Acceptable Usage Policy

Policy Statement

All the IT assets and services provided by MAHE are for carrying out institution-related operations. Users must ensure that information resources are used safely and that their usage does not disrupt operations or bring disrepute to the institution(s).

Acceptable usage applies to proper care and maintenance of assets and following the security requirements as laid down in this policy. Users must ensure that appropriate controls that are enforced by MAHE for preventing infections through malicious code are followed diligently.

Access to removable media such as flash drives, storage cards etc. is provided to support educational and operational activities. Users are responsible for ensuring that removable media are used responsibly.

User accounts and passwords for systems or services must not be shared with anyone under any condition. All systems must be kept secure by installing the latest security patches.

Clear Desk and Clear Screen Policy

• Users must “log off” or “lock” their computers when their workspace is unattended;

• Users must “shut down” their computers at the end of the workday;

• All “Highly Restricted” and/or “Confidential” information in printed form/hard copy must be removed from the desk and locked in a drawer or file cabinet when the workstation is unattended and at the end of the workday;

• File cabinets containing “Highly Restricted” and/or “Confidential” information must be locked when not in use or when not attended;

• Keys used to access “Highly Restricted” and/or “Confidential” information must not be left unattended;

• Laptops must be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the workday;

• All Users should ensure that unattended equipment is appropriately protected;

• Passwords must not be posted on or under a computer or in any other accessible location;

• Keep passwords confidential and refrain from sharing them with others;

• Change passwords on a periodic basis or as per system settings or if there is an indication of a possible compromise of the systems or passwords. Passwords for privileged accounts such as system administrator shall be changed every 90 days, whereas normal user passwords shall also be changed every 90 days;

• Notify the MAHE IT team if any security breach is observed;

• Documents containing confidential information must be immediately removed from printers, photocopiers or facsimile machines;

• Users must take adequate precaution to ensure that sensitive information is not displayed when sharing the screen or when the screen is visible to others. In addition, users must ensure that the screen is not visible to others when working in public areas or from home.

Guidelines for Workstation Usage

The guidelines are applicable to desktops, laptops and netbooks given by the institute to Users.

• Any changes in hardware or software must be done by the MAHE IT Team. The end user must request changes from the MAHE IT Team through the Helpdesk.

• Users must terminate active sessions when they have finished the purpose of their connection, e.g. by logging out from the account after operations. Users must adopt formal log-off procedures instead of just switching off the PC screen or terminal. The importance of these good user practices must be spread through systematic awareness programs.

• Users must keep their equipment clean and free from dust.

• Laptop users must prevent damage to the laptop from inappropriate handling.

• During travel, care must be taken that laptops are not packed in checked-in baggage. The user must ensure that the laptop is always under his supervision and never left unattended.

• Laptops that are not regularly connected to the network must be checked for any changes and to keep the OS, applications and anti-virus up to date.

• If a user believes that some data has been modified or deleted from his system, then it means that his system has been compromised. The end user must immediately inform the MAHE IT Team about the same.

• If any user finds that his desktop has changed and any files are missing in his system, he must immediately contact IT and report it as an incident.

• All workstations must have the latest patches applied to software and applications as and when released by the vendors.

Printer Usage

• Printers are recommended to be used for printing documents for institutional requirements only.

• Users printing documents must ensure that they collect them personally from the printers and do not designate others to collect them from the printers.

• Printed documents must not be left to accumulate in the machine. Stringent care must be taken to ensure that any document that was printed by mistake, or has an error, is destroyed. It must not be used for any other purpose.

• Paper shredders must be used for shredding restricted and confidential documents.

Usage of Internet

Internet access is provided to Users to assist them in carrying out functions that are required as part of the operations. Activities unrelated to the institution must not be carried out over the internet. Occasionally, the internet can be used for personal reasons. However, the usage must not interfere with work performance.

Users’ access to the internet must be through the internet service provided by MAHE.

Access to the Internet is restricted through a gateway proxy. Depending on the content of the website and the risks associated, the institute has the right to filter and prohibit access to websites deemed inappropriate.

The MAHE IT team has the right to monitor the internet usage of the end users and collect logs, which may show the websites visited etc., for the purpose of monitoring and not for any other activity.

The following guidelines must be followed by users accessing the internet.

• Users must not use the internet facility to carry out malicious activity such as hacking, eavesdropping, cracking, unauthorized scanning, Denial of Service (DoS), Distributed Denial of Service (DDoS) etc., against internal and/or external networks or users connected to such networks.

• Users must not violate copyrights by downloading and distributing copyrighted material.

• Uploading institutional data to any internet site, file sharing site etc. is subject to/limited to official purpose.

• Usage of the internet for carrying out illegal activities such as gambling, accessing obscene material, identity theft etc. is strictly prohibited and may lead to disciplinary action leading to termination and/or legal action.

• Users must not engage in any form of network monitoring which will intercept data not intended for the User, unless this activity is a part of the User’s normal job/duty.

• Users must not engage in interfering with or denying service to any user other than the User’s host (for example, a denial of service attack).

• Opinion about the institution posted on any websites needs proper authorisation from the appropriate authorities.

• Users must not use the internet facility to download entertainment software, music, videos and games or play games over the internet. Apart from unnecessary wastage of bandwidth, these files may contain malicious code.

• All devices connected to the Internet must be equipped with the latest version of anti-virus software. The MAHE IT Team must prohibit internet access to systems that do not meet any security requirements.

• All forms of data transmitted from the institute over the Internet must be checked for viruses in advance. Any suspicious activity must be reported to infosec.admin@manipal.edu for further action.

• Users must not download any virus-creating tools or software, nor otherwise create malware code. Users must not distribute malware to, or infect, any internal systems or external network interfaces.

• If users come across any abnormal situation while using the internet, they are requested to contact infosec.admin@manipal.edu immediately and not take any action on their own.

Usage of E-mail

Users must use their institute e-mail account to communicate with external parties / MAHE team members and not their personal e-mail accounts. Similarly, where possible e-mails must be sent to the receiver’s official e-mail and not to their personal e-mail.

Once a User resigns or if his/her services are terminated, it is important to revoke their e-mail account immediately after confirmation from HR; the responsibility lies with the MAHE IT team.

E-mail access is available only for MAHE team members, and outside parties must not have access to the institutional e-mail account. Partner teams/service providers must obtain approval from the MAHE IT team to get e-mail access for work as per the service agreement, and the access should not be used for any other purpose. Users are responsible for the data that is originated, replied to or forwarded from their account to others (third parties as well as other users within the institution), in line with the institutional data privacy policy.

The following guidelines must be followed by Users having access to MAHE’s e-mail.

• Users sending any e-mail must ensure that the addresses in the ‘to’ and ‘cc’ fields are those of the intended recipients.

• Users must not send any e-mail containing any defamatory, offensive, racist or obscene remarks. E-mail messages must not be used to harass or intimidate people.

• All e-mail sent by Users within the institution will be scanned for viruses and malicious code. When sending e-mails using internet connectivity other than the institutional internet, it is the User’s responsibility to ensure that there is adequate protection and that the e-mails or attachments do not contain any malicious code.

• Institutional e-mail accounts must not be used to send chain mails, or for political reasons, personal amusement and entertainment.

• Institutional e-mail accounts must not be used as a medium to transmit any document, software, or any other information protected by copyright or any other law.

• E-mail accounts or devices logged into e-mail accounts must not be shared and must be maintained securely.

• Users may report spam or objectionable messages to MAHE - IT as an incident.

• All e-mails sent must have a disclaimer. The disclaimer is approved by the Director – Digital & IT/Registrar, MAHE and the sender must not modify the content of the disclaimer.

Use of mobile devices

• Users must not allow others/family to use MAHE devices.

• Users must not access the MAHE network with unauthorized devices.

• Users must log out of all MAHE networks and apps if non-official devices are used for access.

• Users must ensure anti-virus or equivalent software is updated on mobile devices used to access the MAHE network.

Physical document protection

• Users must sign off asset movement in the register or equivalent.

• Highly restricted and/or confidential documents should not be moved/shared out of MAHE premises or systems without appropriate approval/exemption.

• Internal physical documents can only be taken out temporarily and should be returned within the allotted time.

Office 365

• MAHE users should use O365 tools and their respective apps only for official purposes.

• Users are responsible for their documents while using OneDrive and SharePoint, and information should be disclosed only on a need-to-know basis.

• Users must not send any messages containing any defamatory, offensive, racist or obscene remarks. Messages must not be used to harass or intimidate people.

• Usage of Microsoft Teams should be internal to MAHE team members and for official purposes only.

• Please go through the “MAHE Information Classification and Handling Policy” for data classification before using O365 tools and their respective apps.

• Access to a Teams folder with any non-public classification must be restricted on a need-to-know basis. The folder owner shall be responsible for controlling and monitoring access to the information.