
Information Technology Policy

As Approved by the University Council on April 16, 2008


Birzeit University Information Technology Policy

April 2008

Page 2 of 25

Table of Contents

I. Policy Drafting, Maintenance and Revision .... 3
II. Policy Implementation and Enforcement .... 3
III. Disclaimer .... 4
IV. Systems and Development .... 4
V. Acceptable Use of IT Resources .... 6
VI. Data Classification .... 8
VII. Security .... 9
VIII. Access Accounts .... 9
IX. Electronic Mail System .... 11
X. BZU Web Site .... 13
XI. Electronic Records .... 15
XII. Electronic Documents Management .... 16
XIII. System and Data Backup .... 17
XIV. Virus Prevention .... 19
XV. Intrusion Detection .... 19
Appendix A: Glossary .... 20
Appendix B: Password Creation Guidelines .... 21
Appendix C: Password Expiration Procedure .... 21
Appendix D: Email Use Guidelines .... 22
Appendix E: Mass Electronic Mailings .... 23
Appendix F: Procedure for Updating BZU Web .... 24
Appendix G: Network File System .... 24
Appendix H: Standard Convention for Naming Documents .... 25
Appendix I: Birzeit University IT Policy Committee Membership .... 25



I. Policy Drafting, Maintenance and Revision

1. The Information Technology Policy upholds the university's mission, educates the university community about best practices in information technology, promotes university-wide operational efficiencies, and reduces institutional risks.
2. The policy applies to every user of BZU IT resources, as well as developers at any of the university facilities. Users include all students, faculty, staff, alumni, retirees, continuing and distance education students and other university affiliates.
3. The policy was initially drafted by an ad-hoc committee formed by the university president for that purpose and was approved by the University Council. Thereafter, it is maintained in an Information Technology Policy repository accessible to all members of the university community, together with supporting documents that include a Frequently Asked Questions (FAQ) document and other reference materials. The web site repository copy of the Policy also includes links to appropriate locations in the supporting documents and external documents of relevance.
4. The Office of Planning and Development (P&D)[1] maintains the supporting documents in the repository and regularly reviews the FAQ document to include new inquiries and interpretations.
5. Feedback by the university community on the IT Policy will be collected and assessed by the director of P&D or the University Council. Changes to this policy shall be initiated by a committee appointed for this purpose by the university president, possibly on the recommendation of P&D.
6. All terms and references used in this policy are defined in Appendix A.
7. The policy shall be revised at regular time intervals, not to exceed 3 years.

II. Policy Implementation and Enforcement

1. The Office of P&D, in collaboration with the Computer Center, is charged with communicating this policy to the user community and providing orientation and training to achieve technical proficiency and appropriate use of IT resources.
2. Requests for interpretation of the policy as applied to particular situations shall be directed to the Office of P&D.
3. All BZU users and developers are required to sign pledges to uphold the highest ethical/professional standards in dealing with IT resources, to familiarize themselves with the IT policy, to adhere to it faithfully and to report any violations promptly.
4. It is the responsibility of chairs and directors of university units to ensure that their staff are aware of the existence and content of the IT policy and all its supporting documents.
5. Each university unit is responsible for implementing the IT policy in so far as its operations are concerned. Units may develop additional written regulations for the use of IT facilities under their control that include additional details, guidelines or restrictions. These regulations must be submitted to the President or the respective vice president for approval, provided they are consistent with other university policies.
6. The Office of P&D shall draft and follow up on compliance plans by university units with clearly defined timelines and shall submit regular annual reports on compliance with this policy to the university president.
7. Reports of violations of the policy are to be submitted to the Information and Procedures Officer, the employee's supervisor or, in the case of a student, according to the University regulations. Unlawful practices shall be pursued to the extent of the law. Good faith disclosures of university-related misconduct shall be handled with confidentiality and protected.
8. Where penalties are appropriate, they may include a formal reprimand, loss of user privileges for a definite or indefinite period or termination of employment according to BZU laws and regulations. Sanctions against students shall be subject to the recommendations of the GDC and can include probation, suspension or expulsion from the university.
9. Appeals against any formal disciplinary action related to the IT policy taken against faculty members or staff shall be governed by Birzeit University laws and regulations.

[1] Read Office of Chief Information Officer (CIO), if appointed.

III. Disclaimer

1. The University shall make all possible effort to safeguard the integrity of its Information Technology resources and services.
2. The University makes no warranties of any kind, whether expressed or implied, with respect to the information technology services it provides.
3. The University shall not be responsible for damages resulting from the use of communication facilities and services, including, but not limited to, loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a university employee, or by the user's errors or omissions.
4. Use of any information obtained via the Internet is at the user's own risk.
5. The university specifically denies any responsibility for the accuracy or quality of information obtained through its electronic communication facilities and services, except material presented as an official unqualified university record.
6. The university shall not accept responsibility for removing material that some users may consider defamatory or otherwise offensive. The University may remove such material at its discretion. Users should be advised, however, that dissemination of such material may subject them to liability in other forums.

IV. Systems and Development

a- IT Systems

1. All models for applications (ready-made, open source, in-house development) will be considered and investigated when making acquisition decisions. Individuals are encouraged to consider the use of open source technology where such sources are applicable.
2. Software used at the university, including in-house developed components, must adhere to accepted software engineering practices in terms of design, documentation, user interface, component and system testing. Written certification to this effect shall be made by quality assurance personnel independent from the design and development teams.
3. IT related systems development and acquisition will make a good faith effort to specifically address and account for the needs of the handicapped in each system. Efforts of good faith shall be exercised to take the needs of visually impaired persons in the university into account in deployed IT products.
4. Utmost effort shall be exercised by the University administration to keep BZU abreast of the latest proven technologies in line with regional and international trends and to ensure its continued leadership in the IT field locally.
5. IT services shall be extended to all university units in line with best practices and to maximize the utility of existing IT resources.

b- Computer Center Responsibilities

6. The Computer Center at BZU must have a clear, written and approved organizational structure with clearly defined roles, responsibilities and tasks mandated in writing to ensure accountability.
7. Work deadlines shall be specified and communicated in writing, with safety margins, to all stakeholders inside and outside the Computer Center. Missed deadlines shall be clearly documented and responsibilities assigned and reported.
8. Potential users shall be involved and consulted in decisions regarding performance characteristics and the user interface of developed systems.
9. The Computer Center shall operate an efficient and transparent system for accepting and monitoring user requests, classifying them and assigning them to staff. Users and administration shall be able to review requests' progress. Upper limits on service time shall be defined and published, and all discrepancies reported and explained to users and administration.
10. Users shall be informed promptly of any degradation of quality of service that may affect their work, with explanations and time limits for service restoration clearly specified. Administration shall be notified of all such occurrences.
11. Academic IT laboratories must maximize the use of their IT resources during their lifetime so that they can be replaced in a timely manner with reasonable returns to BZU. IT facilities sharing and rotation of available resources to proper locations/uses shall be worked out and enforced.

c- IT Personnel

12. Hiring of IT personnel shall be competitive and in accordance with university-wide policies on hiring and retaining professionals.
13. IT personnel shall be required and encouraged to stay competitive, informed and trained in their fields. Practices encouraging continuing education must be enforced.
14. IT personnel access to data shall be limited to the absolute minimum necessary to execute their work. They shall not attempt any changes to university records without proper authorization and logging.
15. IT personnel are required to sign nondisclosure statements and pledge to hold the highest ethical/professional standards before assuming their jobs. IT personnel, including former employees, shall respect copyright laws and shall refrain from transferring knowledge or systems gained or developed at Birzeit University, in total or in part, to other institutions without the prior consent of the university.
16. Staff performing essential IT functions shall have backup. No university service shall be dependent on a single individual. A clear designation of primary and backup personnel shall be approved and communicated to the proper university authorities.



V. Acceptable Use of IT Resources

a- General

1. IT resources facilitate the pursuit of excellence in the university's mission of teaching, research, and community outreach. Computing systems, software, and internal and external data networks are important to the university community.
2. All users shall comply with institutional standards for acceptable use of these shared resources and shall abide by relevant university policies and procedures. Violations may result in university disciplinary action or referral to appropriate external authorities.
3. IT resources shall not be used in a manner that violates the law. Such laws include those related to race-based or gender-based discrimination, criminal laws forbidding harassment, exhibition of obscene materials, distribution, rental or sale of pornography, official misconduct, computer crime and copyright/fair use laws.

Personal Use

4. IT resources shall be used primarily for university related educational, research, and administrative activities, and any personal use shall be kept to a minimum. Personal use may be excessive if it takes place during regularly scheduled work time, overburdens a network, results in substantial use of system capacity or subjects the institution to increased operating costs. In those instances, the unit supervisor shall provide specific guidance to individual users by formulating unit policies or providing advice on a case-by-case basis.
5. IT resources, including the university's electronic address (e-mail, website), shall not be used for personal commercial gain, charitable solicitations, personal political activities or lobbying.

b- Restricted Data

6. Users shall abide by all applicable restrictions, whether or not they are built into the operating system or network or can be circumvented by technical means.
7. Accessing restricted data without permission is prohibited and subjects the offender to penalties. Where access to restricted data is permitted, use of such data shall be limited to the purpose for which access is authorized. Secondary use of university data subject to access restrictions, without adhering to those restrictions, is not permitted.
8. Patient medical information retained by the Birzeit University clinic is further protected against disclosure without the specific written consent of the person to whom it pertains, or as otherwise required by law. A general authorization for release of medical or other information is not sufficient for this purpose.
9. Private copies of non-public university data shall not be kept by any university employee, including Computer Center staff and data management staff.

c- Academic Integrity

10. Electronic information shall be subject to the same principles of academic freedom and privacy applicable to written and spoken communications. BZU does not approve censorship or casual inspection of electronic files.
11. Respect for intellectual labor and creativity is vital to academic discourse and enterprise. This applies to works of all authors and publishers in all media, including electronic data. It encompasses respect for the right to acknowledgment, the right to privacy, and the right to determine the form, manner, and terms of publication and distribution. Violations of authorial integrity, including plagiarism, invasion of privacy, unauthorized access, and trade secret and copyright violations, may be grounds for penalties against members of the university community.

d- Users' Privacy and Security

12. While the university does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the university's computing resources require the backup of data and communication records, the logging of activity, the monitoring of general usage patterns and other such activities that are necessary for the rendition of service.
13. BZU may inspect files or monitor usage for a limited time when there is probable cause to believe a user has violated this policy. Authorization in writing shall be granted by the university president in consultation with university legal counsel. Such inspections or monitoring shall be conducted with notice to the user, unless such notice would seriously jeopardize substantial interests of the university or of third parties.
14. Although BZU employs various measures to protect the security of its IT resources and user accounts, the university cannot guarantee such security. Users are required to engage in "safe computing" practices by establishing appropriate access restrictions for their accounts, guarding their passwords, changing them regularly and maintaining backup and recovery systems in accordance with disaster recovery guidelines.
15. The university respects encryption rights on its networks and may itself encrypt information and transactions when secured confidentiality is an obligation.
16. Users are advised that network traffic exiting the university is subject to the acceptable use policies of the national and international network connectivity providers.

e- Interference

17. Uses that interfere with the proper functioning of the university's information technology resources are prohibited. Such inappropriate uses include, but are not limited to, insertion of viruses into computer systems, tapping a network or running a "sniffer" program, e-mail spam, chain letters, destruction of another user's files, use of software tools that attack IT resources, violation of security standards and the like.
18. Interference with the ability of other users to make appropriate use of the resources is prohibited. Such inappropriate usage includes invading the privacy of another's files, gaining unauthorized access to the files of another, denial of service attacks, misrepresentation, forgery, use of software tools that attack IT resources and the like.

f- University Name

19. Users shall take appropriate steps to avoid any possible inference that their communication of a message via the university e-mail system or posting to an electronic forum may connote an official university authorization or endorsement of that message, unless such authorization or endorsement is granted by university officials.



VI. Data Classification

1. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance in one of the following categories:
   a. High Risk: Information for which there are legal requirements for preventing disclosure, financial penalties for disclosure or privacy requirements; e.g. payroll, personnel, and financial information are in this class. Alternatively, information of high importance also falls in this category, e.g. student academic records.
   b. Confidential: Information that may expose the university to loss if disclosed and should be protected to prevent unauthorized access; e.g. committee memberships, work documents in progress, email depositories.
   c. Public: Information that may be freely disseminated.
2. Data owners shall determine data classification and ensure the data is protected in a manner appropriate to its classification.
3. Information resources should be categorized and protected according to the requirements set for each classification. Data classification and its corresponding level of protection should be consistent when the data is replicated and in transit as it flows through the university.
4. No university-owned system or network can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification.
5. Data custodians are responsible for creating data repositories and data transfer procedures which protect data in the manner appropriate to its classification.
6. High risk and confidential information must be encrypted during transmission over insecure channels.
7. All appropriate data should be backed up, and backups must be tested periodically as part of a documented regular process.
8. Backup media must be handled with the same security precautions as the data itself. When systems are disposed of, data must be deleted or disks destroyed consistent with best practices for the data security level.
9. Data must have sufficient granularity to allow the appropriate authorized access. A balance between protecting the data and permitting access for those who need to use it for authorized purposes must be maintained.
10. Where possible, more than one person shall have full access rights to a university-owned server storing or transmitting high risk data.
11. All users of systems that contain high risk or confidential data must have a strong password. Password strength must be proportional to the data security level. Passwords of empowered accounts, such as administrator, root or supervisor accounts, must be changed frequently, consistent with the guidelines in Appendix B.
12. Default passwords on all systems must be changed after installation. All administrator or root accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.
13. Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secured.
14. Terminated employees should have their accounts disabled upon transfer or termination, and transferred employees' access must be reviewed and adjusted to their new roles. Administration units shall report such changes promptly.
15. Monitoring must be implemented on all systems, including recording logon attempts and failures, successful logons and the date and time of logon and logoff, with documented procedures for reviewing system logs.
16. Activities performed by administrators or super-users must be logged. For performing non-administrative tasks, administrators shall use other, less powerful accounts.

VII. Security

a- Internet and System Security

1. All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified as high risk or confidential.
2. All systems connected to the Internet must have university authorized versions of the operating system installed.
3. All systems connected to the Internet must be current with security patches as communicated by the administering bodies.
4. System integrity checks of host and server systems housing high risk university data shall be performed regularly and the results shall be communicated to the proper authorities.

b- Information Security

5. Information security is concerned with the protection of the university's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.
6. Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a regular basis. These reviews must include monitoring access logs and the results of intrusion detection software, where it has been installed. The results should be recorded and reported properly.
7. Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. Testing should be performed at least annually and more regularly for sensitive information.
8. Users shall be made aware of data sensitivity, levels of confidentiality and mechanisms for data protection.
9. All university data shall have a data owner who determines the security level and grants/revokes access rights to that data.

VIII. Access Accounts

a- Issuing of Access Accounts

1. University IT resources are not to be used by unauthorized persons. No user shall be allowed into the system without a proper access account, and in some cases additional university accounts are issued to the same user to access specialized services.
2. Access accounts are defined by a user ID and password combination and serve as the primary digital identity at BZU. They provide access to IT services and resources in a manner that enables tracing system accesses where that is needed.
3. The Computer Center shall issue and manage access accounts for general use of computer services and systems, including the university electronic mail system, to individuals affiliated to the university.
4. Permanent ID/Password pairs are issued to faculty and staff upon signing of their contract and to students upon being admitted to the university.
5. Clear rules shall govern the creation of access accounts for new employees and their revocation on termination of their BZU affiliation.
6. Guest access accounts with temporary ID/Password pairs with a limited validity of one month are issued and renewed upon the request of chairs and directors of units in the university. Access rights to more specialized services, such as the administrative mainframe services, the information warehouse or specialized research computing resources, have their own specific policies regarding issuing and expiration of accounts.
7. All use of an access account is assumed to be performed by the user assigned to that account. Account owners are held responsible for all activities associated with their accounts.

b- Expiration of Accounts

8. The Computer Center purges access accounts of users as guided by Table 1. It is the responsibility of account holders, prior to the end of their affiliation with the university, to save all files stored in the Computer Center accounts. Graduate students collaborating on research with faculty members are especially encouraged to ensure that all relevant data is moved to appropriate repositories before the end of their affiliation with the university.

Table 1: User Classification and Account Expiration

   Classification                              Account Expiration
   ------------------------------------------  --------------------------------------------------------
   Undergraduate and graduate students         Graduation or termination of affiliation to the university
   Continuing education students               Last day of classes or termination
   Special students                            One semester (renewable)
   Full-time and adjunct faculty members       Termination of employment
   Retired university faculty members          Open-ended
   Part-time faculty members                   One semester (renewable)
   Regular university staff                    Termination of employment
   Visiting faculty members or researchers     Duration of visit
   Contract employee/consultant                Duration of contract

9. Access accounts expire three months after the due date of account expiration unless deemed otherwise appropriate by the direct party responsible for the user in question.
10. Requests for extension of account expiration are submitted electronically to the Computer Center (at accounts@birzeit.edu) for review.

c- Access Account Passwords

11. All IT systems shall require changing of passwords for newly activated access accounts at first use.
12. The Computer Center staff shall not keep, collect or store users' passwords in a manner that enables them to impersonate others. Any deviation mandated by system maintenance purposes shall be authorized in writing by the Office of P&D with clear specification of the type of maintenance activity, its scope and time limits.
13. The system shall enforce annual expiration of access account passwords. Measures to ensure continuous service around the password change time shall be adopted in accordance with the procedure outlined in Appendix C.
14. Users are responsible for changing their password before it expires to avoid disruption of their access to BZU services. They are advised to change passwords more frequently for higher security and to adhere to the password best practices outlined in Appendix B. Passwords shall not be shared and shall be changed promptly when compromised.
15. The computer system shall retain a history of the last three passwords and reject their reuse by the user.

IX. Electronic Mail System

a- General

1. Email is an important method of communication for university business, and carries the same weight as paper-based communications. The purpose of this policy is to describe the acceptable use of the university's email and related services, systems and facilities as outlined in Appendix D.
2. All users, whether they create or receive emails, are responsible for appropriate use of the mail system and for complying with university policies and guidelines in this regard. Breaches of policies and guidelines can lead to revoking users' privileges and may subject them to disciplinary action. Students found to be in breach of this policy and guidelines may be subject to disciplinary action.
3. The university retains ownership of the email address and all other parts of the email facility.
4. The University strives to have university officers use professional email addresses to conduct the business of their units. Until the use of professional email becomes mandatory, it is the responsibility of the individual officers to separate professional and private email to ensure the continuity of unit operations.

b- Personal Use of Email

5. The university accepts appropriate use of email for private non-commercial purposes as permissible, provided that such use shall not overburden the university's resources nor interfere with the smooth running of university business.
6. Users shall ensure that emails addressed to or sent by them for private purposes are marked as personal, in order to distinguish between business and private emails.

c- Email Privacy and Confidentiality

7. Users shall be aware that the privacy of emails cannot be guaranteed, as messages can be intercepted or wrongly addressed or forwarded to third parties.
8. The use of encryption, digital signatures and other tools to improve the confidentiality and/or authentication of email messages is encouraged when dealing with information of a sensitive nature.
9. With proper authorization in writing, the university may extend access rights of a specific employee's email account to another designated employee for business purposes or in the event of unexpected or prolonged absences that can adversely affect the running of the institution. In these instances, emails clearly marked as private and/or personal shall be treated with the utmost confidentiality.
10. With proper written authorization, with or without user consent, the university may monitor email traffic for certain purposes that may include, but are not limited to, monitoring of standards of service, preventing or detecting crime, scanning for unauthorized use and potential viruses, or managing business. Proper documentation of such activities shall be made available to the Office of P&D on a regular basis.

d- Email Granting and Suspension

11. University email addresses are granted by the Computer Center for staff and students based on common rules and are made public as necessary.
12. Email addresses are granted upon joining the university and suspended after the termination of the user's affiliation to the university. After email suspension, automatic mail forwarding to a specified address (at @ritaj.ps or an otherwise requested email) goes into effect for one full year. Users are alerted when email forwarding is about to expire.
13. Users shall use an email signature that truly reflects their status at the university and shall refrain from including it in private emails.
14. Archiving of emails is the responsibility of the account owner, and all expired accounts shall be cleared within a year of termination.
15. Retired/adjunct faculty members shall retain all email privileges indefinitely unless instructed otherwise by the users themselves or by proper authorities within the university hierarchy.
16. Part-timers are issued an email address for the period of their contract and the automatic forwarding service as described above.

e- Security against Malicious Emails

17. All incoming messages shall be scanned for known malicious code, and where such code is detected the entire message may be discarded at the campus email gateway.
18. Encrypted or password protected file attachments that cannot be examined for malicious code may be discarded.
19. Messages with an executable attachment shall have that attachment deleted before the message is delivered, with text inserted into the message stating that the attachment has been removed.
20. Messages with attached office productivity files (documents, spreadsheets, etc.), text files, and other non-executable files shall be delivered intact.

f- Mass Emailing

21. Mass emailing to large numbers of individuals or groups, either within or outside the university, must be essential and relevant to the mission of the university and must not adversely affect the normal performance of the university's email delivery system.
22. Mass emailing must have executive-level approval in advance of issuance by the university president or another official designee in the direct chain of command to the targeted recipient community, whether inside or outside the university. This is elaborated in Appendix E.

X. BZU Web Site

a- General

1. The BZU World Wide Web Site (BZU Web) includes the collection of electronic menus, information and publications accessed through web pages and pointers collected under the Birzeit University Homepage. These pages may be of an academic, administrative or personal nature related to the university.
2. BZU Web shall be accessible to a large target population including prospective and current students, media, alumni and friends of the institution, and the general public locally, regionally and internationally in order to:
   a. Promote the university as a reputable institution of higher education, research and development.
   b. Support the university's mission.
   c. Augment scholarly activities by using the web as a medium to further partnership and cooperation with external communities in areas of instruction, research and community outreach.
   d. Highlight the quality and diversity of the academic programs and the accomplishments of the university academic community.
   e. Promote its alumni activities and the alumni sense of community.
   f. Facilitate recruitment of prospective students.
   g. Lobby for issues of primary concern to the university, e.g. the right2education campaign, fundraising.
   h. Share knowledge and serve the local and international community (e.g. library acquisitions, databases, news and events).

b- Responsibilities for BZU Web

3. The Computer Center shall be responsible for providing BZU Web with adequate technical infrastructure for its operation through:
   • Web Server Administrator, responsible for the management and maintenance of web servers and/or databases, software and security, and for ensuring sufficient bandwidth to enable reasonable-speed viewing of content for potential users.
   • Web Application Developer, responsible for the development of database system applications and scripts that provide dynamic web pages, maintaining the site map, search engine, site links and referential integrity, and providing web-related consulting services to the entire university.
4. The Office of Public Relations shall be responsible for the overall design of the site, the editorial leadership and quality, and developing and maintaining editorial and publishing guidelines through:
   • Webmaster, responsible for planning, managing and coordinating a website or a structure of websites, web page production and web application development, developing web publishing standards, templates and design guidelines, as well as receiving and responding to feedback from users in a timely manner.
   • Web Editor, responsible for managing and maintaining the content of the home page or website, including: information collection, prioritization, validation, certification verification, editing and proofreading.
5. All university units (academic, support and administrative) are responsible for ensuring that information relating to their units is available on the BZU website and that it is current, comprehensive and accessible in an effective manner. A Web Liaison Officer, designated by the unit chair or director, shall be responsible for supplying, updating and verifying the unit's information on BZU Web. The procedure for updating BZU Web is outlined in Appendix F.
6. The Web Review Committee shall be responsible for coordinating the university's presence on the Web and developing policies and procedures governing the BZU website, as well as assessing the need for web page initiation or redesign or changes in work procedures.

c- Web Publishing

7. The names "Birzeit University" and "BZU" and the university's logo are the official property of Birzeit University and are not to be used on any website without the written authorization of the university.
8. Where discrepancies arise between official printed materials and electronic information, the information in the printed material shall have precedence, and the electronic version shall be brought into compliance with the written material once the discrepancy is detected, unless the electronic information specifically states that it is the official source in lieu of the printed information.
9. Unit and personal web pages are created according to specifications provided by departments, offices or individuals and should be approved by their requestors before they are made publicly accessible.
10. The university requires high standards in the content and presentation of material on its website, as the reputation and image of the university are manifested in the quality of the information published.
11. While every effort is made to ensure that no material under external copyright is improperly used in BZU web pages, incidents of mistaken use of protected material are remedied by immediate removal of such material.
12. Opinions expressed on any BZU web pages accessible from any server on BZU's domain are not necessarily those of the university.
13. Information of any type should be verified by direct contact with appropriate university officials for accuracy and timeliness.
14. Official web pages shall be created and maintained according to BZU web official design guidelines and templates. They are subject to periodic information and presentation review procedures. Each page shall clearly state the date it was last updated and by whom.
15. Unofficial web pages, and links to them from official BZU web pages, are permitted on university-owned servers as a means of furthering education and research and fostering exchanges of ideas and opinions. These pages do not represent the official views of the university. While they may contain documents generated by university units, they are not considered the official repository of those documents.
16. Web pages posted on or through a university-owned server shall be sponsored and administered by a university unit, faculty member or staff member and approved by the Webmaster before being linked to an official BZU web page or made accessible from the Internet.
17. An individual, unit or body that wishes to establish an unofficial web page shall indemnify the university against any financial losses resulting from litigation brought as a result of the materials it posts or permits to be posted.
18. The opening menu or home page for any unofficial web page will display a disclaimer stating: "The contents of this web site are the sole responsibility of the (unit or individual's name) and do not necessarily represent the opinions or policies of BZU. The administrator of this site is (name) who may be contacted at (e-mail address)."
19. A web page may be removed from an official BZU server or made inaccessible if it is found to conflict with university policies and procedures.

d- Web Advertising

20. Advertising refers to any situation in which the university or one of its units receives payment or in-kind gifts in exchange for a link or brand placement on a university web page.
21. BZU Web is not to be used for advertising or other commercial activities. Any link on the university website to a commercial organization requires the approval of the president of the university or the Vice-President for Administrative and Financial Affairs.
22. Links to commercial vendors may be made in the following specific situations:
   a. Links to licensed software required for web viewing.
   b. Links to separately contracted vendors that provide services to the university.
   c. Links for sponsorship recognition incorporated within a unit's web page to acknowledge support of the unit's mission-related activities through sponsorship.
   d. Links for educational purposes that provide information for educational or other mission-related purposes.

XI. Electronic Records

1. Records are defined as recorded information in any form, created or received and maintained by the organization or person in the transaction of business or the conduct of affairs, and kept as evidence of such activity.
2. This policy outlines a set of institutional requirements for the responsible management of electronic records and information systems created and managed for all defined business functions and activities within Birzeit University.
3. The decision team responsible for electronic information management shall include experts in archives, records management, information technology, data and information management, auditing, risk management and law.
4. Official electronic records shall be maintained within a reliable electronic record-keeping system that preserves the context and structure of records and the associated metadata.
5. Electronic record-keeping systems shall meet legal and administrative requirements, national and international standards, and best practices, with written policies, assigned responsibilities and formal methodologies that fully and accurately document the overall management of the system.
6. Electronic record-keeping systems shall include adequate system controls, such as audit trails, routine testing of system hardware and software, and procedures for measuring the accuracy of data input and output.
7. Records shall be retained or disposed of in accordance with authorized and approved records retention schedules and policies. Only authorized personnel shall be permitted to create, capture or purge electronic records.
8. Work processes, associated business procedures and tools shall support the creation and management of electronic records.
9. Record-keeping systems shall be built into the defined business processes and electronic work environment, ensuring that records are captured, secured and usable for immediate and long-term use.
10. Whenever possible, university offices and units shall create models of business processes to determine where and when electronic records are created and used in the course of completing business transactions. Electronic records shall be inviolate and secure.
11. Electronic records shall be protected from accidental or intentional alteration and deletion and preserved without loss of any vital information for the useful life of the record or as long as required by law, policy or best practice.
12. Future usability of electronic records shall be ensured through the development of migration or conversion strategies designed to update hardware, software and storage media.
13. Business conducted by electronic means shall be documented adequately to meet record-keeping requirements. Accurate and reliable links between the electronic record and the business transaction that created it shall be maintained.
14. Electronic records shall be accessible, searchable and retrievable in a timely manner for reference and secondary uses, including audits, legal proceedings and historical research.
15. Training and user support programs shall be available to ensure that users can access and retrieve electronic records.
16. Access to electronic records shall be controlled according to well-defined criteria. Record-keeping systems shall ensure that electronic records are protected from unauthorized access.
17. University offices shall take measures to prevent unauthorized access to private and confidential electronic records by identifying records that are subject to legislative, regulatory and institutional policy restrictions.

XII. Electronic Documents Management

1. Electronic versions of all university documents shall be retained and properly stored. All public documents and forms shall be available to their potential users in electronic form.
2. Templates must be used to generate electronic documents, with proper entry of metadata including author, date and key (index) words.
3. Electronic documents, properly authenticated, constitute official university documents in as far as information delivery is concerned. Hard copies may be requested or required by the recipient, a fact that must be made clear to the potential sender. It is the responsibility of the recipient to archive the final draft of the received document in the proper manner.
4. Electronic documents shall be given at least the same level of attention as print documents in terms of accessibility, security, purging, need for authorization and logging. Attention must be given to the nature of electronic documents, which allows ease of circulation, exact duplication and modification.
5. Measures to ensure the security and integrity of electronic documents shall be encouraged, including encryption, digital signatures, password protection and storage in a proper format. Users shall be trained accordingly.
6. All official electronic documents shall be stored on the network file system to enable data backup on a regular basis.
7. The file system structure for a university unit shall reflect the administrative hierarchy of that unit. Appendix G elaborates on this.
8. The use of a document management system (DMS) to facilitate the work of the university units must be encouraged.
9. Electronic documents shall be named in a manner that facilitates efficient recall/retrieval, as outlined in the guidelines of Appendix H.

XIII. System and Data Backup

1. System backup includes, but is not limited to, servers, network storage systems, services, files, information and database structures, and data owned and operated by Birzeit University that are expected to be backed up.
2. Backup is designed to protect the data of Birzeit University against loss and to ensure its recovery in case of any kind of disaster, in addition to preserving snapshots of the data up to a specific date.

a- Timing

3. A full backup on magnetic tapes shall be performed weekly on Thursday evening; if for any reason the full backup fails, the operation is repeated on the following evening. If the operation fails again, it is repeated on the evenings that follow until the operation is successful.
4. A differential backup of new files, and of old files whose content and/or time stamp changed after the last full backup, shall be performed on a daily basis on a network storage system, a process known as staging.

b- Tape Storage and Storage Locations

5. Magnetic tapes shall be used for the weekly backup and shall be marked with their date in service. They shall contain a full snapshot of all file systems, databases and applications of a specified server up to a specific date.
6. Magnetic tapes are not overwritten but kept in a secure place before being sent for safekeeping in the Computer Center's safe outside the University. For additional safety, a copy of the backup must also be maintained outside the country.

c- Responsibility

7. The network operator/administrator or a delegated staff member of the Computer Center shall perform the regular backups. The director of the C.C. is responsible for ensuring the successful completion of the backup operations.
8. Regular reports on backup activities shall be submitted to the university administration. Repeated backup failures must be reported promptly.

d- Testing

9. Regular tests to confirm data restorability from backups shall be repeated at least once every two months, and test logs shall be submitted to the director of the Computer Center and made available to the university administration.

e- Data and Systems Backup

10. Data backup shall include the following:
   a. User data stored on the hard drive.
   b. System state data (MS Active Directory data).
   c. The system registry.
11. Systems backup shall include, but is not limited to:
   a. File servers: personal files (P:), group/department files (G:), head of department files (H:) and any other shared file storage system.
   b. Network storage systems.
   c. Mail server: information store (for system recovery), log files, and mailbox level (for individual mailbox restoration).
   d. Production web server: configuration files, web pages (data).
   e. Production database server: databases, log files, applications, web pages and configuration files.
   f. Domain controllers: Active Directory, logon scripts, configuration files and databases.
12. Users must be made aware of the availability of backup services for their data and systems.

f- Data Archiving

13. Current work files shall not be archived. Former employees' information is kept for two months after termination of employment before being archived on tape. The date of resignation/leaving form shall indicate the tapes containing the relevant data.

g- Data Restoration

14. Users must submit formal requests to the helpdesk for data restoration, specifying the file name, location and the dates it was created, last updated and deleted. Requests must have the prior approval of the chair or director of the unit to which the user is affiliated.
15. Requests shall be served within two working days if the deletion date was within the last two months and within four working days for longer periods.
16. Restoration of services/databases on a production system must have the authorization of the president of the university or the vice presidents and shall be served within four hours on working days and eight hours on non-working days.
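The weekly/daily cycle of items 3 and 4 above, worked through as an added example (not the Computer Center's own backup tooling): choosing the evening's job under the repeat-until-success rule, and selecting the differential set against the catalogue of the last full backup. The ISO-string date interface and the path -> (mtime, digest) catalogue format are assumptions made for the example.

```python
"""Backup scheduling (section XIII, items 3 and 4) as an added example; not the
Computer Center's own backup tooling. Assumptions: dates are passed as ISO
strings, and each backup catalogue maps path -> (mtime ISO string, digest)."""
from datetime import date, timedelta
from typing import Optional

THURSDAY = 3  # date.weekday(): Monday == 0


def choose_job(today: date, last_full_attempt: Optional[date], last_full_ok: bool) -> str:
    """Item 3: a full backup on Thursday evening, repeated on each following
    evening while the most recent full attempt failed; otherwise item 4's
    daily differential (staging)."""
    if today.weekday() == THURSDAY:
        return "full"
    if last_full_attempt is not None and not last_full_ok:
        return "full"
    return "differential"


def simulate(start_iso: str, days: int, failed_full_runs: set) -> list:
    """Walk `days` consecutive evenings from start_iso and return
    [(iso_date, job), ...]. failed_full_runs holds the ISO dates on which a
    full run is taken to fail (constructed outcomes for the example)."""
    start = date.fromisoformat(start_iso)
    last_attempt, last_ok = None, True
    plan = []
    for n in range(days):
        day = start + timedelta(days=n)
        job = choose_job(day, last_attempt, last_ok)
        plan.append((day.isoformat(), job))
        if job == "full":
            last_attempt, last_ok = day, day.isoformat() not in failed_full_runs
    return plan


def differential_set(current: dict, full_catalog: dict) -> list:
    """Item 4: files that are new, or whose time stamp or content digest
    differs from the last *full* backup's catalogue. The baseline is the last
    full backup, not the previous differential, so a restore needs only the
    weekly tape plus the latest staged set."""
    changed = []
    for path, (mtime, digest) in current.items():
        old = full_catalog.get(path)
        if old is None or old[0] != mtime or old[1] != digest:
            changed.append(path)
    return sorted(changed)


if __name__ == "__main__":
    # Thursday 2008-04-17's full run fails; Friday's retry succeeds.
    for day, job in simulate("2008-04-17", 7, {"2008-04-17"}):
        print(day, job)
```

The practitioner point is in `differential_set`: because the baseline is the last full backup rather than the previous night's staged set, each differential grows through the week, but restoration after a loss needs only the most recent tape plus the single latest staged set.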

XIV. Virus Prevention

1. The intentional introduction of computer viruses or disruptive/destructive programs into the university environment is prohibited, and violators shall be subject to strict disciplinary action.
2. Users must be educated and required to take reasonable steps to prevent introducing viruses to network-connected computers.
3. All desktop systems that connect to the network must be protected with an approved, up-to-date anti-virus software product.
4. All servers and workstations that connect to the network and that are vulnerable to virus or worm attacks must be protected with approved and updated anti-virus software.
5. Headers of all incoming data, including electronic mail, must be scanned for viruses by the email server where such products exist and are financially feasible to implement. Outgoing electronic mail should be scanned where such capabilities exist.
6. System/network administrators must inform users when a virus has been detected.
7. Virus scanning logs must be maintained whenever email is centrally scanned.

XV. Intrusion Detection

1. Intruder detection must be implemented on all servers and workstations containing data classified as high risk.
2. Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems, must be enabled.
3. Server, firewall and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.
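The automated review that item 3 calls for, as an added example (not the university's monitoring system): sshd-style authentication lines are parsed, failed logins are counted per source address in a sliding window, and an alert is produced when the count crosses a threshold, escalated when the same source then logs in successfully. The ISO-timestamp log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Automated review of authentication logs (section XV, item 3) as an added
example; not the university's monitoring system. The ISO-timestamp sshd line
format, the thresholds and the sample lines below are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: a password-guessing burst that ends in a success, then a normal user.
SAMPLE_LOG = """\
2008-04-17T21:00:01 fs1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2008-04-17T21:00:04 fs1 sshd[4013]: Failed password for root from 203.0.113.7 port 40123 ssh2
2008-04-17T21:00:09 fs1 sshd[4014]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
2008-04-17T21:00:15 fs1 sshd[4015]: Failed password for root from 203.0.113.7 port 40125 ssh2
2008-04-17T21:00:21 fs1 sshd[4016]: Failed password for root from 203.0.113.7 port 40126 ssh2
2008-04-17T21:00:30 fs1 sshd[4017]: Accepted password for root from 203.0.113.7 port 40127 ssh2
2008-04-17T21:05:00 fs1 sshd[4020]: Failed password for jdoe from 192.0.2.10 port 51000 ssh2
2008-04-17T21:06:00 fs1 sshd[4021]: Accepted password for jdoe from 192.0.2.10 port 51001 ssh2
"""


def parse_line(line: str):
    """Return the event fields of one log line, or None for lines of other kinds."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review(log_text: str, threshold: int = 5, window_minutes: int = 5) -> list:
    """Count failed logins per source address inside a sliding time window.
    Returns [(severity, ip, detail)]: 'medium' once a source reaches the
    threshold, 'high' when that source then logs in successfully, which is
    the case item 3 wants transmitted to the administrator."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("medium", ev["ip"],
                               f"{len(q)} failed logins on {ev['host']} within {window_minutes} min"))
        elif len(q) >= threshold:
            alerts.append(("high", ev["ip"],
                           f"login as {ev['user']} on {ev['host']} after {len(q)} failures"))
    return alerts


if __name__ == "__main__":
    for severity, ip, detail in review(SAMPLE_LOG):
        print(severity.upper(), ip, detail)
```

A real deployment would feed the function from the centrally collected logs that item 2 requires and route the 'high' alerts to the administrator; the single user with one typo (192.0.2.10) never reaches the threshold, which is the noise the window and threshold exist to suppress.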



Appendix A: Glossary

User: Any individual who uses, logs into, or attempts to use or log into, a system; or who connects to, or attempts to connect to or traverse, a network, whether by hardware or software or both, whether on campus or from remote locations. It includes system sponsors, system managers, faculty, staff, students, and other customers.

IT resources: Facilities, technologies, and information resources required to accomplish information processing, storage, and communication, whether individually controlled or shared, stand-alone or networked. Included in this definition are all information technology units such as, but not limited to, the Computer Center, IT Center of Excellence, classroom technologies, electronic resources, and computing and electronic communication devices and services, such as, but not limited to, computers, printers, modems, e-mail, fax transmissions, video, multi-media, instructional materials, and healthcare and administrative systems. Personal equipment physically connected to the university network, resources under the management or control of the Computer Center or other units of Birzeit University including individual faculties, departments, institutes and centers within the university campus or outside it.

Document: A written, printed paper or electronic file that bears the original, official, or legal form of something and can be used to furnish decisive evidence or information.

Administration: The group of people/officers who manage or direct the institution, or a computer system.

IT Providers: Any university unit that provides internet or intranet services for users of university information technology resources. They include, but are not limited to, the Computer Center.

Unit supervisor

P&D: Planning and Development.

Administrator

CIO: Chief Information Officer: the management person responsible for the operation of IT resources.

Backup: Saving of files onto an online or offline mass storage medium or a magnetic tape in a processed/coded way for the purpose of preventing loss of data in the event of equipment failure or destruction.

Staging: Process of saving a processed/encoded copy of the files and data on a network file system.

Archiving: Saving of old or unused files onto magnetic tape or other offline mass storage media for the purpose of releasing on-line storage room.

Restoration: Process of bringing offline storage data back from the offline media and putting it on an online storage system such as a file server.

Appendix B: Password Creation Guidelines

The following password creation guidelines are based upon experience and common sense. The software used to change passwords must screen for most of these guidelines as an aid in creating secure passwords. This does not relieve the user of the responsibility for creating and securing a good password:
1. Passwords must be at least 8 characters in length. Longer passwords are generally better.
2. It must contain at least one alphabetic and one numeric character.
3. It must be significantly different from previous passwords.
4. It cannot be the same as the user ID nor start or end with the initials of the user issued the user ID.
5. It cannot include the first, middle or last name of the user issued the user ID.
6. Special characters should be used to strengthen the password. For a list of allowed and disallowed special characters, refer to password best practices.
7. Passwords should not contain information easily obtainable about the user, e.g. license plate, ID number, telephone numbers, street address or date of birth.
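The screening that the password-change software is expected to perform, as an added example implementing rules 1 to 7 (not the university's own software). Two points the appendix leaves open are filled with labelled assumptions: rule 6's special-character set is taken as Python's `string.punctuation`, and rule 3's "significantly different" is read as a Levenshtein distance of at least 3 from each previous password. Since stored passwords should only ever be hashed, the previous password a real system compares against is the one the user types at change time.

```python
"""Password screening for Appendix B rules 1-7, as an added example; not the
university's password-change software. Assumptions: rule 6 uses Python's
string.punctuation as the special-character set, and rule 3's 'significantly
different' is read as an edit distance of at least 3 from each previous
password (supplied by the user at change time, since stored passwords are hashed)."""
import string
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the policy says a password must not be built from (rules 4, 5, 7)."""
    user_id: str
    names: list                                       # first, middle, last
    known_facts: list = field(default_factory=list)   # ID number, phone, plate, DOB, ...
    previous_passwords: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for rule 3."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def initials(names) -> str:
    return "".join(n[0].lower() for n in names if n)


def check_password(pw: str, user: UserProfile) -> list:
    """Return the numbers of the Appendix B rules the candidate violates
    (an empty list means it passes every mandatory rule)."""
    low = pw.lower()
    violations = []
    if len(pw) < 8:                                                         # rule 1
        violations.append(1)
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):  # rule 2
        violations.append(2)
    if any(edit_distance(low, old.lower()) < 3 for old in user.previous_passwords):  # rule 3
        violations.append(3)
    ini = initials(user.names)
    if low == user.user_id.lower() or (ini and (low.startswith(ini) or low.endswith(ini))):  # rule 4
        violations.append(4)
    if any(n and n.lower() in low for n in user.names):                     # rule 5
        violations.append(5)
    if any(f and f.lower() in low for f in user.known_facts):               # rule 7
        violations.append(7)
    return violations


def has_special_character(pw: str) -> bool:
    """Rule 6 is advisory ('should'), so it is reported rather than enforced."""
    return any(c in string.punctuation for c in pw)


if __name__ == "__main__":
    # Constructed profile for the demonstration.
    user = UserProfile("jdoe", ["John", "Doe"], ["0599123456", "1985"], ["Winter2007!"])
    for candidate in ("jdoe", "jdSummer99", "Winter2008!", "Tr0ub4dor&3x"):
        print(candidate, check_password(candidate, user), has_special_character(candidate))
```

Returning the list of violated rule numbers rather than a bare yes/no lets the change form tell the user which guideline to fix, which is what an aid to "creating secure passwords" needs.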

Appendix C: Password Expiration Procedure

1. Eight weeks before the password expires, the Computer Center sends the user an e-mail notification of the expiration date.
2. This e-mail notification will be sent weekly until the password is changed or expires.
3. When a user's password is within four weeks of its expiration date, a brief message to that effect will appear on the Ritaj screen as a reminder, and authentication through Ritaj is denied.
4. A link will be provided to a web form where the individual can change the password.
5. After the password has been successfully changed, access to authentication through Ritaj will be restored.
6. If the password has not been changed within four weeks of its expiration date, weekly e-mail reminders will continue to be sent to notify the account owner of his or her impending password expiration (with instructions on how to change the password).
7. Individuals who do not respond to these warnings and allow their passwords to expire will need to visit the Computer Center help desk to reinstate their access account passwords.
8. Similar arrangements will be applied to other university-maintained accounts.

Appendix D: Email Use Guidelines

1. Faculty members, staff and students are expected to check their email regularly, and not less than once every two working days.
2. All users must refrain from inappropriate use of email systems, which includes, but is not limited to, the creation or transmission of emails that:
   a. bring the university into disrepute;
   b. consist of unsolicited commercial or advertising material, chain letters or other junk mail of any kind;
   c. infringe the copyright of another person, including intellectual property rights;
   d. waste staff effort or networked resources, or serve to deny service to other users;
   e. are designed to cause, by intent or otherwise, annoyance, inconvenience or anxiety to anyone;
   f. contain discriminatory, defamatory, offensive and/or deceptive material;
   g. violate the privacy of others, or unfairly criticize or misrepresent others.

Sending Emails

3. Sending email from the university email account is equivalent to sending a letter on university letterhead.
4. The 'subject' line in every message must be filled with a meaningful description that reflects the email content. It alerts the recipient to the subject matter and to the level of importance and urgency of the received email.
5. Emails must be restricted to one subject per message, and multiple messages must be sent for multiple subjects. This helps recipients to use the 'subject' line to manage the messages they have received.
6. Users must create a 'signature' that appears at the end of each email indicating the sender's position and status at the university and contact information. Users must refrain from adding signatures to their private email exchanges.
7. Email messages must be kept fairly brief.
8. Unwanted messages must be regularly deleted to conserve disk space, and orderly filing systems must be implemented for kept email messages.
9. Sent emails cannot generally be recalled.
10. Good manners and courtesy, common in printed correspondence, shall always be exercised in emails to avoid conveying wrong impressions. It should be remembered that electronic documents can easily be circulated without permission.

Replying to Emails

11. Prompt replies are essential to acknowledge receipt of an email, even if the email has been wrongly addressed or forwarded.
12. The 'reply' option fills the subject field automatically. However, the replier must ensure that it still accurately reflects the content of the message.
13. Copies and undisclosed copies of emails, designated by the 'cc' and 'bcc' fields, must be used with the same cautionary attitude applied to printed correspondence. Email copies must be sent to people who really need to see them and who are in the right chain of command.

Forwarding Email

14. Diligence must be exercised when forwarding an email to a third party without the permission of the email author. Copyright law makes it illegal to forward material without permission from the copyright owner.

Email Attachments

15. Unnecessary attachments must be avoided, and recipients must be warned of any in advance, especially if they are large files.
16. This functionality creates an opportunity for the distribution of malicious files. Older email programs often opened files attached to messages automatically, as a convenience to the user. This caused infections without any user intervention. Newer e-mail programs do not normally open attachments automatically, and the recipient must open attachments manually. Attackers use new tactics to trick users into starting malicious programs by clicking to open the attachment. This is called "social engineering" and includes: customized message text, a forged sender name, personalized or official-looking messages and apparently harmless attachments.
17. The recommended best practice is to never distribute or open an executable program as an email attachment. Other methods are available to safely share programs with others.
18. File names and extensions tell the computer what to do with the file; e.g. a document named "xxx.doc" is opened using Microsoft Word. Other extensions, such as ".exe", tell the computer the file is a program that runs on its own when clicked. If the attached file has no association, the computer will prompt the user to select the correct program to open it.
19. Options for sharing executable programs include:
   a. Placing the file on a shared drive and specifying its location for other users.
   b. Placing it on a web server and specifying a link to its location.
   c. Renaming the file so that it does not have a prohibited extension before sending it as an attachment. The recipient must restore the file's original extension before running it.
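The gateway rules of section IX (items 17 to 20) and the attachment behaviour described in items 16 to 19 above, as one added example (not the university's gateway code): executable attachments are stripped and a notice is inserted into the message text, password-protected archives that cannot be scanned are marked for discard, and ordinary documents pass through intact. Because item 19c shows that an extension alone is not reliable, the check also looks at the file's leading bytes for a Windows PE image; that content check, the extension list and the sample messages are assumptions of the example.

```python
"""Gateway attachment policy from section IX items 17-20 and Appendix D
items 16-19, as an added example (not the university's own gateway code).
Assumptions: the executable-extension list, and the PE ('MZ') and ZIP
header checks used alongside it."""
import email
import struct
from email import policy
from email.message import EmailMessage

# Assumption: a representative set of extensions the gateway treats as executable.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".msi"}
NOTICE = "[The attachment '{name}' was removed by the campus email gateway.]"


def looks_executable(name: str, data: bytes) -> bool:
    """Extension check plus a content check for Windows PE images ('MZ' header),
    so an executable renamed to a harmless extension is still recognised."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or data[:2] == b"MZ"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in a ZIP local file header marks a
    password-protected entry; such archives cannot be scanned (item 18)."""
    if data[:4] != b"PK\x03\x04" or len(data) < 8:
        return False
    (flags,) = struct.unpack("<H", data[6:8])
    return bool(flags & 0x1)


def apply_attachment_policy(raw: bytes):
    """Return (verdict, message, removed_names).

    verdict is 'discard' when an unscannable encrypted archive is attached,
    otherwise 'deliver'; executable attachments are stripped and a notice is
    appended to the text body, other files are re-attached unchanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    kept, removed = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if zip_is_encrypted(data):
            return "discard", msg, []
        if looks_executable(name, data):
            removed.append(name)
        else:
            kept.append((name, part.get_content_type(), data))
    if not removed:
        return "deliver", msg, []

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    notices = "\n".join(NOTICE.format(name=n) for n in removed)
    rebuilt = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            rebuilt[header] = str(msg[header])
    rebuilt.set_content(text.rstrip("\n") + "\n\n" + notices + "\n")
    for name, ctype, data in kept:
        maintype, subtype = ctype.split("/", 1)
        rebuilt.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return "deliver", rebuilt, removed


def build_sample_message(attachments) -> bytes:
    """Constructed sample input: a plain-text mail with the given
    (filename, bytes) attachments, serialised as the gateway would receive it."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Files"
    msg.set_content("Please see the attached files.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message([
        ("report.docx", b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 16),  # plain ZIP container
        ("setup.exe", b"MZ\x90\x00" + b"\x00" * 16),                    # PE image
    ])
    verdict, out, gone = apply_attachment_policy(raw)
    print(verdict, gone, [p.get_filename() for p in out.iter_attachments()])
```

Item 20 is satisfied by the `kept` path: a `.docx`, which is itself a ZIP container, passes because its header flag is clear and its first bytes are not `MZ`. A production gateway would add a real malware scanner in front of these structural checks, as item 17 requires.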

Appendix E: Mass Electronic Mailings

1. A mass electronic mailing is a single electronic mailing received by 100 or more email addresses.
2. Mailings must be mission-related: mass electronic mailings sent by faculty, staff, enrolled students and others assigned University email accounts, using University-owned or contracted resources, to individuals or groups within or outside the University must be related to the University's mission.
3. Certain mailings must be approved: mass electronic mailings to certain large population segments must have executive-level approval in advance of issuance.
4. Specifically, the President or his designees must approve electronic mailings to the entire Birzeit University community, i.e. all email account holders (faculty, staff, students and others assigned University email accounts). Such mailings generally should be reserved for truly emergency notices, such as safety or security alerts.
5. The Vice President for Academic Affairs and the Vice President for Administrative Affairs or their designees must approve electronic mailings to all staff or all faculty members and staff.
6. The Vice President for Academic Affairs or designee must approve electronic mailings to all faculty members.
7. The Vice President for Academic Affairs and the Dean of Student Affairs or designee(s) must approve electronic mailings to all students, all graduate students, all undergraduate students or parents of all enrolled students.
8. Deans or their designees must approve electronic mailings to all faculty or students within a faculty.

Appendix F: Procedure for Updating BZU Web

1. Requests to add, delete or update information or links on the BZU Web official site map should be submitted using an online request form for review and approval, as needed, by the Web Editor.
2. The Web Editor reserves the right to refuse or remove links from the official site map that do not comply with the mission of the university or the BZU Web policies and procedures. The Web Editor shall communicate his/her decisions and the reasons behind them to all concerned parties.
3. Requesters can petition the Web Editor's decisions. The petition should be directed to the Chair of the Web Review Committee.
4. The Web Editor is responsible for the execution of the Editorial Board's decisions, being additions, deletions and/or updates. The Web Editor monitors the referential integrity of the BZU Web official site map and all linked pages and coordinates corrective actions according to clearly established procedures and reporting hierarchies.

Appendix G: Network File System

1. Each individual is provided with a personal directory to store data that can be accessed by that individual and nobody else. The system manager shall nevertheless have access to all data; therefore, private or high-risk data should be encrypted or stored elsewhere.
2. Each university unit is provided with a shared directory to hold records common to all unit members. Shared directories shall reflect the hierarchical structure of the university.
3. Each unit is provided with a working directory accessible to the chair or director, his/her immediate supervisor and the unit secretary.
4. Special-purpose directories shall be set up by the Computer Center within two working days of a request. Requests must specify the directory name and access rights, and must bear the prior approval of the chair or director of the unit.
5. Data stored on the network file system shall be recoverable from a certain point in time (the daily backup time). It is the responsibility of the individual to safeguard his/her data between backups.
6. Official records shall be saved on the network file system to maintain work continuity and security. Users are encouraged to maintain updated copies of their data on their local drives and to move data from their local disks to the servers when they want it queued for backup.
7. Directories shall be sufficiently protected against unauthorized access in a manner that reflects the university’s data classification.
8. The Computer Center shall provide technical support to help users with data encryption but shall not be responsible for data decryption in cases of key loss.
9. Computer Center staff shall abide by work ethics and refrain under all circumstances from using their privileges to inspect a user’s data unless specifically required to do so, in writing, by the user himself/herself or by his/her immediate supervisor after clearly notifying the user of this action.

Appendix H: Standard Convention for Naming Documents

1. File names must be short but meaningful.
2. Unnecessary repetition/redundancy in file names and paths must be avoided.
3. Capital letters, rather than spaces or underscores, should be used to delineate words.
4. Numbers in a file name must be two-digit numbers, i.e. 01-99, unless the number is a year or another number with more than two digits.
5. Dates in the file name are written ‘back to front’, using a four-digit year, two-digit month and two-digit day: YYYYMMDD.
6. Personal names in a file name must have the family name first, followed by the initials.
7. Common words such as ‘draft’ or ‘letter’ must be avoided in file names unless including them makes the record easier to retrieve.
8. Elements of a file name must be ordered to facilitate retrieval of the record.
9. File names of records of recurring events should include the date and a description of the event, except where their inclusion would be incompatible with rule 2.
10. File names of correspondence should include the name of the correspondent, an indication of the subject, the date of the correspondence and whether it is incoming or outgoing, except where the inclusion of any of these elements would be incompatible with rule 2.
11. The file name of an email attachment should include the name of the correspondent, an indication of the subject, the date of the correspondence and the number of attachments sent with the covering email, except where the inclusion of any of these elements would be incompatible with rule 2.
12. The version number of a record should be indicated in its file name by ‘V’ followed by the version number and, where applicable, ‘Draft’.
13. Non-alphanumeric characters in file names should be avoided.
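The rules of this convention that can be tested mechanically (1, 3, 4, 5, 12 and 13) can be checked before a file is placed on the network file system. The following Python checker is an added example and is not part of the policy text: the 64-character limit it applies for rule 1 is an assumption, since the policy only says names must be short, and the sample file names are constructed for illustration. Rules 2 and 6 to 11 concern meaning and ordering and still need a human reviewer.

```python
"""Checker for the Appendix H file-naming convention.

Added example, not part of the Birzeit University policy text. Covers only the
rules that can be tested mechanically: 1 (length), 3 (word separators),
4 (two-digit numbers), 5 (YYYYMMDD dates), 12 (version marker before 'Draft')
and 13 (non-alphanumeric characters).
"""
from __future__ import annotations

import re
from datetime import datetime
from pathlib import PurePosixPath

# Assumption: the policy only says names must be "short"; 64 characters is
# an illustrative limit, not a figure taken from the policy.
MAX_STEM_LENGTH = 64


def check_filename(name: str) -> list[tuple[int, str]]:
    """Return (rule number, explanation) pairs for every rule the name breaks.

    An empty list means the name passes all mechanically checkable rules.
    Only the final path component is examined, and the extension is ignored.
    """
    stem = PurePosixPath(name).stem
    problems: list[tuple[int, str]] = []

    # Rule 1: short names.
    if len(stem) > MAX_STEM_LENGTH:
        problems.append((1, f"name is {len(stem)} characters; keep names short"))

    # Rule 3: words are delineated by capital letters, not spaces or underscores.
    if re.search(r"[ _]", stem):
        problems.append((3, "use capital letters, not spaces or underscores, to separate words"))

    # Rule 13: no other non-alphanumeric characters. Spaces and underscores are
    # already reported under rule 3, so they are excluded from this check.
    if re.search(r"[^A-Za-z0-9 _]", stem):
        problems.append((13, "non-alphanumeric characters should be avoided"))

    # Rules 4 and 5: every run of digits must be a two-digit number, a number
    # with more than two digits (e.g. a year), or an eight-digit YYYYMMDD date.
    for run in re.findall(r"\d+", stem):
        if len(run) == 8:
            try:
                datetime.strptime(run, "%Y%m%d")
            except ValueError:
                problems.append((5, f"{run} is not a valid YYYYMMDD date"))
        elif len(run) == 1:
            problems.append((4, f"number {run} must be written with two digits (01-99)"))

    # Rule 12: 'Draft' is only meaningful after a version marker such as V02.
    if "Draft" in stem and not re.search(r"V\d{2,}Draft", stem):
        problems.append((12, "'Draft' must follow a version marker such as V01"))

    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from the policy.
    samples = [
        "MinutesITPolicyCommittee20080416V02.pdf",
        "it_policy draft 1.doc",
        "Report20081332.docx",
        "LetterTaraziV1Draft.doc",
    ]
    for sample in samples:
        verdict = check_filename(sample)
        report = "OK" if not verdict else "; ".join(f"rule {r}: {m}" for r, m in verdict)
        print(f"{sample} -> {report}")
```

A name such as `MinutesITPolicyCommittee20080416V02.pdf` passes, while `it_policy draft 1.doc` is reported under rules 3 and 4 and `LetterTaraziV1Draft.doc` under rules 4 and 12. Any eight-digit run is treated as a date, so a non-date number of exactly eight digits would be flagged under rule 5; that is the intended reading of rule 5, which reserves the YYYYMMDD form for dates.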

Appendix I: Birzeit University IT Policy Committee Membership:

• Dr Adnan Yahya, Dean, Faculty of Information Technology, Chair.
• Dr Adel Zagha, Director, Office of Planning and Development, Member.
• Dr Mirvat Bulbul, Assistant to the Vice President for Academic Affairs, Member.
• Dr Yousef Hassouneh, Director, Scientific Computing Masters Program, Member.
• Mr Marwan Tarazi, Director, Center for Continuing Education, Member.
• Mr Yahia Yaish, Director, University Computer Center, Member.

