing the assigned IP address of devices (except for situations agreed with the administrator of the relevant network);
    5. launching applications that may disrupt or destabilize the operation of the system or computer network, or violate the privacy of system resources;
    6. sending bulk mail to random recipients (spam).
  4. If the user fails to comply with the above rules, the administrator may temporarily limit or block access to the network or service.
§ 14
  1. The content of the user's account, in particular the content of the mailbox, is protected by professional secrecy.
  2. In justified cases, by the decision of the rector or chancellor, the content of the account may be disclosed to third parties.

Chapter 5 Data and service protection

§ 33
  1. All IT system administrators are required to maintain professional secrecy. The obligation of secrecy remains in force also after termination of employment at NCU.
  2. Secrecy covers in particular:
    1. information on the configuration of the NCU network and IT systems;
    2. passwords and other access data;
    3. any personal information;
    4. content of home directories and user correspondence;
    5. administration data;
    6. system logs containing information on user activity.
  3. The disclosure of data covered by professional secrecy is only possible upon written request and must be preceded by the consent of the rector, chancellor or persons authorized by them.

Chapter 6 Information services

§ 36
  1. The task of e-mail servers is to deliver messages while protecting users against spam and messages containing unwanted software.
  2. Messages identified as suspicious but not classified as obvious spam must be marked accordingly so that the users can define their own rules of conduct.
  3. Users are obliged to apply the principle of limited trust, and in particular not to take actions such as entering their own password or changing the password in response to a received message.
  4. Due to the risks of sending spam from the NCU CN and related consequences, e-mail can only be sent via properly secured servers.
  5. Email sent from the NCU CN must be scanned for spam and unwanted software; messages identified as dangerous must be blocked, and the user from whose account such correspondence was sent must be notified.
  6. It is forbidden to use web forms that allow sending mail to arbitrary recipients.
§ 37
  1. Sending mail to all employees or students requires the consent of the rector, vice rector, chancellor, or a person authorized by them.
  2. Permission to send such mail is granted once or permanently.
  3. The user with such consent will be provided by UCI with an address enabling the mailing.

Chapter 7 Managing the network layer

§ 42
  1. NCU maintains a central wireless network connected to the global eduroam system.
  2. Access to the eduroam network requires an active NCU CN account authorizing the use of the network or an account in another institution included in the eduroam system.
  3. NCU staff and student accounts authorize access to the eduroam network worldwide.
  4. NCU graduate accounts authorize access to eduroam only within the NCU area.
  5. Devices of persons having eduroam accounts outside NCU and holders of the NCU graduate accounts are placed in a virtual subnet, which is treated as an external network in relation to NCU. This network does not have automatic access to electronic magazines subscribed to by NCU.
  6. The eduroam network is used to access the network in the NCU area and cannot be used to create permanent network connections through e.g. directional antennas and signal amplifiers.
  7. In situations that give rise to the suspicion that a user account is being abused, e.g. a large number of devices use one account, or the method of use indicates a permanent connection, administrators may block the user's permission to use the network.
§ 43
  1. It is forbidden to run unsecured wireless networks inside NCU CN.
  2. Access devices for wireless communication may be connected to the NCU CN only in consultation with the NCU CN administrator or a person authorized by the NCU CN administrator to make such decisions in a specific area; connecting devices without agreement will be treated as a serious breach of security of NCU.
  3. In justified cases, NCU CN administrators may use methods to jam unknown wireless devices.
  4. Devices using a wireless network may not interfere with other network users, and users of such devices are required to follow the instructions of the NCU CN administrator.

Chapter 8 User devices

§ 44
  1. Workstations owned by NCU should be protected by constantly updated software ensuring the security of the computer system. NCU provides necessary licenses for security software in accordance with the financial rules set by the rector.
  2. In the case of personal data processing, it is necessary to ensure the protection described in the Security Instruction of the given personal data processing system.
  3. Descriptions of protection for various operating systems are constantly updated and available on UCI websites.
  4. The Software Administrator assigned to the station is responsible for the security of the workstation software.
§ 45

Users' private devices may be connected in NCU CN, subject to the following rules:

  1. the users of the private device bear responsibility for threats that may result from the lack of proper protection of their devices;
  2. the users are required to properly protect their own devices so as to prevent unauthorized access to services, e.g. through passwords saved on the device;
  3. if there is a possibility that the device with stored passwords may be used by an unauthorized person, the user is obliged to immediately change all access passwords in the NCU systems;
  4. specific service security instructions may impose additional restrictions on access from private devices.
§ 46
  1. If it is determined that a device operating in NCU CN interferes with the network operation or violates the principles of this Policy, the relevant network administrator has the right to immediately disable access of such device to the network.
  2. The administrator notifies the user of the device about the identified cases of violation of the Policy, and in justified cases or in the absence of a response from the user, also the user's appropriate superior.
  3. All cases of identified violations of this Policy are recorded by administrators.

Chapter 9 Password policy

§ 47

Central service administrators use two-step authentication on the access server to access servers. The second element of authentication is a random number generated on an external device.

§ 48
  1. Users are required to keep access data secret. In particular, it is not allowed to give anyone the access password to an individual account.
  2. Passwords must meet security requirements enforced by password changing systems.
  3. In systems where personal data are processed, passwords specific to these systems are used and users' passwords are changed at least once a month, unless additional security mechanisms are used, e.g. tokens or lists of one-time passwords.
  4. It is permissible to set up a new password in the NCU systems by the SMS service, while the management policy of the particular system must regulate the rules for verifying the phone numbers associated with the accounts.

Chapter 10 Change of equipment user and disposal of electronic equipment and media that may contain data

§ 49

The user of electronic equipment that is being handed over to another user and may contain data requiring protection is obliged to assess the risk associated with the possible disclosure of data. If necessary, the user erases the data in a way that prevents recovery. In case of doubt, the user contacts the relevant network administrator in this matter.

§ 50
  1. Electronic equipment is subject to the general principles of utilization adopted at NCU.
  2. The receipt and disposal of equipment that may contain data that requires protection, for example, on which personal data was processed, can only be entrusted to entities with appropriate permissions confirmed by an appropriate certificate.
  3. Equipment to be disposed of that may contain data that requires protection must be appropriately marked on the casing so that it can be properly transferred to the disposal entity.