Guidelines for E-mails
E-mail and other electronic information systems will, in accordance with the University's ICT policy and master plan, reduce the need for paper-based communication. The University makes available e-mail systems for use by its staff and students and encourages the appropriate use of e-mail as an alternative to paper-based communication.
Use of E-mail
The e-mail systems are University property and the University reserves the right to monitor and to access any e-mail messages.
The use of e-mail for incidental and occasional personal purposes is permitted for convenience but should not be used for private confidential correspondence.
All users are responsible for ensuring that their e-mail usage is within the regulations and is ethical and lawful.
The sending of text or images that contain material of an offensive, indecent or obscene nature is prohibited.
Users (students/staff) of e-mail should be aware that the following practices are not allowed by the university:
Any use that violates University policies, standards and administrative directives.
The use of another individual's e-mail account using that individual's identity (i.e. the individual's username/password details);
Impersonation or misrepresentation of another individual;
Alterations of source or destination address information;
The use of e-mail that could result in the inadvertent commitment of the University to a contract or agreement if it appears to the other party that he/she has authority to do so;
The e-mailing of some sensitive messages, for example employment decisions;
The use of external e-mail accounts (e.g. Hotmail) for University purposes - this is due to security, sender authorisation and data protection issues. This includes auto-forwarding of university e-mail to external accounts;
The use of e-mail for personal reasons to promote or denigrate companies or organisations, or insult other staff.
Misuse of E-mail
Penalties for misuse of e-mail will depend on the seriousness of the offence, and be in accordance with current University procedures, rules and regulations.
Users (staff and students) of e-mail should adhere to the following guidelines for appropriate use:
Check your e-mails regularly;
Be polite. Messages sent by e-mail can often seem abrupt, even when this is not the intention. Use professional courtesy and discretion. The use of all upper-case text in either the subject or the body of an e-mail should also be avoided as this is deemed to be the e-mail equivalent of shouting;
Do not reply “With History” if it is not necessary, especially if it incorporates a large attachment;
Set the Out-of-Office flag and arrange for someone to deal with your e-mail if you are away;
Messages should be clearly addressed to those from whom an action or response is expected, "cc" or "bcc" should be used for other recipients of the message;
Use 'reply all' and distribution lists with caution in order to keep the number of your messages to a minimum and reduce the risk of sending messages to the wrong people;
Respect privacy and consider this aspect before forwarding messages;
Delete unwanted or unnecessary e-mail. It is the user's responsibility to manage their own e-mail folders and keep within the quota limits set.
Unsolicited e-mail, especially with an attachment, may contain a virus. If in doubt, delete the e-mail or contact the sender to check before opening;
Do not try to carry out confidential or sensitive tasks or air controversial views on e-mail;
Enter a meaningful 'subject' field to help the reader anticipate the content correctly, and try to keep to one subject per message;
Don't distribute other people's messages without permission;
Avoid subscribing to unnecessary mailing lists. Unsubscribe from mailing lists when they are no longer required;
E-mail transmissions and postings to electronic notice-boards should normally be limited to matters of University business.
Do not forward on e-mail "chain letters". These are e-mails which either ask you to forward them on to all your friends (or to everyone you know) or which state that something bad will happen if you do not forward them on. E-mails of this type, which are warning about something (e.g. computer viruses), are almost certainly hoaxes as well. If you are unsure about any e-mail that you've received contact the helpdesk immediately.
Group accounts for various departments and faculties shall be set up as and when they are required.
Information systems usage guidelines
OUT provides Internet/Intranet access to students and staff for university business use only. The procedures listed below will guide staff and students to determine proper business Information systems resources usage.
Users and Computers Accounts
A staff member or a student is not allowed to share his/her account with somebody else.
The home directory for a user account must not be in the root or usr file system
Each user's home directory has write access by the user only
Any user logins that have not been used for more than three months will be terminated and the data associated with that login will be archived for a maximum of six months.
Regular review of authorised users and their privileges shall be carried out.
Group login accounts are not allowed.
Guest accounts will be deleted or disabled within a week after expiry of their validity.
Disk quotas should be assigned to each user.
Time restrictions, i.e. the times of the day and days of the week that a user may be logged in to the system, can be implemented to restrict usage of the system and resources beyond working hours. (Applicable to critical systems such as financial management systems, Exams etc.)
Retired/terminated/dismissed/suspended student or staff user accounts shall be disabled immediately.
Any authorised personal computer or laptop to be used on the system will have its own account.
Only registered personal computers and laptops can be used to gain access to the system.
All new ICT equipment should be reported by users to IET for purposes of registration.
Every account must have a password/pass phrase. Administrators require passwords for every active login without exception. The administrator shall make sure that an incorrect password is never used for an initial assignment, even if password ageing is used. Users must be informed of the proper password requirements, including the importance of selecting a password that is not easily determined by others (e.g. not a birth date or first name).
Users are required to enter their usernames and passwords/pass phrases in order to login to the system.
User password/pass phrase length must be a minimum of six characters and a system administrator password must have a minimum of eight characters (preferably a combination of numbers and characters).
The maximum password/pass phrase lifetime will be set. A shorter period is recommended for system administrator accounts. The last 5 passwords may not be reused.
All equipment and software supplied with default passwords for predefined system accounts will have to be changed immediately upon installation or upgrade.
Administrators will restrict the use of vendor logins. The administrator may activate a password for a vendor for a specific amount of time and for limited privileges. The administrator shall keep a record of these vendor login requests in the form of a log specifying date, time, group, and purpose of use.
A unique password must be assigned to each new account and each user must change his/her password immediately when using the account for the first time.
An authorised password checker programme will be run periodically.
Passwords should not be communicated via e-mail.
Password ageing should be used wherever and whenever possible. The longer a static password is used, the greater the chance that it can be compromised via a password analyser, a person watching keystrokes, etc.
Any Unix system will require a password when booting single-user. If the console to a Unix system is not in a physically secure area, an intruder may gain root access by crashing the system and rebooting single-user. Ideally, a Unix system should boot multi-user and a password should be required when booting single-user.
The password to a user's account is the key to the security of information, and more generally the integrity of the University's information systems. A user is responsible for all activities and possible misuse originating from his or her account and it is important that the password is not disclosed to anyone else, whether intentionally or accidentally.
Passwords should not be written down or permanently stored on a machine or in a database. Use a pass phrase that is easy to remember but cannot be easily guessed by others.
A user should log off from his/her computer when he/she leaves, even if it is for a short time. That is, do not log in and leave your computer unattended. Remember that when you log into the system, you are responsible for all transactions thereafter, up to when you log off.
If a user has forgotten his/her password or must have it reset by the administrator, he/she must do it in person. (Note: the Administrator does not know users' passwords and has no right to know them. He/she has only the capability of resetting passwords.)
Users are not allowed to share their identifications and passwords. If there is a requirement to grant access to an outside user, that user must follow appropriate procedures to apply for access.
Both the system and application programmes must incorporate multiple levels of password protection where possible.
General Usage
When sensitive information is stored on a backup medium, precautions must be taken to ensure the storage is secure. Particular care should be taken to ensure physical security.
Access to sensitive information should be strictly controlled when temporary staff, consultants or fieldwork students are employed.
Confidential information is not to be transmitted over the Internet without proper encryption. Transmission of harassing, discriminatory or otherwise objectionable E-mail or files (as determined by the recipient) is strictly prohibited.
Disruptive behaviour such as introducing viruses or intentionally destroying or modifying files on the network is strictly prohibited.
Any personal use of the network for commercial or illegal activity is strictly prohibited.
Transmission of any religious or political messages is strictly prohibited.
The usage of the University ICT resources should conform to the University Mission and Vision and not otherwise.
Controls should be in place in order to minimise the security risks to organisational information processing facilities and ICT assets accessed by third parties.
Where there is a business need for such third-party access, a detailed risk assessment should be carried out to determine security implications and control requirements.
If it is agreed to work with the third party, controls should be agreed and defined in a contract with the third party.
Third party access may also involve other participants. Contracts offering third party access should include conditions for their access.
Any outsourcing arrangements should address the risks, security controls and procedures for information systems, networks and/or desktop environments in the contract between the parties.
Since maintaining the security of information when the responsibility for information processing has been outsourced to another organisation is difficult, outsourcing information security should therefore be discouraged.
This part of the ICT security policy and procedures applies to all users of the University ICT systems and resources. It is a violation of the said policy to fail to comply with security practices described in this part of the ICT security policy and procedures. Any user who fails to adhere to the policy and procedures will be subject to penalties and disciplinary action, both within and outside the University. Violations will be handled through the University disciplinary procedures as provided for in various rules and regulations.
The University may temporarily suspend, block or restrict access to ICT resources when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University. The University may also refer suspected violations of applicable law to appropriate law enforcement agencies where necessary.