FAU - IRM

In the Information Age in which we live, management of network resources and the security of the University network are fundamental to the pursuit of the University’s goals of academic excellence, increasing research activities and serving the needs of the surrounding communities. Network resources, accepted network behavior and their associated policies are defined as follows.

IRM does not manage personally owned IT resources which include computers and other network-connected devices. Examples include, but are not limited to, personally owned laptops, computers and other devices used in classrooms and student housing.

IRM is responsible for all network access points used by unmanaged hosts, but is not responsible for the hosts themselves. IRM is responsible for identifying users responsible for a given port at any given time and must be able to initiate disruption of service to the user’s FAUNetID and/or network address. IRM is responsible for coordinating the notification to the user and ensuring that the incident is resolved.

IRM security measures comply with all state and federal laws and university policies.

A. Bandwidth

Bandwidth, or the transmission capacity, of our network hardware is a finite resource all electronic information on our network must share. This information can be referred to as network traffic and organized into different traffic queues. Each network switch and router is configured with a priority associated with each traffic queue. These rules are maintained on a central server within IRM and distributed to all switches and routers on the FAU network. IRM staff reserves the right to develop the rules governing these priorities based on the relative importance of different applications, users, and groups in conjunction with available resources.

B. Hacking For Malicious Purposes

Hacking is the interference with or unauthorized access to any computer or computer network. This may or may not reflect malicious intent. Specific examples of ‘malicious hacking’ include:

Any attempt to gain root or system administrator privileges on any FAU network machine or equipment, without permission
Any attempt to gain unauthorized access to files, equipment or accounts
Any attempt to do anything that results in interruption of any service to FAU customers
Any use of chat robots
Any attempted use of password cracking software
Circumventing IRM approved firewalls
Specific software attacks, including 'Smurf attacks' and 'Ping of Death'
Any attempt to access or change system files, without permission
Any unauthorized attempt to store user files outside their predefined areas
Installation or attempted use of SUID programs of any type, without permission
Any attempt to do these things through the FAU network, even if the attempt is aimed outside our network
Use of the Napster or other shared-multimedia application software such as Scour

Malicious hacking may compromise system availability, data integrity or both. IRM will, to the fullest extent allowed by law, seek legal action against any individual(s), organization(s) and or company(s) that directly or indirectly utilizes our network (or causes it to be used) for any practice that we consider to be hacking with malicious intent.

C. Port Scanning and Sniffing

Port scanning and sniffing are legitimate, diagnostic activities that IRM engages in to maintain the availability and performance of the FAU network at acceptable levels. Both, however, can be misused for malicious purposes to gain access to sensitive information traveling on our network or to find weaknesses in computer systems that will allow access to unauthorized individuals.

Port scanning is only permitted by IRM and/or appropriate law enforcement agencies for detecting security holes on university workstations and servers. If a system connected to our network is found to have a security hole, the owner will be notified. If the security issue is not addressed within an agreed upon period of time, the system will be removed from the network without further notice.

Sniffing is only permitted by IRM to identify the source of bad data on the network. This data can cause unacceptable performance degradations and inaccessibility of network resources. Once a source is identified, IRM staff will take any necessary action to prevent further transmission of such data.

D. Network Infrastructure and Communications Closets

The network infrastructure or hardware includes but is not limited to switches, hubs, routers, patch panels and network cable. Most of this equipment is housed within communications closets in university buildings on each campus. Only IRM authorized personnel will be allowed access to these communications closets and only IRM authorized personnel will be allowed access to the network equipment housed within these closets or elsewhere, where no closet is available.

In addition, IRM must authorize in writing all networking equipment in use and connected to the FAU network prior to being physically attached to that network. IRM staff will manage all authorized networking equipment. Any unauthorized equipment of any kind found attached to the network will be disconnected immediately and without notification to the owner.

E. Network Address Assignment and Dynamic Host Configuration Protocol (DHCP)

Each device attached to a network must have a unique address associated with it. The assignment and accurate maintenance of these addresses is essential to a healthy, functioning network. Management of these functions is solely the responsibility of IRM. DHCP is a readily available method by which address assignment can be automated. No unauthorized use of DHCP will be permitted. Any unauthorized device acting as a DHCP server will be disconnected immediately without prior notification to the owner. Network addresses for university computing equipment are categorized as static; DHCP with registration and reservation; and DHCP open access.

Static IP addresses are most commonly assigned to desktop systems, servers, printers and networking equipment. Access from these devices to remote resources on the FAU network or Internet do not require user authentication. User authentication is handled at the application level as is the case for local system access, email or network file services.

DHCP with registration and reservation applies to mobile computers such as laptops in their preferred location. These addresses are reserved for a single system and require no authentication from a designated site. Individuals requiring the use of DHCP from a primary location must go to the Online Support Center at http://www.fau.edu/helpdesk to request this service.

DHCP open access address assignment refers to all devices, configured for DHCP, connecting to the network from a network port that is not a preferred location. These systems will be assigned a network address dynamically. Anyone connecting to the Internet using this address configuration will be required to authenticate user ID and password initially and every four hours once connected.

F. Domain Name Registration

IRM staff is the only agent at FAU who can register a network address and domain name/host name to any network device before its installation on the FAU network. As with network addresses, domain names and host names must also be unique within subnets, the FAU network being composed of multiple subnets. All requests for server and workstation domain names/host names and network addresses must go through IRM systems and networking staff. When submitting a domain name registration request for a server a Dean, Director or his/her designee must approve the request. The request will then come before the IRM Network Advisory Committee. This committee in consultation with IRM systems and networking staff will review requests making certain requested domain names are appropriate, consistent with the mission of the University and in compliance with standard naming conventions. If the requested name is already in use, the requestor must choose another following the approval process once again. On occasion it is appropriate to request more than one domain name/host name per server. The number of host names is limited to eight per physical server or network address and each server may have no more than one network adaptor. If a network device is moved to a different subnet, its domain name must be re-registered with IRM and a new network address assigned. IRM naming conventions must be followed wherever possible and appropriate. If any particular domain name/host name or network address creates a problem on the network, as is the case when duplicate names and/or addresses attempt to coexist on the same subnet, IRM will notify the owner and issue a new name.

G. Wireless Network

IRM is solely responsible for the design, operation and management of the FAU wireless network. The FAU wireless network operates within the unlicensed 2.4 GHz radio frequency range. Wireless equipment includes but is not limited to wireless transceivers, or Access Points, directly connected to the wired network and wireless antennas which amplify radio frequency signals. Antennas are in compliance with FCC 15.203 and university safety regulations. Any tampering with any of these devices will result in appropriate disciplinary action. Any unauthorized wireless device found connected to the FAU wired network will be disconnected immediately without notification to the owner. If other wireless devices in use cause interference with the FAU network, IRM will work with the college, department or administrative unit owning the device to find an alternative solution.

Wireless network traffic will be confined to its own VLAN where network authentication is mandatory. Users will be required to have an FAU account for authentication prior to accessing the wireless network. Wireless transmissions are not secure. All users should exercise caution in accessing sensitive or personal information while using the wireless network. For information on IRM supported hardware and software refer to http://www.fau.edu/irm/wireless/ .

H. Anonymous FTP Sites

All users intending to implement anonymous FTP on any workstation or server must notify IRM of this intention. Users must not offer licensed or illegal software on their site. Users must not allow anonymous users connecting to their site write access. Any FTP site on the FAU network found in non-compliance with these restrictions will be disconnected immediately.

I. Peer to Peer (P2P) File Sharing and Software Piracy

Florida Atlantic University does not permit the illegal downloading and/or sharing of copyrighted materials in any form or manner. If a member of the University community violates this policy the following penalties will be enforced:

Enforcement Process -- Resident and Non-Resident Students

First Violation: The student’s internet access from their computer will be shut down briefly (24 hours) after a pop-up warning appears on the violator’s computer screen. The pop-up warning will inform the student that he/she will have access to university applications in any Open IRM Computer Lab. The Housing office will be notified.
Second Violation: The student’s Internet access from their computer will be shut down for 72 hours and/or the student completes a tutorial through the Division of Information Resource Management (IRM) regarding appropriate computer use. The Dean of Student Affairs office will be notified.
Third and Subsequent Violations: This matter will be referred to the Dean of Student Affairs office for further action pursuant to the Florida Administrative Code for Student Conduct. The student’s internet access from their computer will be suspended until this matter is resolved.

Students who violate the policy and have their room access shut off could still go to university labs to do school work and check their email. IRM could also block the student’s account from going outside of the University, in other words, suspend external access only.

Enforcement Process -- Faculty, Staff and Administrative Personnel

First Violation

Internet access from their computer will be shut down briefly (30 minutes) after a pop-up warning appears on the employee’s computer screen.

Second Violation

The employee’s supervisor will be notified. The supervisor must meet with the employee to counsel him/her. Any further action will be at the supervisor’s discretion.

Third and Subsequent Violations

Notice will escalate to the next level supervisor for action. A record of the action may be placed in the employee’s personnel file.

J. Firewalls

Firewalls are software barriers to unsolicited or malicious network activity as well as being a barrier to unauthorized users of a network. IRM maintains its own firewall as an added protection against malicious use of our network. Personal firewalls must be approved by IRM in writing for individual servers and/or workstations. It must be shown that they will not interfere with overall network function and performance as determined by IRM.

K. Electronic Mail (Email) and Spam

All email sent and received in the pursuit of official University business will be considered public record and it is the responsibility of each user to become familiar with all aspects of Florida’s Public Records Law, Chapter 119 of the Florida Statutes. If your email falls within the definition of a public record, you may not delete it except as provided for in the university’s retention schedules. Non-compliance with this law will result in disciplinary action. For detailed information regarding retention of public records refer to the Florida General Records Schedule GS5 for Universities and Community Colleges found at http://dlis.dos.state.fl.us/barm/genschedules/gs05.pdf . In compliance with this law, IRM makes nightly backups of all email on our mail server and will keep a copy of these email messages for three years.

The following actions are expressly forbidden.

Forgery (or attempted forgery) of electronic mail messages
Attempts to read, delete, copy, or modify the electronic mail of others
Attempts at sending harassing, obscene, and/or other threatening e-mail to another user
Attempts at sending spam
Attempts at sending viruses

Spam is any unsolicited email message sent to a large number of people. Typically this includes cases where:

The recipient did not request the message
The recipient does not know the sender
Political messages
In newsgroups, a message is posted that is not appropriate to the topic of the newsgroup. Newsgroup postings that offer services or products are considered spam, unless they can be documented as a response to a legitimate inquiry in that same newsgroup, and if they are appropriate to the topic of that newsgroup
Bulk mailing lists are used to send unsolicited marketing or sales information

IRM does not condone the practice of spamming, i.e. sending spam as identified above. To reduce the risk of receiving spam or email messages used to deliver computer viruses, IRM is considering a system, for university mail servers that requires other mail servers sending mail to FAU users have reverse DNS lookup enabled. If the communicating server does not have this featured enabled mail messages will not be accepted from that server. IRM will, to the fullest extent allowed by law, seek legal action against any individual(s), organization(s) and or company(s) that knowingly or otherwise directly or indirectly utilizes the FAU network (or causes it to be used) for any practice that sends out mass unsolicited e-mail.

It is the responsibility of each user to respect the finite capacity of the computing resources made available by IRM and to limit use so as not to consume an unreasonable amount of those resources or to interfere unreasonably with the activity of other users. (Refer to Policy VI, Acceptable Use and Ownership of Technology Resources.) Each user account is assigned specific resources for use by email messages. It is the user’s responsibility to stay within these resource boundaries. Authorized users are responsible for ensuring that their email is downloaded to their desktop computers and systematically deleted from the FAU server on a timely basis. IRM reserves the right to delete email when it exceeds the limits of said resources. Furthermore the size of email messages and attachments is limited to 10 MB. Messages exceeding these limits rapidly consume system and user resources interfering with the delivery of all email. As a result messages and/or attachments greater than the allocated size will be refused by the mail system.

IRM encourages the use of electronic mail; however, users shall have no expectations of privacy. IRM may access any and all electronic mail at any time in accordance with Section V.D. of this Information Resource Management Policy. IRM does not wish to inspect or monitor electronic mail routinely or be the arbiter of its contents. Nonetheless, IRM may access electronic mail and data stored on the University’s network of computers for various purposes, including but not limited to:

troubleshooting hardware and software problems
preventing unauthorized access and system misuse
rerouting or disposing of undeliverable mail
approved monitoring situations, as defined in Section V.D. of this Information Resource Management Policy

IRM will need the approval of the Associate Provost of IRM or his/her appointee to access specific mail and data for the above specified purposes. The extent of the access will be limited to what is reasonably necessary to acquire the necessary information.

L. Email Accounts

Faculty and Staff

IRM provides email accounts to all university administrators, faculty, adjunct faculty and staff during active employment. Effective January 2005, biweekly pay stubs are emailed to the FAU email address of all FAU employees who have direct deposit. Additionally, it is requested by the FAU administration that all work related electronic communication use a valid FAU email address. After employment is terminated, the account will be disabled immediately and physically removed from the system after 60 days. The sole exception to this rule is retired faculty accounts. All existing accounts for employed personnel are verified annually. Adjunct faculty accounts are disabled annually at the end of the Summer semester. Renewal of adjunct faculty accounts must be initiated by the sponsoring department prior to the Fall term. Attachments are limited to 5 MB.

Students

Email accounts are provided for all students from the point of application to the University. All official FAU communication to students will use the student’s FAU email account. One year after graduation or after three successive semesters during which a student has not been registered for a course, the account will be disabled. All student e-mail accounts will be verified each semester. Students may forward e-mail from their FAU account to another e-mail address of their choice but it is not recommended. Email attachments are limited to 8 MB.

Special Request Email Accounts

Other types of accounts issued by IRM include general departmental email accounts, courtesy accounts for specially authorized friends of the University and temporary accounts. Departmental and courtesy accounts are verified annually. Temporary accounts are intended for visitors who require network access for a short period of time. They have built-in expiration dates and are evaluated weekly. All expired temporary accounts are deleted without backup.

Departmental, courtesy and temporary e-mail account requests must come from the department head or designated representative and include the name of the account sponsor, the start and end date for the account and an account justification. The conventions for account names are:

Faculty, staff, and student accounts are created with the first initial of the first name and up to seven letters of the last name. Faculty and staff may choose to have an alias of firstname.lastname@fau.edu .

Temporary accounts are created using the identifier assigned to the request, for the account, by the IRM Help Desk. For multiple accounts requested concurrently the identifier will be followed by a letter of the alphabet.

M. Distribution Lists

Groups within MyFAU will be created in the place of distribution lists. MyFAU groups provide email service to all group members. Complete and submit group requests through the Groups application within MyFAU.

N. World Wide Web

IRM supports the FAU.EDU web domain to provide web access to FAU services and information. IRM makes available the use of FAU.EDU to colleges, departments, campuses and other FAU organizations to further support the mission of the University. Users of FAU web servers are responsible for the content and information they store on these systems and are expected to abide by IRM technology policies as defined here. Any person wishing to become a web developer on the FAU.EDU domain must already have an FAU email account. The Web developer account will allow access to the Web server for the creation of new departmental pages and the maintenance of existing pages. All FAU web developers are given 10MB of disk space initially. IRM will increase disk space for legitimate reasons only.

Web pages created by university-related organizations must be consistent with policies set by University Communications and Marketing. Personal web pages should clearly indicate that the pages reflect the owner’s opinions and not those of the University.

O. Commercial Web Use

Using the FAU Wise Web server system for commercial purposes is not permitted.

P. WISE Privacy Policy

IRM collects no personal information about visitors to the FAU website unless it is the desire of the visitor to make such information available. IRM gathers information regarding the volume of access to the website at any given time by collecting information on the date, time and web pages accessed. IRM’s intent is to improve the content of our website. Visitors to the FAU website are encouraged to read the privacy policy posted there, http://www.fau.edu/notices/privacy_policy.html .