|Information & Communications Technology
|Vice-Chancellor, August 2009
|Date Procedure Took Effect
|26 August 2009
|Last approved revision
|30 June 2011
|Director, Information Services
|Manager Information Security
This procedure has been formulated with the following goals in mind:
- to ensure the security, reliability and privacy of the University of Otago's systems and network, and the networks and systems of others.
- to avoid any situation that may cause the University of Otago to incur civil liability.
- to maintain the image and reputation of the University of Otago as a responsible provider.
- to preserve the value of Internet resources as a conduit for free expression.
- to encourage the responsible use of net resources, discouraging practices which degrade the useability of network resources and thus the value of Internet services.
- to preserve the privacy and security of individual users.
This Procedure applies University-wide.
- Information Technology Services
- any computer system that provides services to other computers by use of the network.
- System Administrator
- in the context of this Procedure, the person responsible for the management and upkeep of a server.
1. General Server Procedure
- The provisions of the Responsible Use of Computing and Data Communication Facilities and Services apply to Servers.
- Computer Servers must be run:
- in a professional and ethical manner
- to maintain the privacy and intellectual property rights of the owners of material on the server
- in a secure manner such that the material on them is not subject to unauthorised access or change, and that the Server itself may not become a channel for unauthorised access or change of materials on other peoples Servers
- Each server must have a person, known as the System Administrator, who is responsible for the management and upkeep of the server.
- System Administrators must abide by the guidelines in the Responsible Use of Computing and Data Communication Facilities and Services.
- Subject to the following provisions, the System Administrator will not routinely inspect, monitor or disclose information held on Servers they manage without the consent of the owner of the information.
- Systems Administrators may need to inspect databases in the course of their administration duties. Such access must be limited to the least invasive level of inspection required. This exemption does not entitle disclosure of any personal or confidential information. However accidental disclosure of information consequent on reasonable efforts taken in good faith shall not be a breach of this procedure.
- The University may, subject to requirements of this procedure, disclose anything stored on its Servers, only in the following circumstances:
- when required by the laws of New Zealand, including but not limited to the Official Information Act and the Privacy Act and for the conduct of proceedings before any Court or Tribunal; and/or
- where the University with good reason believes violations of the laws of New Zealand or of University Regulations have occurred; and/or
- where the University with good reason believes failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or significant liability to the University or to members of the University community; and/or
- where critical operational circumstances exist where failure to act would seriously damage the ability of the University to function administratively or to meet its teaching, research or community services obligations.
2. Synchronisation of Log Time Stamps
- All servers should synchronize their times and log timestamps. It is essential for post-compromise forensics and for consistent investigation of events that the log timestamps of all University systems be synchronised. This may be achieved using ntp or a similar time service to query the on campus time servers (timeserv.otago.ac.nz).
- Remote logging of error and security events to a central log host is desirable.
3. Email Server Management Policies
- The following guidelines are recommended for the setup of mail servers to enable the managers of such services to meet the Responsible Use of Computing and Data Communication Facilities and Services guidelines, and to maximise the benefits to the departments and University.
- Departments or organisations within the University running email servers (for example SMTP, GroupWise, exchange, sendmail) must:
- register the existence of that mail server with ITS in order to allow access on and off campus of mail for that server via the University Mail Hub.
- have Postmaster (postmaster@ )and Abuse (abuse@) addresses which are monitored and actioned in a timely manner. If preferred these addresses may be set to forward to firstname.lastname@example.org and email@example.com, respectively.
4. Web Server Management Policies
- The following guidelines are recommended for setup of web servers, to enable the managers of such services to meet the Responsible Use of Computing and Data Communication Facilities and Services guidelines, and to maximise the benefits to the departments and University.
- Departments or organisations within the University running Web servers must:
- register the existence of the web server with ITS, for the purposes of security tracking, for lookup purposes and to ensure that in the event of blocking of http/https traffic on or off campus all valid web servers will continue to be able to operate, and the appropriate people will be able to be notified
- provide a valid WebMaster address. Web server managers should provide a Webmaster@host address that is monitored and actioned in a timely manner. If preferred this may be forwarded to firstname.lastname@example.org
5. Address Allocation (Directory) Server Management Policies
- The University has a large and complex network. This network is dependent on a number of directory services which are used to identify connected components, to manage access, for accounting purposes, for security control and for general management of the network. Included in these services, but not exclusively, are DNS, BootP, DHCP, Novell NDS and Active Directory Services. These services MAY NOT BE RUN by any department, or part of the University, other than those authorised by Information Technology Services.
- Inappropriate or misconfigured operation of any of these servers has the potential to:
- disrupt routing for network packets, effectively bringing the network down
- cause mis-delivery of mail or other name-server dependent protocols
- bypass, compromise or otherwise negatively effect on campus security services
- disrupt network operating systems communication to negatively impact server performance, cause server crashes and data loss, and consume time in determining the source of the problem
- If any such servers are found, which are not operated by, or authorised by, ITS, they will be disconnected from the University's network.
Related policies, procedures and forms
- Information and Communications Technology Regulations 2014
- Email Server Policy
- Server Registration Policy
- Software Licence Compliance Policy
- Anti-virus Procedures
- Internet Domain Names Procedure
- Remote Access Procedure (including VPN)
- Software Security Updates (Patching) Procedure
- University Network Interconnection Procedure