NCU CN Security Policy: Różnice pomiędzy wersjami

Z Uniwersyteckie Centrum Informatyczne

Linia 13: Linia 13:
 
</center>
 
</center>
  
# A computer network operates at the Nicolaus Copernicus University in Toruń, hereinafter referred to as "NCU".
+
# At Nicolaus Copernicus University in Toruń, hereinafter referred to as the "NCU", there is a computer network.
 
# The NCU computer network, hereinafter referred to as "NCU CN", covers all NCU facilities, in particular locations in Toruń, Piwnice and Bydgoszcz and network services provided by the NCU on its own or external resources.
 
# The NCU computer network, hereinafter referred to as "NCU CN", covers all NCU facilities, in particular locations in Toruń, Piwnice and Bydgoszcz and network services provided by the NCU on its own or external resources.
# The basic role of NCU CN is to support didactic, scientific and university management processes.
+
# The basic role of NCU CN is to support teaching, scientific and university management processes.
# NCU is not responsible for losses resulting from the failure of NCU CN.
+
# NCU shall not be liable for losses resulting from the failure of NCU CN.
 
# NCU CN may be used in a way that does not violate applicable law.
 
# NCU CN may be used in a way that does not violate applicable law.
# Do not distribute commercial or advertising content or images of commercial, advertising, political nature, etc. without the Rector's or Chancellor's consent.
+
# It is not allowed to distribute through NCU CN content or images of commercial, advertising, political, etc. without the consent of the rector or chancellor.
  
 
<center>
 
<center>
Linia 24: Linia 24:
 
</center>
 
</center>
  
# The security policy of the Nicolaus Copernicus University computer network, hereinafter referred to as the "Policy", introduces uniform operating principles for users and network and service administrators to ensure adequate data protection.
+
# The security policy of NCU CN, hereinafter referred to as the "Policy", introduces uniform operating principles for users and network and service administrators to ensure adequate data protection.
 
# The policy consists of a basic document issued as ordinance of the rector and three annexes specifying detailed operating procedures in the following areas of the NCU CN:
 
# The policy consists of a basic document issued as ordinance of the rector and three annexes specifying detailed operating procedures in the following areas of the NCU CN:
## account management - [[Security_Policy_1 | Annex 1]];
+
## account management - [[Security policy 1 | Annex 1]];
## domain management - [[Security_Policy_2 | Annex 2]];
+
## domain management - [[Security Policy 2 | Annex 2]];
## external services made available by the account in NCU CN - ​​[[Security_Policy_3 | Annex 3]].
+
## external services made available by the account in NCU CN - ​​[[Security policy 3 | Annex 3]].
 
# Responsibility for maintaining the Policy, in particular for submitting update proposals resulting from changes in law and technology, lies with the University's Nicolaus Copernicus University Information Center, hereinafter referred to as "UCI"
 
# Responsibility for maintaining the Policy, in particular for submitting update proposals resulting from changes in law and technology, lies with the University's Nicolaus Copernicus University Information Center, hereinafter referred to as "UCI"
 
# The policy is accompanied by internal documents, approved by the UCI director, specifying the detailed operating principles within the subsystems constituting the NCU CN.
 
# The policy is accompanied by internal documents, approved by the UCI director, specifying the detailed operating principles within the subsystems constituting the NCU CN.
Linia 59: Linia 59:
 
</center>
 
</center>
  
# Users of NCU CN are anyone using a device connected to NCU CN or a NCU CN network service.
+
# NCU CN user is any person using a device connected to NCU CN or a NCU CN network service.
 
# In order to access the protected resources of NCU CN, it is necessary to have a NCU CN user account, hereinafter referred to as NCU CN.
 
# In order to access the protected resources of NCU CN, it is necessary to have a NCU CN user account, hereinafter referred to as NCU CN.
# NCU account also gives the right to use selected external services, specified in the Regulations for the use of external services, which is [[Security_Policy_3 | Annex 3]] to this ordinance.
+
# NCU account also gives the right to use selected external services, specified in the Regulations for the use of external services, which is [[Security Policy 3 | Annex 3]] to this ordinance.
 
# In some cases, access to specific services requires special accounts associated with the services. This account is called the service account.
 
# In some cases, access to specific services requires special accounts associated with the services. This account is called the service account.
  
Linia 70: Linia 70:
 
# NCU CN account can be owned by:
 
# NCU CN account can be owned by:
 
## NCU employees employed under an employment contract or civil law contract;
 
## NCU employees employed under an employment contract or civil law contract;
## retirees and pensioners of the Nicolaus Copernicus University;
+
## retirees and pensioners of the NCU;
## other people who need an account in connection with the didactic classes conducted at the Nicolaus Copernicus University or courses, apprenticeships held at the Nicolaus Copernicus University;
+
## other people who need an account in connection with the teaching classes given at NCU or other activities like courses, practices, etc.;
## students of the Nicolaus Copernicus University (including PhD students);
+
## students of NCU (including PhD students);
 
## NCU guests during their stay at the university;
 
## NCU guests during their stay at the university;
 
## holders of the NCU graduate card;
 
## holders of the NCU graduate card;
 
## other people - in particularly justified cases, with the consent of the UCI director.
 
## other people - in particularly justified cases, with the consent of the UCI director.
# On the university servers one person may have only one NCU CN account.
+
# One person may have only one SK SKU account on main university servers.
# Employees, retirees, pensioners and students of the Nicolaus Copernicus University have the right to maintain their own website, maintained in accordance with § 1 para. 6.
+
# Employees, retirees, pensioners and students of NCU have the right to maintain their own website, maintained in accordance with § 1 para. 6.
  
 
<center>
 
<center>
 
=====§ 7=====
 
=====§ 7=====
 
</center>
 
</center>
# Procedures regarding the handling of NCU CN accounts are included in [[Security_Policy_1 | Annex 1]].
+
# Procedures regarding the handling of NCU CN accounts are included in [[Security policy 1 | Annex 1]].
# NCU CN accounts of the NCU graduate card holders are run on the terms set out in the Regulations of the Graduate Program.
+
# NCU CN accounts of the alumni card holders of the NCU are governed by the principles set out in the Regulations of the Alumni Program.
 
# NCU CN account used in violation of § 1 para. 5 is blocked by the administrator of the NCU CN or the administrator of the respective local network. The appropriate supervisor of the user is notified about the fact of blocking the NCU CN account, who, after explaining the case, decides to unblock the account.
 
# NCU CN account used in violation of § 1 para. 5 is blocked by the administrator of the NCU CN or the administrator of the respective local network. The appropriate supervisor of the user is notified about the fact of blocking the NCU CN account, who, after explaining the case, decides to unblock the account.
 
# Additional rules of keeping NCU users' accounts in local networks of NCU CN may be specified in the regulations of these networks.
 
# Additional rules of keeping NCU users' accounts in local networks of NCU CN may be specified in the regulations of these networks.
Linia 90: Linia 90:
 
=====§ 8=====
 
=====§ 8=====
 
</center>
 
</center>
# NCU CN accounts of persons who have lost the right to have them lose their validity and are terminated after the expiry of the period prescribed for the type of account.
+
# NCU CN accounts of persons who have lost their entitlement expire and are cleared after the deadline set for a given account type.
# The user who has lost the status entitling him to have an NCU CN account, the administrator notifies about the date of account deactivation by e-mail.
+
# A user who has lost the status entitling him to an NCU CN account, will be informed by an e-maol from the administrator about the date when the account.
 
# Identifier, or the associated e-mail aliases of canceled NCU CN account will not be reassigned to another person.
 
# Identifier, or the associated e-mail aliases of canceled NCU CN account will not be reassigned to another person.
# Dates and procedure for canceling the NCU CN account are described in [[Security_Policy_1| Annex 1]].
+
# Dates and procedure for canceling the NCU CN account are described in [[Security policy 1 | Annex 1]].
 +
 
  
 
<center>
 
<center>
 
=====§ 9 =====
 
=====§ 9 =====
 
</center>
 
</center>
# Functional account is the right to carry out tasks or provide information services for the purposes of:
+
# Functional account is the entitlement to carry out tasks or provide information services for the purposes of:
## organizational units of the Nicolaus Copernicus University;
+
## organizational units of NCU;
## registered student and local government organizations operating in the Nicolaus Copernicus University;
+
## registered student and local government organizations operating in NCU;
 
## student research clubs;
 
## student research clubs;
 
## other institutions and organizations, made available under separate regulations or arrangements.
 
## other institutions and organizations, made available under separate regulations or arrangements.
 
# Functional accounts of NCU organizational units are run at the request of their manager.
 
# Functional accounts of NCU organizational units are run at the request of their manager.
 
# Functional accounts of student and local government organizations and student groups are maintained at their request approved by the rector or dean.
 
# Functional accounts of student and local government organizations and student groups are maintained at their request approved by the rector or dean.
# Each functional account must have a guardian appointed by the person competent to set up such an account.
+
# Each functional account must have a supervisor appointed by the person competent to set up such an account.
 
# Functional accounts can only be used for the purpose for which they were granted.
 
# Functional accounts can only be used for the purpose for which they were granted.
  
Linia 118: Linia 119:
 
=====§ 11=====
 
=====§ 11=====
 
</center>
 
</center>
# Email addresses in the form of ID@umk.pl or ID@cm.umk.pl, where ID is an identifier that meets the requirements of electronic mail can be assigned only to the accounts of NCU CN employees, NCU retirees and pensioners, persons listed in § 6 para. 2 point 3 and functional accounts.
+
# Email addresses in the form of ID@umk.pl or ID@cm.umk.pl, where ID is an identifier that meets the requirements of electronic mail can be assigned only to NCU CN accounts of employees, NCU retirees and pensioners, persons listed in § 6 para. 2 point 3 and functional accounts.
# The NCU employee using the NCU CN account on the university-wide server receives by default the e-mail address ID@umk.pl or ID@cm.umk.pl, where ID is the account identifier; when setting up an account, he is informed about the possibility of defining additional e-mail addresses.
+
# NCU employees using the NCU CN account on the central university server receive by default the e-mail address ID@umk.pl or ID@cm.umk.pl, where ID is the account identifier; when setting up an account, they are informed about the possibility of defining additional e-mail addresses.
# Doctoral students using the NCU CN account on the university-wide server use e-mail addresses in the form ID@doktorant.umk.pl, where ID is the identifier of the doctoral student's account.
+
# PhD students using the NCU CN account on the central university server use e-mail addresses in the form ID@doktorant.umk.pl, where ID is the identifier of the PhD student's account.
# Other students using the NCU CN account on the university-wide student server use email addresses in the form ID@stud.umk.pl, where ID is the student's account identifier.
+
# Other students using the NCU CN account on the central university student server use email addresses in the form ID@stud.umk.pl, where ID is the student's account identifier.
# NCU guests during their stay at the university using the NCU CN account on the university NCU general server (in accordance with this Policy) use e-mail addresses in the form ID@v.umk.pl, where ID is the account identifier.
+
# NCU guests during their stay at the university using the NCU CN account on the university NCU central server (in accordance with this Policy) use e-mail addresses in the form ID@v.umk.pl, where ID is the account identifier.
# NCU graduate card holders use the e-mail addresses specified in the Regulations of the Graduate Program.
+
# NCU alumni card holders use the e-mail addresses specified in the Regulations of the Graduate Program.
 
# Users of NCU CN accounts on local servers use e-mail addresses determined on the basis of regulations regarding these servers.
 
# Users of NCU CN accounts on local servers use e-mail addresses determined on the basis of regulations regarding these servers.
  
Linia 136: Linia 137:
 
</center>
 
</center>
 
# In order to protect the network, the NCU CN user is obliged to ensure the security of their accounts, in particular to protect their passwords and other authentication data.
 
# In order to protect the network, the NCU CN user is obliged to ensure the security of their accounts, in particular to protect their passwords and other authentication data.
# The user cannot request to change the password or open blocked access by phone if the caller cannot be identified.
+
# The user cannot request to change the password or reenabling blocked access by phone if the caller cannot be identified.
 
# It is forbidden for the user of NCU CN:
 
# It is forbidden for the user of NCU CN:
 
## enabling others to use their accounts and associated permissions;
 
## enabling others to use their accounts and associated permissions;
## attempting to use a foreign account and running password decryption applications;
+
## attempting to use another user's account and running password decryption applications;
 
## conducting activities aimed at eavesdropping or intercepting information flowing on the network;
 
## conducting activities aimed at eavesdropping or intercepting information flowing on the network;
 
## changes in the assigned IP address of devices (except for situations agreed with the administrator of the relevant network);
 
## changes in the assigned IP address of devices (except for situations agreed with the administrator of the relevant network);
Linia 314: Linia 315:
 
=====§ 33=====
 
=====§ 33=====
 
</center>
 
</center>
# All IT system administrators are required to maintain professional secrecy. The obligation of secrecy remains in force also after termination of employment at the Nicolaus Copernicus University.
+
# All IT system administrators are required to maintain professional secrecy. The obligation of secrecy remains in force also after termination of employment at NCU.
 
# Secrets covered in particular:
 
# Secrets covered in particular:
## information on the configuration of the Nicolaus Copernicus University network and IT systems;
+
## information on the configuration of the NCU network and IT systems;
 
## passwords and other access data;
 
## passwords and other access data;
 
## any personal information;
 
## any personal information;
Linia 341: Linia 342:
 
=====§ 36=====
 
=====§ 36=====
 
</center>
 
</center>
# The task of servers supporting e-mail is to deliver messages while protecting users against spam and messages containing unwanted software.
+
# The task of e-mail servers is to deliver messages while protecting users against spam and messages containing unwanted software.
# Messages identified as suspicious but not classified as obvious spam must be marked accordingly so that the user can define his own rules of conduct.
+
# Messages identified as suspicious but not classified as obvious spam must be marked accordingly so that the users can define their own rules of conduct.
# Users are obliged to apply the principle of limited trust, and in particular not to take actions such as entering their own password or changing the password in response to a received letter.
+
# Users are obliged to apply the principle of limited trust, and in particular not to take actions such as entering their own password or changing the password in response to a received message.
 
# Due to the risks of sending spam from the NCU CN and related consequences, e-mail can only be sent via properly secured servers.
 
# Due to the risks of sending spam from the NCU CN and related consequences, e-mail can only be sent via properly secured servers.
 
# Email sent from the NCU CN must be scanned for spam and containment of unwanted software; messages identified as dangerous must be blocked, and the user from whose account such correspondence was sent must be notified.
 
# Email sent from the NCU CN must be scanned for spam and containment of unwanted software; messages identified as dangerous must be blocked, and the user from whose account such correspondence was sent must be notified.
# It is forbidden to use web forms that allow sending mail to any recipients.
+
# It is forbidden to use web forms that allow sending mail to arbitrary recipients.
  
 
<center>
 
<center>
Linia 353: Linia 354:
 
# Sending mail to all employees or students requires the consent of the rector, vice rector, chancellor, or a person authorized by them.
 
# Sending mail to all employees or students requires the consent of the rector, vice rector, chancellor, or a person authorized by them.
 
# Permission to send such mail is granted once or permanently.
 
# Permission to send such mail is granted once or permanently.
# UCI provides the address to the user with such consent allowing the mailing to be sent.
+
# The user with such consent will be provided by UCI with an address enabling the mailing.
  
 
<center>
 
<center>
Linia 394: Linia 395:
 
# NCU staff and students accounts authorize access to the eduroam network worldwide.
 
# NCU staff and students accounts authorize access to the eduroam network worldwide.
 
# NCU graduate accounts authorize access to eduroam only within the NCU area.
 
# NCU graduate accounts authorize access to eduroam only within the NCU area.
# Devices of persons having eduroam accounts outside the Nicolaus Copernicus University and holders of the NCU graduate account are placed in a virtual subnet, which is treated as an external network in relation to the Nicolaus Copernicus University. This network does not have automatic access to electronic magazines subscribed by the Nicolaus Copernicus University.
+
# Devices of persons having eduroam accounts outside NCU and holders of the NCU graduate accounts are placed in a virtual subnet, which is treated as an external network in relation to NCU. This network does not have automatic access to electronic magazines subscribed by NCU.
# The eduroam network is used to access the network in the Nicolaus Copernicus University area and cannot be used to create permanent network connections through e.g. directional antennas and signal amplifiers.
+
# The eduroam network is used to access the network in the NCU area and cannot be used to create permanent network connections through e.g. directional antennas and signal amplifiers.
 
# In situations that give rise to the suspicion that a user account is being abused, e.g. a large number of devices use one account, or the method of use indicates a permanent connection, administrators may block the user's permission to use the network.
 
# In situations that give rise to the suspicion that a user account is being abused, e.g. a large number of devices use one account, or the method of use indicates a permanent connection, administrators may block the user's permission to use the network.
  
Linia 402: Linia 403:
 
</center>
 
</center>
 
# It is forbidden to run unsecured wireless networks inside NCU CN.
 
# It is forbidden to run unsecured wireless networks inside NCU CN.
# Access devices for wireless communication may be connected to the NCU CN only in consultation with the NCU CN administrator or a person authorized by the NCU CN administrator to make such decisions in a specific area; connecting devices without agreement will be treated as a serious breach of security of the Nicolaus Copernicus University.
+
# Access devices for wireless communication may be connected to the NCU CN only in consultation with the NCU CN administrator or a person authorized by the NCU CN administrator to make such decisions in a specific area; connecting devices without agreement will be treated as a serious breach of security of NCU.
 
# In justified cases, NCU CN administrators may use methods to jam unknown wireless devices.
 
# In justified cases, NCU CN administrators may use methods to jam unknown wireless devices.
 
# Devices using a wireless network may not interfere with other network users, and users of such devices are required to follow the instructions of the NCU CN administrator.
 
# Devices using a wireless network may not interfere with other network users, and users of such devices are required to follow the instructions of the NCU CN administrator.
Linia 410: Linia 411:
 
=====§ 44=====
 
=====§ 44=====
 
</center>
 
</center>
# Workstations owned by the Nicolaus Copernicus University should be protected by constantly updated software ensuring the security of the computer system. The Nicolaus Copernicus University provides necessary licenses for security software in accordance with the financial rules set by the rector.
+
# Workstations owned by NCU should be protected by constantly updated software ensuring the security of the computer system. NCU provides necessary licenses for security software in accordance with the financial rules set by the rector.
 
# In the case of personal data processing, it is necessary to ensure the protection described in the Security Instruction of the given personal data processing system.
 
# In the case of personal data processing, it is necessary to ensure the protection described in the Security Instruction of the given personal data processing system.
 
# Descriptions of protection for various operating systems are constantly updated and available on UCI websites.
 
# Descriptions of protection for various operating systems are constantly updated and available on UCI websites.
Linia 417: Linia 418:
 
<center>
 
<center>
 
=====§ 45=====
 
=====§ 45=====
</center>¶ Private user devices may be connected in NCU CN, subject to the following rules:
+
</center>
 +
Users' private devices may be connected in NCU CN, subject to the following rules:
  
# the user using the private device bears responsibility for threats that may result from the lack of proper protection of his device;
+
# the users of the private device bear responsibility for threats that may result from the lack of proper protection of their devices;
# the user is required to properly protect his own device so as to exclude unauthorized access to services, e.g. by using passwords saved on the device;
+
# the users are required to properly protect their own devices so as to exclude unauthorized access to services, e.g. by using passwords saved on the device;
# if it is suspected that the device has fallen into the wrong hands, the user is obliged to immediately change all access passwords in the NCU systems;
+
# if there is a possibility that the device with stored passwords may be used by an unauthorized person, the user is obliged to immediately change all access passwords in the NCU systems;
 
# specific service security instructions may impose additional restrictions on access from private devices.
 
# specific service security instructions may impose additional restrictions on access from private devices.
 +
  
 
<center>
 
<center>
 
=====§ 46=====
 
=====§ 46=====
 
</center>
 
</center>
# In the event that in the NCU CN operates a device that disrupts the network or violates the principles of this Policy, the relevant network administrator has the right to immediately disable the access of such device to the network.
+
# If it is determined that a device interfering with the network operation operates in NCU CN or violates the principles of this Policy, the relevant network administrator has the right to immediately disable access of such device to the network.
 
# The administrator notifies the user of the device about the identified cases of violation of the Policy, and in justified cases or in the absence of a response from the user, also the appropriate user superior.
 
# The administrator notifies the user of the device about the identified cases of violation of the Policy, and in justified cases or in the absence of a response from the user, also the appropriate user superior.
 
# All cases of identified violations of this Policy are recorded by administrators.
 
# All cases of identified violations of this Policy are recorded by administrators.
Linia 454: Linia 457:
 
=====§ 50=====
 
=====§ 50=====
 
</center>
 
</center>
# Electronic equipment is subject to the general principles of utilization adopted at the Nicolaus Copernicus University.
+
# Electronic equipment is subject to the general principles of utilization adopted at NCU.
 
# The receipt and disposal of equipment that may contain data that requires protection, for example, on which personal data was processed, can only be entrusted to entities with appropriate permissions confirmed by an appropriate certificate.
 
# The receipt and disposal of equipment that may contain data that requires protection, for example, on which personal data was processed, can only be entrusted to entities with appropriate permissions confirmed by an appropriate certificate.
 
# Equipment to be disposed of that may contain data that requires protection must be appropriately marked on the casing so that it can be properly transferred to the disposal entity.
 
# Equipment to be disposed of that may contain data that requires protection must be appropriately marked on the casing so that it can be properly transferred to the disposal entity.
Linia 460: Linia 463:
 
<center>
 
<center>
 
=====§ 51=====
 
=====§ 51=====
</center>If data carriers containing data that require protection have not been subjected to the data eradication procedure, they can be entrusted for disposal only to entities with appropriate certification.
+
</center>
 +
If data carriers containing data that require protection have not been subjected to the data eradication procedure, they can be entrusted for disposal only to entities with appropriate certification.
 
=====§ 52=====
 
=====§ 52=====
 
If equipment containing data carriers with data requiring protection is subject to warranty repair, then one of the following conditions must be met:
 
If equipment containing data carriers with data requiring protection is subject to warranty repair, then one of the following conditions must be met:

Wersja z 14:58, 18 maj 2020

This is a translation of the Polish original document and as such is not formally binding

ORDINANCE No. 196
Rector of the Nicolaus Copernicus University in Toruń
of December 19, 2017

Security policy for the computer network of the Nicolaus Copernicus University in Toruń

Based on Article. 66 section 2 of the Act of 27 July 2005 Law on Higher Education (Journal of Laws of 2016 r., Item 1842, as amended)

the following is administered:

Chapter 1 General concepts

§ 1
  1. At Nicolaus Copernicus University in Toruń, hereinafter referred to as the "NCU", there is a computer network.
  2. The NCU computer network, hereinafter referred to as "NCU CN", covers all NCU facilities, in particular locations in Toruń, Piwnice and Bydgoszcz and network services provided by the NCU on its own or external resources.
  3. The basic role of NCU CN is to support teaching, scientific and university management processes.
  4. NCU shall not be liable for losses resulting from the failure of NCU CN.
  5. NCU CN may be used in a way that does not violate applicable law.
  6. It is not allowed to distribute through NCU CN content or images of commercial, advertising, political, etc. without the consent of the rector or chancellor.
§ 2
  1. The security policy of NCU CN, hereinafter referred to as the "Policy", introduces uniform operating principles for users and network and service administrators to ensure adequate data protection.
  2. The policy consists of a basic document issued as ordinance of the rector and three annexes specifying detailed operating procedures in the following areas of the NCU CN:
    1. account management - Annex 1;
    2. domain management - Annex 2;
    3. external services made available by the account in NCU CN - ​​ Annex 3.
  3. Responsibility for maintaining the Policy, in particular for submitting update proposals resulting from changes in law and technology, lies with the University's Nicolaus Copernicus University Information Center, hereinafter referred to as "UCI"
  4. The policy is accompanied by internal documents, approved by the UCI director, specifying the detailed operating principles within the subsystems constituting the NCU CN.
  5. If the word should and its variants are used in the text, it should be interpreted as an order from which derogations may occur in particularly justified situations. Such deviations must be documented.
§ 3
  1. Dedicated guest access networks, such as e.g. a section of the eduroam network dedicated to external users, or the conference service network, are treated as external resources to the NCU CN, and outgoing traffic from these networks and directed to the rest of the NCU is filtered on these same rules as traffic outside the Nicolaus Copernicus University.
  2. Dedicated guest access networks must have their own regulations available at least in Polish and English.
§ 4
  1. NCU main domain is umk.pl, which means that on general university pages and pages of NCU units, other university pages are addressed only through this domain.
  2. The right to apply for registration of names in the umk.pl domain have only: rector, chancellor, deans, heads of general university and inter-faculty units.
  3. Each registered name in the umk.pl domain must have a designated guardian.
  4. Names in the umk.pl domain are registered by the NCU CN administrator at the written request of an authorized person.
  5. The domain validity period and the procedure for their liquidation is described in Annex 2.

Chapter 2 Users of NCU CN 

§ 5
  1. NCU CN user is any person using a device connected to NCU CN or a NCU CN network service.
  2. In order to access the protected resources of NCU CN, it is necessary to have a NCU CN user account, hereinafter referred to as NCU CN.
  3. NCU account also gives the right to use selected external services, specified in the Regulations for the use of external services, which is Annex 3 to this ordinance.
  4. In some cases, access to specific services requires special accounts associated with the services. This account is called the service account.
§ 6 
  1. NCU CN account is a registered entitlement to use NCU CN.
  2. NCU CN account can be owned by:
    1. NCU employees employed under an employment contract or civil law contract;
    2. retirees and pensioners of the NCU;
    3. other people who need an account in connection with the teaching classes given at NCU or other activities like courses, practices, etc.;
    4. students of NCU (including PhD students);
    5. NCU guests during their stay at the university;
    6. holders of the NCU graduate card;
    7. other people - in particularly justified cases, with the consent of the UCI director.
  3. One person may have only one SK SKU account on main university servers.
  4. Employees, retirees, pensioners and students of NCU have the right to maintain their own website, maintained in accordance with § 1 para. 6.
§ 7
  1. Procedures regarding the handling of NCU CN accounts are included in Annex 1.
  2. NCU CN accounts of the alumni card holders of the NCU are governed by the principles set out in the Regulations of the Alumni Program.
  3. NCU CN account used in violation of § 1 para. 5 is blocked by the administrator of the NCU CN or the administrator of the respective local network. The appropriate supervisor of the user is notified about the fact of blocking the NCU CN account, who, after explaining the case, decides to unblock the account.
  4. Additional rules of keeping NCU users' accounts in local networks of NCU CN may be specified in the regulations of these networks.
§ 8
  1. NCU CN accounts of persons who have lost their entitlement expire and are cleared after the deadline set for a given account type.
  2. A user who has lost the status entitling him to an NCU CN account, will be informed by an e-maol from the administrator about the date when the account.
  3. Identifier, or the associated e-mail aliases of canceled NCU CN account will not be reassigned to another person.
  4. Dates and procedure for canceling the NCU CN account are described in Annex 1.


§ 9 
  1. Functional account is the entitlement to carry out tasks or provide information services for the purposes of:
    1. organizational units of NCU;
    2. registered student and local government organizations operating in NCU;
    3. student research clubs;
    4. other institutions and organizations, made available under separate regulations or arrangements.
  2. Functional accounts of NCU organizational units are run at the request of their manager.
  3. Functional accounts of student and local government organizations and student groups are maintained at their request approved by the rector or dean.
  4. Each functional account must have a supervisor appointed by the person competent to set up such an account.
  5. Functional accounts can only be used for the purpose for which they were granted.
§ 10 
  1. Account in the service is the right to access the service that does not use the NCU CN account system.
  2. Services may define their own regulations regarding the requirements for service accounts, in particular regarding the manner of logging into the service, requirements regarding the quality and frequency of password changes, etc.
  3. Services can define their own policies regarding account expiration dates and procedures for deleting them.
§ 11
  1. Email addresses in the form of ID@umk.pl or ID@cm.umk.pl, where ID is an identifier that meets the requirements of electronic mail can be assigned only to NCU CN accounts of employees, NCU retirees and pensioners, persons listed in § 6 para. 2 point 3 and functional accounts.
  2. NCU employees using the NCU CN account on the central university server receive by default the e-mail address ID@umk.pl or ID@cm.umk.pl, where ID is the account identifier; when setting up an account, they are informed about the possibility of defining additional e-mail addresses.
  3. PhD students using the NCU CN account on the central university server use e-mail addresses in the form ID@doktorant.umk.pl, where ID is the identifier of the PhD student's account.
  4. Other students using the NCU CN account on the central university student server use email addresses in the form ID@stud.umk.pl, where ID is the student's account identifier.
  5. NCU guests during their stay at the university using the NCU CN account on the university NCU central server (in accordance with this Policy) use e-mail addresses in the form ID@v.umk.pl, where ID is the account identifier.
  6. NCU alumni card holders use the e-mail addresses specified in the Regulations of the Graduate Program.
  7. Users of NCU CN accounts on local servers use e-mail addresses determined on the basis of regulations regarding these servers.
§ 12 
  1. NCU employees are required to use their business e-mail addresses during business correspondence.
  2. It is not recommended to configure automatic redirection of mail received to the NCU address to servers outside the NCU. UCI shall not be liable for problems related to the delivery of mail if the account is configured with redirection to a server outside the NCU.
§ 13
  1. In order to protect the network, the NCU CN user is obliged to ensure the security of their accounts, in particular to protect their passwords and other authentication data.
  2. The user cannot request to change the password or reenabling blocked access by phone if the caller cannot be identified.
  3. It is forbidden for the user of NCU CN:
    1. enabling others to use their accounts and associated permissions;
    2. attempting to use another user's account and running password decryption applications;
    3. conducting activities aimed at eavesdropping or intercepting information flowing on the network;
    4. changes in the assigned IP address of devices (except for situations agreed with the administrator of the relevant network);
    5. launching applications that may disrupt or destabilize the operation of the system or computer network, or violate the privacy of system resources;
    6. sending bulk mail to random recipients (spam).
  4. If the user fails to comply with the above rules, the administrator may temporarily limit or block access to the network or service.
§ 14
  1. The content of the user's account, in particular the content of the mailbox is protected by professional secrecy.
  2. In justified cases, by the decision of the rector or chancellor, the content of the account may be disclosed to third parties.

Chapter 3 Description of NCU CN

§ 15

NCU CN components in Toruń and Piwnice:

  1. NCU central service server network administered directly by UCI, serving various types of services and requiring different types of access for users, divided into sub-areas in both logical and geographical terms;
  2. UCI internal network including UCI employee work stations divided into access areas;
  3. NCU administration network, administered by the UCI Department of Administration Informatisation, mostly using separate rooms and a separate cable infrastructure or separate transmission channels as part of the TORMAN network;
  4. local networks of NCU organizational units, usually having territorial and address separation (separate IP routing), which can be administered by their parent units or their administration can be entrusted to UCI, and networks of organizational units are connected via edge devices of the TORMAN network;
  5. NCU wireless network managed by the UCI;
  6. student network and assistant hotels.
§ 16
¶ Components of NCU CN in Bydgoszcz:
  1. local networks of the NCU Collegium Medicum directly administered by the Department of Collegium Medicum Informatisation, serving various types of services and requiring different types of access for users, divided into sub-areas in both logical and geographical terms. Local networks can operate through devices and infrastructure of the BYDMAN network;
  2. local Network of the NCU CM administration, administered directly by the Department of Collegium Medicum Informatisation, connected to the central cable infrastructure;
  3. the networks of organizational units, which are usually part of the local NCU CM networks, having address separation in exceptional situations, can be administered by parent units or administration can be entrusted to the Department of Collegium Medicum Informatisation;
  4. NCU wireless network managed by the Department of Collegium Medicum Informatisation;
  5. student network and assistant hotels.
 §17

Network management in NCU locations other than those listed in § 15 and 16 depends on the status of the location and must be regulated by the management responsible for the location.

§ 18
NCU CN dependence on external factors:
  1. NCU CN uses the TORMAN, BYDMAN and other telecommunications connections through the use of dedicated optical fibers and digital channels;
  2. this Policy does not regulate the matters of the TORMAN network and treats it as an external object, however, it presents expectations regarding the availability of resources of the TORMAN network and other operators;
  3. in justified cases NCU CN may use the services of commercial operators.
§ 19


  1. NCU CN administrator is performed by UCI on behalf of which acts:
    1. outside Collegium Medicum - head of the UCI Department of University Network Services or another person authorized by the UCI director;
    2. at Collegium Medicum - head of the Department of Collegium Medicum Informatisation or another person authorized by him.
  2. The manager of an organizational unit with a local network appoints the administrator of this network and notifies the UCI director about his decision.
  3. The Administrator cooperating with the NCU CN Administrator is responsible for the operation of the local network.
  4. The administrator of the local network maintains the accounts of NCU CN on the computers in his network and is obliged to guarantee that the account management rules comply with § 6.
  5. The administrator of the local network is obliged to ensure that the protection of network sockets is implemented in accordance with § 41.
  6. The administrator of the local network cooperates with the NCU CN Administrator in order to maintain the continuity, consistency and security of the NCU CN.
  7. The network of student houses and assistant hotels is managed by administrators appointed by the Chancellor in consultation with the director of UCI and cooperating with the head of the Department of Student Homes and Assistant Hotels.

Chapter 4 Physical security and fault tolerance

§ 20
  1. NCU CN should be implemented in a trouble-free manner ensuring automatic switching to backup systems. The implementation of this principle must take into account the balance of costs and risk analysis.
  2. Single points of failure, as well as systems that do not switch automatically must be inventoried, and the manner of response to their failure must be prepared and properly documented.
  3. Main points of NCU CN, in particular locations where servers are located, must be connected by more than one fiber optic route to ensure system continuity in the event of failure of one fiber optic route.
§ 21


  1. Central services are provided with the principles of trouble-free operation, including data dispersion in both logical and geographical terms.
  2. Realization of services takes into account their smooth transfer to another server in automatic mode or requiring administrator intervention. The choice of security method, determining the maximum allowable failure time depends on the criticality of the service and is described in an internal document [server redundancy].
§ 22
  1. Servers, data storage arrays, server network switches are placed in several independent locations, hereinafter referred to as server rooms, ensuring the possibility of migrating resources.
  2. Server rooms are closed, air-conditioned and placed in buildings covered by doormans' supervision or electronically. Access to the rooms is limited to a group of authorized administrators. It is recommended that the server rooms be equipped with electronic locks connected to the input recorder.
  3. Personal cleaners must be authorized and trained; authorization and the fact of training must be documented.
  4. Renovations and repairs carried out in server rooms are initially agreed with administrators and take place under their supervision.
  5. Server rooms should be monitored with cameras recording at least the moment of entering the room.
  6. Servers, arrays and switches are connected to the power grid protected by UPS devices and, if possible, also by electricity generators.
  7. Virtualization servers, arrays and switches implementing a server cluster are located so that each element has a spare component located in a server room powered by an emergency electricity generator.
  8. Key devices are equipped with multiple power supplies connected to separate circuits.
  9. The server room must be air-conditioned to ensure that the temperature is maintained for at least 4 hours, even when no external power is available.
  10. UPS devices and emergency generators are subject to the efficiency tests procedure described in the internal document [server rooms].
  11. Document [server rooms] contains a list of server rooms together with a description of their security.

Chapter 5 Data and service protection

§ 23

The unit responsible for the functioning of basic network services and coordinating activities related to the provision of network services at NCU CN is UCI, and in the case of services run locally at Collegium Medicum - Department of Collegium Medicum Informatisation.

§ 24
  1. Service servers (physical or virtual) are placed in separate virtual networks depending on their functions and the way of users' access. In particular, servers where users can log in, run their own programs, websites and services are placed on a separate network. The list of dedicated subnets and the separation of service servers is described in the internal document [server subnets].
  2. Access to the network of central service servers and administration servers is protected by firewall systems. The rules for accessing the firewall configuration, documentation of introduced changes and redundancy of firewall are described in the internal document [firewall].
  3. Access to virtual servers is protected by a password system in accordance with the principles described in chapter 9 of this document.
§ 25
  1. Designated administrators are responsible for ensuring that the data stored on the servers are properly protected.
  2. Data stored on servers must be protected in a way tailored to specific needs.
  3. Important data should be protected from loss, unauthorized modification and accidental deletion.
  4. If, based on the specifics of the resource or service provided, or the nature of the data stored, it is reasonable to apply a lower level of protection than that referred to in paragraph 3, users of these resources and services shall be informed of the level of risk.
  5. If you keep several copies of your data, ensure that you store them in different locations.
  6. The detailed rules for maintaining backups depend on the specific system and are described in the internal document [rules for creating backups].
  7. Each backup system must have a description of the operation and description of the data recovery procedure. The description of the data recovery procedure must be easily available also in the event of a broad IT system failure.
§ 26
  1. System logs collect information on system operation and user activity.
  2. System logs regarding key elements of system security are automatically created on the central system of logs, so that in the event of a burglary prevent the burglary traces from blurring.
  3. System logs are treated as documents covered by professional secrecy.
  4. The time and manner of storing logs depends on their type and is described in detail in an internal document [instructions for storing system logs], subject to the following general principles:
    1. logs containing information on user activity are stored for no more than one year and are automatically deleted after that time;
    2. longer records of system logs created for statistical purposes are allowed, these statements should not contain information that identifies user actions;
    3. individual IT services may, in justified cases, store their own logs for a longer time, this information is placed in the privacy policy published by the given service.
§ 27
  1. Physical servers, arrays, network devices, virtual servers and central services are monitored by specialized software.
  2. In the event of a service failure, the monitoring system attempts to restart the service automatically.
  3. Information on critical failures is sent via e-mail and via an additional communication channel, e.g. SMS messages, to the entire group of administrators responsible for a given area of ​​operation.
  4. Monitoring the availability of servers and services should be implemented by at least two servers located in different locations, and an additional communication channel referred to in paragraph 3, should enable sending a message without the participation of NCU CN, so as to make the message system independent from the failure of NCU CN components.
§ 28
  1. Service servers must be updated by installing current security patches.
  2. In the event of receiving information about the emergence of a threat, UCI sends information to the appropriate group of recipients, but this does not relieve the administrators of the NCU CN subnet from the responsibility for the security of the networks they administer.
  3. Particular attention is paid to threats affecting secure communication between users and servers, the task of administrators is to maintain an appropriate level of security, even if it means restricting access from some users' devices.
§ 29
¶ Administrators have the right to limit the amount of server resources made available, and in justified cases they may limit access to network services, operations such as running the program, reading / writing files or connecting to another system.
§ 30
  1. Services available via the network launched on NCU CN servers must use secure software.
  2. In the event that the commissioning of software that implements services available over the network is ordered, for example, website execution, the administrator must ensure that he reserves the funds necessary to provide support for the software throughout its lifetime.
§ 31
  1. If it is determined that unauthorized persons have accessed the service server, administrators take appropriate corrective action.
  2. All violations of access rules are logged.
  3. If unauthorized access concerns a user account, administrators block the account and, if possible, notify the user.
  4. If unauthorized access concerns the server management level, then the server administrator should check the logs and audit the system software, and then take action to eliminate the cause of this incident.
§ 32
  1. In all cases where security elements are associated with access to the server, such as login data transfer, document handling, or personal data processing, the connection between the server and workstation must be via an encrypted channel.
  2. The server providing the secure service enforces the use of an encrypted channel, and the encryption parameters must comply with current security recommendations.
  3. In the case of personal data processing, it is necessary to ensure the protection described in the Security Instruction of the given personal data processing system.
§ 33
  1. All IT system administrators are required to maintain professional secrecy. The obligation of secrecy remains in force also after termination of employment at NCU.
  2. Secrets covered in particular:
    1. information on the configuration of the NCU network and IT systems;
    2. passwords and other access data;
    3. any personal information;
    4. content of home directories and user correspondence;
    5. administration data;
    6. system logs containing information on user activity.
  3. The disclosure of data covered by professional secrecy is only possible upon written request and must be preceded by the consent of the rector, chancellor or persons authorized by them.

Chapter 6 Information services

§ 34
  1. UCI maintains the university name server (DNS) for the needs of NCU CN. Access to the name server in the local network takes place in consultation with the administrator of NCU CN.
  2. The service of NCU subdomains on servers located outside NCU CN may take place only in particularly justified cases and requires the consent of the rector.
§ 35
  1. UCI maintains the university's e-mail server, is responsible for its proper configuration and continuous availability.
  2. Network services launched under names registered in the umk.pl domain run on NCU CN servers. Domain registration cannot be used only to redirect the service to a server outside the NCU or embed content downloaded from an external server.
  3. Local networks NCU CN may have their own e-mail servers or use a university server. The administrator of the NCU CN has the right to decide to block access to the e-mail service in the local network after it has been found to malfunction.
§ 36
  1. The task of e-mail servers is to deliver messages while protecting users against spam and messages containing unwanted software.
  2. Messages identified as suspicious but not classified as obvious spam must be marked accordingly so that the users can define their own rules of conduct.
  3. Users are obliged to apply the principle of limited trust, and in particular not to take actions such as entering their own password or changing the password in response to a received message.
  4. Due to the risks of sending spam from the NCU CN and related consequences, e-mail can only be sent via properly secured servers.
  5. Email sent from the NCU CN must be scanned for spam and containment of unwanted software; messages identified as dangerous must be blocked, and the user from whose account such correspondence was sent must be notified.
  6. It is forbidden to use web forms that allow sending mail to arbitrary recipients.
§ 37
  1. Sending mail to all employees or students requires the consent of the rector, vice rector, chancellor, or a person authorized by them.
  2. Permission to send such mail is granted once or permanently.
  3. The user with such consent will be provided by UCI with an address enabling the mailing.
§ 38
  1. UCI maintains the university's web server, is responsible for its proper configuration and continuous availability.
  2. NCU CN local networks may have their own WWW servers or use a university server. The administrator of the NCU CN has the right to decide on blocking access to the website in the local network after finding improper functioning of this service.
§ 39
  1. The web server administrator specifies the technical conditions for maintaining user web pages.
  2. Users' websites are used for educational and scientific purposes, and in the case of organizational units and organizations - for purposes consistent with their statutory activities.
  3. The user is responsible for the content of his website. In particular, § 1 para. 5.

Chapter 7 Managing the network layer

§ 40
  1. Individual NCU buildings are wired for the needs of NCU CN connections.
  2. Connections between buildings, depending on the situation, can be implemented using routes and devices of the TORMAN network and networks of external telecommunications operators.
  3. TORMAN network monitoring includes both the devices of the TORMAN network itself and selected devices of the local network.
  4. Network concentration points in buildings should be located in closed, air-conditioned rooms, and in the absence of such a possibility devices must be installed in lockable cabinets. Access to keys must be limited and registered.
  5. Networks in buildings are supported by managed switches with monitoring option as well as access control to individual sockets.
  6. Connections between switch sockets and end sockets of the network must be documented.
  7. In the case of construction projects whose scope includes the modernization or construction of cabling in the building, an indispensable element of the investment acceptance is the structural network cabling acceptance protocol confirming the compliance of the cabling performance with the assumed standards and receipt of complete as-built documentation of the structural network.
§ 41
  1. Connecting devices to the wired network that is part of NCU CN is protected.
  2. Network sockets in public areas are configured to identify the user using such a socket.
  3. The minimum requirement for protection in rooms with restricted access is the control of addresses assigned by the DHCP server and network monitoring for the appearance of unknown devices in it.
§ 42
  1. NCU maintains a central wireless network connected to the global eduroam system.
  2. Access to the eduroam network requires an active NCU CN account authorizing the use of the network or an account in another institution included in the eduroam system.
  3. NCU staff and students accounts authorize access to the eduroam network worldwide.
  4. NCU graduate accounts authorize access to eduroam only within the NCU area.
  5. Devices of persons having eduroam accounts outside NCU and holders of the NCU graduate accounts are placed in a virtual subnet, which is treated as an external network in relation to NCU. This network does not have automatic access to electronic magazines subscribed by NCU.
  6. The eduroam network is used to access the network in the NCU area and cannot be used to create permanent network connections through e.g. directional antennas and signal amplifiers.
  7. In situations that give rise to the suspicion that a user account is being abused, e.g. a large number of devices use one account, or the method of use indicates a permanent connection, administrators may block the user's permission to use the network.
§ 43
  1. It is forbidden to run unsecured wireless networks inside NCU CN.
  2. Access devices for wireless communication may be connected to the NCU CN only in consultation with the NCU CN administrator or a person authorized by the NCU CN administrator to make such decisions in a specific area; connecting devices without agreement will be treated as a serious breach of security of NCU.
  3. In justified cases, NCU CN administrators may use methods to jam unknown wireless devices.
  4. Devices using a wireless network may not interfere with other network users, and users of such devices are required to follow the instructions of the NCU CN administrator.

Chapter 8 User devices

§ 44
  1. Workstations owned by NCU should be protected by constantly updated software ensuring the security of the computer system. NCU provides necessary licenses for security software in accordance with the financial rules set by the rector.
  2. In the case of personal data processing, it is necessary to ensure the protection described in the Security Instruction of the given personal data processing system.
  3. Descriptions of protection for various operating systems are constantly updated and available on UCI websites.
  4. The Software Administrator assigned to the station is responsible for the security of the workstation software.
§ 45

Users' private devices may be connected in NCU CN, subject to the following rules:

  1. the users of the private device bear responsibility for threats that may result from the lack of proper protection of their devices;
  2. the users are required to properly protect their own devices so as to exclude unauthorized access to services, e.g. by using passwords saved on the device;
  3. if there is a possibility that the device with stored passwords may be used by an unauthorized person, the user is obliged to immediately change all access passwords in the NCU systems;
  4. specific service security instructions may impose additional restrictions on access from private devices.


§ 46
  1. If it is determined that a device interfering with the network operation operates in NCU CN or violates the principles of this Policy, the relevant network administrator has the right to immediately disable access of such device to the network.
  2. The administrator notifies the user of the device about the identified cases of violation of the Policy, and in justified cases or in the absence of a response from the user, also the appropriate user superior.
  3. All cases of identified violations of this Policy are recorded by administrators.

Chapter 9 Password policy

§ 47

Central service administrators use two-step authentication on the access server to access servers. The second element of authentication is a random number generated on an external device.

§ 48
  1. Users are required to keep access data secret. In particular, it is not allowed to give anyone the access password to an individual account.
  2. Passwords must meet security requirements enforced by password changing systems.
  3. In systems where personal data are processed, passwords specific to these systems are used and users' passwords are changed at least once a month, unless additional security mechanisms are used, e.g. tokens or lists of one-time passwords.
  4. It is permissible to set up a new password in the NCU systems by the SMS service, while the management policy of the particular system must regulate the rules for verifying the phone numbers associated with the accounts.

Chapter 10 Change of equipment user and disposal of electronic equipment and media that may contain data

§ 49

The user of electronic equipment provided to another user which may contain data requiring protection is obliged to assess the risk associated with the possible disclosure of data. If it is necessary, user erases the data in a way that prevents recovery. In case of doubt, the user contacts the relevant network administrator in this matter.

§ 50
  1. Electronic equipment is subject to the general principles of utilization adopted at NCU.
  2. The receipt and disposal of equipment that may contain data that requires protection, for example, on which personal data was processed, can only be entrusted to entities with appropriate permissions confirmed by an appropriate certificate.
  3. Equipment to be disposed of that may contain data that requires protection must be appropriately marked on the casing so that it can be properly transferred to the disposal entity.
§ 51

If data carriers containing data that require protection have not been subjected to the data eradication procedure, they can be entrusted for disposal only to entities with appropriate certification.

§ 52

If equipment containing data carriers with data requiring protection is subject to warranty repair, then one of the following conditions must be met:

  1. data on the storage medium is stored in encrypted form;
  2. the data carrier cannot be handed over to the company carrying out the repair, only the exchange of the carrier is allowed, leaving the original carrier with the owner.

Chapter 11 Final provisions

§ 53
  1. Expire:
    1. Ordinance No. 144 of the Rector of the Nicolaus Copernicus University of October 19, 2009 regarding the use of e-mail business addresses by the NCU employees for official purposes (NCU Legal Bulletin No. 9, item 283);
    2. Decree No. 76 of the Rector of the Nicolaus Copernicus University of 18 September 2007 - Regulations of the Computer Network of the Nicolaus Copernicus University in Toruń (NCU Legal Bulletin No. 7, item 178).
  2. The ordinance shall enter into force on December 19, 2017, with the exception of §20 - §22 and §24 - §26, which shall enter into force on July 1, 2018.

Rector
prof. dr hab. Andrzej Tretyn