|
|
| Linia 1: |
Linia 1: |
| − | {{DISPLAYTITLE: NCU CN Security Policy - extract for users}}
| + | #PATRZ [[NCU_CN_Security_Policy_excerpt]] |
| − | | + | |
| − | | + | |
| − | <div class="noautonum">__TOC__</div>
| + | |
| − | | + | |
| − | | + | |
| − | This is a partial translation of Rector's Decree 196 (2017)
| + | |
| − | consisting of rules that directly concern the users of the NCU Computer Network.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | ====Chapter 1 General concepts====
| + | |
| − | =====§ 1=====
| + | |
| − | </center>
| + | |
| − | #At Nicolaus Copernicus University in Toruń, hereinafter referred to as the "NCU", there is a computer network. | + | |
| − | #The computer network of NCU, hereinafter referred to as "NCU CN", covers all NCU premises, in particular locations in Toruń, Piwnice and Bydgoszcz, as well as network services provided by NCU on its own or foreign resources.
| + | |
| − | #The basic role of NCU CN is to support teaching, scientific and university management processes.
| + | |
| − | #NCU shall not be liable for losses resulting from the failure of NCU CN.
| + | |
| − | #NCU CN may be used in a manner that does not violate applicable legal regulations.
| + | |
| − | #Through NCU CN it is not allowed to distribute content or images of commercial, advertising, political, etc. without the consent of the rector or chancellor.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | =====§ 2=====
| + | |
| − | </center>
| + | |
| − | <ol>
| + | |
| − | <li>The security policy of NCU CN, hereinafter referred to as "Policy", introduces unified operating principles for users and network and service administrators to ensure proper data protection.
| + | |
| − | <li>The policy consists of the main document issued as the Rector's order and three annexes defining detailed procedures for the following areas of NCU CN:
| + | |
| − | <ol>
| + | |
| − | <li>account management - [[Polityka bezp zał 1|annex No. 1 - in Polish]];
| + | |
| − | <li>domain management - [[Polityka bezp zał 2|annex No. 2 - in Polish]];
| + | |
| − | <li>external services, provided by the account in NCU CN - [[Polityka bezp zał 3|annex No. 3 - in Polish]].
| + | |
| − | </ol>
| + | |
| − | <li>Responsibility for maintaining the Policy, in particular for submitting update proposals resulting from changes in law and technology, rests with the Information & Communication Technology Centre of the Nicolaus Copernicus University, hereinafter referred to as "UCI"
| + | |
| − | <li>The policy is accompanied by internal documents, approved by the UCI director, specifying the detailed rules of operation within the subsystems constituting NCU CN.
| + | |
| − | <li>If the word should and its variants is used in this text, then should be interpreted that any exceptions for a given rule must be justifiable and documented.
| + | |
| − | </ol>
| + | |
| − | | + | |
| − | <center>
| + | |
| − | ====Chapter 2 Users of NCU CN====
| + | |
| − | =====§ 5=====
| + | |
| − | </center>
| + | |
| − | #NCU CN user is any person using a device connected to NCU CN or a NCU CN network service.
| + | |
| − | #In order to access the protected resources of NCU CN, it is necessary to have a NCU CN user account, hereinafter referred to as the NCU CN account.
| + | |
| − | #NCU CN account additionally gives you the right to use selected external services, as set out in the Regulations for the use of external services, constituting [[Polityka bezp zał 1|Annex 3 - in Polish]] to this decree.
| + | |
| − | #In some cases, access to specific services requires special accounts linked to services. Such an account is called an account in the service.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | =====§ 6=====
| + | |
| − | </center>
| + | |
| − | <ol>
| + | |
| − | <li>NCU CN account is a registered permission to use NCU CN.
| + | |
| − | <li>the following persons are entitled to an NCU CN account
| + | |
| − | <ol>
| + | |
| − | <li>employees of NCU employed under a contract of employment or a civil law contract;
| + | |
| − | <li>pensioners the NCU;
| + | |
| − | <li>other people, to whom an account is necessary in connection with teaching classes given at the NCU or other activities like courses, practices, etc.;
| + | |
| − | <li>NCU students (including PhD students);
| + | |
| − | <li>guests of NCU during their stay at the university;
| + | |
| − | holders of an alumni card of the NCU;
| + | |
| − | <li>other persons - in particularly justified cases, with the consent of the UCI director.
| + | |
| − | </ol>
| + | |
| − | <li>One person may have only one SK SKU account on main university servers .
| + | |
| − | <li>Employees, pensioners, and students of NCU have the right to maintain their own website, maintained in accordance with § 1 para. 6.
| + | |
| − | </ol>
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 7=====
| + | |
| − | </center>
| + | |
| − | #Procedures regarding the service of NCU CN accounts are included in [[Polityka bezp zał 1|Annex No. 1 - in Polish]].
| + | |
| − | #NCU CN accounts of the alumni card holders of the NCU are governed by the principles set out in the Regulations of the Alumni Program.
| + | |
| − | #An NCU CN account used in violation of § 1 para. 5 is blocked by NCU CN administrator or administrator of the relevant local network. The appropriate supervisor of the user is notified of the fact of blocking NCU CN account, who, after clarifying the case, rules on unblocking of the account.
| + | |
| − | #Additional rules for keeping user accounts in local networks of NCU CN can be specified in the regulations of these networks.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 8=====
| + | |
| − | </center>
| + | |
| − | #NCU CN accounts of persons who have lost their entitlement expire and are cleared after the deadline set for a given account type.
| + | |
| − | #A user who has lost the status entitling him to an NCU CN account, will be informed by an emal form the administrator about the date when the account
| + | |
| − | #The identifier, or email aliases associated with it, of canceled NCU CN accounts will not be re-assigned to another person.
| + | |
| − | #Deadlines and procedures for canceling NCU CN accounts are described in [[Polityka bezp zał 1|Annex 1 - in Polish]].
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 9=====
| + | |
| − | </center>
| + | |
| − | <ol>
| + | |
| − | <li>A functional account is the right to perform tasks or to run information services for the needs of:
| + | |
| − | <ol>
| + | |
| − | <li>organizational units of the NCU;
| + | |
| − | <li>registered student organizations operating at the NCU;
| + | |
| − | <li>student science clubs;
| + | |
| − | <li>other institutions and organizations, made available under separate regulations or arrangements.
| + | |
| − | </ol>
| + | |
| − | <li>Functional accounts of the organizational units of the NCU are run on the order of their manager.
| + | |
| − | <li>Functional accounts of student organizations as well as student clubs are run at their request approved by the rector or dean.
| + | |
| − | <li>Each functional account must have a supervisor appointed by the person responsible for creating such an account.
| + | |
| − | <li>Functional accounts may only be used in accordance with the purpose for which they were granted.
| + | |
| − | </ol>
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 10=====
| + | |
| − | </center>
| + | |
| − | #An account in a service is the right to access a service that does not use the NCU CN account system.
| + | |
| − | #Services can define their own regulations regarding the requirements for accounts in the service, in particular on how to log in to the service, the quality and frequency of changing the password, etc.
| + | |
| − | #Services can define their own rules regarding the expiration dates of accounts and the procedures for removing them.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 11=====
| + | |
| − | </center>
| + | |
| − | #E-mail addresses in the form of ID@umk.pl or ID@cm.umk.pl, where ID is an identifier that meets the requirements of electronic mail, can be assigned only to NCU CN accounts of employees, pensioners and pensioners of NCU, persons listed in § 6 para. 2 point 3 and functional accounts.
| + | |
| − | #An employee of NCU using the NCU CN account on the central university server receives by default the email address ID@umk.pl or ID@cm.umk.pl, where ID is the account identifier; when creating an account, he is informed about the possibility of defining additional e-mail addresses.
| + | |
| − | #PhD students using the NCU CN account on the general university server use e-mail addresses in the form of ID@doktorant.umk.pl, where ID is the PhD student's account ID.
| + | |
| − | #Other students using an NCU CN account at a central student server use e-mail addresses in the form of ID@stud.umk.pl, where ID is the student's account identifier.
| + | |
| − | #Guests of NCU during their stay at the university using the NCU CN account on the general university server of NCU (in accordance with this Policy) use e-mail addresses in the form of ID@v.umk.pl, where ID is the account identifier.
| + | |
| − | #The holders of the alumni card of the Nicolaus Copernicus University use the e-mail addresses defined by the Regulations of the Absolwent Program.
| + | |
| − | Users of NCU CN accounts on local servers use e-mail addresses determined on the basis of regulations concerning these servers.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 12=====
| + | |
| − | </center>
| + | |
| − | #Employees of NCU are obliged to use business e-mail addresses while conducting business correspondence.
| + | |
| − | #It is not recommended to configure automatic forwarding of mail received to the address of NCU to servers outside of NCU. UCI is not responsible for problems related to the delivery of e-mails, if the account is configured to redirect to a server outside of NCU.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 13=====
| + | |
| − | </center>
| + | |
| − | <ol>
| + | |
| − | <li>In order to protect the network, NCU CN user is obliged to take care of the security of their accounts, in particular to protect their passwords and other data used for authentication.
| + | |
| − | <li>The user can not request a password change or reenabling an blocked account by phone if it is not possible to identify the caller.
| + | |
| − | <li>The NCU CN user is forbidden to:
| + | |
| − | <ol>
| + | |
| − | <li>allow other people to use their accounts and related rights;
| + | |
| − | making attempts to use a foreign account and run the application decrypting the password;
| + | |
| − | <li>conduct activities aimed at eavesdropping or interception of information flowing on the network;
| + | |
| − | <li>change of the assigned IP address of devices (except for situations agreed with the administrator of the relevant network);
| + | |
| − | <li>launch applications that may disrupt or destabilize the operation of a computer system or network, or compromise the privacy of system resources;
| + | |
| − | sending mass mail directed to random recipients (spam).
| + | |
| − | </ol>
| + | |
| − | <li>If the user fails to comply with these rules, the administrator may temporarily restrict or block access to the network or service.
| + | |
| − | </ol>
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 14=====
| + | |
| − | </center>
| + | |
| − | #The content of the user's account, in particular the contents of the mailbox, is protected by professional secrecy.
| + | |
| − | #In justified cases, following the decision of the rector or chancellor, the content of the account may be made available to third parties.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | ====Chapter 5 Data and service protection====
| + | |
| − | =====§ 33=====
| + | |
| − | </center>
| + | |
| − | <ol>
| + | |
| − | <li>All IT system administrators are required to maintain professional secrecy. The obligation of secrecy remains in force even after termination of the employment at NCU.
| + | |
| − | <li>Business secret covers in particular:
| + | |
| − | <ol>
| + | |
| − | <li>information on the NCU network and information systems configuration;
| + | |
| − | <li>passwords and other access data;
| + | |
| − | <li>all personal data;
| + | |
| − | <li>the contents of home directories and user correspondence;
| + | |
| − | <li>administration data;
| + | |
| − | <li>system logs containing information about user activity.
| + | |
| − | </ol>
| + | |
| − | <li>Sharing data covered by professional secrecy is possible only on a written request and must be preceded by obtaining the consent of the rector, chancellor or persons authorized by them.
| + | |
| − | </ol>
| + | |
| − | <center>
| + | |
| − | | + | |
| − | ====Chapter 6 Information services====
| + | |
| − | =====§ 36=====
| + | |
| − | </center>
| + | |
| − | #The role of e-mail servers is to deliver messages while protecting of users against spam and messages containing undesirable software.
| + | |
| − | #Messages identified as suspicious, but not classified as evident spam, must be appropriately marked so that the users can define their own rules of conduct.
| + | |
| − | #Users are required to apply the principle of limited trust, and in particular to not take actions such as entering their own password or changing the password in response to the received message.
| + | |
| − | #In order to minimise sending spam from NCU CN and resulting consequences, e-mail may be sent only through properly secured servers.
| + | |
| − | #An e-mail sent from NCU CN must be scanned for spam and unsolicited software; shipments identified as dangerous must be blocked and the user from whose account such correspondence has been sent must be notified.
| + | |
| − | #It is forbidden to use internet forms that allow sending mail to any recipients.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 37=====
| + | |
| − | </center>
| + | |
| − | #Sending mail to all employees or students requires the consent of the rector, vice-chancellor, chancellor, or a person authorized by them.
| + | |
| − | #Consent to sending such e-mail is granted on a one-off basis or permanently.
| + | |
| − | #The user with such consent will be provided by UCI with an address enabling the mailing.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | ====Chapter 7 Managing the network layer====
| + | |
| − | | + | |
| − | =====§ 42=====
| + | |
| − | </center>
| + | |
| − | #NCU maintains a central wireless network connected to the global eduroam system.
| + | |
| − | #Access to the eduroam network requires an active NCU CN account authorizing the use of a network or an account in another institution included in the eduroam system.
| + | |
| − | #NCU CN accounts of employees and students of NCU authorize access to the eduroam network around the world.
| + | |
| − | #NCU CN accounts of NCU alumni are authorize access to eduroam only within the NCU premises.
| + | |
| − | #Devices of persons having eduroam accounts outside of the NCU and holders of the NCU alumni account are placed in a virtual subnet, which is considered to be an external network in relation to NCU. Automatic access to electronic magazines subscribed by NCU is not enabled in this network.
| + | |
| − | #The eduroam network is used to access the network in the NCU area and can not be used to create permanent network connections through, for example, directional antennas and signal amplifiers.
| + | |
| − | #In situations giving rise to the suspicion that the user's account is being abused, for example, a large number of devices are used from one account, or the way of using indicates a permanent link, administrators can block the user's permission to use the network.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 43=====
| + | |
| − | </center>
| + | |
| − | #Within NCU CN it is forbidden to run unsecured wireless networks.
| + | |
| − | #Wireless access devices may be connected to NCU CN only in consultation with the administrator of NCU CN or a person authorized by the administrator of NCU CN to take such decisions in a given area; connecting devices without prior authorization will be treated as a serious breach of the safety of NCU CN.
| + | |
| − | #In justified cases SK SKM administrators can use methods of jamming unknown wireless devices.
| + | |
| − | #Devices using a wireless network must not interfere with the work of other network users, and users of such devices are required to comply with the recommendations of NCU CN administrator.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | | + | |
| − | ====Chapter 8 User devices====
| + | |
| − | | + | |
| − | =====§ 44=====
| + | |
| − | </center>
| + | |
| − | #Workstations owned by NCU should be protected by up-to-date software ensuring the security of the computer system. NCU provides the necessary licenses for security software in accordance with the financial rules determined by the rector.
| + | |
| − | #In the case of personal data processing, it is necessary to provide the protection described in the Privacy Policy of a given personal data processing system.
| + | |
| − | #Descriptions of the protection of various operating systems are constantly updated and available on UCI websites.
| + | |
| − | #The Software Administrator assigned to a given station is responsible for the security of the workstation software.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 45=====
| + | |
| − | </center>
| + | |
| − | Users' private devices can be connected to NCU CN, under the following conditions:
| + | |
| − | #the users of private devices are responsible for the risks that may arise from the lack of proper protection of the devices;
| + | |
| − | #the users are required to properly protect their devices, so as to exclude the possibility of unauthorized access to services, e.g. by means of passwords stored on the device;
| + | |
| − | #if there is a possibility that the device with stored passwords may be used by an unauthorized person, the user is obliged to immediately change all access passwords in the NCU systems;
| + | |
| − | #safety instructions for specific services may introduce additional restrictions on access from private devices.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 46=====
| + | |
| − | </center>
| + | |
| − | If it is determined that a device interfering with the network operation operates in NCU CN or violates the principles of this Policy, the relevant network administrator has the right to immediately disable access of such device to the network.
| + | |
| − | The administrator notifies the user of the device about the identified violations of the Policy, and in justified cases or in the absence of the user's reaction, also the appropriate user's superior.
| + | |
| − | All cases of identified violations of this Policy are registered by administrators.
| + | |
| − | <center>
| + | |
| − | | + | |
| − | ====Chapter 9 Policy of passwords====
| + | |
| − | =====§ 47=====
| + | |
| − | </center>
| + | |
| − | Central service administrators use 2-step authentication on an access server to access servers. The second element of authentication is a random number generated on an external device.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | | + | |
| − | =====§ 48=====
| + | |
| − | </center>
| + | |
| − | #Users are required to keep their access credentials secret. In particular, it is not allowed to pass on an access password to an individual account to anyone.
| + | |
| − | #Passwords must meet security requirements enforced through password change systems.
| + | |
| − | #In systems where personal data is processed, passwords specific to these systems are used and user passwords are changed at least once a month, unless additional security mechanisms such as tokens or one-time password lists are used.
| + | |
| − | #It is allowed to use the SMS service in the NCU systems, but the management policy of the specific system must be governed by the rules for verification of telephone numbers associated with the accounts.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | ====Chapter 10 Change of equipment user and disposal of electronic equipment and media that may contain data====
| + | |
| − | | + | |
| − | =====§ 49=====
| + | |
| − | </center>
| + | |
| − | Before any electronic equipment which may contain data requiring protection is passed to a new user, the current user is obliged to make a risk assessment of possible disclosure of data.
| + | |
| − | If it is necessary, the data needs to be deleted in a way that does not allow it to be recovered. In case of doubt, the user contacts the appropriate network administrator in this matter.
| + | |
| − | | + | |
| − | <center>
| + | |
| − | =====§ 50=====
| + | |
| − | </center>
| + | |
| − | #Electronic equipment is subject to the general principles of utilization adopted at NCU.
| + | |
| − | #Collection and disposal of equipment, which may contain data requiring protection, for example the one on which personal data were processed, can be entrusted only to entities with appropriate qualifications confirmed by an appropriate certificate.
| + | |
| − | #Equipment intended for disposal, which may contain data requiring protection, must be clearly marked, so that it can be properly handed over to the utilizing entity.
| + | |
| − | <center>
| + | |