Faculty of Science Department of Information Systems

Lab policy

  1. Objective
    The security and availability of our computers and information systems is vital to the Department of Information Systems. This document outlines the policies and procedures implemented by the Department of Information Systems (DIS), focusing on the use of the Department's computing facilities by students. It aims to ensure the safe, organised and fair use of these resources and establishes the rights and expectations of the users. Before a person is authorised to use any DIS computer, they must agree to and sign a document, signifying their acceptance of the guidelines and rules set out in this document. The policy is aimed at protecting the resources and information of the Department of Information Systems, from intentional or accidental disclosure, manipulation, modification, erasure, copying, or misuse.

  2. Scope
    The guidelines stated in this document refer to the use of the Department of Information Systems network and hardware resources. This includes the use of any of the departmental machines from the computer laboratories, or from any other form of connection. Users should also be aware of any policies that their ISP may enforce, and of the rules and regulations of The University of Melbourne.
    This security policy applies to all users, including students, staff and guests. Users will be granted differing levels of privileges and access, but all will need to agree to the established security policy guidelines.

  3. Responsibilities
    All users, on acceptance of the policy guidelines, will be responsible for safeguarding the assets of the Department of Information Systems. Users are responsible for their own behaviour, as well as reporting any violations of the network security policy, to either the Network Administrator(s) or to the Helpdesk.
    Employees of the Helpdesk will also be responsible for the regular supervision of the computer laboratories, to ensure that violations of the security policy are minimised. Users should be aware that the actions of others can affect their ability to use the departmental resources, and hence must report any breaches they observe; where necessary, this may be done anonymously.

  4. Acceptable Use Policy
    All facilities of the department should be used for academic purposes. For further information please refer to the AARNET guidelines.
    Do not play music or sounds through the speakers, as this will generate too much noise in the laboratory, and will inhibit other people's work. Accounts may be suspended if noise levels get unbearable in the laboratories. In addition, offensive language is not permitted in laboratories.
    Users should never intentionally interfere with, or compromise the integrity of a University computer system. They should not impersonate another user in communication, or destroy or alter programs belonging to another user. These, and similar acts, are serious violations of University policy, and common civility. If a gap in system security is discovered it should be communicated immediately to the department.
    Users should view their access to resources such as e-mail and the Internet as a privilege rather than a right; if they abuse this privilege, they will lose it. Cheating is not allowed in the Department of Information Systems, including the transmission of assessable work via e-mail. DIS does not permit hate mail or chain mail to be sent by users. As stated in Section 6, e-mail and Internet access is for educational use only. Abuse of these rules and guidelines will lead to the penalties in Section 10 and/or loss of access.

  5. Physical Security
    This section outlines access to the resources within the Department. This covers access to the resources of DIS, as well as the surveillance and alarm system within the building. Physical security is an important aspect, and again users should be aware of their own actions, as well as those of others. Any behaviour observed, that threatens the physical security of the resources, or safety of individuals, must be reported to the department.
    1. Access
      Users will have access to the computer laboratories during lab hours as established by the department. When the laboratories are open after hours, users will need a personal access card to enter the building; the card system records who has entered or exited the building, and at what time. These records may be used if an inquiry is made into incidents occurring in the building. Students of the Department of Information Systems can borrow an access card to gain entry to the building after hours. Card holders will be held accountable for security incidents that occur under their card, therefore users must not lend their card to others. Also, do not allow others to enter with you ("tailgating"). All lost or stolen cards must be reported immediately to the department.
      Staff areas will be restricted to authorised staff, or postgraduate students after office hours. Server rooms and wiring closets are restricted to authorised staff access at all times.

    2. Theft
      Computer laboratories and corridors are under constant video surveillance. These tapes may be reviewed if security incidents occur. An alarm system is linked to the doors to ensure that unauthorised entry does not go undetected after hours. Equipment in the laboratories is protected by an optical fibre system connected to a VERY LOUD alarm and to university security.
      An attempt to steal equipment falls under the jurisdiction of the police, and will be referred to the relevant authority. If one of our users is involved, action may be taken which may include the suspension of a users account. Section 10 outlines the penalties of breaking the policy. Further action may be initiated by the relevant authorities.

    3. Equipment Installation
      Hardware may only be installed by Network Administrator(s) or other authorised personnel. Users without proper authorisation must not tamper with the departmental hardware.

    4. Behaviour
      The following general actions are violations of the policy:

      a. User has brought food or drink into the laboratories
      b. User is playing games during peak usage of the laboratories
      c. User is damaging equipment in the laboratories
      d. User displays abusive behaviour anytime

      Any incident of the above nature will cause action to be taken as outlined in Section 10 of this policy. Further action may be initiated by the relevant authorities.


  6. Network Security
    1. Access Control
      The following mechanisms are required to restrict and control access of authorised users to network facilities:
      • Identification and verification of the identity of each authorised user via an effective logon process.
        The logon process consists of each user specifying their username and password. The username and password will be given to the student, when they sign their acceptance of this document. Students will log on to the domain STUDENT, Staff will log on to the domain UNIMELB, and network administrators will have local access to each PC.
        All users are responsible for ensuring that they logoff successfully when they leave their PC. If a user forgets to logoff, they will have action taken against them, as outlined in Section 10 of this policy.

      • Recording of successful and unsuccessful system access.
        After five unsuccessful logons the user will have their account disabled, and will need to see the Help Desk staff to have their account re-established. If users suspect that unauthorised access to their account has occurred, they can ask Technical Services personnel to check the recorded logons. This investigation is supported by the camera surveillance system as discussed in Section 5.2.

      • Providing a password management system which ensures secure passwords.
        The system has a set of rules which determines what bad passwords are, and then checks the user's password against these. An example is using common English words, or passwords such as 'password', or the user's name.
        Each user will be allocated a username at the commencement of their relationship with the department. They will also be given a password, which will need to be changed at first logon. The password must:

        a. be of a minimum length of 8 characters and consist of both alphabetic and numeric characters;
        b. be changed at least every 65 days; and
        c. be different to the past five passwords, when changing.

        Once a password expires you will be immediately asked to provide a new password before the system will allow you to logon. Failure to provide a new password, will cause your exclusion from the system. Users must not disclose their password to anyone - as they are accountable for all activities carried out with their accounts. Detection of several users using the same account, will cause action to be taken which may include the suspension of a users account. Section 10 outlines the penalties of breaking the policy.

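        The rules above (minimum length and character mix, rejection of common words and the user's own name, no reuse of the last five passwords, forced change at first logon and after 65 days, and lockout after five failed logons) are easy to state and easy to get subtly wrong in code. The following is an added illustration of how such a policy can be enforced; it is not the department's logon software. It assumes that the previous-password history is kept as salted PBKDF2 hashes rather than in clear text, that the bad-word list is a small constructed sample standing in for a full dictionary, and that the caller supplies the current date.

```python
"""Password-policy and lockout checks modelled on the rules in Section 6.1.
Added example, not the department's own code.  Assumptions: history is kept
as salted hashes (never plaintext), BAD_WORDS is a constructed sample of a
real dictionary list, and the caller passes in today's date."""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8        # rule (a)
HISTORY_DEPTH = 5     # rule (c): differ from the last five passwords
MAX_AGE_DAYS = 65     # rule (b)
MAX_FAILURES = 5      # lockout threshold for unsuccessful logons
PBKDF2_ROUNDS = 50_000  # kept modest for the example; raise in production

# Constructed sample of "bad" passwords; a deployment would load a full wordlist.
BAD_WORDS = {"password", "welcome", "letmein", "qwerty", "computer"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored history cannot be read back as text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, initial_password: str, created: date):
        self.username = username
        self.history = []          # (salt, hash) pairs, newest last
        self.failures = 0
        self.disabled = False
        self.must_change = True    # issued password must be changed at first logon
        self.changed_on = created
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last five

    def _in_history(self, password: str) -> bool:
        return any(_hash(password, s) == h for s, h in self.history)

    def check_password(self, candidate: str) -> list:
        """Return the list of rule codes the candidate violates (empty = OK)."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("length")
        if not (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            problems.append("charset")
        lowered = candidate.lower()
        if lowered in BAD_WORDS:
            problems.append("common-word")
        if self.username.lower() in lowered:
            problems.append("username")
        if self._in_history(candidate):
            problems.append("reused")
        return problems

    def change_password(self, new_password: str, today: date) -> list:
        problems = self.check_password(new_password)
        if problems:
            return problems
        self._store(new_password)
        self.changed_on = today
        self.must_change = False
        return []

    def expired(self, today: date) -> bool:
        return today - self.changed_on > timedelta(days=MAX_AGE_DAYS)

    def logon(self, password: str, today: date) -> str:
        """Return 'ok', 'change-required', 'bad-password' or 'disabled'."""
        if self.disabled:
            return "disabled"
        salt, stored = self.history[-1]          # current password is the newest entry
        if _hash(password, salt) != stored:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.disabled = True             # Help Desk must re-enable the account
                return "disabled"
            return "bad-password"
        self.failures = 0                        # a good logon resets the counter
        if self.must_change or self.expired(today):
            return "change-required"             # no access until a new password is set
        return "ok"


if __name__ == "__main__":
    acct = Account("jsmith", "Init1234", date(2000, 3, 1))
    print(acct.logon("Init1234", date(2000, 3, 1)))      # change-required
    print(acct.check_password("password"))                # ['charset', 'common-word']
    print(acct.change_password("Blue7sky", date(2000, 3, 1)))  # []
    print(acct.logon("Blue7sky", date(2000, 3, 2)))       # ok
```

        Keeping the history as salted hashes means the check for "different to the past five passwords" never requires the old passwords to be stored in a readable form, and a disabled account stays disabled even when the correct password is later supplied, which is the point of the Help Desk re-establishment step.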

    2. Network Auditing
      Users should be aware that auditing takes place, so that violations of the security policy can be detected, attributed to an account and penalised. The audit records cover installation of software, logons and logoffs.

    3. Remote Access
      Users are allowed to connect to the departmental network from home via an ISP. They should be aware of the possible security threats associated with their files, and hence should ensure that appropriate information be protected, and that only they have access to their User ID and Password information.

    4. Directory Services
      Each user of the system will be allocated disk space on the student server, as well as on the web server for a personal web page. There are several public drives that all users have read access to. There are restrictions placed on users, depending on their position within the department, in regard to provided server space, as well as access level. If these restrictions are exceeded, then users will lose their right to save on to the server, as well as run the risk of having their account suspended, depending on their actions.
      Each user is responsible for their own directory, which only they and staff have the authority to access. Users are not allowed to modify existing files on the hard drive of each PC, nor are they permitted to leave files. This ensures that illegal software and games do not get installed. Public drives will be available with licensed or freeware programs, to be distributed amongst users for educational purposes. Users found in breach of this policy, will face action as outlined in Section 10.

    5. Internet Services
      All students can access the Internet from the computer laboratories. Students should be aware, however, that Internet usage is only for academic work. This is established by The University of Melbourne, as well as AARNet guidelines. Violations of these policies incur fines for breach of the AARNet guidelines. Students should also be aware that Internet usage increases the chances of damage occurring to DIS resources, as well as the demand placed on those resources. This includes viewing of web sites, as well as downloading of files with potential for virus infection.
      Each student may create a personal web page, which can only be used for non-commercial use, and must adhere to the guidelines set by The University of Melbourne. Students should realise that these pages reflect on the Department, and must be of an appropriate nature.

    6. Offensive Material & Behaviour
      Material that is or may be considered offensive, must not be downloaded, viewed or distributed. Students that download or view such material, will have action taken against them, which may include the suspension of a users account. Section 10 outlines the penalties of breaking the policy. Further disciplinary action may be initiated by the Sexual Harassment Officer.
      In addition, offensive behaviour in laboratories, such as offensive language or actions, will not be taken lightly. Sexual harassment is governed by University policy, and hence Technical Services personnel may be forced to refer the incident to a higher authority for disciplinary action. University Policy stipulates that all incidents that constitute sexual harassment, must be reported to the Sexual Harassment Officer.

    7. E-mail
      All students have an e-mail account which is intended for educational purposes. Email generated or sent to this account can be viewed by the department if the user is suspected of a security breach. If the e-mail account is used for purposes other than educational, then that user may lose their privileges in regard to sending e-mail.
      The department generates a large volume of official E-mail. In order to attempt to keep the network load down, E-mail that is considered 'SPAM' or 'Chain E-mail' is banned. The use of E-mail for this type of message, is not using the facilities provided in an acceptable manner according to University and AARNet regulations, and is also not accepted net etiquette. Students will be restricted to sending e-mail messages of approximately four Megabytes or less, to ensure these resources are utilised appropriately.
      All account holders are reminded that use of E-mail should ONLY be for academic purposes. The University specifically forbids the transmission of obscene, offensive or defamatory electronic mail. Perpetrators may be subject to legal action.

    8. Printing
      Students are provided with printing facilities so that they can complete their assignments. These facilities are currently offered free of cost for Research Students only, for reasonable amounts of printing. All other students must use the Unicard Printing System (http://www.studentit.unimelb.edu.au/doit/print.html). One of the network drives holds a printer inquiry tool that allows Research Students only to determine how much print quota is still available. Once the quota has been exceeded, printing will be disabled.


  7. Software Security
    Academic staff and Network Administrator(s) are responsible for authorising and installing software on DIS resources. Periodic scans will be made to ensure that illegal or unauthorised software does not get installed, or used on the DIS servers, workstations and network. For those with authorisation to download software from the Internet, they must scan the software with a current virus detection program, to ensure that it is virus free.

  8. Disaster Contingency Plan
    As information is of great importance to the Department of Information Systems, it is vital that users and administrators are aware of the plan for the occurrence of natural disaster, and/or attacks from hackers and users. Network Administrator(s) will be responsible for dealing with attack(s).
    1. Security
      Protecting user accounts, files, disks, printouts and other information is the responsibility of each user. All reasonable precautions should be taken in the choice and use of passwords to prevent unauthorised use, as discussed in Section 6.1. Users should not attempt to access the accounts, files, or disks of others, and should not give others access to their account, files or disks. Knowledge or suspicion of unauthorised access should be communicated to the Department of Information Systems immediately.

    2. Backup of Work
      Users must ensure that they back up their own work regularly. Whilst every effort is made by the department to back up data, departmental backups are PRIMARILY made in case of server failure. Individual user files or directories, will only be restored by special request, and in extreme cases. Periodic information recovery plan tests are conducted, to ensure that methods of data storage and retrieval, are appropriate. These will be conducted regularly, in line with the current backup cycle at the time.

    3. Natural Disaster
      In the event of a natural disaster, such as a fire, the department has established procedures. This includes procedures for coping with the disaster at the time of occurrence, as well as a recovery plan. These plans will be documented within the department.

    4. Equipment Faults
      All users should report all equipment faults, no matter how inconsequential, via E-Mail to helpdesk@dis.unimelb.edu.au. In the event of E-mail not working, users should notify the Help Desk. Technical staff will attempt to fix the fault as soon as possible.


  9. Security Awareness
    The following sections detail how the security policy will be distributed, reviewed and how users will be trained.
    1. Distribution
      The distribution of this policy will be in electronic and hard copy form. New users of the system will need to read and agree to the policy before their account is created and/or activated. Other users will have access to a hard copy form, available from the department, via Exchange, or through the World Wide Web (WWW).

    2. Review
      It is important to realise that this security policy is an evolving document, and will be reviewed on an ongoing basis. This is to ensure that relevant issues are always addressed by the document, avoiding the situation where it becomes redundant. The review of this security policy will take place on a semi-annual basis. Any significant changes might require users to sign another form, demonstrating their acceptance of the altered rules of behaviour as established by the security policy.

    3. Training
      Each new user of the system will need to attend an introduction session to the computer laboratories. This will be the responsibility of the Helpdesk employees. The session should detail how to log on and the basic uses of the system, discuss security issues, and ensure that all users are aware of this document and that agreement to it is a prerequisite for having an account activated on the departmental network. If the need arises, refresher sessions will be organised annually for existing users before re-activation of their accounts.


  10. Compliance
    1. DIS Penalties
      Each user will be required to agree to the guidelines and rules established in this policy before they are authorised to use the DIS resources. This will ensure that users can be held accountable for their actions, and cannot plead ignorance. Technical Services personnel will be responsible for investigating security breaches and enforcing penalties. Violations of this security policy may result in one of the following penalties, depending on the nature of the offence, being enforced whilst the incident is investigated:
      • Suspension of user account for after hours access
      • Suspension of user account for hours outside their prescribed laboratory classes
      • Full suspension of user account
      All details regarding the incident may be referred to other relevant authorities, who may choose to initiate further action outside the department's control. Breaches of this policy are not only punishable by DIS penalties, but further action could be taken through University penalties and the Crimes Act.

    2. University Penalties
      This section summarises some of the various policies of the University of Melbourne. Penalties for breaking these policies are generally of a legal nature. For further information about these policies please refer to the student information guide produced by ITS.
      • Warning
        Staff and students of the University are entitled to use the University's computing facilities only for legitimate University purposes. They may be required to produce University identification cards at any time to verify their status. All others must be authorised in writing by the relevant Head of Department before they are allowed to use the facilities.

      • Copyright
        The reproduction of computer programs is prohibited by the Copyright Act, except where the copyright owner has given specific permission, or a licence to copy.
        A copyright owner is entitled to take legal action, against a person who infringes that owner's copyright.
        The University absolutely forbids the use of its computer facilities, for a purpose which constitutes an infringement of copyright.
        The University absolutely forbids the copying or reproduction of computer programs, held by or licensed to it (public domain or shareware excepted). Reproduction includes reverse assembly and reverse compilation of programs.

      • Hacking
        Unauthorised access to accounts, files, or data held on the University computing system, or any other system, may be a criminal offence, and further action may be taken by the relevant authorities.

      • E-mail and WWW
        The University absolutely forbids the use of electronic mail, or access to the WWW, for anything except legitimate University purposes. The transmission or publication of obscene, offensive, or defamatory material is prohibited. Perpetrators may be subject to legal action.
        The University will take disciplinary action, under the University Statutes, against staff or students of the University who breach copyright, access systems without authority, or abuse the E-mail system.
        Legal action will be taken against unauthorised users of the University's computing facilities.

    3. Crimes (Computer) Act of 1988
      Under the Victorian Government legislation, Computer Trespass is a criminal offence. Possible penalties include a term of imprisonment. Computer Trespass includes gaining access to, or entering a computer system, or part of a computer system, without lawful authority to do so. Computer Trespass is an offence regardless of whether or not the trespasser gains, or intends to gain financial benefit, alters or damages, or intends to damage files or programs.


  11. Definition of Terms
    1. Asset - something of value.
    2. Availability - ensuring that information and services are available when required.
    3. Confidentiality - protecting sensitive information from unauthorised disclosure or intelligible interception.
    4. Data - the representation of facts, concepts, or instructions in a formalised manner, suitable for communication, interpretation, or processing by human or by automatic means.
    5. Information - the meaning that is currently assigned to data, by means of the conventions applied to those data.
    6. Integrity - safeguarding the accuracy and completeness of information and computer software.
    7. Organisation - group of people collectively responsible for a defined set of activities. E.g. a Faculty, a School, an administrative unit.
    8. Owner - individual or organisation having responsibility for specified information assets and for the maintenance of appropriate security measures.
    9. Permission - establishing authorised or permitted usage of resources and information, to ensure that they are used for their intended purpose and by their intended users.
    10. Security incident - any event that has, or could have, resulted in loss or damage to organisational assets, or an action that is in breach of organisational security procedures.
    11. User - individual or organisation that makes use of information or information technology.
    12. User ID - Login name or token used to identify a user of an IT system. Usually used with a password known only to the user.