Use of the LUMS wired and wireless network, email, Internet and computers comes with responsibility and a contract to which you implicitly agree when you become a member of the LUMS community. The second you connect to the network or log into a LUMS computer, you are accountable for what you do and how you use it, and are deemed to be in acceptance of the LUMS Acceptable Use of Computing Resources Policy, as follows.
LUMS Acceptable Use of Computing Resources Policy
I. Purpose of Policy
The purpose of this policy is to outline the acceptable use of information technology resources at Lahore University of Management Sciences in order to:
- Comply with legal and contractual requirements
- Protect the University against damaging legal consequences
- Safeguard these resources
II. Scope of Policy
This policy is applicable across the University and individually applies to:
- All individuals who have access to University information and technologies
- External parties that provide information processing services to the University
III. Definitions
Approvals
The formal endorsement of a document in the form of physical signature after review from relevant stakeholders
Copyright
Exclusive rights to print or publish material.
Confidential Information
Privileged communication shared with only a few people for furthering certain purposes
Form
A form is an informational document with spaces (fields) for input of relevant information with which the document is associated. A form, after it has been filled, may be a statement, IT request or an order.
IT
Information Technology
Cybercrime
Also called computer crime, the use of a computer connected over a network, wired or wirelessly, as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy.
ITSM
Information Technology Security Manager
Application
Any software (in-house developed or outsourced vendor product)
License
Authorized use for a certain purpose.
Policy
A document that defines the set boundaries through which standard operating procedures can be developed and maintained.
Procedure
A document that defines detailed process-specific instructions on how to perform particular tasks or react in particular situations.
Guideline
A general statement(s) document that helps in determining the course of action
Proprietary Data
Internally generated data or documents that contain technical or other types of information controlled by a firm to safeguard its competitive edge.
Responsibility
The liability and onus of an employee in the IT department to carry out the implementation of process and adhere to relevant IT policy and procedure document(s).
Security
On a network, protection of a computer system and its data from harm or loss, implemented especially so that only authorized users can gain access to shared files.
IV. Policy Statements
Computers and other information technology resources are essential tools in accomplishing the University's mission. Information technology resources are valuable community assets to be used and managed responsibly to ensure their integrity, confidentiality, and availability for appropriate research, education, outreach and administrative objectives of the Lahore University of Management Sciences.
- University community members are granted access to these resources in support of accomplishing the University’s mission.
- All users of University information technology resources, whether or not affiliated with the University, must follow University policies; Government of Pakistan laws; provincial laws; and contractual obligations. These include but are not limited to information security, data privacy, commercial use, and those that prohibit harassment, theft, copyright and licensing infringement, and unlawful intrusion and unethical conduct.
Units that grant guest access to information technology resources must make their guests aware of their acceptable use responsibilities by circulating all or part of this policy.
4.1 Acceptable Use of Internet
Restricted to business use only
The Internet shall only be used as part of the normal execution of a user’s job responsibilities.
Representation of LUMS
Internet connections shall only be used for valid business purposes. As such, any information posted to discussion groups bearing a LUMS address shall only reflect LUMS positions.
Internet rules and behavior
Using LUMS facilities or equipment to make abusive, unethical or "inappropriate" use of the Internet will not be tolerated and may be considered grounds for disciplinary action, including termination of employment. Examples of inappropriate employee Internet use include, but are not limited to, the following:
- Conducting or participating in illegal activities, including gambling
- Accessing or downloading pornographic material
- Solicitations for any purpose which are not expressly approved by management
- Revealing or publicizing proprietary or confidential information
- Representing personal opinions as those of LUMS
- Making or posting indecent remarks
- Uploading or downloading commercial software in violation of its license
- Uploading or mailing of LUMS confidential documents without the permission / authorization of the concerned parties
- Downloading any software or electronic files without reasonable virus protection measures in place, especially from less than reputable websites that may lead to viruses, spyware and other malicious software
Prohibitions of user internet activities
To prevent any appearance of inappropriate conduct on the Internet and to reduce risk to the organization, users shall not:
- Enter into contractual agreements via the Internet; e.g. enter into binding contracts on behalf of LUMS over the Internet
- Use LUMS logos or internal materials in any web page or Internet posting unless it has been approved, in advance, by the management
- Use software files, images, or other information downloaded from the Internet that has not been released for free public use
- If a business need exists, then protective methods and software must be installed on the user’s work-station to prevent hackers from gaining access to the data on the user’s work-station
- Introduce material that is considered indecent or offensive, or that is related to the production, use, storage, or transmission of sexually explicit or offensive items on LUMS’s network or systems
- Attempt to gain illegal access to remote systems on the Internet
- Attempt to inappropriately telnet to or port scan remote systems on the Internet
- Use or possess Internet scanning or security vulnerability assessment tools, such as SATAN, ISS, NESSUS or NMAP without the permission of the IT Security Manager
- Post material in violation of copyright law
- Establish Internet or other external network connections that could allow unauthorized users to gain access into LUMS systems and information assets.
Sensitive information
- Confidential information shall not be transmitted over the Internet without reasonable security measures (such as encryption or other appropriate method) in place. An encryption algorithm approved by the IT Security Manager shall be used to protect this information.
- Card numbers (Debit/Credit etc.), telephone calling card numbers, login usernames and passwords, and other parameters that can be used to gain access to goods or services shall not be sent over the Internet in plain text.
Employee hosting private websites
Employees are not allowed to produce web pages or sites that reference LUMS or affiliates, masquerade as LUMS, or in any way disclose any other information about LUMS without the written permission of the management. Employees are not allowed to host personal sites on LUMS facilities.
New business channels
Users are prohibited from using new or existing Internet connections to establish new business channels, without the approval of the relevant Manager. These channels include electronic data interchange (EDI) arrangements etc.
Passwords
All Internet passwords and user IDs shall meet LUMS password standards as described in the Use of Password Security Policy.
Virus scanning
All information downloaded to LUMS computing resources via the Internet shall be screened with virus detection software prior to use. Refer to the Anti-Malware Security Policy.
Anonymous File Transfer Protocol (FTP) systems
Users shall not place LUMS material (software, internal memos, etc.) on any publicly accessible Internet computer, which supports anonymous FTP or similar services, unless the Information Security Manager has first approved the posting of these materials.
Protection approach
- Employees must verify the validity of the source before using any content or software from the internet.
- Employees must always have standard security measures set in place when using the internet. Employees must have: a) Corporate standard anti-virus installed. This must be kept up-to-date with updates installed as they become available; and b) Firewall running
- Employees will only access the internet using LUMS’s equipment (routers, LAN, wireless LAN technology etc.) within LUMS premises.
- Physical access control must be maintained by positioning any displays/monitors that may contain confidential data in such a way as to minimize unauthorized access or view. Such information should not be viewable through a window, by persons walking by, or by persons waiting in public reception areas
- To maximize the security of standalone workstations as well as workstations connected to the network, the user must have been assigned access, username and password
- When the user is leaving his/her desktop, he/she must lock the computer. Also, each desktop should lock with a password-protected screen saver that engages after the keyboard and/or the mouse have been idle for a period of 5 minutes or more
- Anti-Malware software should be installed on each desktop computer & laptop, and designated staff shall make certain that the desktop/laptop has the most current anti-malware software and appropriate patches installed. Moreover, the user’s effort can be minimized by using automated anti-malware/anti-virus updates
- Only approved and licensed software should be installed on the workstation
- Backup of user’s data will be taken by the support team through a formal request initiated by the User and approved by his/her Head of the Department. Moreover, it covers the following:
  - Any data residing on the user’s computer shall be the responsibility of the user.
  - Any user’s data residing on the user’s network group shall be backed up and restored through a formal request initiated by the user
  - Any other data contained in central repositories is the responsibility of the systems team
4.2 Acceptable Use of Laptops
- Laptop users may install software on their machines depending upon the nature of work. Otherwise, IST helpdesk must be contacted. Software downloaded from the Internet or obtained illegally must not be loaded onto the Laptop. (Refer to Approved Software List)
- The laptop must have an anti-virus software suite (package) installed. Users must not be allowed to alter the configuration of this package unless explicit permission has been obtained from IST helpdesk. The anti-virus system’s database of virus definitions must be updated on a regular basis, each day if possible, but at least once a week. Virus definitions can be updated directly through the Internet or by accessing LUMS’s LAN.
- Password Security is the responsibility of the system user and BIOS security is the responsibility of IST helpdesk. Exceptions should be handled at the time of allocation
- Where sensitive data is to be kept on hard disks, the use of encryption software or a hardware package should be considered, to provide additional protection to the data if the machine is lost or stolen
- The laptop has been provided by LUMS for business use only. When away from the office (off-site), it is the user’s responsibility to use the laptop properly, protect it from being damaged and keep it in his/her safe custody
- Regular backups of all confidential data should be made to a separate system (your LAN, personal drive, cloud etc.) where possible to help prevent the loss of critical information. The restoration of backed up data must be tested on a regular basis
- Any observation that constitutes a loss of hardware, data or information should be reported directly to IST helpdesk, who will instigate investigation procedures to try and establish the nature and potential threat of the incident. Incidents could involve:
  - Loss of Hardware
  - Loss of Software/Data
  - Virus/Hackers attack
  - Unauthorized access
  - Misuse of System/Privileges
  - Illegal software download
  - Leaving laptop unguarded at public place or in a vehicle
- The software and information held on the laptop are subject to the same audit procedures as LUMS’s computer systems. This also covers information and data stored on removable media, e.g. removable storage devices (USB pens or sticks etc.)
- The relevant department is responsible for entry/exit for the user taking a laptop off-site, as per travel plan, or for users having notebooks permanently given to them
4.3 Acceptable Use of Computers, Software and Data
- All LUMS users must follow all license provisions regulating the use and distribution of computer software
- Measures should be taken to protect an asset from unauthorized modification, destruction, or disclosure, whether accidental or intentional
- Computer resources shall be used only for LUMS business purposes, not for private (personal) use
- Users may only access files or data if they belong to them or are publicly available, or if the owner of the data has given permission to access them
- Software and computer data which are purchased and/or developed by LUMS must not be copied and/or disclosed to a third party
- Employees, contractors, and third party users using or having access to the organization’s assets must follow acceptable use of information and assets associated with information processing facilities e.g. rules of e-mail and Internet usage
- Telephones (exchange) shall be used by users for conducting company business only and not for their personal use. In case of personal use it should be reported against the issued bill to Finance Office for deduction.
- Personal assets including laptops, cameras, mobile phones with camera, flash drives (USB), and wireless data exchange devices such as Bluetooth or infrared enabled devices shall not be used in restricted areas unless authorized.
V. Waiver of Policy
On the recommendation of Information Technology Steering Committee, the Board of Trustees or Vice Chancellor may waive a part or whole of the policy, excluding the statutory requirements.
VI. Title of Position with Maintenance Responsibility
Compliance Manager/Officer shall be responsible for maintenance of the policy including its periodic review and approval of any subsequent modifications to the said policy.
VII. Roles and Responsibilities for Policy Implementation
Manager Systems, Network and User Support are responsible for the adherence and implementation of this policy.
Consequence(s) of Non-Compliance with Policy
The disciplinary process of the University shall be initiated in case non-compliance with policies & procedures is identified.