IT Policy
This document outlines key IT policy statements.
Regulations for use of IT facilities
These are displayed on the IT notices web page and may be updated from time to time. All users are bound by the current version of the rules being displayed.
In particular, users should note that they are personally responsible for any illegal activity they undertake. For example, should the department receive a cease and desist notice as a result of someone downloading software illegally, the individual will be traced and any fines, charges or other penalties passed on to that individual.
A breach of the regulations for use, or of IT policy in general, is a serious matter and should be reported so that any formal disciplinary action or review may take place.
Individuals may be held personally responsible for any breach of the law.
Web page regulations
These are displayed on the IT notices web page and may be updated from time to time. All users are bound by the current version of the rules being displayed.
IT service agreement
The conditions of service are displayed on the IT notices web page.
Green IT
See the green IT page for specific information on departmental practices and policy.
Security
Physical security/access
All critical equipment is kept in locked and alarmed rooms.
Default desktop/user account configuration is for screens to lock after a given period of inactivity. Users should in general lock the screen if they leave their computer (particularly if the office itself is shared or unlocked).
Firewall policy
All traffic in and out of the Oxford network passes through the university firewall.
The department has its own firewall as well which broadly implements the following:
- No restrictions on outgoing TCP traffic except that the source address must be from our subnet range.
- Disallow almost all UDP (this is vital to protect essential internal services that use UDP).
- Disallow all incoming TCP except AUTH to all machines and SMTP, IMAP(S), NTP, DNS, SSH, HTTP(S) to the specific machines that host these services.
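As an added illustration (not the department's actual firewall ruleset), the following Python encodes the three bullets above as a single decision function, so that a proposed flow can be checked against the stated policy before a rule change is made. The subnet, the addresses of the service hosts and the small set of UDP exceptions are constructed placeholders, since the page names the services but not the machines.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Constructed placeholder for "our subnet range" (documentation address space).
DEPT_SUBNET = IPv4Network("192.0.2.0/24")

# Incoming TCP services the policy permits, each only to the specific machine(s)
# that host the service. Port -> set of host addresses (addresses are assumptions).
SERVICE_HOSTS = {
    25: {"192.0.2.10"},    # SMTP
    143: {"192.0.2.11"},   # IMAP
    993: {"192.0.2.11"},   # IMAPS
    123: {"192.0.2.12"},   # NTP (listed under TCP on the page)
    53: {"192.0.2.13"},    # DNS
    22: {"192.0.2.20"},    # SSH
    80: {"192.0.2.30"},    # HTTP
    443: {"192.0.2.30"},   # HTTPS
}
AUTH_PORT = 113  # AUTH/ident is the one incoming TCP service allowed to every machine

# "Almost all" UDP is dropped. The exceptions are not spelled out on the page; this
# example assumes only the public DNS and NTP hosts accept UDP from outside.
UDP_ALLOWED = {("in", 53, "192.0.2.13"), ("in", 123, "192.0.2.12")}


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (from outside into the department) or "out"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def decide(flow: Flow) -> bool:
    """Return True if the stated departmental policy permits this flow."""
    if flow.proto == "udp":
        # Bullet 2: deny UDP except the explicit exception list.
        return (flow.direction, flow.dport, flow.dst) in UDP_ALLOWED
    if flow.proto != "tcp":
        return False  # anything else is outside the stated policy: deny by default
    if flow.direction == "out":
        # Bullet 1: outgoing TCP is unrestricted, but the source must be ours
        # (this is egress anti-spoofing: a foreign source address cannot leave).
        return ip_address(flow.src) in DEPT_SUBNET
    if flow.direction == "in":
        # Bullet 3: AUTH to all machines, the listed services only to their hosts.
        if flow.dport == AUTH_PORT:
            return True
        return flow.dst in SERVICE_HOSTS.get(flow.dport, set())
    return False


def denied(flows) -> list:
    """Audit helper: return the subset of flows the policy would block."""
    return [f for f in flows if not decide(f)]


if __name__ == "__main__":
    # Constructed sample flows: a normal web request, a spoofed outbound packet,
    # SSH to a non-designated desktop and SSH to the designated SSH host.
    sample = [
        Flow("out", "tcp", "192.0.2.5", "198.51.100.7", 443),
        Flow("out", "tcp", "10.0.0.5", "198.51.100.7", 443),
        Flow("in", "tcp", "198.51.100.7", "192.0.2.5", 22),
        Flow("in", "tcp", "198.51.100.7", "192.0.2.20", 22),
    ]
    for f in sample:
        print(f, "ALLOW" if decide(f) else "DENY")
```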
Anti-virus policy
All Institute maintained Windows machines run the latest version of Sophos and automatically update as new virus identity (IDE) files become available.
All email to department addresses is relayed through the OUCS virus scanner.
For departmentally owned but personally held items (e.g. laptops) the department will typically provide the machine with an initial installation, after which the machine is the keeper's responsibility to maintain and support; this includes ensuring the anti-virus software is kept up to date. If such machines do develop problems the department will do its best to help but cannot guarantee to resolve the problem or reinstall the machine quickly.
Patching
In general, Institute maintained machines are security patched/updated at the earliest reasonable opportunity after a security patch/update is released or a vulnerability is announced. However, depending on the particular system and vulnerability, patches/updates may not always be available, or applying those patches may itself introduce problems or not be possible for other reasons; hence security announcements may be individually reviewed before appropriate action is taken. IT staff subscribe to recognised security mailing lists to ensure they are aware of new vulnerabilities as they are announced.
Keyloggers and other possible password breaches
If the department receives a report that an individual has been using a machine which is infected with a keylogger or some other risk to password security, then the user's account will be immediately locked. The user will then need to confirm that they are either no longer using the compromised system or that the system has been cleaned before they can be issued with a new password, by visiting a member of the departmental IT Team with proof of ID (typically a university card).
Information security
Information on departmental computer systems is held in compliance with the University policy on Information Security and the departmental policy on Information Security. See also the departmental pages on data protection and research using data involving humans.
Also note that all material on the departmental web pages (whether publicly accessible or not) is covered by copyright unless otherwise stated. The main exception is the course materials published under the open courseware principles.
Feedback
Individuals should report any observed or suspected security weaknesses.
At Risk Period / System Reboots
Servers and Services
The University/OUCS at risk period is 7am-9am on Tuesdays. Unless updates to central university facilities are urgent, e.g. system failure, major security update, OUCS will in general schedule reboots and outages for this period. Outages or reboots of OUCS servers may have an impact on facilities within the department, e.g. affect the department's connections between buildings or connections out of the university etc.
UKERNA, the organisation that runs JANET (the academic network linking higher education sites to each other and to the Internet), designates 8am-10am on Tuesdays as an at risk time when it can shut down or reconfigure systems at little or no notice for emergencies.
Within the department, changes to critical systems (e.g. file and mail servers) that require significant down time are scheduled with at least a week's notice and, where necessary, conducted out of core hours.
The department has an at risk period of 12 noon - 2pm on Tuesdays for changes that need to be made within core hours. Other changes that may affect service provision may be made out of core hours when possible to minimise disruption. If these changes are to critical systems then they will typically be announced with several days' to a week's notice. Changes that may only briefly affect a system or service are less likely to be announced, to limit the number of notification emails about things that most users will not even notice.
For urgent changes that require quick action an announcement will typically be sent out notifying people of the scheduled time. That time will be dependent on the urgency of the issue but whenever possible will be out of hours for long outages. Brief outages may occur within the day if appropriate but out of hours where necessary / more acceptable.
Desktops
Updates to Linux desktop systems are common. The vast majority require no reboot etc and will happen automatically. Those that require a reboot will trigger a warning to the users on the system asking them to log out. If all users log out of the system it will reboot within 5 minutes. If the users do not log out they will receive regular warnings on screen for 3 days at which point they will then receive an email warning. If the users still have not logged out after 6 days from the update being scheduled they will receive a further email which will indicate the machine will reboot automatically in 24 hours. In some cases the security update will be to eliminate a major risk and in those cases may need to be forced through more quickly.
MS Windows is configured to automatically apply Microsoft security updates on the desktop machines. Microsoft typically trigger major updates on the second Tuesday of every month and these updates can force the machine to reboot. Occasionally, for more serious issues, they will push an update sooner. Other updates will typically be reviewed on a case by case basis and applied as appropriate.
Machine ownership
Any machine purchased by the Institute remains the property of the Institute even if the machine is located outside of the buildings (e.g. in college, laptops etc).
Most research grants state that the ownership of a machine purchased from the grant falls to the Institute once the period of the research grant ends.
Note mobile and personally held items must be signed for so the department has a record of the keeper. When you come to leave the department, or if you no longer need an item, you must contact the Head of ICT (head-of-ict [-at-] maths [dot] ox [dot] ac [dot] uk), so that appropriate arrangements can be made. Depending on the age of the equipment, or if it was purchased on a specific grant where the equipment moves with the person, it can be possible to keep equipment when leaving the department. However, this needs to be confirmed for every item and the department is required to update the departmental asset register appropriately.
If the department is audited the auditors may ask to see any item on the departmental asset register. If the item is a personal item they will ask for it to be brought in for them to confirm the records are correct.
Machine maintenance
- All PCs and printers are purchased with 3 year warranties.
- All PC servers are typically purchased with extended warranties for up to 5 years' cover.
IT budget, purchasing and provision
The annual IT budget is intended to support the general work of the Department in teaching, research and administration. It is used to provide basic facilities within the department for the academic and administrative staff, and for the students in the Department, to carry out their normal duties in the University. It is not intended to provide more advanced facilities for specific research projects, although, if funds are available, it may be appropriate in some cases to make a contribution from the equipment grant to seed an application to a grant-giving body. In general, applicants for research grants should always seek to obtain the funds needed to cover the equipment requirements and computer support costs of their projects. The equipment needs of staff employed on grants should wherever possible be met from those grants.
The annual IT budget request is produced by the Head of ICT based on the equipment needed for the general rolling replacement scheme and specific requirements for that year, combined with information and feedback provided by key committees (e.g. teaching, research and departmental) and department members. The budget is presented to the Departmental Committee, along with the other budget requests for the year. The Departmental Committee then agrees the overall department budget request, which is submitted to the division. Based on the funds ultimately agreed by the division, the Head of ICT then makes minor revisions to the budget if required.
Purchases are then typically made throughout the financial year by the Head of ICT. In order to obtain the best prices, rolling replacement purchases are typically batched into two orders per year (e.g. for desktop PCs).
The current policy for academic users is to provide one machine per person (where desired) with a dedicated desk space within the department.
Current policy is to buy standard PCs for desktop use. Based on consultation with users and experience built up from operating a rolling replacement scheme for many years, this currently (March 2012) equates to approximately an AMD quad core processor PC with 8GB RAM. Should a user prefer a laptop instead of a desktop in their office then they may be allocated equivalent funds towards the purchase. Similarly, should a user prefer an Apple Mac instead of a standard desktop in their office then they may be allocated equivalent funds towards the purchase. Desktops are typically purchased from 3TH (a company local to Oxford) and laptops from Lenovo, although prices and providers are reviewed periodically (e.g. considering Dell, HP and smaller companies like DNUK etc).
Current policy is to buy higher spec PCs as servers or computational machines (typically from DNUK or IBM). These machines typically have redundant disks and power supplies as well as multiple processors.
The basic spec machines are typically of a level suitable for the initial user for 2 to 3 years. Most machines run a multi-user OS (e.g. Linux), so any variation in usage or small under-utilisation is often made use of by remote users running suitably niced/scheduled jobs. After the first 2 or 3 year period the machine may be cascaded down to a location/user who does not require the latest spec machines. Ultimately, at about 4-5 years, the machine is retired from use and either donated to students and charities etc or scrapped as appropriate.
Workgroup network black and white and colour printers are provided in public areas around the department as required.
Small/personal printers are discouraged as far as possible as they require unnecessary additional time to configure, manage, troubleshoot etc. Locally attached printers typically require even more time to manage and so are being phased out.
Unless there is a clearly defined need for a printer within a specific office, personal/individual room printers are not provided. Any need will be reviewed against existing comparable use elsewhere within the department to ensure consistency of policy and provision.
Whenever a printer needs replacing or reviewing or a room is rearranged or retasked the printing provision will be reviewed against the above policy and with an aim to reduce the number of printer locations and total number of printers.
Scanners with document feeders are provided in computer rooms around the department. These should meet the needs of almost all individuals. If a request for a scanner in an individual office is made it will be reviewed to determine if there is a clearly defined need that is not met by the general provision.
Network provision and connection
The entire network is twisted pair of either CAT5 or CAT5e standard (100Mbps and 1Gbps capable) with switched hubs. The internal network backbone and link between the buildings runs at 1Gbps. OUCS currently provides the department with a 1Gbps link to the university backbone.
Cabling is typically reviewed once a year to identify any additional work needed. Should needs arise within the year, depending on urgency, they are batched together and additional cabling work ordered.
An individual may self register a machine for a wired or wireless connection (using DHCP). A user must have a Mathematical Institute computer account first.
Network connection within the department is in accordance with the university policy on connection. In particular connection to the main departmental trusted/managed network is restricted to departmentally managed machines and access to those systems with administrator privileges is restricted to departmental ICT staff only. Any non Institute maintained machine will be given access to a private/separate subnet, with dynamically allocated (not fixed) IP address allocation, rather than the main Mathematical Institute subnet. Such a private/separate subnet sits behind a suitable firewall and/or captive portal.
It is the machine owner's responsibility to maintain the security of their machine by applying appropriate patches and running suitable anti-virus software etc. Any user not properly maintaining their own machine runs the risk of their connection being withdrawn.
Software
The IT Team provide a standard install for the Windows and Linux systems (similar, but not identical, for desktops and laptops) purchased by the department from departmental or research grant funds.
Users may make additional software requests by emailing IT help or the Head of ICT. If there are no cost implications the IT Team will endeavour to install the software for you (particularly if it is likely to be of general use to others).
As indicated in the computer use regulations, users may not install unlicensed software. A user may, however, install suitably licensed software (e.g. open source) within their account or on the local machine's hard disk under the partition provided.
The cost of licensed software that is not free or under a university site license is covered from the main IT budget provided that it is seen to be of use to a range of department users and hence a core package (e.g. Maple, Mathematica, MATLAB). If software is for a specialist project, a limited number of users or a research group, then the funds to purchase it are typically required from individual or research group grants. Those license costs covered by the core IT budget are reviewed each year to ensure we continue to centrally fund the most widely used applications.
Software installed as part of the departmental standard desktop install done by the IT team is supported to some level (although this may be very limited). The IT team cannot, however, be expected to be experts in the use of all software, so for some applications the support is limited to trying to ensure it runs, is kept up to date and is secure. As noted above, where possible we will make available software requested by individuals, but this does not guarantee any specific level of support for that software. Support of a given application, as with any other IT system, is based on the availability of support resources and the appropriate priority of the problem. This is particularly relevant to applications that are not generally required for the research, teaching or administrative functions of the department but have nevertheless been requested and provided (a common example might be an MSN client: the use of MSN for personal communication is permitted but there is no guarantee of support or service). The software installed may need to be reviewed as the system is updated and upgraded, and as such applications may be withdrawn if they cannot reasonably be supported at that time (e.g. when a package is no longer provided as part of the standard distribution used, or when a package built in house no longer builds/runs on updated/upgraded systems).
Users may install software themselves, subject to the limitations of the system setup, provided they do not breach any rules, licensing agreements etc. Any such software installed by an individual has no guaranteed support from the department for that user or anyone else who may try to access that installation. If the departmental standard install changes and such an application no longer functions then the department cannot guarantee any support for the issue.
In the case of laptops the machine is installed dual boot, if required, using the department's standard Windows and Linux laptop installations. The machine is configured to operate in a standalone manner without dependence on the department's IT services, but able to make use of standard network services wherever they are provided. After the initial installation the machine is handed over to the keeper to maintain and support in general thereafter. See the information above in the anti-virus section about making sure such personally managed machines have up to date anti-virus software.
The IT team can provide users with advice on installation and configuration of personally purchased machines but does not provide an install and managed personal system service.
Hardware Location/Placement
The machines currently bought for offices are of a small form factor in order to take up the minimum space possible. Office machines should in general be placed on the desk (and not on the floor or in very inaccessible locations). Inaccessible placement typically results in the machine sucking in more dust (and hence failing more often or more quickly). Inaccessible placement also has implications for health and safety: it is not good for the user to have to bend in awkward directions simply to plug in a pen disk or access the CD drive, and similarly it is not good for support staff to have to crawl under desks to investigate problems or replace machines. If you are particularly short of space and would like the machine to be moved, please contact the IT support staff to discuss possible changes that can be made without introducing problems.
Some individuals may obtain grants for larger desktops/small compute machines. Such machines typically produce more heat and noise (compared to the very low noise and heat of the small form factor desktops). In order to avoid problems it is always sensible to take this into consideration before ordering such a machine or applying for a grant. If the machine is for someone in a shared office then the other occupants need to be taken into consideration; if they are not happy with the noise/heat they may ask for the machine to be removed. Placing small compute machines in the server room is not generally possible due to space constraints, so we would generally recommend careful consideration of the options, as it may be better to put the funds towards a higher spec shared compute machine that makes more efficient use of space and thus may be appropriate for the server room.
Data
Disk quota
- Each user is given an initial quota of 5GB for their home directory (some older accounts may still have a 2GB quota if the usage is well below that limit).
- All users can request additional quota by emailing help [-at-] maths [dot] ox [dot] ac [dot] uk stating how much they need and why.
- Whilst about 90% of all users will typically only ever use up to 1GB of mail storage, the default mail quota on the main mail system is set to 5GB (primarily to guard against any one incident or individual problem without imposing awkward limits on normal usage).
- Web server usage is monitored but currently has no imposed quota limits.
Backup
All user files stored on the main servers are backed up nightly to the department's internal backup system. The internal backup system typically holds 28 daily backups and a further 9 weekly backups, and may also hold a further 9 monthly backups to give an overall backup period of 1 year. The servers are also backed up nightly to the university's central backup system for additional redundancy and disaster recovery.
All Linux desktops have a 50GB+ local partition which users may use to store additional files (e.g. large data sets, PDFs of downloaded papers etc). This partition is backed up weekly to the university's central backup system.
Although the Computing Officers will try to ensure that the system is operational at all times and that files are regularly backed-up, the Institute will not accept responsibility for any failure of the system or any loss of data.
Examining Users' Data
Policy on the examination of a user's data is covered in the University's regulations relating to the use of IT.
Under normal circumstances an individual is the only person with access to data in their home directory/mail store. Data held in various shares is only accessible by the specific group of individuals with shared ownership of that data.
Should a request be made to examine one user's data or provide it to another, IT staff will make significant efforts to ensure that this is done with the user's permission. If an individual cannot be contacted to give permission, the need to access the data should also be considered. Only if it is absolutely necessary to access the data immediately, and it cannot wait until the owner's permission can be obtained, will the IT staff escalate the procedure. Typically this means obtaining permission from the Head of ICT, who may in turn consult others or investigate further to determine that the access is essential. Permission may also be given by the Head of the Department. In the absence of the Head of ICT, the Head of Administration and Finance should be approached in the first instance to obtain access permission.
No general access to another user's data/files/email would be given under the above terms, only access to (a copy of) the specific piece of data requested and approved.
Taking/transferring data off departmental systems
The department offers a range of remote access options which can facilitate remote working without the need to transfer/copy files off the departmental systems. If remote working is not practical one should consider the risks when transferring files off the system (e.g. loss of work if other system has no robust backup mechanism, access to the files being compromised if the other system is not secure and well managed etc). If one transfers files over the network a secure transfer mechanism should be used, e.g. sftp. If one transfers files using physical media one should carefully consider the importance of that data and take appropriate precautions to keep it secure (e.g. one might encrypt the files on the physical media). Having transferred files to a remote system or removable media there is then a responsibility to manage those files appropriately and in particular remove them from the media/remote system when no longer required to ensure they do not later mistakenly become accessible by unauthorised individuals.
Information security
As stated above in the security section, information on departmental computer systems is held in compliance with the University policy on Information Security and the departmental information security policy. See also the departmental pages on data protection and research using data involving humans.
Usernames
All usernames are generated using an algorithm to ensure there are no clashes. The broad algorithm is to take the first 12 letters of a person's surname. If this is not unique and is less than 12 characters, then the initials are added one by one until a unique username is produced, provided it is still at most 12 characters. If the 12 character username is not unique then it is reduced to 11 characters and a number added, starting at one and increasing until a unique username is produced.
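The following Python is an added worked version of the algorithm just described; it is not the department's own account-provisioning code. It assumes that usernames consist of lowercase ASCII letters only (hyphens, apostrophes and spaces in a surname are dropped), that initials are taken from the forenames in order, and that when the numeric suffix reaches two digits the stem is shortened further so the result still fits within 12 characters; the page does not state what happens in that last case.

```python
import re

MAX_LEN = 12


def _letters(name: str) -> str:
    """Normalise a name part to lowercase ASCII letters (assumption for this example)."""
    return re.sub(r"[^a-z]", "", name.lower())


def generate_username(surname: str, forenames: str, taken: set) -> str:
    """Return a username unique with respect to `taken` (live and reserved names).

    Steps follow the page: surname truncated to 12 letters; then initials appended
    one at a time while the result stays within 12 characters; then an 11 character
    stem plus a number counting up from 1.
    """
    base = _letters(surname)[:MAX_LEN]
    if not base:
        raise ValueError("surname contains no usable letters")
    if base not in taken:
        return base

    # Step 2: only applies while the candidate is shorter than 12 characters.
    candidate = base
    for forename in forenames.split():
        initial = _letters(forename)[:1]
        if not initial:
            continue
        if len(candidate) >= MAX_LEN:
            break  # adding another initial would exceed the limit
        candidate += initial
        if candidate not in taken:
            return candidate

    # Step 3: numbered fallback. For n < 10 the stem is 11 characters, as on the
    # page; for larger n the stem is shortened further (assumption) to stay at 12.
    n = 1
    while True:
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


def allocate(surname: str, forenames: str, taken: set) -> str:
    """Generate a username and record it as taken, returning it."""
    username = generate_username(surname, forenames, taken)
    taken.add(username)
    return username


if __name__ == "__main__":
    # Constructed sample: three people sharing a surname, then a long surname.
    registry = set()
    for person in [("Smith", "John"), ("Smith", "Jane Alice"), ("Smith", "Jane Beth"),
                   ("Smith", "Jane"), ("Featherstonehaugh", "Ann")]:
        print(person, "->", allocate(*person, registry))
```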
Different username formats are generally not allowed (e.g. firstnames) as this hinders the fairness of the process and ability to make unique usernames.
Once an account expires the username remains reserved for 800 days after which the old account record is permanently expired and the username released for reuse. Files associated with the expired account are wiped automatically at the end of the reserved period.
Associated with each account is also a long format email address of the form firstname [dot] lastname [-at-] maths [dot] ox [dot] ac [dot] uk, so even if the short format username [-at-] maths [dot] ox [dot] ac [dot] uk is not the most desired address, each user also has a very human-readable address format too.
Account Closure
- Accounts will be set to automatically expire, usually one month after the end of a user's course/contract/project. The actual expiry date will be displayed when the user first logs in.
- At 28/7/1 days to go to closure the user will be emailed a warning message explaining how they can ask for an extension.
- Account extension will only be granted for academic reasons.
- Accounts will not be extended indefinitely; it is the user's responsibility on leaving the Institute to arrange suitable new computing facilities.
Email Forwarding
After an account expires an automatic email forwarding service is offered for one year.
Junk Email
All email to departmental addresses passes through the OUCS mail scanner. This blocks any emails containing a virus. Depending on the type of virus the sender is notified if appropriate.
All email is also tagged as to whether it looks like spam, so that users may filter out messages as they choose.
Review of new technologies and IT staff training
The IT team specifically budget for books and documentation in order to stay abreast of changing technologies although much research of IT systems can be done on the web. Any large training fees occasionally required for courses IT staff need to attend are typically requested from departmental funds.
All IT team members are generally expected to attend the annual University IT conference and also encouraged to occasionally attend national/international conferences of relevance.
Disciplinary Processes
Should an individual be found to have breached the departmental or university IT rules and policies, then in the first instance the matter would be reported to the Head of ICT and IT would conduct a preliminary investigation. Dependent on the findings of any preliminary investigation, it may simply be necessary to make the individual aware of the rule/policy they are breaching and obtain confirmation it will not happen again. For more serious matters the incident would be reported to the Executive Committee and Chairman of the Department and appropriate disciplinary action agreed.
Cease and Desist Notices / Copyright Infringement
The university regularly receives cease and desist notices for matters such as copyright infringement. In such a case the individual responsible for the infringement will be identified. The individual will be charged a fine (£100) for the infringement and the copyright material must be removed from the machine. Where possible this fine will be deducted from the individual's payslip. It is often the case that the machine involved will be running a BitTorrent client. Running such a client is no longer banned by university wide policy, but the use of such clients must not be for illegal purposes and must not make excessive use of network bandwidth or impact on others' use of the network in other ways. Failure to pay the fine and remove the illegally obtained material may result in the closure or suspension of the individual's access to departmental IT facilities (including network connection of a personal machine).
