Security Policy and Rules

Security Policy and Rules Security Policy and Rules Governing The Use Of The Computing & Communications Facilities at Macquarie University
November 1998

1. Introduction

The provision of extensive computing and communications facilities for use by staff and students of Macquarie University is an indispensable feature of research, teaching and administrative work.

The University Council approved the Security Policy and Rules Governing the Use of Computing and Communications Facilities at Macquarie University in 1991. These Policies and Rules have now been updated to reflect the growing demand for both computing and communications facilities in the University, to assist users of these facilities to ensure that the facilities are properly protected and are used in an effective and lawful way.

All University’s staff and students are responsible for ensuring that computing and communication facilities are used in an effective, efficient, ethical and lawful manner.

2. Purpose

In summary, the security policy and the rules aim to ensure:

The support for the education and research programs of the University,

The provision of uninterrupted services to the University community,

An ability to recover effectively and efficiently from disruptive events,

The preservation of confidential information,

The protection of the University’s computing and communication assets including data, software and hardware.

3. Definitions

(a) "University" means Macquarie University.

(b) "Computing facilities" includes:

(i) all networking services, computer hardware and software owned, leased or used under licence by the University including the University's academic and administrative computer systems;

(ii) computing facilities maintained by other bodies but available for use through an agreement or agreements with the University; and

(iii) all other computing facilities, wherever situated, where access is by means of University provided services.

(c) "Communications facilities" refers to any of the University's facilities used to access or transmit information including, but not necessarily limited to the Campus Backbone Network, Electronic Mail, the Campus Wide Information Service, World Wide Web, X-500 Directory Services, Telecommunications, PABX and Facsimile equipment.

(d) A "server" means a multi-user computer.

(e) A "user" means a staff member, student or authorised visitor to Macquarie University utilising, accessing, or attempting to gain access to the computing or communications facilities at Macquarie University.

(f) An "administrator" means an academic or general staff member of Macquarie University appointed to manage computing or communications facilities.

4. Copyright

The University and all members of the University are personally responsible for complying with the Commonwealth Copyright Act (Act) and with the terms and conditions of the particular contracts or software licences relating to acquired, leased or purchased computer and communications hardware and software.

Copying software without authorisation is a breach of the Act. If such breaches occur, severe penalties may be incurred by the individual concerned.

5. AARNet Access Policy
Revised Policy on Allowed Access to AARNet
(Provision of Carriage Services)
Endorsed by the AVCC on 10 March, 1998

The Australian Vice-Chancellor’s Committee (AVCC) has issued the following policy covering access to the Internet via AARNet members in order to provide a clearer definition of the categories of access to the Internet that should and shouldn’t be allowed via AARNet members.

While the provision of Internet access via AARNet members is restricted to the categories listed below, AARNet members may publish electronic information which would then be accessible to the wider community through other Internet access providers. However, an AARNet member should not publish material where it has no control over content and which could result in the AARNet member being held liable.

AARNet Members (AVCC member institutions, CSIRO, DSTO, ANSTO and AIMS) are required to abide by the following statement of principles:
5.1 Preamble

This policy has been developed from the earlier version which was approved by the Australian Vice-Chancellors’ (AVCC) in October 1995, and takes into account a number of changes impacting on the sector including: the arrangements with the AVCC’s suppliers: the 1997 Telecommunications Act (‘Act’) and the exemptions from the Carrier and Carrier Service obligations of that Act granted to eligible tertiary education institutions (specifically AVCC Member institutions) by the Minister for Communications, the Information Economy and Arts.

Importantly, whereas the previous policy comprised a statement of principles endorsed by AVCC Members, the revised policy encompasses legislative and contractual obligations on the use of the AARNet infrastructure resulting from arrangements with the AVCC’s Internet access and backbone network provider and, for the first time, restrictions flowing from the Act, together with the exemptions under subsections 51 (1) and 95 (1) of the Act.

Unless otherwise stated, the access policies below refer to the use of telecommunication services and plant and therefore address the carriage of data, images, video and voice. Legislation affecting the provision of on-line is currently being drafted by the Government and will be the subject of further advice to Members. In the meantime, AARNet Members may publish electronic information that would then be accessible to the wider community through other carriage service providers (eg ISPs). However, AARNet Members must abide by the obligations of the Copyright Act and Trade Practices Act, particularly where these Acts apply to electronic publishing and provision of information. AARNet members should not publish material in circumstances where they have no control over its contents, and which could result in AARNet Members being liable.

AARNet Members (AVCC Member institutions CSIRO, DSTO, ANSTO, and AIMS) must abide by the policies set out below.

AARNet member must ensure that those non-AARNet Members to whom they allow access abide by the policies set out below.

Those users authorised under points 1 and 2 below are together known as permitted users for the purpose of this policy.

The AVCC believes that the following is a fair and accurate statement of the contractual and legislative requirements applying in relation to the use of and access to AARNet. However, compliance with the contractual and legislative requirements remains the responsibility of each AARNet Member.

5.2 Access provided to AARNet by AVCC Members

5.2.1 Other than as provided in points 1, 2 and 3 below, AVCC Members may use AARNet for or in connection with research, educational or administrative functions of AVCC Members.

a. This may include providing access for the above purposes to:

staff

students

associated individuals (eg visiting fellows, honorary research associates);

campus based student and staff associations;

entities that are wholly owned by AVCC Members;

Tertiary Admission Centres associated with AVCC Members;

Participants in Cooperative Research Centres, Cooperative Multimedia Centres, and other collaborative ventures where;

- the principle objective of such a collaborative venture is the advancement of university teaching, administration and/or research; and

- each participant in a collaborative venture complies with the policy in point 3 below

publicly funded not-for-profit research agencies that are jointly undertaking teaching, administration and/or research programs with an AVCC Member (eg the Anglo Australian Observatory);

conferences, congress and workshops where there exists an educational , research or professional society association with the AVCC Member (but not in circumstances where the conference, congress or workshop has a principally commercial objective); and

a person or organisation that has contracted with an AVCC Member to provide dial-in access by staff or students to that AVCC Member’s network facilities. Other than payment for the provision of the dial-in services, the person or organisation must not receive any commercial benefit from providing that dial-in access. (This matter is still the subject of negotiation with the AVCC’s supplier and the details of how this may be implemented will be the subject of further advice to members).

b. Access may be granted for

affiliated bodies (eg residential colleges);

those sections or departments of AARNet Members situated within another organisation (eg the teaching and research departments of the AARNet Member within a hospital, however this access must not extend to providing access to the hospital itself); and

the CSIRO, DSTO,ANSTO and AIMS for their use in connection with their research and administration.

Provided that either an AVCC Member owns the Network units used to convey any information or these network units are leased from a carrier. Any AVCC-owned network unit must predominantly carry AVCC traffic referred to in point 5.1 above.

5.2.2 AVCC Members must not provide access to any individual, group or organisation referred to in point 5.2.1 above where that access is for purposes that;

Are not related to the teaching, research or administrative activities of the AVCC Member; or

Are not related to the research or administrative functions of the non-AVCC AARNet Member (CSIRO,DSTO, ANSTO, AIMS);or

Comprise commercial activities (other than those commercial activities that form part of the teaching or research activities of the AARNet Member, such as providing access to AARNet to fee-paying students);

Specifically, AARNet access must not usually be provided to;

vendors and commercial clients of AARNet Members;

organisations (that are not covered in 1.1 above) based on Technology Parks;

government departments and agencies;

TAFE and VET institutions, unless these are an integral part of the University AARNet Member;

Schools and community organisations; and

Members of Alumni associations (except that AARNet Members may provide information services (eg Web page hosting) to members and Alumni associations and to other external bodies. However access to these information services by such associations and bodies, and by other parties, must be provided through carriage service providers).

5.3 Access to AARNet by AARNet Members who are not AVCC Members

5.3.1 The CSIRO, DSTO, ANSTO and AIMS may use AARNet in connection with their research or administration functions provided that either an AVCC member owns the network units used to convey any information or the network units are leased from a carrier. Any AVCC-owned network unit must predominantly carry traffic referred to in point 5.1 above

5.3.2 The CSIRO, DSTO, ANSTO and Aims may provide access to AARNet for non-AARNet members in the circumstances set out in point 5.3.1, provided also that the non-AARNet Member complies with point 5.4 below. 5.4 Access to AARNet by non-AARNet Members

AARNet members who provide access to AARNet members under points 5.1 or 5.2 must ensure that non-Members:

Do not use AARNet access for purposes other than for the purposes they are permitted access

Do not provide access to AARNet to anyone else

Do not undertake commerical activities (other than commercial activities that are related to the teaching, research or administrative functions of AVCC members, or the esearch and administrative functions of non-AVCC members) and

Comply with this and other AARNet policies

5.5 Non-compliant intra-campus traffic

Transit of traffic within an AVCC Member campus network that does not otherwise comply with this policy is allowed under the exemption from carrier and carriage service obligations. Such traffic destined for the wider internet, must be channelled to a carriage service provider through a connection within the campus boundary. This concession under the exemption is intended to facilitate the provision of services on campus while ensuring that traffic that does not otherwise conform with this policy is redirected before leaving the campus.

5.6 Exclusive use of the AVCC’s Supplier’s Telecommunications Services

The telecommunications services (‘Services’) provided to the AVCC by the AVCC’s Internet access and backbone network supplier (‘Supplier’) must be used by AARNet Members for access to AARNet permitted under this policy. The Services encompass access to the international and national Internet and interconnection of Regional Network Organisation hub sites.

Accordingly, for access allowed under this policy, services equivalent in functionality to the Supplier’s Services must not be acquired from another provider unless the Supplier is unwilling or unable to provide that service on the basis agreed with the AVCC.

The Supplier also offers newsfeed and DNS forwarding services and will offer a multicast service. Services such as newsfeeds and multicast sourced from another provider must not transit the gateway between AARNet and the domestic Internet.

5.7 No Benefit to Third Parties

The financial arrangements under the contract with the AVCC;s Supplier for the provision of Services to AARNet Members are currently more attractive than those available elsewhere in the marketplace. The contractual consequence of this is that AARNet Members must not permit any benefit from these arrangements to a person other than a permitted user.

5.8 Indemnities

It is the responsibility of each AARNet member to ensure that it is adequately protected from breach of legislative and contractual obligations by obtaining suitable releases and indemnities from those persons and organisation to whom it provides access to AARNet.

5.9 Register of Non-Members

Each AARNet member must maintain a list of Non-Members to whom it provides AARNet access and must make this information available for review by the AVCC, This information may be required for audit of contractual compliance or Ministerial review. As the current exemptions cease to have effect on 31 December 1999 (or such later date as is determined by the Minister) a Ministerial review is likely to be undertaken prior to this date.

5.10 Obligations under the Telecommunications Act 1997

If an AARNet Member provides access to AARNet that contravenes any provision of the exemptions granted to the AVCC Members from the carrier and carriage service obligations of the Telecommunications Act, that AARNet Member must abide by the requirements of the Act. Compliance with obligations and payment of penalties under the Act are the responsibility of that AARNet Member.

Access that contravenes any provision of the exemptions from carrier and carriage service obligations of the Act granted to AVCC Members must not:

Transit the AARNet backbone network (including the inter-Regional Network Organisation links and the links to the national and international Internet gateways); or

Transit the infrastructure of any other AARNet Member (unless that AARNet Member also complies with the carrier, carriage service and other requirements of the Act).

5.11 Clarifications

Because the legislation is largely untested, the interpretation of the determinations is complex and the application of the principles contained in this policy is not without difficulty the AVCC will, from time to time, issue clarification statements to assist AARNet Members to give effect to this policy document.

6. Internet Security

In 1988 the United States of America Internet community recognised the need for a Computer Emergency Response Team (CERT). This response team is still in existence today and advises on a National and International levels when breaches in computer security are reported.

The need for an Australian based CERT called AUSCERT stemmed from an increase in unauthorised attempts to access computers in Australian tertiary and research institutions. These attacks reached a peak in 1992 when there was no coordinated response team local to Australia. As a result AUSCERT was formed and is contracted by the AVCC to provide security services for all AARNet Members and Affiliates. AUSCERT provides a single trusted point of contact in Australia for the AARNet community to deal with computer security incidents and their prevention. The aim is to reduce the probability of successful attack, reduce the direct costs of security to organisations and lower the risk of consequential damage. AUSCERT also contracts certain security services to other organisations not associated with AARNet.

It was strongly recommended that all AARNet members and affiliates and other associates of AUSCERT register with AUSCERT and Macquarie University has done so through the Office of Computing Services. The AUSCERT registration process establishes two way communication between an organisation and AUSCERT specifically for computer security matters. Macquarie University has registered with AUSCERT with the Director, OCS being the primary contact.

The above describes the organisation at the national and international levels. At the Macquarie University level, the Office of Computing Services provides the equivalent of an MQCERT function.

The University has developed an Incident Report System which is used by the University for its own internal purposes and as a basis of reports made to AUSCERT. All reports are investigated and where appropriate suspension of access and/or disciplinary action is initiated.

7. Disciplinary Action

Any breach of these rules may result in immediate suspension of access to facilities followed by a report to the appropriate Head of School or Office for disciplinary action in accordance with the sanctions set out in these Policies and Rules and the University By-Laws.

8. Disclaimer

The University makes available to users, both internal and external, computing and communication facilities. The University accepts no responsibility for any damage arising directly or indirectly from use of these facilities. The University makes no warranty, express or implied regarding the computing and communications services offered, or their fitness for any particular purpose.

9. Responsibility for Computer and Communications Security.
9.1 Personnel
9.1.1 The Vice-Chancellor is responsible for the overall management of computer and communications security.

9.1.2 The Pro Vice-Chancellor (Administration and Information Services) on advice from Senior Officers, the Director, Office of Computing Services and Heads of Schools, Centres and Offices is responsible for enforcing any regulation or disciplinary action against any person found to violate any laws or University policy and guidelines.

9.1.3 The Director, Office of Computing Services is responsible for computing and communications security relating to all aspects of the operation of computing hardware, software and communication links, including PABX and telephone systems and facilities that are under his or her control. The Computer Security Officer (or other staff where appointed) under the direction of the Director is/are responsible for day to day operational aspects and for the continuous protection of data maintained on computing and communications facilities within the Office of Computing Services.

9.1.4 The Director, Office of Computing Services is responsible for considering and approving requests for the use of computing and communications facilities for consulting purposes.

9.1.5 Senior Officers and Heads of Schools and Centres are responsible for ensuring that appropriate and reasonable security practices are in place within their area of responsibility. This may include identifying who has access to equipment and data and who can amend software programs and data.

9.1.6 All users are responsible for ensuring that they use the University’s computing and communications facilities in an ethical and legal manner and any actions are not to the detriment of others. The use of computing and communications facilities implies agreement to comply with any rules or guidelines determined from time to time by the Pro Vice-Chancellor (Administration and Information Services) or the Director, Office of Computing Services or any other authorised Officer of the University.

9.2 Server Security
To ensure security across the University’s computing and communications facilities:

1. All servers must have a system of registration of users.

2. User accounts on servers must have passwords and these passwords must conform to guidelines and automatically expire at frequent intervals preferably at least every 40 days.

3. Each server must be under the control of an administrator.

4. The data on each server will be backed up at regular intervals with at the very minimum incremental back-ups each week.

9.3 Physical Security

Critical communication links, important servers, and other key equipment should be located in physically secure areas to reduce the risk of theft, sabotage and disruption. Additional security issues that need to be considered are physical access, environmental hazards and power surges.

9.4 System and Application Security

Systems and application security should include restricted access paths, user identification and authentication, access control software and access control for application software to ensure the integrity of data, confidentiality, privacy and availability of data.

9.5 Rules

The following rules address computing and communication usage. Any exemption from these rules must be in writing from the Director, Office of Computing Services.

9.5.1 Access to the University's academic and administrative computing and communication facilities is available to a user for approved teaching, research and administrative purposes. In the case of students this access is only for purposes directly related to their academic programs.

9.5.2 Access to a University computing system will be provided only after the completion of the required access form, and then only after approval by the relevant administrator, on the basis of the rules applying to that system.

9.5.3 The University reserves the right to withdraw the availability of any computing and communications facility without notice.

9.5.4 A user shall not use any other person's computer account unless it is a special group account authorised by the Director, Office of Computing Services or the relevant administrator. A user shall not allow any other person to use their computer account.

9.5.5 A user shall not lend their computer password or attempt to discover or change any other computer user's password.

9.5.6 A user shall use only those resources, facilities and data which have been made available for general access, or those which the user has been authorised to use and only for purposes authorised.

9.5.7 A user shall not copy, disclose or transfer any computer software provided by the University without written permission from the Director, Office of Computing Services or relevant administrator.

9.5.8 A user shall not collect nor discard any electronic, printed or magnetic material which is not their property or property for which they have authorised access.

9.5.9 Users of the University's computing and communications facilities have the right to privacy and security of their computer programs and data. A user shall not copy, disclose, transfer, examine, rename, change, add to or delete software, data or information belonging to another user without that user's permission.

9.5.10 A user shall not use computing and communications facilities to harass others, or interfere with their work. For example, it is a breach of these rules to send obscene, abusive, fraudulent, threatening or repetitive messages to a user or users.

9.5.11 A user shall not attempt to modify system facilities, install viruses, illegally obtain extra resources, degrade the performance of any system, nor attempt to subvert the restrictions associated with any computer system, computer account, network service or personal computer protection software.

9.5.12 A user shall not tamper with terminals, personal computers or any associated equipment. Faults must be reported to the controlling School/Centre/Office or the Office of Computing Services.

9.5.13 A user shall not infringe the provisions of any hardware or software licensing agreements. In case of doubt users should seek advice from the Director, Office of Computing Services or a nominee or relevant administrator.

9.5.14 In relation to web pages all information displayed, referenced, linked or transmitted must include an acknowledgment to the intellectual property ownership and copyright of all articles including linked articles. Furthermore, the user of the computer account under which web pages are created and/or stored will be held responsible for all information displayed, including other web pages referenced or linked.

9.5.15 Information stored, referenced, linked, transmitted or processed by the University’s computing and communication facilities must adhere to the University’s established publication, visual and language guidelines. Users must not make available any print or visual materials that might be offensive to community standards. For further information please consult the Macquarie University Language Guidelines.

9.5.16 A user may not use the computing or communication facilities for or on behalf of any party for the purpose of profit making or commercial activity, unless written permission has been obtained from The Director, Office of Computing Services or relevant Head of School/Office/Centre.

9.5.17 A user who has booked a specific facility and has not abandoned the booking shall have exclusive use of that facility during the booked period.

9.5.18 Notwithstanding the provisions of Clause 9.5.9 the Pro Vice-Chancellor (Administration and Information Services) and nominee(s), and relevant administrators have the right to examine all computer files and to monitor computer usage, to ensure compliance with these rules and to maintain a secure, efficient computing and communications environment.

9.5.19 Notwithstanding clauses 9.5.4,9.5.7,9.5.8,9.5.9 and 9.5.12 above, server administrators have the right and duty to take such actions as to ensure the proper running of the computing facility in their charge. This includes but is not necessarily limited to accessing accounts not their own, deleting files, taking back-ups and collecting materials not their own.

9.5.20 The University regards abuse of any computing or communications facility at other sites whilst they are actively connected to the Macquarie University networks as abuse of computing privileges at Macquarie University.

9.5.21 The University regards abuse of computing laboratories as abuse of computing privileges. Abuse of these laboratories includes:

(i) leaving the room in an untidy condition;

(ii) collecting or discarding any material without the owner's permission;

(iii) smoking, eating or drinking in the laboratories, or related areas;

(iv) stealing paper or other material from printers and storage areas;

(v) using unauthorised software (including computer games) on personal computers or other networked facilities.

The University reserves the right to suspend access to any computing facility until the condition of the affected computing laboratory has been restored to an acceptable level.

9.5.22 It is an offence to remove, deface or corrupt notices or records which are placed in computing laboratories by authorised University staff for the purpose of promulgating these rules or assisting in the orderly use of computing facilities.

In respect of all the preceding rules, an attempt to perform any of the prohibited actions, whether successful or not, will be considered to be an equal offence.

10. Enforcement of Rules

Any Action taken by a user(s) that violates any legal statutes, University By-Laws, policies or guidelines shall be treated as a criminal offence or misconduct and may result in criminal proceedings or disciplinary action (or both) being taken against the offender(s).

The Director, Office of Computing Services (OCS) may take immediate action to deny any user(s) access to those computing and communications facilities under control of OCS as a consequence of any action which is deemed to be detrimental to computing and communications facilities or data and-or in non-compliance with any law, University policy, procedures or guidelines.

Senior Officers, Heads of Schools, Centres and Offices may take immediate action to deny user(s) access to those computing and communication facilities under their control as a consequence of any action which is deemed to be detrimental to the University, its computing and communications facilities or data, and/or in non-compliance with any law, University policy, procedures or guidelines.

Any action taken by the Director, Office of Computing Services, a Senior Officer or a Head of School, Centre or Office to suspend access by a user(s) to computing and/or communications facilities shall be reported in writing to the Pro Vice-Chancellor (Administration and Information Services) who shall recommend what further action should be taken in accordance with the provisions of the appropriate Chapter XV of the University By-Laws.