S. N. Bose National Centre for Basic Sciences

Under Department of Science and Technology, Govt. of India

Azadi Ka Amrit Mahotsav

Usage Policy

Please CAREFULLY Read the following S. N Bose National Centre for Basic Sciences IT Usage, Email & Password Policies and GUIDELINES.

S. N Bose National Centre for Basic Sciences.

Computer Services Cell.

Undertaking with respect to S. N Bose National Centre for Basic Sciences.

IT Usage, EMAIL & Password Policies and Guidelines.

Whom this Document Concerns

All Users of IT infrastructure (Computers and the Network) at S. N Bose National Centre for Basic Sciences (SNBNCBS).

Reason for Policy

This policy outlines the responsible use of the Information Technology Infrastructure at S. N Bose National Centre for Basic Sciences.

Statement of Policy

All users of S. N Bose National Centre for Basic Sciences will be subject to the following Acceptable Use Policy.

1. [Content] I shall be responsible for all use of this network. In case I own a computer and decide to connect it to SNBNCBS network, I will be responsible for all the content on it, especially that which I make available to other users. (This provision will also apply to any computer or device for which I am responsible, and is included in the meaning of "my computer".) In case I do not own a computer but am provided some IT resources by SNBNCBS, I will be held responsible for the content stored in the designated workspace allotted to me (examples: file storage area, web pages, stored/archived emails, on Computer Centre or Department machines).

2. [Network] I will be held responsible for all the network traffic generated by "my computer". I understand that network capacity is a limited, shared resource. I agree that physically tampering with network connections/equipmen's, sending disruptive signals or making EXCESSIVE USE of network resources is strictly prohibited. Repeated offenses of this type could result in permanent disconnection of network services. I shall not share the network connection beyond my own use and will not act as a forwarder/ masquerader for anyone else.

3. [Academic Use] I understand that the IT infrastructure at SNBNCBS is for academic use and I shall not use it for any commercial purpose or to host data services for other people or groups. Also, I shall not host or broadcast information that might harm others or may be otherwise considered objectionable or illegal as per Indian law.

4. [Identity] I shall not attempt to deceive others about my identity in electronic communications or network traffic. I will also not use SNBNCBS IT resources to threaten, intimidate, or harass others.

5. [Privacy] I will not intrude on privacy of anyone. In particular I will not try to access computers (hacking), accounts, files, or information belonging to others without their knowledge and explicit consent.

6. [Monitoring] I understand that the IT resources provided to me are subject to monitoring, with cause, as determined through consultation with the SNBNCBS administration, when applicable. The monitoring may include aggregate bandwidth usage to effectively manage limited IT resources as well as monitoring traffic content in response to a legal or law enforcement request to do so. I authorize SNBNCBS administration to perform network vulnerability and port scans on my systems, as needed, for protecting the overall integrity and efficiency of SNBNCBS network.

7. [Viruses] I shall maintain my computer on this network with current virus detection software and current updates of my operating system, and I shall attempt to keep my computer free from viruses, worms, trojans, and other similar programs.

8. [File Sharing] I shall not use the IT infrastructure to engage in any form of illegal file sharing (examples: copyrighted material, obscene material). In particular, I have noted the following:


Electronic resources such as e-journals, e-books, databases, etc. made available by the Central Library, SNBNCBS are for academic use. These resources can be searched, browsed, and material may be downloaded and printed as single copies of articles as is done in the case of printed library material. Downloading or printing of a complete book or an entire issue or a volume of one or more journals (called systematic downloading) is strictly prohibited. Use of robots, spiders or intelligent agents to access, search and/or systematically download from the e-resources is also prohibited. Any violation of this policy will result in penal action as per the rules and regulations of the Institute. I am aware that Systematic downloading will result in the publisher blocking the entire community of users at SNBNCBS from accessing these resources.

9. [Security] I understand that I will not take any steps that endanger the security of the SNBNCBS network. Specifically, I will not attempt to bypass firewalls and access rules in place. This includes not setting up servers of any kind (examples: web, mail, proxy) that are visible to the world outside the SNBNCBS campus. In critical situations, SNBNCBS authorities reserve the right to disconnect any device or disable any account if it believed that either is involved in compromising the information security of SNBNCBS.

10. [Penalties] I understand that any use of IT infrastructure at SNBNCBS that constitutes a violation of SNBNCBS Regulations could result in administrative or disciplinary procedures.

Email & Password Policies and Guidelines

1. E-mail usage policy:

Policy

1. Only the E-mail account provided by the Centre should be used for official communication.

2. Users shall be responsible for all activity performed with their personal user IDs. Users shall not permit others to perform any activity with their user IDs or perform any activity with IDs belonging to other users.

3. E-mail password shall not be shared even for official purpose.

4. User shall not attempt any unauthorized use of E-mail services, such as:

  • Distribution of messages anonymously
  • Misusing other user's E-mail address
  • Using a false identity
  • Sending messages to harass or intimidate others
  • Propagate viruse, worms, etc
  • 5. Password used for online forms / services / registrations / subscriptions shall not be the same as the password of official E-mail account.

    2. Security policy for E-mail use:

    Policy

    1. Sending an e-mail with an infected attachment is the most common means adopted by a hacker to send malicious content. Hence, it is mandatory to install and maintain latest operating system, anti-virus and application patches in the computers used for accessing email to prevent infection.

    2. It is strongly recommended that the users use the latest version of their Internet browser for safe browsing.

    3. The "save password" and auto complete features of the browser should be disabled.

    4. Users should not open e-mails and attachments from dubious sources. Users should not click on any link, which has come through e-mail from an unknown source. It may contain malicious code or could be a 'Phishing attack'.

    5. User should exercise caution in opening mails where links are embedded in the mail. The authenticity and the safe nature of the link should be ascertained before clicking the link.

    6. All attachments must be scanned with an anti virus program before they are downloaded/executed, even if such e-mails are received from a familiar source.

    7. The files downloaded from the Internet or accessed from the portable storage media should be scanned for malicious contents before use.

    8. User should exercise caution while forwarding mails as they may contain malware. User should ensure authenticity of the source and safe nature of the attachments before forwarding any mail.

    9. Attachments should be opened only when the user is sure of the nature of the e-mail. If any doubt exists, the user should contact the sender to verify the authenticity of the e-mail and/or the attachment.

    10. To ensure integrity of the downloaded files, digital signatures/hash values should be verified wherever possible.

    11. Before typing your User ID and Password please ensure that the URL of the login page starts with the text 'https://' and is not 'http://'. The ' s' stands for ' secured' and indicates that the Web page uses encryption.

    12. Before accepting an SSL certificate, the user should verify the authenticity of the certificate. User should type the complete URL for accessing the e-mails rather than click on a mail link for access. This is recommended to avoid phishing attacks.

    13. Other than Government websites, the e-mail ids and e-mail address provided by the Centre should not be used to subscribe to any service on any website. Mails received from sites outside the Government may contain viruses, Trojans, worms or other unsafe contents.

    14. It is recommended that the users should logout from their mail accounts whenever they leave their computer unattended for a considerable period of time.

    15. It is recommended that public computers like that in Cyber Cafe, should not be used for accessing Centres email services.

    16. Users are advised not use free public WiFi hotspots for accessing email and other services provided by the Centre.

    17. The user should change passwords at regular intervals as per the Password Management Policy given below.

    18. The System Administrator does not ask for details like login id and password over e-mail. Users should disregard any e-mail that requests for the same, and should refrain from sharing such details over e-mail with anyone.

    19. If a password is suspected to have been disclosed / compromised, it should be changed immediately and the security incident should be reported to the System Administrator.

    3. Password Management Policy:

    Policy

    I. Guidelines for users having email accounts provided by the Centre:

    1. Passwords should be changed periodically (at least once every three months) by the user by logging in to the webmail and clicking on "Options" > "Change Password". Users should not reuse previous passwords while creating new password.

    2. Password should have a minimum length of 12 characters and should comprise of mix of alphabets, numbers and special characters.

    3. Passwords should never be stored in readable form in Internet browsers, batch files, automatic logon scripts or related data communication software, in computers without access control, or in any other location where unauthorized persons might discover or use them.

    4. The "Remember Password" feature of web browsers should be disabled to prevent passwords being saved by the browser.

    5. User ID, passwords, PINs etc. should not be shared with anyone. These shall be treated as sensitive, confidential information.

    6. Passwords should not be communicated though email messages or other forms of electronic communication to anyone.

    7. Passwords should not be revealed on questionnaires or security forms even if the form seems to be sent from authorised email accounts. System administrators will never ask you for your password nor do they have any copy of your password.

    8. Passwords of email accounts should not be revealed to the controlling officer or any co-worker even while on vacation unless permitted to do so by designated authority.

    9. The same password should not be used for each of the systems/applications to which a user has been granted access. Separate passwords has to be used for email, computer login account and any other account provided.

    10. Users should refuse offers by websites to place cookie on their computer for automatic logon to their website site.

    11. First time administrator created passwords, should be changed by the user as soon as they log in to their email account for the first time.

    12. If the password is shared with system administrator (only in person) for resolving any problems, it should be changed immediately after the problem is resolved.

    13. The password shall be changed immediately if the password is suspected of being disclosed or known to have been disclosed to an unauthorized people and the incident should be reported to the System Administrator.

    II. Guidelines for designers/developers of applications/sites:

    1. No password should be trasmitted in clear text. Hashed form of the password should be used. To get around the possibility of replay of the hashed password, it shall be used along with a randomization parameter.

    2. The backend database shall store hash of the individual passwords and never store passwords in readable form.

    3. Password shall be enforced to be of a minimum length and comprising of mix of alphabets, numbers and characters.

    4. Users shall be required to change their passwords periodically and not be able to reuse previous passwords.

    5. For Password Change Control, both the old and new passwords are required to be given whenever a password change is required.

    4. Policy for constructing a password:

    Policy

    I. Email passwords must conform to the following general guidelines described below:

    1. The password should preferably contain more than 12 characters.

    2. The password should not be a word found in a dictionary (English or foreign).

    3. The password should not be a derivative of the user ID, e.g. <username>123.

    4. The password should not be a slang, dialect, jargon etc.

    5. The password should not be a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.

    6. The password should not be based on computer terms and names, commands, sites, companies, hardware, software.

    7. The password should not be based on birthdays and other personal information such as addresses and phone numbers.

    8. The password should not be a word or number pattern like aaabbb, qwerty, zyxwvuts, 123321, etc. or any of the above spelled backwards.

    9. The password should not be any of the above preceded or followed by a digit (e.g., secret1, 1secret).

    10. The password should be a combination of upper and lower case characters (e.g. a-z, A-Z), digits (e.g. 0-9) and punctuation characters as well and other characters (e.g.,!@# $%^&*()_+|~-=\`{}[]:";'<>?,./).

    12. Passwords should not be such that they combine a set of characters that do not change with a set of characters that predictably change.

    II. Suggestions for choosing passwords:

    1. Passwords may be chosen such that they are difficult-to-guess yet easy-to-remember.

    2. Methods such as the following may be employed:

    (a) String together several words to form a pass-phrase as a password.

    (b) Transform a regular word according to a specific method e.g. making every other letter a number reflecting its position in the word.

    (c) Combine punctuation and/or numbers with a regular word.

    (d) Create acronyms from words in a song, a poem, or any other known sequence of words.

    (e) Bump characters in a word a certain number of letters up or down the alphabet.

    (f) Shift a word up, down, left or right one row on the keyboard.

    5. Responsibilities:

    All individual users having accounts for accessing systems/services of the Centre, should ensure the compliance of this policy.

    All designers/developers responsible for site/application development shall ensure the incorporation of this policy in the authentication modules, registration modules, password change modules or any other similar modules in their applications.

    NEW