IT Policy

IT Policy

SECURITY POLICY FOR USER

1. Purpose: The policy aims at providing secure and acceptable use of client systems.

2. Scope: This policy is applicable to the employees, Students and Guest users of Veer Narmad South Gujarat University for handling of unclassified information.

3. Policy:
3.1 Acceptable Use of Client Systems
3.1.1 User shall be responsible for the activities carried out on the client system, using the network connection/accounts assigned to him/her.
3.1.2 User’s network access shall be subjected to monitoring / filtering for malicious / unauthorized activities.
3.1.3 For any administrative activities on the client system, user shall adhere to Security Policy for System Administrator.
3.1.4 User shall use account with limited privileges on client system and shall not use administrator privileges.
3.1.5 Backup of important files shall be taken by the user at regular intervals.
3.1.6 System / media containing official information shall be physically secured.
3.1.7 User shall not leave system unattended. The user shall lock out his / her system before leaving the system. Additionally, system idle timeout shall be configured on the client system.
3.1.8 Maintenance or rectification of faults in the client system shall be carried out under close supervision of the user.
3.1.9 User shall check that the system time is as per IST. Any variation shall be reported to the System Administrator / Network Security Administrator.
3.1.10 User shall not engage in any of the following activities:
        3.1.10.1 Circumventing security measures
        3.1.10.2 Unauthorized access to Systems / Data / Programs
        3.1.10.3 Harassing other users by accessing or modifying their data / resources on the system
        3.1.10.4 Creating, accessing, executing, downloading, distributing, storing or displaying any form of anti-national, offensive,
        defamatory,discriminatory, malicious or pornographic material
        3.1.10.5 Making copies of software / data for unauthorized use
        3.1.10.6 Impersonation
        3.1.10.7 Phishing
        3.1.10.8 Social engineering
        3.1.10.9 Unauthorized use of software license
        3.1.10.10 Providing official e-mail address on Internet mail groups / bulletin boards for personal use
        3.1.10.11 Any activity that is in violation of Central Civil Services (Conduct) rules
3.1.11 User shall report security incident to the System Administrator / Network Security Administrator.
3.1.12 User shall ensure that unauthorized Peer to Peer file sharing software is not installed.
3.1.13 User shall ensure that the system is configured as follows:
        3.1.13.1 User shall not share client system with anyone, by default. However, if necessary for any specific reason (such as client system          used in shift-duty), following shall be ensured:
        3.1.13.1.1 1 Explicit approval of competent / designated authority is taken for each client system and every user accessing it.
        3.1.13.1.2 Every user on the shared client system has a separate account.
        3.1.13.1.3 File / Folder access permission is limited to meet functional requirement of the user.
        3.1.13.2 User shall not share hard disk or folders with anyone, by default. However, if necessary, only the required folders shall be shared          with specific user.
        3.1.13.3 Client System has Client System Security (CSS) implemented as per Client System Security Guidelines.
        3.1.13.4 By default all interfaces on the client system are disabled and only those interfaces which are required are enabled.
         For configuration user shall contact the System Administrator.

3.2 Virus and Malicious Code (adware, spyware, malware)
3.2.1 User shall ensure that client system is configured with the authorized anti-virus software.
3.2.2 User shall ensure that anti-virus software and the virus pattern files are up-to-date.
3.2.3 User shall ensure that anti-virus scan is configured to run at regular intervals.
3.2.4 In case a virus does not get cleaned, incident shall be reported to the System Administrator / Network Security Administrator. ``

3.3 Hardware, Operating System and Application Software
3.3.1 User shall use only the software / hardware which are authorized by the University/Department.
3.3.2 The following activities shall be carried out by the System Administrator. However, the User shall ensure the following:
        3.3.2.1 Operating System and other software is installed using authorized source / Original Equipment Manufacturer (OEM) media with          valid license.
        3.3.2.2 While installing the Operating System and other software packages, only the required utilities are installed / enabled.
        3.3.2.3 Latest available service packs, patches and drivers are installed.
        3.3.2.4 Booting from removable media is disabled.
        3.3.2.5 Auto-run on all removable drives is disabled
3.3.3 User shall allow the installation of service packs and patches provided by the patch server.

3.4 E-mail Use
3.4.1 Only the E-mail account provided by the University shall be used for official communication.
3.4.2 Official E-mail shall not be forwarded to personal E-mail account.
3.4.3 E-mail password shall not be shared even for official purpose.
3.4.4 User shall not attempt any unauthorized use of E-mail services, such as:
        3.4.4.1 Distribution of messages anonymously
        3.4.4.2 Misusing other user’s E-mail address
        3.4.4.3 Using a false identity
        3.4.4.4 Sending messages to harass or intimidate others
3.4.5 Password used for online forms / services / registrations / subscriptions shall not be the same as the password of official E-mail account.

3.5 Password Security
3.5.1 Selection of password shall be done as per the Password Management Guidelines.
3.5.2 The following activities shall be carried out by the System Administrator. However, the User shall ensure the following:
        3.5.2.1 Passwords are enabled on BIOS, System login and Screensaver levels. (refer: Password Enabling Procedure)
        3.5.2.2 Auto-logon feature on the client system is disabled. (refer: Auto-Logon Disable Procedure)
        3.5.2.3 User account is locked after a predefined number of failed login attempts.
3.5.3 User shall not share or reveal passwords.
3.5.4 Passwords shall be changed at regular intervals as per the Password Management Guidelines.
3.5.5 5 If a password is suspected to have been disclosed / compromised, it shall be changed immediately and a security incident shall be reported to the System Administrator / Network Security Administrator (refer: Security Incident Management Process).

3.6 Portable Storage Media
3.6.1 User shall use officially issued portable storage media only.
3.6.2 User shall return the portable storage media, if it is no longer a functional requirement or in case of damage / malfunctioning.
3.6.3 User shall ensure that portable storage media used is free from virus.
3.6.4 User shall ensure that the execution of software from portable storage media is not done.

3.7 Network Access Policy Applicable for the User
3.7.1 User shall take prior approval from the competent authority to connect the client system to the network.
3.7.2 A client system authorized to connect to one network shall not connect to any other network.
3.7.3 For wireless connectivity, user shall ensure the following:
        3.7.3.1 By default, the wireless interfaces are disabled.
        3.7.3.2 Client system does not connect to wireless networks / devices without approval from the competent authority.
        3.7.3.3 If permitted, the wireless interface of the client system is enabled to connect to authorize wireless network only.

3.8 Client System Log
3.8.1 User having administrative privilege shall not disable / delete the audit trails / logs on the client system.

4. Review:
This Security Policy shall be reviewed at the time of any change in the IT environment or once every year, whichever is earlier. The review shall be carried out for assessing the following:
4.1 Impact on the risk profile due to, but not limited to, the changes in the deployed technology / network security architecture, regulatory and / or legal requirements.
4.2 The effectiveness of the security controls specified in the policy. As a result of the review, the existing policy may be updated or modified.

5. Enforcement:
Violation of this policy shall amount to misconduct under CCS Conduct rules.

Password Policy
1. Purpose: The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of the passwords.

2. Scope: The scope of this policy includes all end-users and personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system/service in the NIC domain. These include personnel with their designated desktop systems. The scope also includes designers and developers of individual applications.

3. Policy
3.1 Policy Statements
3.1.1 For users having accounts for accessing systems/services
        3.1.1.1 Users shall be responsible for all activity performed with their personal user IDs. Users shall not permit others to perform any
         activity with their user IDs or perform any activity with IDs belonging to other users.
        3.1.1.2 All user-level passwords (e.g., email, web, desktop computer, etc.) shall be changed periodically (at least once every three months).
         Users shall not be able to reuse previous passwords.
        3.1.1.3 Password shall be enforced to be of a minimum length and comprising of mix of alphabets, numbers and characters.
        3.1.1.4 Passwords shall not be stored in readable form in batch files, automatic logon scripts, Internet browsers or related data
        communication software, in computers without access control, or in any other location where unauthorized persons might discover or use
        them.
        3.1.1.5 All access codes including user ID passwords, network passwords, PINs etc. shall not be shared with anyone, including personal
         assistants or secretaries. These shall be treated as sensitive, confidential information.
        3.1.1.6 All PINs (Personal Identification Numbers) shall be constructed with the same rules that apply to fixed passwords.
        3.1.1.7 Passwords must not be communicated though email messages or other forms of electronic communication such as phone to
         anyone.
        3.1.1.8 Passwords shall not be revealed on questionnaires or security forms.
        3.1.1.9 Passwords of personal accounts should not be revealed to the controlling officer or any co-worker even while on vacation
         unless permitted to do so by designated authority.
        3.1.1.10 The same password shall not be used for each of the systems/applications to which a user has been granted access
        e.g. a separate password to be used for a Windows account and an UNIX account should be selected.
        3.1.1.11 The "Remember Password" feature of applications shall not be used.
        3.1.1.12 Users shall refuse all offers by software to place a cookie on their computer such that they can automatically log on the next time
        that they visit a particular Internet site.
        3.1.1.13 First time login to systems/services with administrator created passwords, should force changing of password by the user.
        3.1.1.14 If the password is shared with support personnel for resolving problems relating to any service, it shall be changed immediately
        after the support session.
        3.1.1.15 The password shall be changed immediately if the password is suspected of being disclosed, or known to have been disclosed to
         an unauthorized party.

3.1.2 For designers/developers of applications/sites
        3.1.2.1No password shall be traveling in clear text; the hashed form of the password should be used. To get around the possibility of
        replay of the hashed password, it shall be used along with a randomization parameter.
        3.1.2.2 The backend database shall store hash of the individual passwords and never passwords in readable form.
        3.1.2.3 Password shall be enforced to be of a minimum length and comprising of mix of alphabets, numbers and characters.
        3.1.2.4 Users shall be required to change their passwords periodically and not be able to reuse previous passwords.
        3.1.2.5 For Password Change Control, both the old and new passwords are required to be given whenever a password change is required.

3.2 Policy for Constructing a Password:
All user-level and system-level passwords must conform to the following general guidelines described below.
3.2.1 The password shall contain more than eight characters.
3.2.2 The password shall not be a word found in a dictionary (English or foreign).
3.2.3 The password shall not be a derivative of the user ID, e.g. 123.
3.2.4 The password shall not be a slang, dialect, jargon etc.
3.2.5 The password shall not be a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
3.2.6 The password shall not be based on computer terms and names, commands, sites, companies, hardware, software.
3.2.7 The password shall not be based on birthdays and other personal information such as addresses and phone numbers.
3.2.8 The password shall not be a word or number pattern like aaabbb, qwerty, zyxwvuts, 123321, etc. or any of the above spelled backwards.
3.2.9 The password shall not be any of the above preceded or followed by a digit (e.g., secret1, 1secret).
3.2.10 The password shall be a combination of upper and lower case characters (e.g. a-z, A-Z), digits (e.g. 0-9) and punctuation characters as well and other characters (e.g., [email protected]# $%^&*()_+|~-=\`{}[]:";'<>?,./).
3.2.11 Passwords shall not be such that they combine a set of characters that do not change with a set of characters that predictably change.

3.3 Suggestions for Choosing Passwords:
Passwords may be chosen such that they are difficult-to-guess yet easy-to-remember. Methods such as the following may be employed:
3.3.1 String together several words to form a pass-phrase as a password.
3.3.2 Transform a regular word according to a specific method e.g. making every other letter a number reflecting its position in the word.
3.3.3 Combine punctuation and/or numbers with a regular word.
3.3.4 Create acronyms from words in a song, a poem, or any other known sequence of words.
3.3.5 Bump characters in a word a certain number of letters up or down the alphabet.
3.3.6 Shift a word up, down, left or right one row on the keyboard.

4. Responsibilities:
4.1 All individual users having accounts for accessing systems/services in the NIC domain, and system/network administrators of NIC servers/ network equipments shall ensure the implementation of this policy.
4.2 All designers/developers responsible for site/application development shall ensure the incorporation of this policy in the authentication modules, registration modules, password change modules or any other similar modules in their applications.

5. Compliance:
5.1 Personnel authorized as Internal Audit shall periodically review the adequacy of such controls and their compliance.
5.2 Personnel authorized as Application Audit shall check respective applications for password complexity and password policy incorporation.