
Information Strategy

Regulation 8.1.R7 Guidelines

These guidelines are published by the Vice-Principal (Information) under University Regulation 8.1.R7, Section 10. Regulation 8.1.R7 applies to use of University computing and network facilities.

The Regulation allows the Vice-Principal (Information) to publish guidelines on these matters:-

a. activities which are considered to impose an unreasonable burden on the central facilities or any local facility;

b. journals and other publications, including online publications such as e-zines and website or blog journals, which may be published using the facilities;

c. record-keeping by providers; and

d. appropriate security controls.

Points (a) and (b) are important to everyone - staff, students and other users. Points (c) and (d) are of most interest to IT staff and to those who manage IT staff (whether centrally or in the faculties and departments), but all users should be aware of the record-keeping and security controls that apply. Also, all users should be aware of their role in security and particularly:-

"All users have a responsibility to exercise due care and diligence in the management and maintenance of personal computing equipment in their care, including personally owned equipment which is used in conjunction with University computing and network facilities, to prevent that equipment interfering with the equipment, work or security of others.

"Passwords and any other authentication methods are provided to individuals for their own use only. Users may not allow any other person to use them without the written approval of the relevant service provider. Unauthorised disclosure or sharing of a password or other authentication method is misuse, as is failure to take due care in ensuring security of such access control measures. Users will be held responsible for the consequences."

Guidelines for All Users

1. Activities which are considered to impose an unreasonable burden on the central facilities or any local facility

Most of the facilities are shared, finite resources, designed to have capacity sufficient to meet the reasonable needs of the University community in the course of work or study at the University. In order that all users can get their work done, it's important to avoid activities which impose an unreasonable burden.

1.1 Peer-to-peer

Other than as the need arises in the course of research, teaching, learning or other University business, the use of University facilities with any of the so-called peer-to-peer filesharing systems imposes an unreasonable burden, and in many cases would also be in breach of copyright.

1.2 Spam and email list abuse

Sending unsolicited messages to mailing lists, other than emails within the purpose of the list, imposes an unreasonable burden.

1.3 Excessive personal use of the internet

Personal use, beyond limited personal use as defined by Regulation 8.1.R7, imposes an unreasonable burden. In this context, users are expected to be moderate in causing internet traffic through personal use. As a guide, personal use which generates more than 50 megabytes of internet traffic per week would usually be considered excessive. In this context, users should note that high-quality "internet radio" streams have data rates of around 25 - 50 megabytes per hour.

1.4 Excessive personal use of server space

Similarly, users should be moderate in the use of University servers to store personal material, especially relatively large objects such as photographs, music files or video footage. As a guide, 100 megabytes is acceptable personal use; those with larger requirements should make their own arrangements, using personal equipment or commercial service providers.

2. Journals and other publications, including online publications such as e-zines and website or blog journals, which may be published using the facilities

2.1 University publications

Properly approved official University publications which comply with relevant University standards may be published using the facilities.

2.2 Publications hosted or distributed using external services

Unofficial websites and other online publications require care, particularly if the University is visible in the publication. There are cases where the University is not visible, in which case less constraint applies.

It is acceptable to use a University computer to create a website and post it to a webserver outside the University, so long as the website does not appear to be a University website and use of University facilities does not breach Regulation 8.1.R7 in any way.

Similarly, use of a University computer to post entries to an external weblog ("blog") is acceptable, so long as the use of University facilities does not breach Regulation 8.1.R7 in any way.

A third example in similar spirit is use of a University computer and internet connection to post a publication to a mailing list, using a From: address not associated with the University. This is acceptable, so long as the use of University facilities does not breach Regulation 8.1.R7 in any way.

In all such cases, great care must be taken to avoid giving the impression that a user's personal views are those of the University.

2.3 Publications visibly hosted or distributed using University facilities

Great care must be taken if the University is visible in a publication other than an official University publication - for example, if the publication is a website within the unimelb.edu.au namespace, or if the publication is an email newsletter sent from a University email address, or using a University email listserver.

Such publications must be relevant to the author's activities in the University, and must clearly state that the publication does not necessarily reflect the views, policies or opinions of the University. The publication must not be designed in such a way that it is likely to be mistaken for an official University publication, and must not breach Regulation 8.1.R7 in any way.

It is unacceptable to use University facilities to host or distribute publications associated with or on behalf of an external organisation, unless the external body is an appropriate professional association. Users contemplating such publication are urged to consult a relevant authority before using University facilities for such a purpose.

Paid advertising is not allowed unless by permission of the Vice-Chancellor or nominee. Links to, or mention of, external organisations may be provided only if there is a clear benefit to the intended audience of the publication and it is not likely to be misinterpreted as advertising.

See also: Web publishing policies and guidelines

Guidelines for Managers and IT Staff

3. Record keeping by providers

Beyond routine use logging, general security and reasonable management controls, service providers are not required to monitor user activities. Nevertheless, they are required to collect, and maintain for at least six months, appropriate logs. One aim of keeping these logs is to enable the University to investigate alleged misuse of the facilities and, in cases where misuse has occurred, to identify the user who did or caused the misuse.

In some cases, providers will collect and maintain appropriate records locally. In other cases, the record-keeping responsibility can be met by arrangements for the Information Division to collect and keep adequate records, particularly in the course of managing the University Network and its connection to the internet.

In the case of computers which are allocated for the use of an individual, it is not necessary to record logins or the like. However, records should be kept of the volume and destination or origin of internet traffic arising from use.

In the case of shared computers (in computer laboratories, for example), a record of logins, identifying the user and the time of login (and, where possible, the time of logout), should be kept. This is in addition to records which should be kept of the volume and destination or origin of internet traffic arising from use.

In the case of email servers, there is no need to retain the content of email messages or attachments. However, for incoming and outgoing messages, the From:, To:, cc: and timestamp headers should be retained.

In the case of file servers, there is no need to retain the content of deleted files, other than in the course of reasonable file backup procedures. A record of logins, identifying the user and the time of login (and, where possible, the time of logout), should be kept.

In the case of web servers, for users who have accounts on the server allowing login via telnet, ftp, file-serving protocols or similar, a record of logins, identifying the user and the time of login (and, where possible, the time of logout), should be kept. Normal web-serving logs should be kept, recording for each serving of an object, at least: the date and time, the URL of the served object, and the hostname (IP name) or IP address (IP number) of the requestor.

4. Appropriate security controls

All users have a responsibility to exercise due care and diligence in the management and maintenance of personal computing equipment in their care, including personally owned equipment which is used in conjunction with University computing and network facilities, to prevent that equipment interfering with the equipment, work or security of others.

Passwords and any other authentication methods are provided to individuals for their own use only. Users may not allow any other person to use them without the written approval of the relevant service provider. Unauthorised disclosure or sharing of a password or other authentication method is misuse, as is failure to take due care in ensuring security of such access control measures. Users will be held responsible for the consequences.

At the most basic level, departments operating computing and network facilities must appoint a person or persons to administrate those facilities. Those who administrate servers or networks need to be trained in the operation of the relevant technology and need to be registered with the Information Division. Those who administrate servers or networks are required to maintain records of who has access to the facilities.

Physical security has long been one of the first lines of defence in any computing system and is relatively easy to implement. File servers must be located in a lockable room, not in thoroughfares. Access to the room housing the server must be restricted to administrators and their assistants. The room housing the server must be locked outside normal working hours. Computers fitted with a key lock facility must be locked outside normal working hours. Computers not located in private offices must be affixed to workstations using chain locks or other locking devices.

Usernames and passwords are the most common forms of access control. Users and administrators have a shared responsibility to maintain good practice in password security, by ensuring that passwords are changed at appropriate intervals, that they are at least 8 characters long, that they are not ordinary words, and that they are kept secret.

Where available, access logs must be monitored to detect exceptional conditions such as repeated unsuccessful log-in attempts.
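The control above can be applied mechanically to the login records that section 3 requires providers to keep. The following added example is not part of these guidelines or of any University tool: it reads constructed sshd-style syslog lines and flags any source with three or more failed logins inside a ten-minute window, grouping by source rather than by user so that one machine cycling through many usernames is also caught. The threshold, window and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (not real logs); the year is assumed to be 2005.
SAMPLE_LOG = """\
Feb 15 09:00:01 lab-pc01 sshd[2101]: Accepted password for alice from 10.1.2.3 port 40112 ssh2
Feb 15 09:00:05 lab-pc01 sshd[2102]: Failed password for bob from 192.0.2.44 port 40113 ssh2
Feb 15 09:00:09 lab-pc01 sshd[2103]: Failed password for bob from 192.0.2.44 port 40114 ssh2
Feb 15 09:00:14 lab-pc01 sshd[2104]: Failed password for bob from 192.0.2.44 port 40115 ssh2
Feb 15 09:30:00 lab-pc01 sshd[2105]: Failed password for carol from 10.1.2.9 port 40116 ssh2
Feb 15 09:31:00 lab-pc01 sshd[2106]: Accepted password for carol from 10.1.2.9 port 40117 ssh2
Feb 15 10:00:00 lab-pc01 sshd[2107]: Failed password for bob from 192.0.2.44 port 40118 ssh2
Feb 15 11:00:00 lab-pc01 sshd[2108]: Failed password for invalid user admin from 198.51.100.7 port 40119 ssh2
Feb 15 11:00:03 lab-pc01 sshd[2109]: Failed password for invalid user root from 198.51.100.7 port 40120 ssh2
Feb 15 11:00:07 lab-pc01 sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 40121 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_events(text, year=2005):
    """Return a list of (timestamp, failed, user, source) for each recognised login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"] == "Failed", m["user"], m["src"]))
    return events

def find_repeated_failures(text, threshold=3, window=timedelta(minutes=10)):
    """Return [(source, count)] for sources with >= threshold failed logins inside
    one sliding window of length `window`; grouping by source (not user) also
    catches one source trying many usernames."""
    by_src = defaultdict(list)
    for ts, failed, _user, src in parse_events(text):
        if failed:
            by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = worst = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts.append((src, worst))
    return alerts
```

With the sample above, bob's fourth failure at 10:00 falls outside the window of the first three, so his source is reported with a count of 3, and the single failure from carol's source is not reported at all.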

See also: IT Security Policy Guidelines


Linda O'Brien, Vice Principal (Information)
February 15 2005
