Note: To read the full text ICT policy, please download it here ICTC Policy 14-Nov-2014

Statement of Purpose

The purpose of this ICT Policy is to outline the acceptable use guidelines for ICT equipment and services at the University. This policy intends to promote a culture of openness, trust and integrity. These are general guidelines on what can be done, and what should not be done, on the University ICT Infrastructure in order to ensure efficient and effective use of University ICT resources; protect ICT resources from injurious actions, including virus attacks, data loss, unauthorized access, network and system failures and legal problems. (Refer to Section 1.2, 2nd Paragraph on Pg.8 of the ICT policy for more information)

Scope of the University ICT Policy

This policy applies to any person accessing, developing, implementing and/or using ICT-based information and ICT resources owned, managed, supported or operated by, or on behalf of, the University. This includes all University staff and students; any other organizations accessing services over University ICT resources; persons contracted to develop, repair or maintain the University's ICT resources; and suppliers of outsourced ICT services. This policy applies to all ICT equipment, software or other facilities that are owned or leased by the University.

Adherence to this policy applies to all these and other relevant parties.

1. Wireless Networks

1.1 Definition

Wireless LANs, also known as hotspots or Wi-Fi, are networks rolled out using radio waves to provide mobile network access as defined under the IEEE 802.11 protocol.

1.2 Structure of Wireless Networks

a) Installation, configuration, maintenance and operation of wireless networks serving any property owned or rented by the University are the sole responsibility of ICTC. Any independently installed wireless communication equipment is prohibited.

b) Any request for installation of a wireless device must be approved by the Director, ICTC.

c) Wireless access points shall terminate at a point of connection to the University Network Backbone. In cases where it is not feasible to establish a single connection, multiple wireless gateways may be installed, limited to a maximum of three hops.

d) Wireless networks connecting to the University network shall meet overall University network security and management requirements including approved network identifiers.

(Refer to Section 2.9, 4th Paragraph on Pg.13 of the ICT policy for more information)

2. Virtual Private Networks (VPN)

2.1 Definition

A Virtual Private Network (VPN) extends the University network across the Internet, enabling users to send and receive data across shared or public networks as if they were directly connected to the University network, while ensuring that security and applicable policies are observed.

2.2 Structure of Virtual Private Networks

a) Authorized users of University ICT services shall be granted rights to use VPN connections if they intend to gain access to the University ICT intranet services through public networks.

b) By using the VPN technology users are subject to the same rules and policies that apply while on campus.

c) Users of this service are responsible for procurement and cost associated with acquiring basic Internet connectivity, and any related products or service.

d) It is the responsibility of the user with VPN privileges to ensure that unauthorized users are not allowed access to the University networks through their credentials.

e) All VPN services are to be used solely for the approved University business or academic purpose.

f) All VPN service usage shall be logged and subject to auditing.

g) Network protocols used on VPNs and communicating through the gateway must use approved configuration parameters including approved network credentials.

(Refer to Section 2.10, 1st Paragraph on Pg.14 of the ICT policy for more information)

3. Connection to and Usage of ICT Facilities

3.1 Connecting to the ICT Network

a) All connections to the University's ICT networks must conform to the protocols defined by the ICTC and with the requirements that apply to Internet Protocol (IP) addresses.

b) Only designated members of staff of the ICTC, or other staff authorized specifically by the Director of ICT may make connections of desktop services equipment to the ICT network.

c) Computer workstations connected to the ICT network will not be set up to offer services to other users, for example, to act as servers, unless the prior written consent of the Director of the ICT has been obtained. Such consent will normally exclude all external access (stated under paragraph 3.2 below).

3.2 External Access to Servers on the Backbone Network

a) External access means access by persons external to the University; access to the backbone network from external locations.

b) Where specific external access is required to servers on the backbone network, the Director ICT shall ensure that this access is strictly controlled and limited to specific external locations or persons.

c) The Director ICT will monitor compliance with access arrangements as stipulated in this ICT Policy and the relevant ICT Security Policy on Server Security issues by the University from time to time.

d) Abuses of or failure to comply with these arrangements shall result in immediate restriction or disconnection from the network.

3.3 Domain Name Services

All Domain Name Services (DNS) activities hosted within the University shall be managed and monitored centrally, for the whole University, by the ICTC.

3.4 Electronic Mail

Electronic mail or email shall be received and stored on central servers managed by the ICTC from where it can be accessed or downloaded by individual account holders.

3.5 Suspension and/ or Termination of Access to ICT Networks

a) A user's access to the University's ICT networks will be revoked automatically:

i. at the end of studies, employment or research contract;

ii. at the request of the Director/ Dean of Faculty/ Head of Resource Centre/ Head of Department or Head of Unit;

iii. where there is a breach of these regulations.

b) The University reserves the right to revoke a user's access to the University's ICT Network where the user is suspended pursuant to a disciplinary investigation.

c) The Registrar Administration/ Academic Registrar will establish mechanisms to ensure that changes in student/ employment status are communicated immediately to the Director of ICT so that their network access and email accounts can be suspended or deleted as appropriate immediately.

Procedures on Restriction of Use

a) Appropriate procedures shall apply in restricting usage after a formal complaint has been lodged or a breach of policy or rule has been reported or detected.

b) Any breach of ICT policy shall be reported or communicated in writing to the Director, ICT.

c) Upon receipt of any such complaint, the Director, ICT shall classify the complaint as “serious” or “non-serious”. A “non-serious” complaint shall be defined as a breach of policy which does not subject the University to a cost nor any high risk.

d) When a complaint is classified as “non-serious”, the Director, ICT is authorized to impose any one of the following penalties:

i. Suspension of the account for a minimum period of four weeks

ii. Permanent disabling of the account

e) When a complaint is classified as “serious” the Director, ICT shall refer the complaint to the Vice Chancellor for appropriate action. The possible penalties may be one or a combination of the following:

i. Suspension of the account, which will be communicated to the relevant Director/ Dean and/ or Head of Department or Head of Section;

ii. Suspension of the account shall be for a minimum period of four weeks. Formal approval of the relevant Director/ Dean and/ or Head of Department or Head of Section and a signed undertaking to abide by the Rules of Use shall be required before reinstatement of the account.

iii. Permanent disabling of the account shall be taken, where the severity of the offense warrants such action.

iv. Accounts may be reinstated before the end of the suspension period where either the student or staff presents information to the Director, ICT which indicates that he or she was not involved in the transgression of the Rules of Use, or the Director/ Dean and/ or Head of Department or Head of Section requests the account to be reinstated for employment/ course related work only (e.g. completion of an assignment). In this case the user is required to sign an undertaking to abide by the Rules of Use.

v. A system administrator can make a recommendation to disable an account to the Director, ICT. The Director, ICT shall review the request and if it is considered to be, on the balance of probability, a transgression of the ICT policy, the account shall be suspended.

vi. An account may also be suspended, if a request has been made to the Director, ICT from a systems administrator of another system, with a reasonable and accepted case for suspension.

vii. Users should note that suspension of access to ICT facilities also includes access to the terminal server password access, and as such dial-up modem access will be disabled where a user account is suspended.

3.6 Additional or Changed Equipment

a) The Director, ICT shall be advised in advance, and at the earliest opportunity, of any plan to add items of desktop services equipment to, or to replace or relocate desktop equipment that is connected to, or that may require connection to, the University's ICT network.

b) The Director ICT shall assess the likely impact on the University's ICT networks of the proposed change. The Director ICT shall give approval for the proposed change only where appropriate adjustments can be made to accommodate any effects on network traffic that this change may cause.

3.7 External data Communications

a) All external data communications shall be channeled through University approved links.

b) No external network connections shall be made without the prior written consent of the Director, ICT.

c) The installation and use of leased or private links on premises owned, managed or occupied by the University shall require the prior written consent of the Estates Manager.

d) The use of modems, leased lines or other means of access to other networks on equipment located on premises owned, managed or occupied by the University that is linked to the University ICT network infrastructure is prohibited, unless a proposal and justification for such connection has been authorized in writing by the Director, ICT.

3.8 Web Cache Provision

a) The ICTC shall be responsible for provision and management of University web cache facilities for incoming web traffic.

b) All web access shall be set up to ensure use of the University's web cache facility for incoming web traffic under the ICT Internet Usage Policy.

3.9 Web Filtering

The Director, ICT shall be responsible for the implementation of appropriate filtering facilities for web-based and non-web Internet traffic, including MP3 traffic and other high bandwidth intensive services that may not have direct educational or research value, where and when necessary in conformity with the ICT policy and relevant ICT guidelines that promote efficient and high availability of Internet services to the majority of users.

(Refer to Section 2.1.2, from the 5th Paragraph on Pg.15-18 of the ICT policy for more information)

4. ICT Security and Internet Policy

4.1 Definitions of terms

a) Spam - Unauthorized and/or unsolicited electronic mass mailings.

b) “Chain letters,” “Ponzi,” “pyramid” schemes - Messages that purport to tell the addressee how, for a relatively small investment, the addressee can make huge amounts of money. There are several variations, but they are all based on a common fraudulent concept — that the addressee pays a relatively small amount of money to a few people above the addressee in a chain, with the expectation that later a very large number of people will be making similar payments to the addressee.

c) Port scanning - Attempting to learn about the weaknesses of a computer or a network device by repeatedly probing it with a series of requests for information.

d) Network sniffing - Attaching a device or a program to a network to monitor and record data traveling between computers on the network.

e) Spoofing - The deliberate inducement of a user or a computer device to take an incorrect action by impersonating, mimicking, or masquerading as a legitimate source.

f) Denial of service - Procedures or actions that can prevent a system from servicing normal and legitimate requests as expected.

g) Ping attack - A form of denial of service attack, where a system on a network gets “pinged,” that is, receives an echo request from another system at a fast repeating rate, thus tying up the computer so no one else can contact it.

4.2 General use and ownership policy

4.2.1 Roles

a) While the ICTC is committed to the provision of a reasonable level of privacy, the ICTC shall not guarantee confidentiality of personal information stored or transmitted on any network or device belonging to the University. The data created and transmitted by users on the ICT systems shall always be treated as the property of the University.

b) The ICTC shall protect the University's network and the mission-critical University data and systems. The ICTC shall not guarantee protection of personal data residing on University ICT infrastructure.

c) Users shall exercise good judgment regarding the reasonableness of personal use of ICT services. They shall be guided by ICT policies concerning personal use of ICT Internet, Intranet or Extranet systems. In the absence of such policies, or where they are unclear, they shall consult the relevant ICT staff.

d) For security and network maintenance purposes, authorized staff within the ICTC shall monitor equipment, systems and network traffic at any time as provided for in the network and development policy.

e) The ICTC shall reserve the right to audit networks and systems on a periodic basis to ensure compliance with this ICT Policy.

4.2.2 Securing confidential and proprietary information

a) University data contained in ICT systems shall be classified as either confidential or non-confidential. Examples of confidential information include, but are not limited to, payroll data, human resource data, and research data. Employees shall take all necessary steps to prevent unauthorized access to confidential information.

b) Users shall keep passwords secure and shall not share accounts. Harambee or shared accounts are strongly discouraged. Authorized users are responsible for the security of their passwords and accounts. System level passwords shall be changed on a monthly basis; user level passwords shall be changed at least once every 3 months.

c) All PCs, laptops and workstations shall be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the host is unattended.

d) Postings by users from the University email address to newsgroups shall contain a disclaimer stating that the opinions expressed are strictly the user’s and not necessarily those of the University, unless posting is in the course and within the scope of official duties.

e) All hosts connected to the University Internet, intranet or extranet, whether owned by the user or the University shall at all times be required to execute approved virus-scanning software with a current virus database.

f) The user shall exercise caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

4.2.3 Unacceptable System and Network Activities

The following activities shall be strictly prohibited, with no exceptions:

a) Violations of the rights of any person or company protected by Kenya’s copyright, trade mark, patent, or other intellectual property (IP) law and the University’s Intellectual Property Policy, other relevant policies, or the University’s code of conduct.

b) Introduction of malicious programs into the network or server, for instance viruses, worms, Trojan horses or e-mail bombs.

c) Sharing of University user accounts and passwords; users shall take full responsibility for any abuse of shared accounts.

d) Using the University computing resources to actively engage in procuring or transmitting material that could amount to sexual harassment or constitute creation of a hostile work environment.

e) Making fraudulent offers of products, items, or services originating from any University account.

f) Causing a security breach or disruption of network communication. Security breaches include, but are not limited to, accessing data of which one is not an intended recipient or logging onto a server that one is not expressly authorized to access, unless this is within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping attacks, packet spoofing, denial of service, and forged routing information for malicious purposes.

g) Port scanning or security scanning unless prior notification to ICT management is made.

h) Executing any form of network monitoring which will intercept data not intended for the originator’s host computer, unless this activity is a part of an employee's normal job or duty.

i) Circumventing user authentication or security of any host, network or account.

j) Interfering with or denying service to other network users, also known as denial of service attack.

k) Using any program, script or command, or sending messages of any kind, with the intent to interfere with, or disable, another user's terminal session, via any means, locally or via the Internet, intranet or extranet.

l) Using the University network or infrastructure services, including dial-up Internet connection, to offer services to others within or outside the University premises on free or commercial terms.

4.2.4 Wireless users responsibilities

a) Any person attaching a wireless device to the wireless network is responsible for the security of the computer device and for any intentional or unintentional activities from or to the network pathway that the device is using.

b) The University accepts no responsibility for any loss or damage to your machine as a result of connection to the wireless network.

c) Users have the responsibility to ensure that they are running up-to-date antivirus software and that their installed software is fully patched with the latest service packs and hot fixes.

d) Users will authenticate on the wireless network for each session.

e) Wireless network users should ensure that their computer systems are properly configured and operated so that they do not cause inconveniences to other Wi-Fi network users and the University network users.

f) Wireless network is provided in support of teaching, research or related academic activities to access the University network and Internet in lecture theatres, classrooms, libraries and other common areas. Use of the University Wi-Fi network for other purposes is prohibited.

g) Wireless network users should get their network addresses automatically; a valid network address will be granted when connected. Use of other network addresses is prohibited.

h) Setting up routing or other special network functions is prohibited.

The user agrees to:

i) use the service for the institutional and personal ends for which it was granted, in particular agreeing to not use the service for commercial ends;

ii) not send advertising or promotional messages via email or communications to other users and/or discussion groups without proper consent being issued or without receiving an explicit invitation to do so (spam);

iii) not transfer large amounts of data, if not absolutely necessary;

iv) not violate confidentiality rights and the privacy of personal correspondence;

v) not use ad-hoc networks or other tools (e.g. sniffer) within coverage areas that could negatively influence network performance or violate the privacy rights of other university users;

vi) respect netiquette in use on the internet, standardized in the document known as “RFC 1855”;

vii) respect the University’s ICT Policy;

viii) respect the rules and operational indications distributed by UoN;

ix) not transmit materials and/or messages that encourage third parties to behave with illicit conduct and/or criminal behavior liable to penal or civil violations;

x) not put information on the web that could present forms or content of a pornographic, obscene, blasphemous, racist, defamatory or offensive nature.

4.2.5 Appropriate use of electronic mail

Electronic mail and communications facilities provided by the University are intended for teaching, learning, research, outreach and administrative purposes. Electronic mail may be used for personal communications within appropriate limits.

4.2.5.1 Appropriate Use and Responsibility of Users

Users should explicitly recognize their responsibility for the content, dissemination and management of the messages they send. This responsibility means ensuring that messages:

i) Do not contain information that is harmful to the University community;

ii) Are courteous and polite;

iii) Are consistent with University policies;

iv) Protect others’ right to privacy and confidentiality;

v) Do not contain obscene, offensive or slanderous material;

vi) Are not used for purposes that conflict with the University’s interests;

vii) Do not unnecessarily or frivolously overload the email system (e.g. spamming and junk mail are not allowed);

viii) Are not for commercial purposes.

4.2.5.2 Confidentiality and Security

a) Electronic mail is inherently NOT SECURE.

b) As the University networks and computers are the property of the University, the University retains the right to allow authorized ICTC officers to monitor and examine the information stored within.

c) It is recommended that personal confidential material not be stored on or sent through University equipment.

d) End-users must ensure the integrity of their password and abide by University guidelines on passwords.

e) Sensitive confidential material should NOT be sent through the electronic mail system unless it is encrypted.

f) Confidential information should be redirected only where there is a need and with the permission of the originator, where possible.

g) Users should be aware that a message is not deleted from the system until all recipients of the message and of any forwarded or attached copies have deleted their copies.

h) Electronic mail messages can be forged in the same way as faxes and memoranda. If a message is suspect, users should verify authenticity with the ICTC.

4.2.5.3 User Indemnity

Users agree to indemnify the University for any Loss or damage arising out of use of University’s email.

4.3 Bring Your Own Device (BYOD)

a) Employees who prefer to use their personally-owned IT equipment for work purposes must secure corporate data to the same extent as on corporate ICT equipment, and must not introduce unacceptable risks (such as malware) onto the corporate networks by failing to secure their own equipment.

b) BYOD users must use appropriate forms of user authentication approved by Information Security, such as user IDs, passwords and authentication devices.

c) The following classes or types of corporate data are not suitable for BYOD and are not permitted on personally owned devices (PODs):

(i) Anything classified SECRET;

(ii) Other currently unclassified but highly valuable or sensitive corporate information which is likely to be classified as SECRET or above;

(iii) Large quantities of corporate data (i.e. greater than 1 Gb in aggregate on any one POD or storage device).

d) The University has the right to control its information. This includes the right to backup, retrieve, modify, determine access and/or delete corporate data without reference to the owner or user of the POD.

e) The University has the right to seize and forensically examine any POD believed to contain, or to have contained, corporate data where necessary for investigatory or control purposes.

f) Suitable antivirus software must be properly installed and running on all PODs.

g) POD users must ensure that valuable corporate data created or modified on PODs are backed up regularly, preferably by connecting to the corporate network and synchronizing the data between POD and a network drive, otherwise on removable media stored securely.

h) Any POD used to access, store or process sensitive information must encrypt data transferred over the network (e.g. using SSL or a VPN) and while stored on the POD or on separate storage media (e.g. hard disk, CD/DVD, USB/flash memory stick).

i) Since ICT User support does not have the resources or expertise to support all possible devices and software, PODs used for BYOD will receive limited support on a ‘best endeavors’ basis for academic purposes only.

j) While employees have a reasonable expectation of privacy over their personal information on their own equipment, the University’s right to control its data and manage PODs may occasionally result in support personnel unintentionally gaining access to their personal information. To reduce the possibility of such disclosure, POD users are advised to keep their personal data separate from University data on the POD in separate directories, clearly named (e.g. “Private” and “BYOD”).

k) Take care not to infringe other people’s privacy rights, for example do not use PODs to make audio-visual recordings at work.

4.4 Password Policy

4.4.1 Rules

a) All system-level passwords such as root, enable, Windows server administration, application administration accounts, shall be changed at least once every month.

b) All user-level passwords such as email, web, and desktop computer shall be changed at least once every three months.

c) User accounts that have system-level privileges granted through group memberships or programs such as “sudo” shall have passwords distinct from all other accounts held by such users.

d) Passwords shall not be inserted into email messages or other forms of electronic communication.

e) Passwords for the University accounts shall not be used for other non University access such as personal ISP account, Yahoo Mail, and Bank ATM.

f) All passwords shall be treated as sensitive, confidential University information. Users shall not share the University passwords with anyone, including administrative assistants or secretaries.

g) Users shall not use the “Remember Password” feature of applications like Eudora, Outlook, and Netscape Messenger.

h) Users shall not write passwords down and store them anywhere in their offices.

i) Where an account or password is suspected to be compromised the affected passwords shall be changed immediately. The ICTC shall be alerted immediately to investigate the incident, if it affects critical University information systems or processes.

j) As a proactive defense procedure, password cracking or guessing tools may be run on a periodic or random basis by the relevant staff of the ICTC or its delegates. If a password is guessed or cracked during one of these scans, the affected user shall be required to change the password immediately.

k) All user-level and system-level passwords shall conform to the guidelines described below.

4.4.2 General password construction guidelines

Computer passwords are used for various purposes at the University. Since very few systems have support for one-time tokens, that is, dynamic passwords that are only used once, all users shall familiarize themselves with the following information on how to select strong passwords.

Poor, weak passwords have the following characteristics:

a) The password contains fewer than eight characters.

b) The password is a word found in an English, Swahili or other dictionary.

c) The password is a common usage word such as:

i) Names of family, pets, friends, co-workers, or fantasy characters.

ii) Computer terms and names, commands, site, company, hardware, software.

iii) The words "university", "nairobi", "kenya" or any such derivation.

iv) Birthdays and other personal information such as addresses and phone numbers.

v) Word or number patterns like aaabbb, qwerty, zyxwvuts, or 123321.

vi) Any of the above spelled backwards.

vii) Any of the above preceded or followed by a digit such as secret1, 1secret.

Strong passwords have the following characteristics:

a) Contain both upper and lower case characters like a-z, A-Z.

b) Have digits and punctuation characters as well as letters such as 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?, or /.

c) Are at least eight alphanumeric characters long.

d) Are not words in any language, slang, dialect, or jargon, among others.

e) Are not based on personal information, or names of family, among others.
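The weak-password characteristics and strong-password characteristics above can be turned into an automated check that a system could run before accepting a new password. The following Python is an added example written for this page; it is not part of the University's ICT policy text nor an ICTC tool. Its word list is a constructed stand-in for the English and Swahili dictionaries the policy refers to, the `personal_info` parameter is an assumption about how a caller would supply the names and dates of 4.4.2(c)(i) and (iv), and stripping all leading and trailing digits and punctuation before the dictionary test generalises the page's "preceded or followed by a digit" example.

```python
"""Checker for the password construction rules in section 4.4.2.

Added example; not part of the University's ICT policy nor an ICTC tool.
The word list is a constructed stand-in for a real dictionary.
"""
import re
import string

# Constructed stand-in for section 4.4.2(b); a deployment would load full
# English and Swahili word lists (and computer terms, per 4.4.2(c)(ii)).
DICTIONARY_WORDS = {"secret", "password", "welcome", "rafiki", "jambo", "admin"}

# Section 4.4.2(c)(iii): "university", "nairobi", "kenya" or any derivation.
INSTITUTION_WORDS = ("university", "nairobi", "kenya")

# Section 4.4.2(c)(v): keyboard rows, the alphabet and the digits, read either way.
SEQUENCE_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase)

# Punctuation set quoted in the "strong passwords" list, item b).
PUNCTUATION = "!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,/"


def _is_sequence(s):
    """True when s (at least three characters) runs forwards or backwards along a row."""
    return len(s) >= 3 and any(s in row or s[::-1] in row for row in SEQUENCE_ROWS)


def _is_pattern(word):
    """aaabbb-style repeats, keyboard/alphabet runs (qwerty, zyxwvuts) and mirrored runs (123321)."""
    if len(word) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", word):      # blocks of repeated characters
        return True
    if _is_sequence(word):                       # a run along a row
        return True
    half = len(word) // 2
    return word == word[::-1] and _is_sequence(word[:half])   # a run followed by its mirror


def check_password(password, dictionary=DICTIONARY_WORDS, personal_info=()):
    """Return the set of 4.4.2 rules the password breaks; an empty set means it passes.

    personal_info holds strings the caller knows about the user (names, birthdays,
    phone numbers), which 4.4.2(c)(i) and (iv) forbid as password material.
    """
    problems = set()
    lowered = password.lower()
    core = lowered.strip(string.digits + PUNCTUATION)   # e.g. "secret" from "1secret"
    if len(password) < 8:
        problems.add("length")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.add("case")
    if not (any(c.isdigit() for c in password) and any(c in PUNCTUATION for c in password)):
        problems.add("charset")
    # Dictionary test covers the word itself, its reverse (c vi) and its alphabetic core (c vii).
    candidates = {lowered, lowered[::-1], core, core[::-1]}
    if candidates & {w.lower() for w in dictionary}:
        problems.add("dictionary")
    if any(w in lowered or w[::-1] in lowered for w in INSTITUTION_WORDS):
        problems.add("institution")
    for info in personal_info:
        info = info.lower()
        if len(info) >= 3 and (info in lowered or info[::-1] in lowered):
            problems.add("personal")
    if _is_pattern(lowered) or _is_pattern(core):
        problems.add("pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("secret1", "Nairobi2014", "qwerty", "123321", "Rd7!xTqm-4Lp"):
        verdict = check_password(candidate) or {"ok"}
        print(f"{candidate!r:16} -> {sorted(verdict)}")
```

Each returned tag names the rule that failed, so the caller can tell the user which characteristic to fix rather than just rejecting the password; a real deployment would swap the constructed word list for full dictionaries and pass in the user's known names and dates.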

4.4.3 Application development standards

Application developers shall ensure that their programs contain the following security precautions.

a) Shall support authentication of individual users, not groups.

b) Shall not store passwords in clear text or in any easily reversible form.

c) Shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

d) Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
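Points a) to c) above describe what an application's account handling should look like: one record per user, passwords stored only in a one-way form, and a way to hand one user's functions to another without disclosing a password. The following Python is an added example written for this page, not part of the University's policy nor any ICTC system. It uses PBKDF2-HMAC-SHA256 from the standard library as one widely available one-way scheme that meets b); the in-memory `UserStore`, its `delegate` method and the sample accounts are constructed for illustration.

```python
"""Password storage and role delegation in the spirit of section 4.4.3(a)-(c).

Added example; not part of the University's ICT policy nor any ICTC system.
The UserStore class and the sample accounts are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware allows


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:            # malformed record
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Checked for unknown users so that a lookup takes the same time either way.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


class UserStore:
    """Per-user accounts (4.4.3 a) with roles an admin can hand over (4.4.3 c)."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, roles=()):
        if username in self._users:
            raise ValueError(f"user {username!r} already exists")
        self._users[username] = {"hash": hash_password(password), "roles": set(roles)}

    def stored_hash(self, username):
        return self._users[username]["hash"]

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            verify_password(password, _DUMMY_HASH)
            return False
        return verify_password(password, record["hash"])

    def roles_of(self, username):
        return frozenset(self._users[username]["roles"])

    def delegate(self, admin, admin_password, source, target):
        """Let `target` take over `source`'s functions; only the admin's own password is needed."""
        if not self.authenticate(admin, admin_password) or "admin" not in self._users[admin]["roles"]:
            raise PermissionError("delegation requires an authenticated admin")
        self._users[target]["roles"] |= self._users[source]["roles"]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("admin1", "Adm!n-Pass-77", roles=["admin"])
    store.add_user("alice", "Rd7!xTqm-4Lp", roles=["payroll"])
    store.add_user("bob", "Qz9#mnTv-2Kr")
    print(store.authenticate("alice", "Rd7!xTqm-4Lp"), store.authenticate("alice", "guess"))
    store.delegate("admin1", "Adm!n-Pass-77", "alice", "bob")
    print(sorted(store.roles_of("bob")))
```

The stored record carries its own salt and iteration count, so the work factor can be raised later without a format change, and `delegate` lets bob inherit alice's functions while neither bob nor the admin ever learns alice's password, which is the point of 4.4.3(c).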

(Refer to Section 3, on Pg.19-24 of the ICT policy for more information)

by_using_the_uon_network_you_have_agreed_with_the_following.txt · Last modified: 2014/12/17 09:46 by kimemia