Difference between revisions of "Acceptable Use Policy"

From PDP/Grid Wiki
Line 20: Line 20:

== Monitoring and logging of network traffic and e-mail ==

− Systems and network are monitored in order to detect trouble in an early stage and rapidly mitigate potential damage, for administrative, operational, accounting, monitoring and security purposes only. In order to trace problems on the network to the source, logs of all network traffic flows (but not their content) may be kept for a period of up to 14 days. E-mail transactions (its source and destinations, but again not its content) are also logged, in a secured system, and retained for a maximum of 90 days. Access, authentication and authorization (collectively "security") logs are kept for a period of up to 400 days.
+ Systems and networks are constantly monitored to detect problems in time and be able to intervene to prevent damage. This is done only for administrative, operational, security, and systems analysis purposes, and to attribute usage to users and groups. In order to trace problems on the network to the source, logs of all network traffic flows (but not their content) may be kept.

− Because most systems are periodically backed up, the above log data is effectively kept for for an additional period of 100 days.
+ Network traffic may also be analysed and stored, in order to trace the source of network issues, and to be able to detect, resolve, and prevent cyber-security incidents. The retention period depends on the type of traffic, and this data is searchable for no longer than 31 days. The data is destroyed after 45 days, unless it is part of an ongoing forensic investigation. Except during occurances of active cybersecurity incidents, the data is only and exclusively analyzed for known indicators of cybercrime ("indicators of compromise") through automated means. The data will not be searched manually unless there are due reasons to do so. Such manual searches by the Nikhef computer security team are recorded and made available upon request.

− This data is only accessible by Nikhef system administrators and CSIRT members, as authenticated per the usual Nikhef login/password access control.
+ Email transactions (sender and recipient, but again not content) are also stored for a period of up to 90 days. Finally, security events related to service access (regarding identity and access rights) are retained for a period of up to 400 days.

− Obviously, user data, including stored e-mail, will only be inspected if there is a strong and substantiated suspicion of misuse of services or illegal activities. If you want to know what kind of logs are kept about your use of ICT services, you can always contact the [mailto:helpdesk@nikhef.nl CT department]. We follow [https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/av/av21.pdf AP guidance on working in networks].
+ Because many systems are backed up automatically, the above-mentioned log and transaction data are subject to a supplementary back-up period of a maximum of 100 days.
+
+ This data is only accessible to system administrators and CSIRT members, whose access is controlled based on the usual Nikhef login and password controls.
+
+ These data will of course be handled with due care: data that can be traced back to individual users (including email) will only be reviewed if there is a well-founded suspicion of substantial misuse or of illegal activity. We follow the guidelines of the Dutch Data Protection Authorities (Autoriteit Persoonsgegevens) with regard to working in networks.
+
+ Would you like to know what (kind of) information is known about you in the logs? Then [mailto:helpdesk@nikhef.nl ask the CT, via helpdesk@nikhef.nl].

== Enforcement ==

Revision as of 07:05, 29 March 2022

Dutch version: Gebruiksvoorwaarden


Acceptable Use

This Acceptable Use Policy governs the use of the Nikhef networking and computer services; all users of these services are expected to understand and comply with these rules.

Other terms

Monitoring and logging of network traffic and e-mail

Systems and networks are constantly monitored to detect problems in time and be able to intervene to prevent damage. This is done only for administrative, operational, security, and systems analysis purposes, and to attribute usage to users and groups. In order to trace problems on the network to the source, logs of all network traffic flows (but not their content) may be kept.

Network traffic may also be analysed and stored, in order to trace the source of network issues, and to be able to detect, resolve, and prevent cyber-security incidents. The retention period depends on the type of traffic, and this data is searchable for no longer than 31 days. The data is destroyed after 45 days, unless it is part of an ongoing forensic investigation. Except during occurrences of active cyber-security incidents, the data is analysed exclusively for known indicators of cybercrime ("indicators of compromise") through automated means. The data will not be searched manually unless there are due reasons to do so. Such manual searches by the Nikhef computer security team are recorded and made available upon request.

Email transactions (sender and recipient, but again not content) are also stored for a period of up to 90 days. Finally, security events related to service access (regarding identity and access rights) are retained for a period of up to 400 days.

Because many systems are backed up automatically, the above-mentioned log and transaction data are subject to a supplementary back-up period of a maximum of 100 days.

This data is only accessible to system administrators and CSIRT members, whose access is controlled based on the usual Nikhef login and password controls.

These data will of course be handled with due care: data that can be traced back to individual users (including email) will only be reviewed if there is a well-founded suspicion of substantial misuse or of illegal activity. We follow the guidelines of the Dutch Data Protection Authorities (Autoriteit Persoonsgegevens) with regard to working in networks.

Would you like to know what (kind of) information is known about you in the logs? Then ask the CT, via helpdesk@nikhef.nl.

Enforcement

Access to services may at any time be suspended or terminated, at Nikhef's discretion, for administrative, operational or security purposes. It is common for access to be suspended as part of an incident investigation, even when a violation is merely suspected. As a general matter, prior to terminating service, Nikhef will attempt to work with the user to cure violations and to ensure that there is no re-occurrence of the violation.

Liability

In no event will Nikhef be liable to any user or third party for any direct, indirect, special or other consequential damages for actions taken pursuant to this AUP, including, but not limited to, any lost profits, business interruption, loss of programs or other data, or otherwise, even if Nikhef was advised of the possibility of such damages.

Reporting abuse

Complaints regarding violations of this AUP, as well as concerns regarding objectionable material sent from or distributed via Nikhef, will be accepted via e-mail at abuse@nikhef.nl, so long as a valid return address is included. Nikhef must be able to independently verify each instance of abuse: for objectionable e-mail, each complaint must include the COMPLETE TEXT OF THE OBJECTIONABLE MESSAGE, INCLUDING ALL HEADERS. Please do NOT send excerpted parts of a message; sending a copy of the entire message, including headers, helps to prevent misunderstandings based on incomplete information, or information used out of context. Full headers demonstrate which path the message has taken, and enable us to determine whether any part of the message has been forged. This information is vital to our investigation. If you consider material located on Nikhef resources (e.g. published via its web site) to infringe on your rights, provide the complete URL, the time you visited this URL, and complete and sufficient evidence as to why you consider such a publication to infringe on your rights under Dutch law.

Responsibility

Nikhef is not responsible for the content of e-mail communications sent by its users, nor for information published on user personal home pages. This responsibility rests with the user. At its sole discretion, Nikhef reserves the right to remove materials from its servers and to terminate access to services for any user that Nikhef determines has violated this AUP.

Modifications

Nikhef retains the right to modify the AUP at any time. Such modifications shall become effective at the moment they are adopted by Nikhef and will apply to all users, current and future.

CSIRT

The above text mentions several times the Computer Security Incident Response Team (CSIRT). For more information about the role of this team, see the contact page at http://www.nikhef.nl/security/.

Complaints

Employees who disagree with the application of this policy should first contact the head of the CT department, and otherwise consult the FOM algemeen klachtrecht (UR-17) (in Dutch).