SK UMK Security Policy (extract)
From Uniwersyteckie Centrum Informatyczne
This extract contains rules that directly concern the users of the UMK network.
Chapter 1 General concepts
§ 1
- At Nicolaus Copernicus University in Toruń, hereinafter referred to as the "NCU", there is a computer network.
- The computer network of NCU, hereinafter referred to as "SK UMK", covers all UMK premises, in particular locations in Toruń, Piwnice and Bydgoszcz, as well as network services provided by NCU on its own or foreign resources.
- The basic role of SK UMK is to support didactic, scientific and university management processes.
- UMK shall not be liable for losses resulting from the failure of SK UMK.
- SK UMK may be used in a manner that does not violate applicable legal regulations.
- It is not allowed to distribute content or images of a commercial, advertising, political, etc. nature through SK UMK without the consent of the rector or chancellor.
§ 2
- The security policy of SK UMK, hereinafter referred to as "Policy", introduces unified operating principles for users and network and service administrators to ensure proper data protection.
- The policy consists of the main document issued as the Rector's order and three annexes defining detailed procedures for the following areas of SK UMK:
- account management - attachment No. 1;
- domain management - attachment No. 2;
- external services, provided by the account in SK UMK - attachment No. 3.
- Responsibility for maintaining the Policy, in particular for submitting update proposals resulting from changes in law and technology, rests with the Information & Communication Technology Centre of the Nicolaus Copernicus University, hereinafter referred to as "UCI".
- The policy is accompanied by internal documents, approved by the UCI director, specifying the detailed rules of operation within the subsystems constituting SK UMK.
- If the word "should" or one of its variants is used in this text, it should be interpreted to mean that any exceptions to a given rule must be justifiable and documented.
Chapter 2 Users of SK UMK
§ 5
- An SK UMK user is any person using a device connected to SK UMK or an SK UMK network service.
- In order to access the protected resources of SK UMK, it is necessary to have an SK UMK user account, hereinafter referred to as the SK UMK account.
- An SK UMK account additionally gives the user the right to use selected external services, as set out in the Regulations for the use of external services, constituting Annex 3 to this ordinance.
- In some cases, access to specific services requires special accounts linked to services. Such an account is called an account in the service.
§ 6
- An SK UMK account is a registered permission to use SK UMK.
- The following persons are entitled to an SK UMK account:
- employees of UMK employed under a contract of employment or a civil law contract;
- pensioners of the NCU;
- other people, to whom an account is necessary in connection with teaching classes given at the NCU or other activities like courses, practices, etc.;
- UMK students (including PhD students);
- guests of UMK during their stay at the university;
- holders of an alumni card of the NCU;
- other persons - in particularly justified cases, with the consent of the UCI director.
- One person may have only one SK UMK account on the main university servers.
- Employees, pensioners, and students of UMK have the right to maintain their own website, maintained in accordance with § 1 para. 6.
§ 7
- Procedures regarding the service of SK UMK accounts are included in Annex No. 1.
- SK UMK accounts of the alumni card holders of the NCU are governed by the principles set out in the Regulations of the Alumni Program.
- An SK UMK account used in violation of § 1 para. 5 is blocked by the SK UMK administrator or the administrator of the relevant local network. The appropriate supervisor of the user is notified that the SK UMK account has been blocked and, after clarifying the case, rules on unblocking the account.
- Additional rules for keeping user accounts in local networks of SK UMK can be specified in the regulations of these networks.
§ 8
- SK UMK accounts of persons who have lost their entitlement expire and are cleared after the deadline set for a given account type.
- A user who has lost the status entitling him to an SK UMK account will be informed by an e-mail from the administrator about the date when the account
- The identifier, or email aliases associated with it, of canceled SK UMK accounts will not be re-assigned to another person.
- Deadlines and procedures for canceling SK UMK accounts are described in Annex 1.
§ 9
- A functional account is the right to perform tasks or to run information services for the needs of:
- organizational units of the NCU;
- registered student organizations operating at the NCU;
- student science clubs;
- other institutions and organizations, made available under separate regulations or arrangements.
- Functional accounts of the organizational units of the NCU are run on the order of their manager.
- Functional accounts of student organizations as well as student clubs are run at their request approved by the rector or dean.
- Each functional account must have a supervisor appointed by the person responsible for creating such an account.
- Functional accounts may only be used in accordance with the purpose for which they were granted.
§ 10
- An account in a service is the right to access a service that does not use the SK UMK account system.
- Services can define their own regulations regarding the requirements for accounts in the service, in particular on how to log in to the service, the quality and frequency of changing the password, etc.
- Services can define their own rules regarding the expiration dates of accounts and the procedures for removing them.
§ 11
- E-mail addresses in the form of ID@umk.pl or ID@cm.umk.pl, where ID is an identifier that meets the requirements of electronic mail, can be assigned only to SK UMK accounts of employees and pensioners of UMK, persons listed in § 6 para. 2 point 3 and functional accounts.
- An employee of UMK using the SK UMK account on the central university server receives by default the email address ID@umk.pl or ID@cm.umk.pl, where ID is the account identifier; when creating an account, he is informed about the possibility of defining additional e-mail addresses.
- PhD students using the SK UMK account on the general university server use e-mail addresses in the form of ID@doktorant.umk.pl, where ID is the PhD student's account ID.
- Other students using an SK UMK account at a central student server use e-mail addresses in the form of ID@stud.umk.pl, where ID is the student's account identifier.
- Guests of UMK during their stay at the university using the SK UMK account on the general university server of UMK (in accordance with this Policy) use e-mail addresses in the form of ID@v.umk.pl, where ID is the account identifier.
- The holders of the alumni card of the Nicolaus Copernicus University use the e-mail addresses defined by the Regulations of the Absolwent Program.
- Users of SK UMK accounts on local servers use e-mail addresses determined on the basis of regulations concerning these servers.
§ 12
- Employees of UMK are obliged to use business e-mail addresses while conducting business correspondence.
- It is not recommended to configure automatic forwarding of mail received to the address of UMK to servers outside of UMK. UCI is not responsible for problems related to the delivery of e-mails, if the account is configured to redirect to a server outside of UMK.
§ 13
- In order to protect the network, the SK UMK user is obliged to take care of the security of their accounts, in particular to protect their passwords and other data used for authentication.
- The user cannot request a password change or the re-enabling of a blocked account by phone if it is not possible to identify the caller.
- The SK UMK user is forbidden to:
- allow other people to use their accounts and related rights;
- attempt to use another person's account and run password-decrypting applications;
- conduct activities aimed at eavesdropping or interception of information flowing on the network;
- change the assigned IP address of devices (except for situations agreed with the administrator of the relevant network);
- launch applications that may disrupt or destabilize the operation of a computer system or network, or compromise the privacy of system resources;
- send mass mail directed to random recipients (spam).
- If the user fails to comply with these rules, the administrator may temporarily restrict or block access to the network or service.
§ 14
- The content of the user's account, in particular the contents of the mailbox, is protected by professional secrecy.
- In justified cases, following the decision of the rector or chancellor, the content of the account may be made available to third parties.
Chapter 5 Data and service protection
§ 33
- All IT system administrators are required to maintain professional secrecy. The obligation of secrecy remains in force even after employment at NCU has ended.
- Professional secrecy covers in particular:
- information on the UMK network and information systems configuration;
- passwords and other access data;
- all personal data;
- the contents of home directories and user correspondence;
- administration data;
- system logs containing information about user activity.
- Sharing data covered by professional secrecy is possible only on a written request and must be preceded by obtaining the consent of the rector, chancellor or persons authorized by them.
Chapter 6 Information services
§ 36
- The role of e-mail servers is to deliver messages while protecting users against spam and messages containing undesirable software.
- Messages identified as suspicious, but not classified as evident spam, must be appropriately marked so that the users can define their own rules of conduct.
- Users are required to apply the principle of limited trust, and in particular not to take actions such as entering their own password or changing the password in response to a received message.
- In order to minimise the sending of spam from SK UMK and the resulting consequences, e-mail may be sent only through properly secured servers.
- An e-mail sent from SK UMK must be scanned for spam and unsolicited software; messages identified as dangerous must be blocked, and the user from whose account such correspondence has been sent must be notified.
- It is forbidden to use internet forms that allow sending mail to any recipients.
§ 37
- Sending mail to all employees or students requires the consent of the rector, vice-chancellor, chancellor, or a person authorized by them.
- Consent to sending such e-mail is granted on a one-off basis or permanently.
- The user with such consent will be provided by UCI with an address enabling the mailing.
Chapter 7 Managing the network layer
§ 42
- UMK maintains a central wireless network connected to the global eduroam system.
- Access to the eduroam network requires an active SK UMK account authorizing the use of a network or an account in another institution included in the eduroam system.
- SK UMK accounts of employees and students of UMK authorize access to the eduroam network around the world.
- SK UMK accounts of NCU alumni authorize access to eduroam only within the UMK premises.
- Devices of persons having eduroam accounts outside of the NCU and holders of the UMK alumni account are placed in a virtual subnet, which is considered to be an external network in relation to NCU. Automatic access to electronic magazines subscribed to by UMK is not enabled in this network.
- The eduroam network is used to access the network in the UMK area and cannot be used to create permanent network connections through, for example, directional antennas and signal amplifiers.
- In situations giving rise to the suspicion that the user's account is being abused, for example, a large number of devices are used from one account, or the way of using indicates a permanent link, administrators can block the user's permission to use the network.
§ 43
- Within SK UMK it is forbidden to run unsecured wireless networks.
- Wireless access devices may be connected to SK UMK only in consultation with the administrator of SK UMK or a person authorized by the administrator of SK UMK to take such decisions in a given area; connecting devices without prior authorization will be treated as a serious breach of the safety of SK UMK.
- In justified cases SK UMK administrators can use methods of jamming unknown wireless devices.
- Devices using a wireless network must not interfere with the work of other network users, and users of such devices are required to comply with the recommendations of SK UMK administrator.
Chapter 8 User devices
§ 44
- Workstations owned by UMK should be protected by up-to-date software ensuring the security of the computer system. UMK provides the necessary licenses for security software in accordance with the financial rules determined by the rector.
- In the case of personal data processing, it is necessary to provide the protection described in the Privacy Policy of a given personal data processing system.
- Descriptions of the protection of various operating systems are constantly updated and available on UCI websites.
- The Software Administrator assigned to a given station is responsible for the security of the workstation software.
§ 45
Users' private devices can be connected to SK UMK, under the following conditions:
- the users of private devices are responsible for the risks that may arise from the lack of proper protection of the devices;
- the users are required to properly protect their devices, so as to exclude unauthorized access to services, e.g. by means of passwords stored on the device;
- in the event that it is suspected that the device has fallen into the wrong hands, the user is obliged to immediately change all access passwords in the UMK systems;
- safety instructions for specific services may introduce additional restrictions on access from private devices.
§ 46
If it is determined that a device interfering with the network operation operates in SK UMK or violates the principles of this Policy, the relevant network administrator has the right to immediately disable access of such device to the network. The administrator notifies the user of the device about the identified violations of the Policy, and in justified cases or in the absence of the user's reaction, also the appropriate user's superior. All cases of identified violations of this Policy are registered by administrators.
Chapter 9 Policy of passwords
§ 47
Central service administrators use 2-step authentication on an access server to access servers. The second element of authentication is a random number generated on an external device.
§ 48
- Users are required to keep their access credentials secret. In particular, it is not allowed to pass on an access password to an individual account to anyone.
- Passwords must meet security requirements enforced through password change systems.
- In systems where personal data is processed, passwords specific to these systems are used and user passwords are changed at least once a month, unless additional security mechanisms such as tokens or one-time password lists are used.
- It is allowed to use the SMS service in the UMK systems, but the management policy of the specific system must be governed by the rules for verification of telephone numbers associated with the accounts.
Chapter 10 Change of equipment user and disposal of electronic equipment and media that may contain data
§ 49
Before any electronic equipment which may contain data requiring protection is passed to a new user, the current user is obliged to make a risk assessment of possible disclosure of data. If it is necessary, the data needs to be deleted in a way that does not allow it to be recovered. In case of doubt, the user contacts the appropriate network administrator in this matter.
Chapter 11 Final provisions
§ 53
The following are repealed:
- ordinance No. 144 of the Rector of the Nicolaus Copernicus University of 19 October 2009 regarding the use of business addresses by employees of the Nicolaus Copernicus University (Legal Bulletin of the Nicolaus Copernicus University No. 9, item 283);
- ordinance No. 76 of the Rector of the Nicolaus Copernicus University of September 18, 2007 - Computer Network Regulations of the Nicolaus Copernicus University in Toruń (Legal Bulletin of the Nicolaus Copernicus University No. 7, item 178).
The order comes into effect on December 19, 2017, with the exception of §20 - §22 and §24 - §26, which come into effect on July 1, 2018.
Rector prof. dr hab. Andrzej Tretyn