Regulations on the Use of IT Resources at the University of Zurich

This document is an unofficial translation of the following official document: Reglement über den Einsatz von Informatikmitteln (REIM) available on the Rechtsdienst website.

Part 1: Basics

§ 1. Purpose

The purpose of these Regulations is to guarantee security when using IT resources by

1. stipulating responsibilities
2. regulating conditions of use, and
3. specifying measures against and in case of abuse.

The use of IT resources at the University of Zurich is subject to the provisions of these Regulations.

§ 2. Scope of application

These Regulations are applicable to the use of the University's IT resources by its members and by third parties. Third parties are, for example, deemed to be persons attending courses, congress participants, postgraduate students, library users and tenants of the University's rooms or rooms supplied by the University's network.

The University Hospital (USZ) is itself responsible for issuing corresponding regulations for its area. From the viewpoint of the IT Security Office, however, the USZ is treated as a user unit within the meaning of these Regulations.

§ 3. Definitions

Use

is every utilization of IT resources.

IT resources

are all devices, items of equipment and services that are used for the electronic processing of data, such as hardware, software, networks and network devices, the addressing elements used for the University of Zurich (such as IP addresses) and the stored data themselves.

Members of the University

include the teaching staff, mid-level faculty, students and administrative-technical staff as per the University's statutes and regulations.

End users

are those users who utilize a computer but do not undertake any set-up or maintenance work on the computer system.

System administrators

are those users of a computer system who undertake set-up and maintenance work on the said system.

User units

are offices of the deans, institutes, clinics, seminars, departments of Central Services, libraries, centers of competence, University clubs and in some cases, spin-off companies on the University's premises, who are registered with IT Services as service recipients.

Decentral IT supervisors

are the IT supervisors for the user units.

Isolation from the network

in this document denotes disconnection of a computer from the network (e.g. by unplugging the data cable).

Strong passwords

are at least 8 characters long, contain at least one element from each of the four character categories (uppercase letters, lowercase letters, numerals and special characters (such as punctuation marks and similar characters) and must not show any identifiable construction rule.

Personal passwords

Group passwords

are passwords which must be known to a group for organizational reasons.

Peer-to-Peer programs

are programs that perform both server and client functions.

Part 2: Organization and Responsibility

§ 4. End users and system administrators

The end users are responsible for deployment and system maintenance of their IT resources. The user units may transfer the responsibility for system maintenance in whole or in part from their end users to the IT supervisors.

External experts or companies called in as system administrators are also subject to these Regulations.

In case of serious faults on the computer, the end users must take the computer out of operation or isolate it and call in the system administrators.

End users who do not belong to user units may not install servers and Peer-to- Peer programs, or arrange for them to be installed, or operate them. They may only operate systems without special security requirements as defined in §12. IT Services may publish exceptions in respect of Peer-to-Peer programs and regulations for their operation.

§ 5. User units

The user units utilize IT resources for the activities of their end users, for operational processes (e.g. printers, file servers, research computers) and for general IT services (e.g. web presence). Each user unit is responsible for these IT resources, for technical and operational matters related to IT resources and for compliance with these Regulations. In order to accomplish these tasks, the unit shall designate a qualified IT supervisor and shall register this person with IT Services.

The manual published by IT Services for the decentral IT supervisors regulates the rights and duties of IT supervisors and their cooperation with IT Services. On behalf of the user units, the IT supervisors may:

1. monitor the assigned network areas and their own computers in order to guarantee the correct functioning and security of these IT resources;
2. install or arrange for the installation of servers and Peer-to-Peer programs.

The IT supervisors for the user units shall ensure that an IP address in their network area can be used to trace the person by whom the relevant computer was used or, e.g. in the case of training rooms, at least to track down the specific computer that was used. It must be ensured that tracebacks of this sort can be implemented for a period of half a year. This also applies to IP addresses that are assigned temporarily and automatically.

Each user unit keeps an inventory of the IT devices operated in its area.

§ 6. IT Services

Either alone or by agreement with the Legal Services, IT Services are responsible in particular for:

1. the development and operation of central IT resources, the network and the central range of IT services to students and user units;
2. the range of advisory and support services on IT security matters;
3. issuing the University's IT security regulations;
4. issuing the regulations for logging system operations (Logfile Policy);
5. issuing the technical implementation regulations.

IT Services may order restrictive measures for the use of the network. In particular, IT Services are entitled to prevent inadmissible activities in the network by technical means.

IT Services may deploy appropriate measures to check abuses and malicious programs at strategic points in the network, such as firewalls, spam filters, anti-spoofing filters or antivirus protection.

§ 7. IT Security Office

The University's IT Security Office is a staff unit of IT Services.

The IT Security Office represents the University's interests in relation to Internet operators. The user units and end users are obliged to assist the IT Security Office with processing complaints from the Internet Community.

The unit is responsible for general monitoring of the university network, especially as regards searching for security deficiencies. It proposes security measures and issues security recommendations.

The IT Security Office lodges complaints about security deficiencies and minor instances of abuse directly with the responsible end users or IT supervisors. If such a complaint does not result in discontinuation of the incorrect conduct, the management of the user unit may be informed. The IT Security Office may call in the supervisors and external help to clarify security deficiencies.

The IT Security Office may order (or if necessary force) the isolation of computers from the network.

The IT Security Office reports cases of serious abuse to the security service and initiates the necessary measures, calling in the Legal Services for this purpose.

Part 3: Use of IT resources

§ 8. Conditions

The University's IT resources, including the network in particular, are to be used to carry out University-related tasks. IT services which make heavy use of the University's infrastructure services (network bandwidth, power, cooling, etc.) must be planned in cooperation with the responsible units at Central Services. IT Services must also be informed in every case. Commercial use in order to carry out tasks not related to the University by tenants of the University's rooms is only permitted after written approval has been obtained from the Executive Board of the University.

The use of IT resources for private non-commercial purposes is basically permitted, provided that it takes place on a small scale and that performance of the intended tasks is not impaired. These Regulations are also applicable to this type of use.

The use of IT resources for private commercial purposes is prohibited. Loan, rental and sale of IT resources require mandatory approval. This approval is issued by the head of the user unit.

§ 9. Applications subject to mandatory approval

Mandatory approval applies in connection with the public web presence of the University of Zurich. The unicommunication Department is responsible for this matter.

The following are also subject to mandatory approval:

1. Connections with networks external to the University such as modem lines or tunnel connections from outside the University into the University's network which do not terminate at a relevant service belonging to IT Services; these include modem dial-in and VPN servers. The IT Security Office is responsible.
2. Bulk e-mails sent to members of the University. Mailings approved by the Legal Service (surveys, University events, etc.) are undertaken by IT Services without the applicants obtaining the e-mail addresses of the target group. Mailings by University staff regarding matters directly related to maintaining the operation of teaching, research and Central Services are exempt from this mandatory approval.
3. Setting up a computer with a static IP address. The user unit responsible for the locally valid network number range is responsible in this case.

§ 10. Prohibited applications

The following are prohibited:

1. Operating mail servers which can be directly addressed from outside the University or which directly contact mail servers outside the University network. Continued operation of mail servers of individual user units which have been operated in the past and are registered with IT Services is exempted from the foregoing.
2. Operation of lines of communication or tunnel connections which perform a switching function into the local Internet at end points both within and outside the University, so they represent a further data connection into the Internet.
3. Continued operation of network services on which serious abuse is known to be perpetrated, and the continued unprotected operation of computers to which unauthorized third partieshave obtained administrator's rights or which such parties have been able to abuse otherwise in a disruptive or hazardous manner.

§ 11. Data protection

Any use of IT resources which violates the privacy of other persons is prohibited.

Personal data may only be recorded, processed and forwarded insofar as is necessary in order to perform the task assigned within the University. The relevant data protection and archiving provisions must be respected.

Users of IT resources are responsible for ensuring that data are not put to abusive use by unauthorized third parties.

§ 12. Security regulations

Systems must be maintained so that they are protected as well as possible against abuse by third parties. In particular, care must be taken to ensure that attacks on other computers in the network and the dissemination of malicious program codes are prevented as effectively as possible.

In cases where passwords are used, strong personal passwords or strong group passwords must be used. Personal passwords must not be communicated or made accessible to any other person. For group passwords, a password supervisor is designated who knows all the group members personally and who can change the password at any time, especially if instructed to do so by the IT Security Office.

Security requirements for each computer must be stipulated regarding

1. confidentiality and access protection,
2. data security, and
3. availability,

and these must be ensured by appropriate measures.

The standards for the operation of systems at the University of Zurich must be respected. For systems with higher security requirements or which cannot conform to all points of the standards due to special circumstances, acceptable alternativesecurity concepts must be recorded in writing and implemented. The obligation to provide documentation in this regard may be met by summarized or tabular listings in the case of jointly maintained computers.

§ 13. Monitoring

The University network and the individual IT services are monitored. This monitoring focuses on identifying the abuse of IT resources by third parties and the requirements for the planning of resources.

There is no possibility of designating e-mail as private and having it treated specially in terms of logging; however, e-mails can be encrypted. Further provisions are included in the regulations issued by the IT Services for logging system operations (Logfile Policy).

Part 4: Abuse and its consequences

§ 14. Abuse

The violation of provisions of these Regulations or other University Regulations by deploying or using the University's IT resources constitute an abuse, and measures may be taken against the perpetrators of such violations.

The following actions in particular are abusive:

1. Using, processing, saving, transmitting or disseminating data, in particular e-mails or Internet pages, with content which is unlawful, pornographic, racist or sexist or which extols violence.
2. The use of e-mail or web pages for the purpose of harassing, denigrating or damaging other persons.
3. Unlawfully downloading, copying or installing data or software of any sort.
4. Using IT resources in a matter which leads to the violation of immaterial property rights of third parties.
5. Failure to comply with the legislation on the protection of personal data.
6. Creating or distributing malicious program codes (such as viruses, Trojan horses or worms).
7. Unauthorized searching (scanning) of the network inside and outside of the University; IT supervisors of user units are solely authorized to do so for the network areas assigned to them, and the IT Security Office is authorized to do so for the University's entire network.
8. Attempting to access a computer system without authorization or to obtain authorizations higher than those assigned.
9. Using faked IP addresses or e-mail sender addresses.
10. Sending mass e-mails except for the applications allowed as per 9, clause 2.
11. Operating servers in a manner that favors abuse by anonymous third parties, anonymous sending of spam mails, attacks by hackers or illegal data exchange.
12. Operation of hacked or infected systems on the network.

§ 15. Measures in case of abuse or suspected abuse

The Executive Board of the University points out to employees that Internet access or e-mail traffic is logged. Evaluation on a personal basis is possible if:

1. abuses on a substantial scale exist in connection with Internet accesses, or
2. there is a specific suspicion of abuse in connection with e-mail traffic.

After a warning has been issued by the superior, the security service may apply to IT Services for reports related to individuals regarding Internet accesses or e-mail traffic.

Reports related to individuals may be compiled for a maximum of three months.

IT Services shall send the reports to the Security Services.

In case of justified suspicion of abuse, the Security Services shall decide whether to apply for administrative or disciplinary proceedings to be initiated against the person in question, or whether that person should merely be warned. If no investigation is initiated, the personal data must be destroyed.

In order to eliminate an abuse, IT Services and the IT Security Office in particular may take any measures required to maintain or restore the lawful status, such as:

1. reporting the infringement to the Security Services;
2. determining the cause of the fault in cooperation with the IT supervisor or the management of the user unit;
3. requesting the responsible users to rectify the disruptive status;
4. setting periods for restoration of the lawful status;
5. blocking an account until it is securely returned to the lawful user;
6. blocking an account in order to obtain a written assurance of compliance with these Regulations.

If, and as long as, an abuse puts IT security at risk, the IT Security Office is obliged on behalf of the Security Services to arrange for the implementation of suitable measures to protect the network such as:

1. blocking access to the IT resources or restricting the use of IT resources to specified procedures;
2. deleting malicious data (especially malicious programs), interrupting malicious programs or switching off computers causing damage, regardless of the data loss entailed.

In case of justified suspicion of abuse, the IT Services may block or arrange for the blocking of connections or services as a precautionary measure. They shall ensure that the data in question are found and kept.

Unlawful and abusive data may be blocked by the University and kept for evidential purposes. If no proceedings on account of abuse are initiated or if such proceedings are concluded, these data shall be deleted.

Part 5: Closing provision

§ 16. Effective date

These Regulations enter into effect on December 1, 2006.

If the interpretation of the Regulations on the Use of IT Resources at the University of Zurich results in a difference due to the versions in various languages, the German version shall be authoritative.