
Security Policy of the TU Vienna

Vienna University of Technology
Policy Collection
Keyword: Security
Title: Security Policy
Author: Udo Linauer
Organisational Unit: ZID
Version: September 1st, 2002
Revised by: Georg Gollmann

1. Overview

Vienna University of Technology expects individual users of its IT equipment (computers and networks) to act responsibly. In response to violations of this Security Policy or of applicable law, Vienna University of Technology and its organizational units are entitled to withdraw access authorization (temporarily or permanently), to delete data from computers of the TU Vienna as required, and to disconnect computers from the network. If necessary, decisions are made by the "University Information Security Officer"; the court of second instance is the director of the ZID.

2. Purpose

Vienna University of Technology has the responsibility to take whatever measures are deemed necessary to ensure efficient use of its IT equipment. The Security Policy therefore contains a list of unacceptable forms of conduct (violations). Every user can file a complaint if any of the points on the list are not respected, in order to protect himself against harassment and discrimination, and to protect the TU Vienna and its organizational units against damage and legal consequences. In order to protect TU Vienna's IT equipment, the Security Policy defines standards for the security of computers, networks and data. It provides guidelines for the appropriate use of information systems (minimum responsibilities related to access to and use of computers and network resources). Organizational units of the TU Vienna remain free to define, in writing, stricter rules for certain areas.

3. Scope

This Policy applies to all members of the Vienna University of Technology as well as to persons who, through agreements, have access to the computers and networks of the Vienna University of Technology. In addition, it serves as a basis for responses to attacks from outside the University.

4. Versions

Here, revisions of the document are noted with a short summary of the changes. The Policy is to be reviewed at least every two years and updated whenever necessary. Revisions outside these intervals may become necessary in case of far-reaching changes of a technological or organisational nature.

Version June 1st, 2000, Initial release, approved by the Rector, valid from 7th June, 2000.
Version September 1st, 2002, Modified formatting for easier referencing.

5. Introduction

The use of computers and networks has become daily routine for the members of the Vienna University of Technology. Misuse may obstruct the work of others. The Vienna University of Technology therefore expects that users act responsibly, observe all laws and regulations, and respect the rights of others.

In principle, every individual user, institute or organizational unit of the TU Vienna sets the guidelines for how computers and networks are used. This concept - that everything is permitted which is not forbidden - has proved to be a useful practice and shall be kept. The experience of recent years, however, has clearly shown that there must be a general consensus on, firstly, the misuse that is not to be tolerated and on how to enforce measures against such misuse; and secondly, that minimum requirements for the use of IT equipment must be defined.

The Security Policy formalizes these two points and gives users a basis for deciding what is considered appropriate usage of computers and networks.

Because of this maximum openness, misuse cannot be eliminated entirely. The Security Policy helps to recognize misuse in order to minimize the consequences for the individual user and the TU Vienna. In this way, violations will no longer be without consequences.

The TU Vienna does not carry out general monitoring of users and data. Users are therefore required to solve any problems at the institute level or to report them to the ZID. The document "Security Policy of the TU Vienna - How to ?" contains a list of contact addresses as well as further explanations of the subjects addressed in the Security Policy. That document is updated on a regular basis.

6. Policy Violation

Violations of the Security Policy include one or more of the following acts (see also the detailed description in the document "Security Policy of the TU Vienna - How to ?").

A. Use of electronic communication facilities for attacking individuals or groups of persons (disregarding "netiquette")

A1) Distribution or circulation of information that includes vilification or insult of persons based on their skin colour, nationality, religion, sex, political attitude or sexual preferences.

A2) Distribution of private information of an individual or a group of persons.

A3) Repeated and undesirable sending of messages.

B. Use of electronic communication facilities obstructing the work of others

B1) Sending "mail bombs" or use of similar techniques.

B2) Deliberately wasting computing resources.

B3) Sending excessive electronic messages (spam mail). Exception: distribution of official notes in analogy to in-house postal services.

B4) Sending or circulating electronic chain-letters.

B5) Manipulation of electronic data.

B6) Attempting to gain unauthorized access to information resources.

C. Violation against license agreements or other contractual agreements

C1) Copying and distributing of copyright protected material on computers of the TU Vienna and/or over networks of the TU Vienna, in contradiction to license agreements or other contracts.

C2) Disclosure of access authorization or making access available to others (with or without charge) without permission covered by agreements.

D. Use of electronic communication facilities for attacking computers, networks or services

D1) Portscans (automated exploring of servers and services). Exception: security tests by arrangement with the system administrator.

D2) Unauthorized access to information resources or attempting to gain unauthorized access (hacking). Exception: security tests by arrangement with the system administrator. Any hacking activities must be reported to the ZID!

D3) Damaging or interfering with electronic services (denial of service attacks). Must be reported to the ZID!

D4) Distribution or circulation of viruses, computer worms, trojan horses, or other destructive programs.

D5) Spying out passwords, or attempting to do so (e.g. with a password sniffer).

D6) Manipulation or forgery of mail headers, electronic directories or other electronic data, especially attempting to impersonate someone else, IP-spoofing, etc. Exception: use of Network Address Translation (NAT) or similar technologies in case of a firewall.

D7) Taking advantage of recognized security loopholes and/or administrative shortcomings.

7. Standards for Administration of IT Systems

In order to guarantee the regular operation of a computer or an active network component, at least the following points must be fulfilled.

1. Professional installation and configuration
2. Installation of necessary patches, especially of security patches
3. Installation of necessary upgrades
4. Regular change of passwords. Choice of safe passwords or installation of strong authentication methods (e.g. public key). Regular review of existing accounts to confirm they are still current (at least at the end of each semester).
5. Report personnel changes of the system administrator to the ZID.
6. Provide secure login (without clear-text passwords) wherever possible; this is obligatory in case of remote administration.

Ad 1.-4.) If not maintained properly, a computer can jeopardize the operation of parts of the TUNET (for example through hacking or mail relaying). Assistance and support may be obtained from the ZID, department "Standardsoftware".

Ad 5.) The TUNET data base with its web interface is an easy-to-use tool for retrieving data concerning system administration. Changes in personnel must be reported to the ZID, department "Kommunikation", by e-mail. It is very important that the system administrators are known, because in case of attacks (for example hacking) fast contact is indispensable. Moreover, certain services, e.g. security scans of a computer, can only be performed by arrangement with the system administrator and/or the head of an institute or the director of a university institution.

System administrators may address questions concerning the operation of a computer to the ZID, department "Standardsoftware", and questions concerning active network components to the department "Kommunikation".

Individual users must report any known loophole in system security to the appropriate system administrator and ask for corrective actions.

8. Enforcement Procedures

Experience shows that most violations occur out of ignorance of the Security Policy or because of technical shortcomings. In such cases it is sufficient to inform the originator about the Security Policy of the TU Vienna and to ask them to refrain from further violations. In cases of violations against the "netiquette" or against license agreements, data must be deleted from servers if necessary. If violations also affect other institutes, university institutions or organizations (including those outside the TU Vienna), the appropriate system administrators and also the ZID must be contacted and informed (for example, user authorizations on other computers may have to be revoked).

If direct contact remains without effect, or the originator cannot be found or does not respond, the ZID is to be contacted and informed, preferably by e-mail (for the e-mail address see the document "Security Policy of the TU Vienna - How to ?"). Besides the description of the problem, the report should state which point of the Security Policy was violated. If necessary, the Information Security Officer decides whether a particular use is inconsistent with the Security Policy; the court of second instance is the director of the ZID.

Measures taken by the ZID

1. The ZID will ask the network or system administrator of the computer (network) where the incident occurred to take appropriate actions, to revoke access authorizations and to delete data from servers.

2. If the system administrator of the computer involved is not available or not able to take appropriate actions, the ZID will contact the head of the institute or the director of the university institution.

3. If the measure in item 2 remains without success, the ZID has to remove the computer from the network or discontinue services.

4. If circumstances demand it (imminent danger), the ZID can also take actions without consulting the system administrators. The appropriate system administrator or the head of the institute or the director of the university institution will immediately be contacted and informed about the measures taken.

5. The ZID may demand a written acknowledgement of the Policy from the originator of an incident (sample protocol in the document "Security Policy of the TU Vienna - How to ?").

9. Definitions

active network component: router, switch etc.
user: end user
electronic communication: use of computers, networks (TUNET, telephone etc.) and related services.
network: any communication network (for example TUNET, telephone networks).
service: any service provided or distributed by the ZID.
system administrator: person responsible for managing a computer or a network component, registered in the TUNET data base as technical contact.
TUNET: data communication infrastructure of the Vienna University of Technology.
TU Vienna: Vienna University of Technology with its organizational units, affiliated research institutes and inter-university institutions.
use: the utilization of services provided or distributed by the ZID, of communication facilities (e.g. lines, equipment) operated, rented or owned by the ZID, of software operated or maintained by the ZID, and of all information made available.
ZID: "Zentraler Informatikdienst", Information Technology Services