Computing, Network & Wireless

Preamble

TIFR's Computing Facilities are all facilities related to numerical and symbolic computations and communications and network access such as, but not limited to, e-mail and Internet access. TIFR provides these to facilitate the research, education and administrative efforts of its members and staff. To this end the Computer Centre (CC) provides support in networking and information resources for its computing community. The Computer Centre undertakes security and monitoring measures to preserve the integrity and performance of its networking and computing resources.

Use of any TIFR technology resource can be made by authorised persons as long as this usage is in compliance with Institute policies and all local, state and central government laws governing telecommunication. Failure to comply may result in the closure of an account, with further discretionary action taken by the Director of the Institute, if necessary.

In order to protect the integrity of the TIFR computer and communications network and its systems, any proof of unauthorised or illegal use of any TIFR network device and/or computer and/or its accounts can warrant an investigation. Users may voluntarily cooperate with the CC staff in such investigations. If necessary, User's files, accounts and/or systems will be investigated only by a person, persons or a committee designated for each case separately by the director of TIFR.

This policy mandates the use of genuine and licensed software and programmes for academic research and related purposes. It is imperative that due regard be given to copyright and other rights of third-parties and the use of unlicensed and pirated software for academic research and related purposes by using TIFR networks, computer systems and IPs be prohibited.

Policy Guidelines

The following items describe general policies for usage and administration of TIFR's computing facilities.

Purpose:

computing facilities are to be provided by TIFR and its centres, departments and schools in support of the research, teaching, administration and public services according to the mission of the institute.

Users:

users of TIFR computing facilities are to be limited primarily to TIFR's academic and other staff, students and visitors for purposes that conform to the requirements of the item above.

Misuse

Any usage which contravenes local, state and central government laws, third-party rights or violates norms of TIFR usage will be treated as misuse. Two specific categories of misuse are listed below. All listed actions and others which effectively amount to the same are considered to be misuse of TIFR's computing, communications and network facility.

Misuse involving or amounting to attack on any devices, systems and/or networks

1. Using the network to gain unauthorised access to any computer system.
2. Tapping phone or network transmissions (e.g. running network sniffers without authorisation).
3. Knowingly performing an act which will interfere with the normal operation of computers, terminals, peripherals or networks.
4. Knowingly running, installing and/or giving to another user a program intended to damage or place excessive load on a computer system,
network device or network. This includes, but is not limited to, programs known as computer viruses, Trojan horses and worms.
5. Attempting to circumvent data protection schemes or uncover security loopholes.
6. Masking the identity of an account or machine.
7. Releasing a virus, worm or other program that damages or otherwise harms a device, system or network
8. Using TIFR's resources for unauthorised purposes (e.g. using personal computers connected to the campus network to set up web servers forcommercial or illegal purposes).
9. Unauthorised access to data or files even if they are not securely protected (e.g. breaking into a system by taking advantage of security holes, or defacing someone else's web page)

Other categories of misuse

1. Using an account that the user is not authorised to use, or obtaining a password for a computer account without the consent of the account owner.
2. Providing any assistance to any person to facilitate unauthorised access to one or more files, accounts, computers, network devices or network segments.
3. Download of copyrighted content, illegal content is disallowed. Deliberate wasting of computer resources, including, but not limited to the running of jobs not connected with work/projects related to TIFR staff/students/researchers on computation servers, printing physical copies of portions of books etc are activities that are discouraged and can be considered as misuse at the discretion of the CCCF Chairperson judged after due examination of the circumstances.
4. Attempting to monitor or tamper with another user's electronic communications, or reading, copying, changing or deleting another user's files orsoftware without explicit agreement of the owner.
5. Preventing others from accessing services.
6. Sending forged messages under someone else's name.
7. Employing a false identity for e-mail or other purposes.
8. Using email to harass others.
9. Charging the services availed of by a person to the account of another.
10. Using TIFR’s networks, computer systems, IPs or any other TIFR resource for the purpose of downloading, storing and/or using any unlicensed, pirated software/programmes for any purpose, including for academic research and related purposes.

Wireless Security Policy

It is MANDATORY for departments deploying wireless network in TIFR to implement secured access using one of the methods. Access to network/internet via wireless routers must be using one of the methods.
Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standards (AES)
AND
Media Access Control (MAC) Filtering enabled access
General guidelines to be followed are as below:
1. Provide the computer centre network group of your plan on wireless network deployment.
2. purchase only wireless access points and routers which comply to 802.1X standard.
3. Any user can reset the router to factory defaults and get access to router and network. Hence install the wireless router/access point in a secured place where physical access is not possible for general user.
4. Change the factory default administrator password of the wireless router/access point to a complex alphanumeric password.
5. Change the default Service Set Identifier (SSID) on all wireless routers/Access points to broadcast your department SSID s. This enables users to easily identify the access point to which they are connecting.
6. Deploy personal firewalls on all the remote access devices, such as laptops and enforce their continuous use. Ensure that user devices have up-to-date antivirus software security patches. Don't allow machines without protection on the network.
7. Enable DHCP server service on the wireless router using the IP range allotted to your department and disable the NAT ing feature on the wireless router. This will help in tracing the misbehaving laptop connected to the wireless router.
8. Upgrade the firmware of wireless router and access point as and when new security patches or new versions are released.
9. When disposing access points that will no longer be used, clear access point configuration to prevent disclosure of network configuration, keys, passwords, etc.

Infractions

The following actions will be taken in case of infractions of the TIFR policies:
1. All cases of infractions of this policy and misuse of TIFR computing, communications and network resources will be logged and a written record will be kept with the Computer Centre. Such reports can be used to take further action if necessary.
2. Minor infractions of this policy or those that appear accidental in nature will be typically handled informally by email or in-person discussions. If an infraction has been judged to be accidental, a note to this effect must be made in the log with the Computer Centre.
3. Major infractions, such as those pertaining to engaging in any illegal activity or use of unlicensed and pirated software/programmes, by using TIFR’s networks, computer systems or resources, will be dealt with seriously and via formal procedures.
4. In case of misuse involving or amounting to attack on any devices, systems and/or networks, if there is any need for immediate response, then offending accounts, computers, network devices or network segments will be isolated or shut down according to reasonable technical criteria. Such decisions must be taken by the chairman of the Computer and Communications Committee in consultation with the head of the Computer Centre. Justification for these steps must be recorded after the fact in the log kept by the Computer Centre.

Server Account

Accounts on CC servers are broadly classified as personal and official. The policy is defined for each category of users coming under the broad classification.
Nomenclature used for categorizing the accounts on servers is given below
a) Account given on Mailhost server for an individual, is called personal e-mail account
b) Account given for hosting an event is called official account.
c) Account given in the name of position, like Registrar, Dean-NSF etc. is called position account.
The policy is subject to modifications from time to time after necessary approval from Computer Centre and Communication (CCC) committee

A. Defined policy for Computer Centre (CC) servers

1. Members of TIFR may request a personal account on a CC server based on academic or administrative needs. Requests by persons not in TIFR for accounts on CC servers will be entertained only under the following circumstances:

1. If they are representatives or employees of vendors who are helping to set up a utility for which a purchase order has been issued.

2. Members of other academic institutes in India, if they are collaborating with permanent faculty of TIFR.

2. Personal accounts on Mailhost and Webserver will be given only to members of TIFR with a valid computer code issued by the TIFR administration and which exists on the People Finder, when the academic or administrative need is documented. The CC will create and abide by a written standard operating procedure for creation and closure of these accounts. Persons who are not members of TIFR cannot have personal accounts on Mailhost or the webserver.
3. Members of TIFR may be given a personal account on a CC server other than the mailhost only if they have a valid personal account on the mailhost. Persons who are not members of TIFR may be given a personal account on other CC servers only if the request is countersigned by a member of TIFR who has a valid personal account on mailhost. For non-members in category 1.1, the countersigning member of TIFR will be the person in charge of CC operations. For non-members in category 1.2, the countersigning member of TIFR must be a faculty collaborator with a valid personal mailhost account. All requests for accounts by persons in category 1.2 will be forwarded to the CCC for a decision.
4. All personal accounts are meant for a single person. For every personal account on the mailhost, mail should be deliverable to [accountName]@tifr.res.in as well as [accountName]@mailhost.tifr.res.in.
5. Official accounts may be created on the mailhost, the webserver and the FTP server for

1. Events organized by TIFR,

2. Positions within TIFR.

In both cases, a complete list of people who will handle the accounts must be given as part of the account opening process. Each such person must have a valid personal account on mailhost. The CC will create and abide by a written standard operating procedure for creation and closure of these accounts.
6. Each account will have an expiry date on creation. The expiry and closure of an account will be automatic.

1. The expiry dates for personal accounts given to all TIFR employees will be 6 months after the date of superannuation or termination of contract as computed from the data presented in People Finder. Closure of a personal account will be accompanied by removal of all data on the webserver. The sole exception for automatic closure of an account will be for faculty accounts on the mailhost and webserver; these will be extended according to the policy mentioned in the section ‘B’ of this document.

2. During the 6 month period between the retirement of a member of TIFR and the closing of his/her mailhost account, an automated message should be sent to the sender of every mail received for the account stating the date on which the account will be closed, and the new address for the recipient, if it is available.

3. For non-member accounts created for the category 1.1, the account will be deleted as part of the acceptance process for the purchase.

4. For non-member accounts created for the category 1.2, the account duration will be mentioned at the time of creation and must not exceed 6 months.

5. Accounts for events will expire 6 months after the end of the event. Organizers may request extension by a further period of 6 months. The data on the webserver associated with the account will not be removed unless requested by the organizers.

6. Accounts for positions within TIFR will be locked on the earliest date of retirement or end of employment of the persons handling the account unless it is demonstrated and documented that passwords have been changed so that no non-employee can use the account.

7. The chair of the CCC may authorize the immediate closure of an account if there is a security-based need for such an action. This action will be automatically reversed within two days unless the CCC retrospectively authorizes such action.

7. Data associated with accounts will remain on long-term backups. Such data can be copied and released to old account holders with the approval of the CCC.

8. Personal accounts held by any person, and official accounts handled by him/her will be automatically locked on detection of a violation of TIFR usage policy. Further disposition of these accounts will be decided on according to the procedure laid out in the TIFR usage policy.

B. Policy for superannuated TIFR faculty members

Superannuated faculty members can hold their mailhost and webserver accounts as long as the user is active and wishes to continue it. Account holder will be requested to confirm by mail, every year on continuing the account. On receipt of confirmation from account holder for the e-mail sent from CC administrator, acknowledgement will be sent confirming the account validity for one more year. The account will be closed if there is no response from the account holder for the e-mail sent from CC administrator.

C. Exception to the above policy

Account on mailhost, webserver, and FTP server can be given to following non-TIFR members to carry out their work.

1. BARC officers deputed to Pelletron section

2. Atomic Energy Regulatory Board (AERB) officers deputed to Pelletron section

3. Officer on Special Duty (OSD) on deputation

4. Financial Advisor (FA) on deputation

5. Any other DAE officials working in TIFR Colaba campus

To process the request, the requester has to submit department attached to, TIFR telephone extension number, TIFR office room number details to CC. The account will be provided only after authorization of Director or Pelletron Chairperson or HOD of the section. The closure of account will be as per policy mentioned above.

Data integrity and confidentiality policy for System/Network Administrators in TIFR Account

The nature of their work gives System/Network administrators complete access to almost all data preserved in, or passing through, systems and networks. The following guidelines should be strictly adhered to within TIFR:
1. System/Network administrators must not examine or modify user data of any kind except as authorized by the Director of TIFR, or on the specific request of the user.
2. System/Network administrators must not allow anyone else, including other system/network administrators, to examine or modify user data of any kind, except when the others are authorized by the Director of TIFR, or on the specific request of the user.
3. System/Network administrators will track user metadata statistically only for the purposes of efficient service delivery, except as authorized by the Director of TIFR, or on the specific request of the user.
4. Direct requests for access to user data, metadata, or other information, by external agencies, including law enforcement agencies, must be promptly redirected by recipient system/network administrators to the Registrar of TIFR. Guidelines 1, 2, and 3, above, remain in force even in such cases.
5. System/Network administrators must insist that all users abide by the TIFR Usage Policy (maintained on the Computer Center's website).
6. In addition to the above guidelines, all system/network administrators must abide by the TIFR Usage Policy

7. Request for access to specific server or network log data has to be routed through the Chairperson, CCCF with proper explanation.