OXFORD UNIVERSITY IT USERS' GROUP

The next meeting of Oxford University IT Users' Group representatives will be held on Tuesday 13th January 1998 at 14.00 hours in the Lecture Room, in the Computing Laboratory, Wolfson Building, Parks Road. Entry is via the door from the car park on the north side of the building.

A G E N D A

1. Apologies for absence

2. Minutes of the meetings held on 3rd October 1997.

3. Matters arising:

4. Chairman's report *CIG-B

5. Computing Services report - report available

6. Libraries report - report available

7. Administrative Information Services report - nothing to report

8. Reports from other committees and groups

9. Draft preliminary IT security and privacy statement - report available

10. Items raised by representatives

11. Any Other Business

12. Dates of next meetings:

Carol Bateman

carol.bateman@oucs.ox.ac.uk

7th January 1998


OXFORD UNIVERSITY IT USERS' GROUP

IT Users' Group 13-Jan-98 Item 5 T Alex Reid

Computing Services Report 24 December 1997


  1. UNIX SERVICE STATUS

    We regret that both Ermine and Sable have continued to give problems during MT97. We have been in close and constant touch with Digital's technical support team, both in the UK and in the USA. We have followed their advice regarding updates to the kernel and run-time routines in the Operating System, but apparently with little effect. Sometimes, as with the Ermine upgrade just before Christmas, the changes advised by Digital have produced disastrous results, which have taken considerable effort to recover from. Whenever Digital finally find fixes, something new seems to appear. We can only conclude that we are pushing the system to the brink of its design limits.

    Nevertheless, we continue to press hard to find solutions to the instability in both systems. In the meantime, we are conscious of the serious disruption that these problems create for those using these computers directly, but also for email users. Consequently, we are seriously investigating the option for acquiring a separate system (from another supplier!) to act as the email server.

  2. HIERARCHICAL FILE SERVER

    The HFS continues to perform satisfactorily, with the workload continuing its seemingly inexorable growth. Details of the workload can be seen at http://www.oucs.ox.ac.uk/internal/annrep/. A new version of the ADSM software is due to be mounted on 2-Jan-98, which it is hoped will increase performance significantly.

  3. JANET CONNECTION

    UKERNA completed negotiations for SuperJanetIII in November, and signed a contract with Cable & Wireless. Details of the new national arrangements can be seen at http://www.ja.net/press_release/SJ-Brief.html. It is expected that installation of the new connections will commence in January 1998, and be fully operational by March 1998.

    For Oxford, UKERNA has agreed to continue the present SMDS connection (10Mbps out, 25Mbps in) for the time being. In the meantime, they are considering a proposal that we connect to Oxford Brookes University in a MAN, with one connection to Janet, which would be at 16Mbps using an ATM connection (which would therefore be upgradable). This proposal has been accepted in principle by UKERNA, but we have no further information at the time of writing. The original proposal to create a MAN encompassing Rutherford Appleton Laboratory has been rejected on the grounds of the magnitude of the traffic generated by each of Oxford and RAL, and the cost of a direct link between us.

    Further details as they become available will be posted at http://www.oucs.ox.ac.uk/internal/janet.html (along with the latest traffic data).

    Traffic loads increased dramatically in November, and investigations led, just before Christmas, to the discovery of a single system which was accounting for a very substantial portion of Oxford's total Janet traffic. Action was taken to bring this under control.

  4. CHARGING FOR TRANS-ATLANTIC TRAFFIC

    The University has received notification from JISC (along with all other HEIs in the UK) that it may be necessary to commence charging for trans-Atlantic traffic from September 1998. A copy of the letter received can be seen at http://www.admin.ox.ac.uk/oxonly/it/9736.htm.

    This has been discussed by the TRG and the IT Committee, and in response the Vice-Chancellor has written to the appropriate authorities to urge that this charging be deferred for 12 months, principally to allow time to develop proper traffic measuring, monitoring, controlling and charging systems. His response was based on a draft which can be seen at http://www.admin.ox.ac.uk/oxonly/it/9740.htm.

    In the meantime, the JISC's Advisory Committee on Networking (ACN) is proceeding to make arrangements for many of these measures to be implemented nationally.

    As a precautionary measure, the General Board will be asked to make a provisional allocation of £120,000 for 1998/9 to meet any such charges if levied, and OUCS is developing its own measuring devices to enable us to identify the most significant usages and users. OUCS will also give consideration to means of ensuring that as much use as possible is made of the Web caches installed in the University.

  5. HELPDESK SOFTWARE

    After a prolonged and thorough analysis, involving staff from various departments and colleges as well as OUCS staff, and which included a formal tendering process, the Help Desk software from Computer Associates (CA) has been acquired. This provides a very powerful base from which to develop a system that will serve University-wide needs. It is hoped to mount the base software within OUCS early this Term (covering call tracking), and gradually develop further features and roll it out for general use by the end of Trinity Term. We are very grateful for all the help received in analysing the tender bids.

    This software will provide helpdesk call-tracking and the creation and use of a "knowledge base" (with a suitable package to be acquired shortly). It will allow multiple helpdesks to operate in harmony, utilising GUI interfaces, and will allow browsing of the knowledge base by IT support staff or individual enquirers using a Web interface. A site licence for the clients has been obtained.

  6. EMAIL SIG

    Peter Higginbotham has been asked to "reconvene" the Email SIG, to review the current status regarding recommended protocol and packages. He is expected to produce a discussion paper, which will be circulated (via the Web) in due course. You will then be asked to comment upon the draft. His Terms of Reference were reviewed by the IT Committee and can be seen at http://www.oucs.ox.ac.uk/internal/email-WP-ToR.html.

  7. LOCAL MAIL SERVERS

    Roger Treweek has been asked, in consultation with a few others, to prepare a report on the desirability and implications of trying to limit the proliferation of email servers around the University. As with the Email working party, a draft report will be prepared and made available on the Web for comment. His Terms of Reference can be seen at http://www.oucs.ox.ac.uk/internal/email-WP-ToR.html.

  8. GANDALF CLOSURE

    The Gandalf system for connecting asynchronous terminals to central computers was terminated on 31-Dec-97, in keeping with the timetable adopted by the IT Committee 2 years ago. We trust that all users of this (and there were still quite a number right up until the end) will have made satisfactory alternative arrangements. This system served the University well for many years. We trust that the Ethernet environment which has replaced it will serve as reliably and as well.

  9. OUCS REVIEW REPORT

    Various aspects of this are being considered by the IT Committee, and should develop during this Term (e.g. Humanities Steering Group, Training Advisory Group).

  10. NEW ASSISTANT DIRECTOR (DISTRIBUTED COMPUTING)

    This new post has been created, following the Review of OUCS, and was advertised in December. It is hoped that an appointment can be made late in January 1998. Details of the post can be found at http://www.oucs.ox.ac.uk/internal/distrib-job-desc.html.


    OXFORD UNIVERSITY IT USERS' GROUP

    IT Users' Group 13-Jan-1998 Item 6 Everard Robinson and David Price

    Libraries Report 8-Jan-1998

    1. OLIS

      The system remains stable and continues to perform well. Up to 520 simultaneous users have been observed at peak times with an additional 120 Z39.50 client sessions.

      Some downtime has been necessary to allow for installation of additional disk storage and subsequent file expansion and "resizing". The most recent resizing exercise took place on 29th and 30th December. During this period, steps were taken to ensure that access to the OPAC was maintained.

      The catalogue now contains 2.9 million titles referring to 4.1 million items.

    2. GUI Interfaces

      An open demonstration of around a dozen Z39.50-based OPAC clients, including Web servers and one Java application, was held on 17th December. None of the clients viewed were felt to be immediately acceptable for widespread distribution, although many contained features which are particularly attractive: cross-database searching, sorting of results, linking to related databases, and downloading records to packages such as Papyrus and Pro-Cite. I would like to offer the demonstration again specifically to this group, as the event on 17th December was attended solely by library staff.

    3. Gandalf

      The demise of the Gandalf service revealed a handful of OPAC connections still in active use in a few libraries. Advance publicity had ensured that all other connections had been replaced by Ethernet connections, and no service disruption was reported.

    4. Dialog@CARL

      The University is subscribing to this important, long-term, trial service providing access to several hundred bibliographic and full-text databases for 8 simultaneous users. Subject coverage includes news, business, reference, arts, humanities, social sciences, government, science, technology, medicine, and intellectual property. The system can be accessed from workstations attached to the University network (though it may be necessary to switch off your Web browser's use of proxies). The URL for this service is http://dialog-carl.thames.rlg.org:23015 and for the backup service, http://dialog.carl.org:3015.

    5. Electronic Newspapers, Newswires and other News Sources

      Complementing her listing of electronic journals (http://www.bodley.ox.ac.uk/ejournals/), Gill Cooper of the Radcliffe Science Library is maintaining a list of electronic newspapers, newswires and other news sources available to Oxford University. This new system is located at http://www.bodley.ox.ac.uk/enews/.

    6. OxLIP

      The user interfaces provided by OLWEN and BRIAN are to be merged as from 18th January and will be known as OxLIP (Oxford Libraries Information Platform).

    7. Access to the Bodleian Database Network from NT workstations

      A number of technical obstacles have held back the development of NT access to the CD-ROM databases mounted on the NT server, bodley20.bodley, which it had been hoped to introduce last term. It should be possible to introduce it this term, though access is unlikely to be as elegant as access from Windows 95. As NTrigue is effectively accessing the system from NT, wider deployment of NTrigue technology for Macs and UNIX workstations, running as a trial since April 1997, has also been delayed.


    OXFORD UNIVERSITY IT USERS' GROUP

    IT Users' Group 13-Jan-1998 Item 8 Bob Wells

    South-East Region JANET Users' Group report

    The main item at the South-East Region JANET Users' Group meeting on 10th October was the news that JISC had written to HEFCE-funded sites informing them of proposals to charge for international network connections.

    Apparently JISC aims to recover some 2.5 million pounds/year from August 1998 by charging institutes in proportion to their total volume of international traffic. Oxford, with about 5% of all such traffic, is 4th in the current league table behind Imperial College London (10%) and this leads to an estimated annual charge to us of approximately 118K pounds. I suspect that this figure is considerably more than was anticipated when this subject was discussed at this Users' Group meeting last May.

    The high ranking of Imperial College is undoubtedly caused by the sunsite which provides a service much valued by the general JANET community and concerns were expressed about the future of this service.

    The much-heralded 45 Mbit/s link from JANET to the US reached maximum throughput in three (vacation) months indicating, once again, that demand expands to fill capacity. Improvements to caching and filtering are taking place on much longer timescales than necessary to have any effect on the introduction of charging.

    JANET User group web pages have moved to http://www.niss.ac.uk/jnug/ but unfortunately the availability of regional group information remains patchy.


    OXFORD UNIVERSITY IT USERS' GROUP

    IT Users' Group 13-Jan-1998 Item 8

    South East Region Computer Users' Committee Meeting - 26th November 1997

    Peter Grout - 5th January 1998

    This meeting was held at ULCC.

    1. MC

      MC are now in a position to offer a Class 3 service; this will run until November 30, 1999. One third of a Silicon Graphics Origin 2000 with 40 processors and 10 Gbytes physical memory will be used for the service. Prospective users may ask for up to 400 CPU hours per year per project. Application forms can be found at http://www.epsrc.ac.uk/hpc/resources/resour.html.

      MIDAS is to run the JSTOR mirror service on behalf of JISC. JSTOR is a non-profit-making organisation based in the U.S. that provides web access to an archive of digitised back issues of journals. For more information see http://www.jstor.org/.

      The Beilstein Crossfire Service (a chemical information database of interest to chemists, material scientists and pharmacologists) has been officially launched and details can be found at http://midas.ac.uk/crossfire/. Oxford have signed a licence to use this service.

      The following new data sets have been mounted: OECD Main Economic Indicators, Quarterly Labour Force Survey Local Area Database and British Household Panel Survey Waves 1-5; and the 1991 SAS have been re-aggregated for the new parliamentary constituencies.

    2. CCL

      The procurement for a new high performance computer continues. Bids closed at the end of October and the evaluation and benchmarking phase has begun. A decision as to whether or not PFI (Private Finance Initiative) is appropriate for this service will be taken before the end of February 1998. It is hoped that the final decision will be reached in April with the new machine installed by the summer.

      NERC has a new supercomputing facility, a Fujitsu VPP300 with three processors each of 2.2 GFLOPS peak performance and each with 2GByte of distributed memory. Any NERC grant holder can apply for time on this machine.

      As a result of the Computational Chemistry Working Party having passed an EPSRC review, Columbus has been enhanced. The memory has been doubled to 4GBytes and an additional 140GBytes of temporary disk space has been added. A second DEC 8400 has also been purchased. This has four 622MHz EV5/6 chips and the performance of the new machine roughly matches that of the older one but with better performance for individual jobs. It is currently being decided if the new machine will be dedicated to parallel processing only. Prospective Chemistry Users should contact Dr J.A. Altmann, Dept. of Chemistry, King's College, London (J.Altmann@mailbox.ulcc.ac.uk).


    OXFORD UNIVERSITY IT USERS' GROUP

    IT Users' Group 13-Jan-1998 Item 9 Catherine Quinn

    Draft preliminary IT security and privacy statement

    This document takes the approach of defining rules and identifying relevant supporting material rather than defining a code of practice. It is intended to promote the orderly use and provision of IT facilities within the University by helping to define the conditions under which such facilities are provided and the reasonable expectations that users of such facilities should expect to have satisfied.

    Terms which appear in italics are deemed, within this document, to have the meaning defined in Appendix 1. Throughout, references to 'departments' should be taken to refer also to faculties and other administrative units of the University.

    1 Rules

    These rules are not meant to be an impediment to legitimate academic use. Activities which appear to fall outside these rules must first be referred to an appropriate authority for consideration. For this purpose, the 'appropriate authority' will be the head of the unit responsible for the service, or the head of the unit of which the user is a member (depending upon the nature of the issue in doubt). Matters which cannot be resolved through these routes will be referred to the IT Committee, which will be the final arbiter, except in cases that raise issues outside its remit.

    1.1 Use of all IT facilities is permitted for bona fide purposes subject to authorisation. Uses of such facilities without explicit or implicit authorisation may lead to proceedings under the University's disciplinary procedures. The University reserves the right to withdraw any permission to use IT facilities pending and during investigation of allegations of unauthorised use. Use of computing equipment without authorisation may also give rise to legal proceedings.

    1.2 In addition to these rules, users must comply with the laws, codes of practice and guidelines for acceptable use relating to the use of IT facilities. Currently these include:

    Data Protection Laws,

    Computer Misuse Laws,

    Copyright Laws,

    Licence Conditions and, in particular, the Combined Higher Education Software Team (CHEST) licence conditions [1],

    Federation Against Software Theft (FAST) guidelines [2],

    United Kingdom Education and Research Network Agency (UKERNA) rules, codes of practice and guidelines [3].

    1.3 Users must not indulge in unacceptable activities, including:

    attempting to access IT facilities without authorisation;

    misuse of information or IT facilities;

    masquerading;

    writing programs with malicious intent;

    introducing programs with malicious intent;

    software theft or abuse of software licences [2];

    using IT facilities (e.g. electronic mail) to harass other users;

    trying to interfere with someone else's use of IT facilities;

    disregard for 'computer etiquette';

    sending chain e-mail;

    physically damaging or otherwise interfering with IT facilities;

    disclosure of passwords.

    1.4 No material (e.g. electronic mail, text, images) that may be expected to cause undue offence may knowingly be transmitted, received, or handled on or through University controlled IT facilities.

    1.5 System administrators have the right to access users' files and examine network traffic, but only if necessary in pursuit of their role as System administrators, and they must conform to the advice given in 'Advice to IT Facility Providers' (section 4). System administrators must endeavour to avoid explicitly examining the contents of users' files without proper authorisation from higher authority (as defined in 4.12) or the Proctors.

    1.6 All users of IT facilities, including staff involved in running IT facilities, must respect the privacy of any information they might encounter.

    1.7 The University's Standard Disclaimer of Liability applies [4].

    1.8 Contracts between the University and third parties involving University IT facilities must include a clause requiring the third party to agree to abide by the IT Security and Privacy Policy of the University.

    1.9 These rules apply no matter what additional rules constrain the use of a particular IT facility. No addition to the rules imposed by others shall be construed in a manner which limits this policy.

    1.10 Users of IT facilities are responsible for understanding and respecting the IT Security and Privacy Policy of the University and any other rules that apply to the IT facility they are using. ([5] 2.3-5)

    1.11 Users must always give due consideration to the need to maintain the good reputation of the University and its members.

    1.12 There is an implicit agreement to comply with the University's IT Security and Privacy Policy when a person connects a computer not owned by the University to a University IT facility.

    2 Background to Rules

    This section is provided to assist in the understanding of the rules in Section 1.

    2.1 All IT facility providers must define a registration procedure by which authorisation is achieved; this will necessarily include agreement to abide by the rules of Section 1 of this document. System administrators for each system should be identified; these rules should be brought to their attention and also to the attention of their heads of department (or equivalent).

    2.2 System administrators at the University have the right to monitor IT facilities or revoke access authorisation to IT facilities pending the investigation of a security or privacy incident. Following this revocation, the investigation must be resolved in a timely manner.

    2.3 System administrators must take steps to protect users from violations of their privacy. In turn, System administrators must be protected, in what they legitimately do in the course of their work, from threats or harassment from IT facility users.

    2.4 Users of IT facilities should not have their authorisation to access the facilities withdrawn unless deemed necessary. If a user has authorisation withdrawn, then there is an appeals mechanism by which the affected user can object and request reinstatement of authorisation to access the facilities. Details can be obtained from the authorising person or the University Proctors, who act under Title XIV of the University's Statutes.

    The IT facility provider must immediately take all reasonable steps to notify a user, in writing, about the suspension of access to an IT facility, how to appeal against the suspension of access, and the time scale within which the appeal procedure must take place.

    For penalties imposed by the Proctors, the normal appeals process will apply. For penalties imposed on staff by heads of department, the standard disciplinary appeals process will apply. Where a service provider has unilaterally imposed a penalty, for example temporary suspension of access, the following appeal process will apply: appeals can be lodged with the Proctors who will consider them, calling for expert opinion as required, under their powers to investigate complaints from members of the University.

    Information about procedures for reporting incidents to OxCERT and guidance on reporting requirements are available at:

    http://www.ox.ac.uk/it/compsecurityoxcert.

    3 General advice to all IT Facility users

    3.1 Assume all data is insecure and potentially accessible by others. Use backup facilities to secure data, and if the privacy of information held on IT facilities is important, appropriate mechanisms, including encryption, should be used.

    3.2 It is the responsibility of users to ensure that the service provided by an IT facility is adequate for their needs. They should examine any Service Level Agreement provided for an IT facility and make adequate provision for alternative facilities in case of emergencies. They also need to ensure that the IT facility provides adequate measures to ensure the desired level of availability of their datasets. They must protect themselves against corruption of their datasets either by themselves, by the system, or by other agencies.

    3.3 Users are expected to conform to common conventions relating to the use of networked facilities (commonly referred to as Netiquette [6]).

    4 Advice to IT Facility providers

    This section contains information describing the responsibilities of IT facility providers so that they can support this statement.

    4.1 All authorising persons must ensure that their users agree to abide by the University's Policy on IT Security and Privacy.

    4.2 A definition must be produced of who is allowed to use particular IT facilities including to what extent and for what purposes; for example, who is entitled to site licensed software? Entitlement to use an IT facility will, in general, be dependent on the status within the University of the individual wishing to use it and the purpose for which it is to be used. Examples of definitions have been made by OUCS and the Bodleian Admissions Office. However, there will always be a discretionary element.

    4.3 System administrators should ensure that a user's entitlements are kept up to date as and when jobs and roles change, and that accounts of former users are disabled or deleted.

    4.4 System administrators should log usage and retain logs of usage for an appropriate length of time. Advice on the maintenance of logs can be obtained from OxCERT.

    4.5 System administrators must report any serious attempted and actual breaches of security to OxCERT promptly. Logs of incidents must be maintained by the system administrator and a summary included in their reports to OxCERT.

    4.6 A clear specification must be made of a reporting procedure to be followed when security or privacy violations are discovered. For example, if an IT facility is withdrawn pending investigation, then it must be reported. IT facility providers must be aware of their responsibility to users of any IT facilities they have withdrawn. A management procedure must be defined to ensure that investigations are completed and conclusions acted upon in a timely manner.

    4.7 If a user is suspended after being suspected of a breach of the rules, the suspension must be justified, investigated and resolved in a timely manner.

    4.8 IT facility providers must define 'timely', as used above in paragraphs 4.6 & 4.7, for example, in a Service Level Definition or agreement; they must take account of the urgency of usage and natural justice.

    4.9 An appeals procedure for grievances concerning an IT facility must be defined in consultation with the University's Policy Group on IT Security and Privacy. The procedures must be published and available to all users, and a copy must be lodged with the University Proctors. (See section 2.4 above).

    4.10 System administrators must accept responsibility for determining what their responsibilities are with respect to this policy, and for policing and enforcing the policy where applicable to their environment; i.e. they cannot claim ignorance of the policy.

    4.11 All staff of an IT facility who are in privileged positions must accept responsibility for the privacy and confidentiality of information that may come their way in the legitimate course of their work ([5] 2.3.6).

    4.12 In certain circumstances it may be necessary for a system administrator to inspect the contents of a user's files. Before doing so, the system administrator should normally seek the user's permission. Should such access be necessary without seeking the user's permission, it must, if possible, be brought to the attention of a higher authority prior to inspection. In this context the 'higher authority' should be the head of the unit responsible for the system in question, or his or her delegated representative. 'Unit' should be interpreted as including departments and other administrative entities and colleges.

    4.13 Levels of security and privacy may vary from one IT facility to another. It is therefore important that a description of the level of security and privacy of an IT facility is provided to all its users. For example, if the default access to files created by users of a Unix system is world read access, then this must be clearly communicated to all new users.

    4.14 A specification for backup strategies, anti-virus precautions, and physical security, including access control and anti-theft precautions, should be provided to users of an IT facility. It is proposed to ask OUCS to assemble information packs about this for PC users and also to make the information available on-line.

    4.15 Access to IT facilities should not normally be withdrawn without due warning if possible.

    4.16 An IT facility should be withdrawn in an orderly manner allowing users to save their data. In planning the termination of a service, due consideration should be given to both the security and privacy of the users' data. In particular, continued access to users' data should be arranged. All copies of users' data should be expunged from an IT facility after its withdrawal.

    4.17 System administrators are responsible for obtaining and applying security fixes relevant to their systems. One source of such information is OxCERT, which maintains and disseminates security and privacy information of importance to system administrators. In future OUCS will be maintaining a register of IT facilities, including contact names; departments and colleges will be required to co-operate in keeping this information up to date.

    System administrators from each main type of operating system (e.g. Solaris/SunOS, HPUX, Digital Unix, AIX, Linux, Novell, IRIX, OS/2, Windows NT, Windows 95/3.1, MacOS) should be invited (collaboratively, in groups) to prepare checklists for the configuring of new systems (or for checking existing systems). This information should be assembled into packages, the availability of which should be advertised to IT support staff, and only supplied through duly authorised IT support staff, whether in departments or in OUCS. The principal responsibility for assembling this material should rest with the system administrators themselves, with the guidance of OxCERT.

    4.18 System administrators are responsible for informing their users of security issues where appropriate.

    4.19 System administrators would normally be expected to register with OxCERT the platforms used to provide the IT facilities for which they are responsible.

    5 Advice to Personal Computer users

    The needs of personal computer users are sufficiently different from centrally managed IT facilities (including centrally managed personal computers) to warrant the separate advice given in this section. If other users can access your personal computer then items in Section 4 may be relevant to you.

    5.1 Backup and restore facilities and strategies.

    Users will normally be responsible both for deciding the strategies and for implementing them. Do not get your fingers burnt: the world is full of people who wish that they had attended to this before the system crashed. The Proctors will not normally consider loss of data that was not backed up a sufficient reason for refraining from penalising candidates for late submission of work.

    The strategies should take account of situations that might endanger both the system and the backup, such as fire or multiple failures. Consideration must also be given to the security of the backup copies and the need to keep backups until it is verified that the live copy is still uncorrupted (many copies of an already corrupted file will not help you). OUCS has produced documentation to inform and guide personal computer users at the University. This is available on-line at

    http://www.oucs.ox.ac.uk/services/backup.html.

    5.2 Computer viruses and Trojans.

    These continue to present a serious problem as new methods of transfer and even nastier effects are developed. You should both protect yourself and ensure that you are not a threat to others by being aware of the protection procedures you should take. OUCS provides University users with up-to-date software, advice, documentation [7] and regular courses on data security and computer viruses.

    5.3 Physical security of equipment and data.

    If the physical security of the equipment is not sufficient to ensure the privacy of the data contained on it, then the user will have to resort to data encryption techniques to provide a higher level of data privacy. This will be at the expense of data security since, if an encryption key is lost, it may be impossible to decrypt the data.

    The physical security of passwords and encryption keys must not be overlooked.

    5.4 Sharing your PC.

    While this may be desirable or necessary, you should realise that it introduces problems and additional responsibilities. If the system you are using has a facility for multiple usernames, it is best to use it and find out how you are intended to share files etc. If not, you need to agree procedures to ensure that each user does not pose an unacceptable threat to the security of any other. Two sets of practices, both secure in their own right, can be a minefield when combined. It should be noted that the problem is not only that data may be lost or made public, but commands may be changed, with unexpected or incorrect effects.

    5.5 The Network: your friend and foe.

    The network offers a source of information and tools that may be invaluable both to your work and to providing yourself with a secure working environment, but you should be aware that it also brings dangers. The mechanisms that you have set up to allow you to read and fetch files may be available to others as a way of accessing your PC. This can happen either through unintentional use of a feature of your network software or through someone exploiting a bug in your communication software. For example, careless use of the TCP/IP utility ftp may leave your computer open to access, which could be malicious, by other users on the network. You should make sure your system is correctly configured and matches your needs. Advice is available from OUCS. You should be aware that you can get Trojans and viruses from software sources on the network as well as from disks. You should only obtain software or similar items from reliable network sources and check digital signatures where available.

    5.6 Your responsibilities to the network community

    Traditionally, academic and research networks have tended to be developed upon a permissive model. While this model has served us well in the past, it does have certain consequences, particularly with increased usage. It is the responsibility of users to ensure that their use neither disrupts the network nor is improper.

    It is your duty as a user to:

    ensure that your system is correctly configured. If you suspect that your system is causing disruptions, take action to stop the problem and seek advice;

    ensure that others do not misuse your system, e.g. to launder calls;

    cooperate with those who promote network security (i.e. report break-in attempts to OxCERT and observe proper reporting requirements etc.) (see section 2.4 above);

    ensure that you address messages appropriately, thus avoiding wasting resources (this is part of netiquette, referred to before [6]);

    use mirrors, caches and proxy servers to relieve the load of primary sources and overstrained communication links where feasible.

    5.7 Provision of services to others

    Great care should be taken before making a commitment to providing a service to others, as there is a danger that you may fall into the role of system administrator without having properly considered the responsibilities (see Section 4). For example, peer-to-peer networking with Windows or AppleShare is very convenient to use, but will lead to exactly this situation.

    Appendix 1 Definition of Terms

    authorisation

    There can be explicit authorisation and implicit authorisation.

    authorising person

    shall mean a person who has been authorised in writing by the Registrar or the head of any division, department, unit or centre of the University to authorise persons to use an IT facility.

    explicit authorisation

    is the process of an authorising person allowing another person to use an IT facility. It will normally involve the assignment of a username and password for the purpose in question. For smaller-scale IT facilities, such as a departmental microcomputer system open to general use, less formal authorisation procedures will often be appropriate.

    implicit authorisation

    Examples of implicit authorisation include IT facilities that are advertised by the University as being freely available, e.g. currently the library OPAC or usernames on password-protected systems for which the password is openly published. Implicit authorisation to use IT facilities not controlled by the University should not be assumed, as responsibility for regulating the use of such facilities lies with the organisation concerned.

    IT facility(1)

    shall mean and be a reference to every item and kind of computer equipment, computer software, network and related facility provided by the University, whether or not owned by the University, and includes any facility to which access is given by or through the University.

    OxCERT

    Oxford University Computer Emergency Response Team.

    system administrator

    shall mean any person who has privileged access to an IT facility for the purposes of maintaining and managing services provided by that IT facility for the use of others.

    University

    shall mean the University of Oxford.

    user

    shall mean a person using a set of IT facilities, whether or not they have authorisation.



    Appendix 2 Membership of the Policy Group on IT Security and Privacy

    Mr M. Harper (chairman)

    Mr C. Curran

    Mr B. Dansey

    Dr P. Leyland

    Dr N.J. Long

    Mr A. Newman

    Mr A.M.W. Price

    Dr D.J. Price

    Mr T.A. Reid

    Mr D. Rischmiller

    Professor C. Tapper



    Appendix 3 References

    [1] CHEST code of conduct for the Use of Software or Datasets.

    http://www.chest.ac.uk/conduct.html

    [2] FAST Corporate Membership Policy Manual.

    [3] UKERNA's Statement of JANET acceptable use policy.

    http://www.ja.net/documents/use.html

    [4] Oxford University Disclaimer of Liabilities.

    http://www.ox.ac.uk/it/rules/disclaim.html

    [5] IETF RFC 1244: Site Security Handbook (new version is in preparation).

    http://www.ox.ac.uk/it/compsecurityrfc1244/

    [6] http://www.ox.ac.uk/it/rules/netiquette

    [7] OUCS User Guide b3.4: Data Security and Computer Viruses.



    Bibliography

    A Code of Practice for Information Security Management, BS 7799.

    University of Oxford Proctors' and Assessor's Memorandum.

    http://www.ox.ac.uk/it/rules/proctors.html

    Computer Misuse Act 1990, ISBN 0-10-541890-0.

    Data Protection Act 1984.

    Introduction to Oxford University Computing Services, Appendix 1, Aug 1993.

    Model Regulations for Use of Institutional IT Facilities and Systems, UCISA Directory, 1993/1994.

    Email etiquette

    http://www.ox.ac.uk/it/rules/etiq_email.html

    Back-up strategies

    http://www.oucs.ox.ac.uk/services/backup.html



    CMG/SES

    (1) Without limiting the generality of the definition, the term IT facility shall include: freestanding computers, networked computers, time-shared computers and terminals; any network connecting a computer or terminal to any other computer or terminal wherever that other computer or terminal shall be located; computer peripherals; media; all forms of software; components and parts of components; operating manuals.