Purpose of the IT Policy:
CBIT recognizes the role of ICT in the institute’s mission and related administrative activities, as well as the importance, in the academic environment, of protecting information in all forms. Due to the increased usage and sharing of digital content and information by the students, faculty and staff both within and outside the institute, an increased effort must be made to protect the information and the technology resources that support it. Increased protection of our computers and communication resources, to assure the usability and availability of those resources, is the primary purpose of this IT policy. The ethical principles that apply to everyday community life also apply to computing and communications. Every user of the institute has two basic rights: privacy and a fair share of resources. If any person violates these two principles then it is unethical.
The IT policy lays down the general guidelines for the use of computing and communication resources. It is not possible to enumerate all the cases, but a rule of thumb is that any activity which causes inconvenience to others, depletes the computer resources, jeopardizes the security of the systems, or violates intellectual property rights of software amounts to unethical use. Further, it should be noted that the punishment set out for various cases may change depending on the severity and offence. Faculty, staff and students with authorized accounts may use the IT facilities for academic purposes, official institute business, and for special purposes so long as such use does not violate any law, institute IT policy or IT act of the Government of India.
Scope of IT Policy:
- People to Whom Policy Applies: Everyone who accesses the Institute IT resources, whether they belong to the institute or not, whether on campus or from remote locations, including but not limited to students, faculty, staff, contractors, consultants, temporary employees, guests, and volunteers. By accessing institute IT resources, the user agrees to comply with this Policy.
- Definition of IT resources: IT resources, as per this Policy, include, but are not limited to, Institute communication lines, networks, Wi-Fi, servers, exchanges, internet connections, terminals, applications, PCs, laptops, printers, scanners, audio & video equipment, mails, storage, e-content. IT resources include those owned by the institute and those used by the institute under license or contract, including but not limited to information recorded on all types of electronic media, computer hardware and software, paper, computer networks, and telephone systems. IT resources also include, but are not limited to, PCs, servers, laptops and other devices owned by the institute and the IT resources that are intentionally connected to the institute-owned IT resources (other than temporary legitimate access via the world wide web) while so connected.
- Policy change: New policies or changes in policy may be introduced as and when considered appropriate, and will take effect immediately after a brief announcement by any means: email, printed notices, or the news groups.
- Every user is assigned an ID to use shared systems (like servers, HPC systems, printers etc.). Nobody else should use an ID without explicit permission from the owner.
- All files and information belonging to somebody shall be assumed to be private and confidential unless the owner has explicitly made them available to others or declared public access.
- Messages sent to other users through various platforms should always identify the sender.
- The network traffic both on internet/intranet is implicitly private.
- All the records including logs relating to the use of computing and information resources are confidential.
- Nobody should deliberately attempt to degrade or disrupt computing and communication systems performance or to interfere with the work of others. Any attempt to disrupt service or performance on systems on/off campus can result in the loss of network privileges and disciplinary action. Examples of denial-of-service attacks include mail bombing (sending thousands of mail messages to a group or individual), ping flooding (launching continuous ping requests at a specific machine), “Smurf attacks”, “SYN floods”, etc.
- Vulnerabilities in computer systems or knowledge of a special password should not be used to alter computer systems, obtain extra resources, or take resources from another person.
- Computing equipment owned by academic/administrative units or individuals should be used only with the owner’s permission.
- The IT resources are provided for the institute purpose only. Any use of computing for commercial purposes or personal financial gain must be authorized in advance. While the institute makes computer resources available primarily to achieve its goals of education and research, it realizes the need to encourage the personal use of computing for the convenience of the campus community. The extent to which these resources are used for personal reasons is limited to strictly non-profit-oriented tasks. Thus, it is reasonable to allow the use of computing resources for computer mail, document preparation or other activity that can facilitate convenience or enhance productivity. Any personal use of computing resources that produces individual financial gain is prohibited unless permission has been taken and an account has been issued which releases this restriction.
- It is unethical to make such excessive use of system resources (like servers, HPC, GPUs etc.) that other users cannot obtain access to these resources. Examples: excessive use of disk space, CPU time, bandwidth etc. The excessive usage is determined by the system administrator and such a user is to be held responsible for any further such infractions.
- Computing and communication resources are institute resources. Theft, mutilation, and abuse of these resources violate the nature and spirit of community and intellectual inquiry.
- Usage of Subscribed Hardware/Software/Services: All the services subscribed to by the institute, like AWS, MS Office 365, antivirus, plagiarism software, institute-owned mail service, video-conferencing etc., shall be used as per the policies and limitations imposed by the third parties and the institute. In case of any violation by a user, the institute reserves the right to initiate disciplinary actions.
- System Administration
- On rare occasions, computing staff may access others’ files, but only when strictly necessary for the maintenance of a system. There may be technical reasons why a small number of system personnel must have access to all information on the system, much as custodial personnel must have keys to all offices in the institute building. Such personnel bear a special responsibility not to abuse such privileges. It is improper for them to peruse a user’s files for any purpose unrelated to their official functions or to appropriate or divulge any information which the user has protected from public access.
- If any vulnerability is found in the security of any computer system, it should be reported to the system administrator and not used for personal gain or to disrupt the work of others.
- Distribution of programs and databases is controlled by the laws of Copyright, licensing agreements, and Trade secret laws. These must be observed.
- Individual users are responsible for the security and integrity of their systems. In case of system hacking, it is recommended that the system be either shut down or removed from the institute network as soon as possible to localize any potential damage and to stop the attack from spreading. In such cases, if the system administrator cannot be contacted in a reasonable time, the concerned authority reserves the right to disable the network connection. Once the system administrator is made aware of the situation and agrees to take reasonable steps to ensure that the machine is not compromised, network privileges may be restored.
- In cases where the machine continues to pose a security concern despite the efforts of the system administrator, the institute reserves the right to keep the machine away from the network until the problem is rectified.
- In cases where the machine habitually causes problems, by action, as a “target” of incoming attacks, or because of a lack of responsible behaviour on the owner’s part, the Computing Centre may initiate action to permanently ban the user from having machines on the campus network.
- Anonymous Mailers: All the electronic communications at CBIT must accurately identify the sender. Anonymous and masquerading mail forwarders are explicitly prohibited by the IT policy.
- Copyright Material (e-books, journals, movie files, e-content etc.): It is a common misconception that the creation and subsequent distribution of material is an acceptable activity. The distribution of copyrighted materials is illegal and is in direct violation of the Computing Code of Ethics. For copyrighted material, we do not have a license to distribute. Copyright material from any website using CBIT resources is prohibited.
- Obscene material should never be digitally stored or manipulated or shared.
- Software Piracy: Distributing licensed software is illegal and constitutes a violation of the Computing Code of Ethics.
- Backup of critical data should be in compliance with the requirements of IT Act of India.
- COMMUNICATIONS (Network cards/controllers, Switches, Apps etc.)
- General Guidelines:
- It should be noted that the institute resources, such as the Campus Network comprising network cards, Wi-Fi controllers, access points and security appliances, are provided for institute purposes. Allowing non-associated users to have an account on campus or dedicated remote access systems could be considered a violation of this policy.
- Bulk emails communicated through G-Apps, cbit.ac.in, cbit.org.in, CBIT-CAMU App will be permitted after due approval of the competent authority.
- Dynamically assigned IP addresses are considered to be “registered” for the period of the dynamic lease to any device on the communication network.
- Under no circumstances may a machine be configured with IP addresses that have not been assigned by Computer Centre. By assigning an unregistered IP address or an IP address assigned to another, you may deprive other users of network service and/or make it considerably more difficult to diagnose network problems on the campus network.
- The Servers/VMs which have public IP addresses issued to the concerned academic/administrative unit will be liable for any breach of security.
- Using a different MAC address other than the registered one with Computer Centre will also result in the machine being removed from the network. Users purchasing new network cards/controllers, or who otherwise need to change their MAC address must inform Computer Centre in order to ensure that the information listed above is kept accurate and up-to-date.
- Routers, VPNs & Access Points (APs)
- Routers/VPNs/Access Points are generally used to connect multiple network segments together and should not be necessary for individual users on our campus. If misconfigured, routers can cause severe problems for all users on a network segment. Therefore, all the Wi-Fi APs/Routers are mandated to be configured by the Campus Network Facility. For these reasons, systems connected to the campus network at any site are not permitted to act as routers. If anyone other than the authorized/CNF personnel configures switches/APs, then such activity is considered a violation.
- Most operating systems do not provide routing functionality and are perfectly safe to attach to our network in any configuration. Some, like Windows/POSIX/Linux/Servers, have the capability to provide routing functionality. For such systems, you should ensure that routing is not configured when they are attached to the campus network, unless explicit permission is obtained in advance from CC/CNF.
- DHCP: Systems on the network are not permitted to be configured as DHCP servers. DHCP allows systems to obtain the correct IP address during the boot process. User owned DHCP servers may override the distribution of IP addresses by the official DHCP servers, causing the client systems to obtain an incorrect address, denying it access to the network.
- Domain Names: All registered machines being used for website hosting or for any research activity on the CBIT/External network using the domain ‘cbit.ac.in’ or ‘cbit.org.in’, must have the security compliance in place or given access through VPN.
- Network Traffic: It should be considered private. ‘Packet sniffing’, or other deliberate attempts to read network information which is not intended for your use, will be grounds for loss of network privileges for a period of not less than one full semester. In some cases, the loss of privileges may be permanent. Note that it is permissible to run a packet sniffer explicitly configured in non-promiscuous mode (you may sniff packets going to or from your machines). This allows users to explore aspects of networking while protecting the privacy of others.
- The connections to campus services, dedicated remote access services and Internet services are provided to allow students, staff and faculty to fully participate in the teaching, research and administrative activities of CBIT, Hyderabad. In general, we encourage individuals to provide useful, interesting and inventive content to the Internet community, so long as it remains feasible for us to do so.
- It may not remain feasible to provide unlimited connectivity for systems which are not strictly serving the institute’s missions. Because of this possibility, we reserve the right to request the users to reduce the amount of traffic being caused by their service, or where necessary to remove such systems or services from the campus network. In all but extreme cases, we will contact the owner of the system before removing it from the network.
- Misconfigured Services: There may be times when a machine is unintentionally misconfigured and subsequently causes a problem on the campus network. In such cases, the machine will be immediately disconnected from the campus network to preserve the best possible service for the majority of the users. The owner of this system will be notified via electronic mail and via telephone.
- The machine will only be allowed back onto the network after the owner notifies the Competent Authority, or the person who sent the electronic mail, that they have reconfigured the machine, resolving the problem.
- Network Maintenance: Computer Centre will periodically conduct scans of various areas of the network and subnets, which helps to maintain a reasonable network environment for the majority of the users. Results of such scanning would help to discover misconfigurations and may help to discover activities that violate laws, institute policies or guidelines. Based on this, the appropriate actions will be taken to resolve the problem or issues.
- SOCIAL MEDIA
- The personal account or statements don’t represent the institute. You should not attribute or state or imply that your personal opinions and content are authorized or endorsed by the institute. We advise using a disclaimer such as “opinions are my own” to avoid misunderstandings.
- Avoid sharing of Intellectual Property like trademarks on a personal account without approval. Confidentiality policies and laws always apply.
- Avoid any defamatory, offensive or derogatory content. It may be considered a violation of the institute’s anti-harassment policy if directed towards students, faculty or staff members.
- Do not use official email IDs to register on social networks, blogs or other online tools utilized for personal use.
- Refrain from using social media while on work time or on equipment we provide, unless it is work-related as authorized by the institute.
- PUNISHMENTS FOR DEGREE OF IMPROPER BEHAVIOUR
- Violation of policy will be treated as academic misconduct, misdemeanour, or indiscipline as appropriate.
- Improper behaviour in the use of computer/communication system is punishable under the general institution policies and regulations.
- The offenses mentioned in this statement range from relatively minor to extremely serious, though even a minor offense may be treated severely if it is repeated or malicious. Most serious of all are offenses that compromise the integrity of the academic process, such as altering grade records or plagiarism. Appropriate disciplinary action depends not only on the nature of the offense, but also on the intent and previous history of the offender.
- Playing games using institute’s computing and communication resources, unless they are related to academic/research activities
- Locking the screen of machines belonging to the institute
- Sending junk/fake mail to all the users
- Forwarding chain emails
- Misusing Facility
- Security related misuse
- Anonymous mail forwarding
- Software related misuse
- Network related misuse
Minimum punishment is suspension of Computer Access for two weeks. Additionally, a financial fine may be imposed.
- Unnecessary downloads from the Internet
- Giving accounts to other persons, sometimes outsiders
- Storing pornographic material on the disk
- Viewing pornographic material on terminals
- Using personal account to do outside (non-inside) work for which the individual is paid.
Minimum punishment is suspension of access facilities for SIX months and cases being sent to concerned authorities for disciplinary action.
Security related misuse
- Breaking security of the system
- Trying to capture password of other users
- Damaging/gaining access to the data of other users
This type of abuse is taken most seriously. These cases will be sent to concerned authorities for necessary disciplinary action. Anyone found involved in this type of activity will have access denied for one year.
Anonymous email forwarding: Running of such a service is grounds for removal of campus network privileges for a period of not less than one full year.
Software related misuse
- Using any kind of software without correct licenses
This type of abuse is taken most seriously. Anyone found involved in this activity will be denied access facilities and will be liable for direct action from the software provider/manufacturer/company for any breaches of licensing, without any responsibility on the part of the institute.
- Downloading/ Distributing Copyrighted materials
Users found to be misusing network connections will have their privileges revoked for not less than one semester and subsequent disciplinary action.
Network related misuse
- Using an IP address which is not assigned or using MAC address which is different from the one registered with Computer Centre.
This kind of misuse is grounds for loss of campus network privileges for a period of not less than one full semester.
- No router is permitted to be attached to any portion of the campus network without the approval of the Campus Network Facility.
Users who cause problems due to this configuration will face disciplinary action in addition to the loss of network connectivity for the system.
- Domain Name violation
Systems violating domain name guidelines will be immediately disconnected from the campus network for a period of not less than one semester.