This document outlines key IT policy statements.
Provision of accounts and service
The department provides a wide range of IT services (e.g. managed desktops, file space, email, web space, remote access, access to course materials, wifi etc). To access such services a maths IT account is typically required. Such an account is only issued following the relevant approval. In the majority of cases the Maths IT facilities application form is completed and returned as part of larger processes such as personnel (for employees/staff), academic administration (for graduate students or teaching staff external to the department) or visitor process rather than by direct application and hence the account is preopened ready for your arrival. Accounts cannot be provided without the necessary checks and authorisation.
Some services not managed by the departmental IT team are also available within the building, most notably some wifi services such as eduroam (account provision is from your home institution central IT Service) and The Cloud (self service sign up subject to The Cloud terms and conditions).
Regulations for use of IT facilities
These are displayed on the IT notices web page and may be updated from time to time. All users are bound by the current version of the rules being displayed.
In particular users should note they are personally responsible for any illegal activity they undertake or that occurs from their account or device, e.g. should the department receive a cease and desist notice as a result of someone downloading software illegally then the individual will be traced and any fines, charges or other penalties passed on to the individual.
A breach of the regulations for use, or of IT policy in general, is a serious matter and should be reported so that any formal disciplinary action or review may take place.
Individuals may be held personally responsible for any breach of the law.
Web page regulations
These are displayed on the IT notices web page and may be updated from time to time. All users are bound by the current version of the rules being displayed.
IT service agreement
The conditions of service are displayed on the IT notices web page.
See the green IT page for specific information on departmental practices and policy.
All critical equipment is kept in locked and alarmed rooms.
Default desktop/user account configuration is for screens to lock after a given period of inactivity. Users should in general lock the screen if they leave their computer (particularly if the office itself is shared or unlocked).
All traffic in and out of the Oxford network passes through the university firewall.
The department has its own firewall as well which broadly implements the following:
- No restrictions on outgoing TCP traffic except that the source address must be from our subnet range.
- Disallow almost all UDP (this is vital to protect essential internal services that use UDP).
- Disallow all incoming TCP except AUTH to all machines and SMTP, IMAP(S), NTP, DNS, SSH, HTTP(S) to the specific machines that host these services.
Note that NTP, and DNS for ordinary queries, run over UDP rather than TCP, so the machines hosting those services also need matching exceptions to the UDP rule above; DNS over TCP is mainly used for zone transfers and for responses too large to fit in a UDP reply.
Anti virus policy
All Institute-maintained Windows machines run the latest version of Sophos and automatically update as new virus identity (IDE) files become available.
All email to department addresses is relayed through the central IT Services virus scanner.
For departmentally owned but personally held items (e.g. laptops) the department will typically provide the machine with an initial installation, after which the machine is the keeper's responsibility to maintain and support, and this includes ensuring the anti-virus software is up to date. If such machines do develop problems the department will do its best to help but cannot guarantee to resolve the problem or reinstall the machine quickly.
In general Institute-maintained machines are security patched/updated at the earliest reasonable opportunity after a security patch/update is released or a vulnerability is announced. However, depending on the particular system and vulnerability, patches/updates may not always be available, or applying them may itself introduce problems or not be possible for other reasons, and hence security announcements may be individually reviewed before appropriate action is taken. IT staff subscribe to recognised security mailing lists to ensure they are aware of new vulnerabilities as they are announced. University policy requires that critical security updates are applied to machines within one week, and ideally sooner. This university requirement also applies to personally managed equipment that may connect to university systems and services.
The maths account password changer uses a strength algorithm to ensure passwords are sufficiently strong. Once you have changed your initial randomly generated cryptic password, the department does not in general require you to change it again. You should change it when it suits you or if you are concerned you may have used it in an insecure setting. Please report any password concerns immediately to the IT Team. It is often easier (for humans to remember) to use a longer sequence of words (a passphrase) as a secure password than a shorter more cryptic format.
Keyloggers and other possible password breaches
If the department receives a report that an individual has been using a machine which is infected with a keylogger or poses some other risk to password security then the user's account will be immediately locked. The user will then need to confirm that they are either no longer using the compromised system or that the system has been cleaned before they can be issued with a new password, by visiting a member of the departmental IT Team with proof of ID (typically a university card).
Information on departmental computer systems is held in compliance with the University policy on Information Security and the Departmental policy on Information Security. See also the departmental pages on data protection and research using data involving humans.
Also note that all material on the departmental web pages (whether publicly accessible or not) is covered by copyright unless otherwise stated. The main exception is the course materials published under the open courseware principles.
Individuals should report any observed or suspected security weaknesses.
At Risk Period / System Reboots
Servers and Services
The University/central IT Services at risk period is 7am-9am on Tuesdays. Unless updates to central university facilities are urgent, e.g. system failure, major security update, central IT Services will in general schedule reboots and outages for this period. Outages or reboots of central IT Services servers may have an impact on facilities within the department, e.g. affect the department's connections between buildings or connections out of the university etc.
The organisation that runs the academic network JANET linking higher education sites to each other and the Internet, UKERNA, designates 8am-10am on Tuesdays as an at risk time when they can shut down or reconfigure systems at little or no notice for emergencies.
Within the department, changes to critical systems (e.g. file and mail servers) that require significant down time are, as far as reasonably possible, scheduled with at least a week's notice and where necessary conducted out of core hours.
The department has an at risk period of 12 noon - 2pm on Tuesdays for changes that need to be made within core hours. Other changes that may affect service provision may be made out of core hours when possible to minimise disruption. If these changes are to critical systems then they will typically be announced with several days' to a week's notice. Changes that may only briefly affect a system or service are less likely to be announced, to minimise the number of notification emails for things that most users will not even notice.
For urgent changes that require quick action an announcement will typically be sent out notifying people of the scheduled time. That time will be dependent on the urgency of the issue but whenever possible will be out of hours for long outages. Brief outages may occur within the day if appropriate but out of hours where necessary / more acceptable.
Updates to Linux desktop systems are common. The vast majority require no reboot and happen automatically. Those that require a reboot trigger a warning to the users on the system asking them to log out. Once all users have logged out the system reboots within 5 minutes. If the users do not log out they receive regular on-screen warnings for 3 days, after which they receive an email warning. If the users still have not logged out 6 days after the update was scheduled they receive a further email indicating that the machine will reboot automatically in 24 hours. In some cases the security update eliminates a major risk and may need to be forced through more quickly.
MS Windows is configured to automatically apply Microsoft security updates on the desktop machines. Microsoft typically release major updates on the second Tuesday of every month and these updates can force the machine to reboot. Occasionally for more serious issues they will push an update sooner. Other updates are typically reviewed on a case by case basis and applied as appropriate.
Any machine purchased by the Institute remains the property of the Institute even if the machine is located outside of the buildings (e.g. in college, laptops etc).
Most research grants state that the ownership of a machine purchased from the grant falls to the Institute once the period of the research grant ends.
Note mobile and personally held items must be signed for so the department has a record of the keeper. When you come to leave the department, or if you no longer need an item, you must contact the Director of IT (email@example.com), so that appropriate arrangements can be made. Depending on the age of the equipment, or if it was purchased on a specific grant where the equipment moves with the person, it can be possible to keep equipment when leaving the department. However, this needs to be confirmed for every item and the department is required to update the departmental asset register appropriately.
If the department is audited the auditors may ask to see any item on the departmental asset register. If the item is a personal item they will ask for it to be brought in for them to confirm the records are correct.
- All desktop PCs are purchased with 4 year warranties.
- All servers are typically purchased with extended warranties for up to 5 years' cover.
IT budget, purchasing and provision
The annual IT budget is intended to support the general work of the Department in teaching, research and administration. It is used to provide standard facilities within the department for the academic and administrative staff, and for the students in the Department, to carry out their normal duties in the University. It is not intended to provide more advanced facilities for specific research projects, although, if funds are available, it may be appropriate in some cases to make a contribution from the equipment budget to seed an application to a grant-giving body. In general, applicants for research grants should always seek to obtain the funds needed to cover the equipment requirements and computer support costs of their projects. The equipment needs of staff employed on grants should wherever possible be met from those grants.
The annual IT budget request is produced by the Director of IT based on the equipment needed for the general rolling replacement scheme and specific requirements for that year, combined with information and feedback provided by key committees (e.g. teaching, research and department) and department members. The budget is presented to the Department Committee, along with the other budget requests for the year. The Department Committee then agrees the overall department budget request which is submitted to the division. Based on the funds ultimately agreed by the division the Director of IT then makes minor revisions to the budget if required.
Purchases are then typically made throughout the financial year by the Director of IT. In order to obtain the best prices rolling replacement purchases are typically batched into three orders per year (e.g. for desktop PCs).
The current policy for academic users is to provide one machine per person (where desired) with a dedicated desk space within the department.
Current policy is to buy standard PCs for desktop use. Based on consultation with users and experience built up from operating a rolling replacement scheme for many years, this currently (January 2020) equates to approximately a micro desktop PC with Intel i5 processor, 16GB RAM and solid state disk that is almost silent. Should an academic faculty member prefer a laptop instead of a desktop in their office then they may be allocated equivalent funds towards the purchase. Similarly should an academic faculty member prefer an Apple Mac instead of a standard desktop in their office then they may be allocated equivalent funds towards the purchase. Desktops and laptops are typically purchased from Lenovo although prices and providers are reviewed periodically (e.g. considering Dell, HP and smaller companies like PC Specialist etc).
The desktops are typically of a level suitable for most users for 4-5 years. Most machines run a multi-user OS (e.g. Linux) so any variation in usage or small under-utilisation may be made use of by remote users running suitably niced/scheduled jobs. Ultimately at about 4-5 years the machine is retired from use and either donated to students, staff and charities etc or scrapped as appropriate.
IT facilitate the purchase of laptops for faculty, research fellows and postdocs. For those with access to eligible research funding, the cost of the laptop will be charged to their research project/grant. Where no or insufficient eligible research funding is available the departmental laptop policies for faculty and postdoctoral researchers apply, by which the individual can request a standard specification laptop (currently a Lenovo X1 carbon or Macbook Pro: i5 processor, 16GB RAM, 256GB SSD disk space per operating system; costing £1.3-1.5k) at most every 4 years with the shortfall in any cost being covered from the faculty laptop budget.
Given most research fellows and postdoc positions are 2-3 years in duration the department will have some returned laptops with several years of useful life remaining. These laptops will be freshly reinstalled and issued to new postdocs rather than supplying brand new machines to every person.
Faculty may also utilise other departmental sources of funding available to them (e.g. Research incentive funds) to top up the funds if a higher specification machine is desired.
All laptops purchased remain the property of the Mathematical Institute and must be returned to the department at the end of the employment or upon request. This includes items funded by the majority of research grants, where ownership of a machine purchased from the grant falls to the Institute once the period of the research grant ends. If an individual wishes to retain an item at the point they leave then they must contact the Director of IT & Physical Resources or Head of IT to agree the 'fair price' for the item that can be paid in order to take ownership of the device. The fair price is typically the second-hand value of the item as seen on online trading sites.
Current policy is to buy higher spec rack mount systems as servers or computational machines (typically from Lenovo, Inspur or Rackservers). These machines typically have redundant disks and power supplies as well as multiple processors.
Workgroup network black and white and colour printers are provided in public areas around the department as required.
Small/personal printers are discouraged as far as possible as they require unnecessary additional time to configure, manage, troubleshoot etc. Locally attached printers typically require even more time to manage and so are not supported.
Unless there is a clearly defined need for a printer within a specific office personal/individual room printers are not provided. Any need will be reviewed against existing comparable use elsewhere within the department to ensure consistency of policy and provision.
Whenever a printer needs replacing or reviewing or a room is rearranged or retasked the printing provision will be reviewed against the above policy and with an aim to reduce the number of printer locations and total number of printers.
A number of the print alcoves contain larger print/copy/scan devices from which scans can be made to email or USB storage. These should meet the needs of almost all individuals. If a request for a scanner in an individual office is made it will be reviewed to determine if there is a clearly defined need that is not met by the general provision.
The larger print/copy/scan devices also support document release (a job is held until its owner releases it at the device) and so can be used for reasonable levels of confidential printing.
Process for IT equipment purchases from research grant funds
IT equipment purchases against research grant funds should be discussed with and raised through the Director of IT & Physical Resources or Head of IT. The Research Grants Manager and Finance Team confirm funds are available and approve the progression of purchase orders. Equipment orders will not be raised for items where there is a concern they may arrive after the grant ends, unless the individual also specifies an alternate source of funds, that lasts sufficiently longer, that they will use to cover the expense if required. In particular orders for higher cost or custom specification items are unlikely to be progressed, without fallback funding in place, if not agreed and raised before the final 3 months of the grant; lower cost standard specification items are unlikely to be progressed, without fallback funding in place, if not raised before the final 6 weeks of the grant.
Network provision and connection
The entire network is twisted pair of at least CAT5 standard (and primarily CAT6a) connected through switches. The internal network backbone runs at 1Gbps. Central IT Services currently provides the department with a 10Gbps link to the university backbone.
Network connection within the department is in accordance with the university policy on connection. In particular connection to the main departmental trusted/managed network is restricted to departmentally managed machines and access to those systems with administrator privileges is restricted to departmental IT staff only.
An individual may connect a self-managed machine to a separate network via wifi (eduroam is recommended for most uses although laptops can also be connected to a maths-specific wifi network). Only dynamically allocated (not fixed) IP addresses are issued. Such a private/separate subnet sits behind a suitable firewall and/or captive portal.
It is the machine owner's responsibility to maintain the security of their machine by applying appropriate patches and running suitable anti-virus software etc. Any user not properly maintaining their own machine runs the risk of their connection being withdrawn/blocked. In such a situation the user is required to have the machine scanned, the problem addressed, and the machine confirmed as clean and no longer vulnerable to a return of the original issue.
The IT Team provide a standard install for the Linux, Mac and Windows systems (similar, but not identical, for desktops and laptops) purchased by the department from departmental or research grant funds.
Users may make additional software requests by emailing IT help. If there are no cost implications the IT Team will endeavour to install the software for you (particularly if it is likely to be of general use to others).
As indicated in the computer use regulations, users may not install unlicensed software. A user may, however, install suitably licensed software (e.g. open source) within their account or on the local machine's hard disk under the partition provided.
The cost of licensed software that is not free or under a university site license is covered from the main IT budget provided that it is seen to be of use to a range of department users and hence a core package (e.g. mathematica, matlab). If software is for a specialist project, limited number of users or research groups then the funds to purchases it are typically required from individual or research group grants. Those license costs covered by the core IT budget are reviewed each year to ensure we continue to centrally fund the most widely used applications.
Software installed as part of the departmental standard desktop install done by the IT team is supported to some level (although this may be very limited). The IT team cannot, however, be expected to be experts in the use of all software, so for some applications the support is limited to trying to ensure it runs and is kept up to date and secure. As noted above, where possible we will make available software requested by individuals but this does not guarantee any specific level of support for that software. Support of a given application, as with any other IT system, is based on the availability of support resources and the appropriate priority of the problem. This is particularly relevant to applications that are not generally required for research, teaching or administrative functions of the department but have nevertheless been requested and provided (an historical example might be an MSN client: the use of MSN for personal communication is permitted but there is no guarantee of support or service). The software installed may need to be reviewed as the system is updated and upgraded, and as such applications may be withdrawn if they cannot reasonably be supported at that time (e.g. when a package is no longer provided as part of the standard distribution used, or when a package built in house no longer builds/runs on updated/upgraded systems).
Users may install software themselves, subject to the limitations of the system setup, provided they do not breach any rules, licensing agreement etc. Any such software installed by an individual has no guaranteed support from the department for that user or anyone else who may try to access that installation. If the departmental standard install changes and such an application no longer functions then the department cannot guarantee any support for the issue.
In the case of laptops the machine is installed dual boot if required using the departments standard Windows and Linux laptop installations. The machine is configured to operate without dependence on the department's IT services running in a standalone manner but able to make use of standard network services wherever they are provided. After the initial installation the machine is handed over to the keeper to maintain and support in general thereafter. See the information above in the anti-virus section about making sure such personally managed machines have up to date anti virus software.
The IT team can provide users with advice on installation and configuration of personally purchased machines but does not provide an installation and management service for personal systems.
The machines currently bought for offices are of a small form factor in order to take up the minimum space possible. Departmentally provided desktops and other network equipment must not be disconnected (from the mains or network) or removed. If you will be occupying a desk for more than a year, have no need for the departmentally provided machine, and would like it all removed (i.e. desktop, monitor, keyboard and mouse) then contact firstname.lastname@example.org. Machines disconnected without prior consultation with the IT team will trigger alarms suggesting machine problems or possible theft - needless false alarms due to user interference will thus lead to wasted IT staff time.
Office machines should in general remain placed on the desk (and not be placed on the floor or in very inaccessible locations). Inaccessible placement typically results in the machine sucking in more dust (and hence failing more often or more quickly). Inaccessible placement also has implications for health and safety. It is not good for the user to have to bend in awkward directions simply to plug in a USB pen drive; similarly it is not good for support staff to have to crawl under desks to investigate problems or to replace machines.
Some individuals may obtain grants for larger desktops/small compute machines. Such machines typically produce more heat and noise (compared to the very low noise and heat of small form factor desktops). In order to avoid problems it is always sensible to take this into consideration before ordering such a machine or applying for a grant. If the machine is for someone in a shared office then the other occupants need to be taken into consideration. If they are not happy with the noise/heat they may ask for the machine to be removed. Placing small compute machines in the server room is not generally possible due to space constraints, and as such we would generally recommend careful consideration of the options, as it may be better to put the funds towards a higher spec shared compute machine that makes more efficient use of space and thus may be appropriate for the server room.
- Each user is given an initial quota of ~25GB for their home directory (only ~3% of users currently exceed the ~25GB limit, and no user exceeds 60GB).
- Each user has an initial mail quota of 20GB (many users will typically only ever use up to 5GB of mail storage, only ~2% of users currently exceed the 20GB default limit, and no user exceeds 60GB).
- All users can request additional home directory and/or mail quota by emailing email@example.com stating how much they need and why.
- Personal web space usage is monitored and each user is limited to up to 10GB of usage. This provides the flexibility to occasionally place larger files on the web server but in general a user will use less than 1GB of web space.
All user files stored on the main servers are backed up nightly to the department's internal backup system. The internal backup system typically holds 28 daily backups and a further 9 weekly backups and may also hold a further 9 monthly backups, to give an overall backup period of about 1 year. The servers are also backed up nightly to the university's central backup system for additional redundancy and disaster recovery.
All Linux desktops have a 50GB+ local partition which users may use to store additional files (e.g. large data sets, PDFs of downloaded papers etc). This partition is backed up weekly to the university's central backup system.
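One way to implement the 28 daily / 9 weekly / 9 monthly retention described above, as an added example in Python rather than the department's actual backup tooling. It assumes one backup per night, that the weekly tier keeps the newest backup from each ISO week older than the daily window, and that the monthly tier keeps the newest backup from each calendar month older than those weeks; the text above does not say how the tiers are chosen, so those rules are assumptions. Anything not classified into a tier is due for deletion.

```python
from datetime import date, timedelta


def retained_backups(backups, daily=28, weekly=9, monthly=9):
    """Classify nightly backup dates into the tiers to retain.

    Assumed interpretation of the 28/9/9 scheme:
      daily   - the newest `daily` backups are kept as they are;
      weekly  - of the older backups, the newest one from each ISO week is
                kept, for `weekly` distinct weeks;
      monthly - of what is older than those weeks, the newest one from each
                calendar month is kept, for `monthly` distinct months.
    Returns {date: tier}; a backup absent from the result is due for deletion.
    """
    newest_first = sorted(set(backups), reverse=True)
    keep = {}

    for d in newest_first[:daily]:
        keep[d] = "daily"

    older = newest_first[daily:]
    weeks_kept = []  # (iso_year, iso_week), newest first
    for d in older:
        week = tuple(d.isocalendar()[:2])
        if week in weeks_kept:
            continue  # a newer backup from this week is already kept
        if len(weeks_kept) == weekly:
            break
        weeks_kept.append(week)
        keep[d] = "weekly"

    # Monthly candidates are everything older than the weeks already covered.
    older = [d for d in older if tuple(d.isocalendar()[:2]) not in weeks_kept]
    months_kept = []  # (year, month), newest first
    for d in older:
        month = (d.year, d.month)
        if month in months_kept:
            continue
        if len(months_kept) == monthly:
            break
        months_kept.append(month)
        keep[d] = "monthly"

    return keep


def expired_backups(backups, **tiers):
    """Backups that fall outside every tier, oldest first."""
    keep = retained_backups(backups, **tiers)
    return sorted(d for d in set(backups) if d not in keep)


def example():
    """Constructed sample: 400 consecutive nightly backups ending 2020-01-31.
    Returns the retained set keyed by ISO date string."""
    today = date(2020, 1, 31)
    nightly = [today - timedelta(days=i) for i in range(400)]
    return {d.isoformat(): tier for d, tier in retained_backups(nightly).items()}


if __name__ == "__main__":
    for day, tier in sorted(example().items(), reverse=True):
        print(day, tier)
```

With the constructed sample the 28 dailies run back to 2020-01-04, the 9 weeklies are the Sunday (or, for the partial first week, the latest available) backups back to 2019-11-10, and the 9 monthlies are the month-end backups back to 2019-03-31, which is the roughly one-year horizon the paragraph describes; the remaining 354 backups would be deleted.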
Although the IT Officers will try to ensure that the system is operational at all times and that files are regularly backed-up, the Institute will not accept responsibility for any failure of the system or any loss of data.
Examining Users' Data
Policy on the examination of a user's data is covered in the University's regulations relating to the use of IT.
Under normal circumstances an individual is the only person with access to data in their home directory/mail store. Data held in various shares is only accessible by the specific group of individuals with shared ownership of that data.
Should a request be made to examine one user's data or to provide it to another, IT staff will make significant efforts to ensure that this is done with the user's permission. If an individual cannot be contacted to give permission, the need to access the data should also be considered. Only if it is absolutely necessary to access the data immediately, and it cannot wait until the owner's permission can be obtained, will the IT staff escalate the procedure. Typically this means obtaining permission from the Director of IT, who may in turn consult others or investigate further to determine that the access is essential. Permission may also be given by the Head of Department. In the absence of the Director of IT, the Head of Administration should be approached in the first instance to obtain access permission.
No general access to another users data/files/email would be given under the above terms, only access to (a copy of) the specific piece of data requested and approved.
Where user support requests are raised in relation to files, emails, webpage, application settings or configuration etc, then where appropriate IT staff may inspect the individual piece of data, or in some cases use tools that allow them to view the problem from the users perspective, to provide suitable assistance. The support request referencing the particular data, setting etc is taken as permission to inspect the content as appropriate. The vast majority of support requests do not require inspection of such data in these ways. Where such elevated access is used, the minimal amount of access and investigation needed will be undertaken, and IT staff must take suitable care when performing such operations.
Taking/transferring data off departmental systems
The department offers a range of remote access options which can facilitate remote working without the need to transfer/copy files off the departmental systems. If remote working is not practical one should consider the risks when transferring files off the system (e.g. loss of work if other system has no robust backup mechanism, access to the files being compromised if the other system is not secure and well managed etc). If one transfers files over the network a secure transfer mechanism should be used, e.g. sftp. If one transfers files using physical media one should carefully consider the importance of that data and take appropriate precautions to keep it secure (e.g. one might encrypt the files on the physical media). Having transferred files to a remote system or removable media there is then a responsibility to manage those files appropriately and in particular remove them from the media/remote system when no longer required to ensure they do not later mistakenly become accessible by unauthorised individuals.
As stated above in the security section, information on departmental computer systems is held in compliance with the University policy on Information Security and the departmental information security policy. See also the departmental pages on data protection and research using data involving humans.
All usernames are generated using an algorithm to ensure there are no clashes. The broad algorithm is to take the first 12 letters of a person's surname. If this is not unique and less than 12 characters then the initials are added one by one until a unique username is produced provided it is still at most 12 characters. If the 12 character username is not unique then it is reduced to 11 characters and a number added, starting at one and increasing until a unique username is produced.
Different username formats are generally not allowed (e.g. firstnames) as this hinders the fairness of the process and ability to make unique usernames.
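The allocation rules above, as an added example in Python (not the department's own account tooling). It assumes surnames are reduced to lower-case ASCII letters before truncation, that initials are taken from the given names in order, and that when the initials run out (or a numeric suffix grows past one digit) the stem is shortened so the result still fits in 12 characters; none of those details is stated above, so they are assumptions.

```python
import re


def _letters(name: str) -> str:
    """Reduce a name to lower-case ASCII letters. Assumption: the text does
    not say how hyphens, apostrophes, spaces or accented letters are treated."""
    return re.sub(r"[^a-z]", "", name.lower())


def make_username(forenames, surname, taken, max_len=12):
    """Return a unique username following the scheme described above.

    forenames: given names in order (their first letters supply the initials)
    surname:   the surname
    taken:     set of usernames already in use or still reserved
    """
    base = _letters(surname)[:max_len]
    if not base:
        raise ValueError("surname contains no usable letters")
    if base not in taken:
        return base

    # Step 2: append initials one at a time while the result still fits.
    if len(base) < max_len:
        candidate = base
        for name in forenames:
            initial = _letters(name)[:1]
            if not initial:
                continue
            if len(candidate) + 1 > max_len:
                break
            candidate += initial
            if candidate not in taken:
                return candidate

    # Step 3: shorten to max_len - 1 characters and append 1, 2, 3, ...
    # Assumption: once the number reaches two digits the stem is shortened
    # further so the username never exceeds max_len.
    stem = base[:max_len - 1]
    n = 1
    while True:
        suffix = str(n)
        candidate = stem[:max_len - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


def allocate(people, taken=None, max_len=12):
    """Allocate usernames for (forenames, surname) pairs in order, reserving
    each one as it is issued, and return them in the same order."""
    taken = set(taken or ())
    issued = []
    for forenames, surname in people:
        username = make_username(forenames, surname, taken, max_len)
        taken.add(username)
        issued.append(username)
    return issued


if __name__ == "__main__":
    # Constructed sample input, not real account data.
    print(allocate([
        (["Ada"], "Lovelace"),
        (["Augusta", "Ada"], "Lovelace"),
        (["Byron"], "Lovelace"),
        (["Alan"], "Featherstonehaugh"),
        (["Alan", "Mathison"], "Featherstonehaugh"),
    ]))
```

The `taken` set should include names still in their reserved period (see below), otherwise a released-and-reissued username could collide with an address that is still being forwarded.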
Once an account expires the username remains reserved for 800 days after which the old account record is permanently expired and the username released for reuse. Files associated with the expired account are wiped automatically at certain time points during this reserved period.
Associated with each account is also a long-format email address of the form firstname.lastname@example.org, so even if the short-format address email@example.com is not the most desired one, each user also has a very human-readable address.
- Accounts will be set to automatically expire usually one month after the end of a users course/ contract/ project.
- At 28/7/1 days to go to closure the user will be emailed a warning message explaining how they can ask for an extension.
- Account extension will only be granted for academic reasons.
- Accounts will not be extended indefinitely; it is the user's responsibility on leaving the Institute to arrange suitable new computing facilities.
After an account expires an automatic email forwarding service is offered for one year.
All email to departmental addresses passes through the central IT services mail scanner. This blocks any emails containing a virus. Depending on the type of virus the sender is notified if appropriate.
All email is also tagged as to whether it looks like spam so that users may filter out messages as they choose.
The department does not hold a TV license nor provide facilities intended for the viewing of live TV.
Review of new technologies and IT staff training
The IT team may budget for books and documentation in order to stay abreast of changing technologies although most research of IT systems can be done on the web. Any large training fees occasionally required for courses IT staff need to attend are typically requested from departmental funds.
All IT team members are generally expected to attend the annual University IT conference and also encouraged to occasionally attend national/international conferences of relevance.
Should an individual be found to have breached the departmental or university IT rules and policies then in the first instance the matter would be reported to the Director of IT and IT would conduct a preliminary investigation. Depending on the findings of any preliminary investigation it may simply be necessary to make the individual aware of the rule/policy they are breaching and obtain confirmation it will not happen again. For more serious matters the incident would be reported to the Executive Committee and Head of Department and appropriate disciplinary action agreed.
Cease and Desist Notices / Copyright Infringement
The university regularly receives cease and desist notices for matters such as copyright infringement. In such a case the individual responsible for the infringement will be identified. The individual will be charged a fine (£100) for the infringement and the copyright material must be removed from the machine. Where possible this fine will be deducted from the individual's payslip. It is often the case that the machine involved will be running a BitTorrent client. Running such a client is no longer banned by university-wide policy, but the use of such clients must not be for illegal purposes and must not make excessive use of network bandwidth or impact on others' use of the network in other ways. Failure to pay the fine and remove the illegally obtained material may result in the closure or suspension of the individual's access to departmental IT facilities (including network connection of a personal machine).
Some examples of service and support that are not in general provided/possible include guaranteed network bandwidth, dedicated leased broadband lines, wired network connection for self managed machines, additional wifi SSIDs, custom or dedicated servers, custom firewall holes/security changes, guaranteed continuity of service, out of hours on site support.