Policy for Self-Administered Computer Systems

Aim

This Policy concerns entire computer systems or parts thereof, such as software, that are available at KTH Royal Institute of Technology and that are administered and maintained by people other than Computer Systems staff. The Policy is addressed to you who will be carrying out this work as well as to you as manager or equivalent of such a person. The aim of the Policy is to ensure a high level of accessibility and security in relation to the systems and to avoid data loss, data theft, intrusion, sabotage and the like. The purpose is to protect not only the system in question but also other KTH system resources as well as the outside world, as it should not be possible to use KTH computers in attacking other parties. The aim is further to make clear the level of responsibility and work required to do this, so as to assist managers in ensuring that time is set aside for those who are to carry out the work.

Background

In certain contexts it can be appropriate for the computer system to be administered and maintained by the researchers or others themselves, for instance, when the use of it requires great control over the entire computer environment or a high level of expertise held by the administrators. However, this solution often involves additional work and costs for the organization. First, the administrators are required to spend time on continuous learning and administrative work in order to maintain the computer, including software, in good condition. Second, there may be additional work for the organization as a whole due to complex support issues, investigations of computer intrusions, intrusions also affecting other systems, users who are unsure as to the level of support and security in relation to the different computer systems, loss of data due to failure to backup etc.

This Policy describes the way in which it should be possible for self-administered computer systems to be run as smoothly as possible for all parties concerned.

Computer systems covered by the Policy

The term computer system here refers to a complete computer system or parts thereof, such as software.

The Policy applies to the following types of systems:

  • Computer systems that are of importance to the organization
  • Computer systems that can potentially be exposed to or used for intrusion attempts

Examples of computer systems covered by the Policy:

  • A computer that is connected to the computer network
  • A booking system for lab reports
  • A web application that is accessible to others

Examples of computer systems not covered by the Policy:

  • Software intended for private use that is not available to others
  • A static web page that does not use code

Computer systems used at KTH must fulfil the following requirements

For each computer system there shall be at least one administrator responsible, who should also be the contact person. The administrators are responsible for the system being maintained in accordance with this Policy at all times. In case the administrators are unable to monitor and maintain the system, for instance during holiday periods, trips, etc., the responsibility should be handed over to someone else or the system should be shut down. It is the responsibility of the manager or equivalent to ensure that all systems are administered at all times. It is not allowed to let systems deteriorate or become forgotten.

The computer systems should always be updated on a regular basis in order to avoid security holes and similar issues. Unnecessary delay should be avoided. Even if automatic updates are used, continuous monitoring is necessary in order to ensure that they work. If it is no longer possible to update a computer system, for example due to the age of the product, it should no longer be used or it should be isolated from the computer network and other computer systems.

Prior to introducing a system, an assessment should be made of its needs and risks, to ensure that the necessary measures can be taken both initially and continuously in order to operate the system with the required level of stability and security. For example, an analysis must be made of the need for backup of the system, access restriction, user risks, intrusion risks, etc.

The system administrators must continuously keep themselves informed about security problems, product expiry, etc. This applies also to other systems that the system is based on. Such information may be obtained via relevant mailing lists or other quick information channels.

It is necessary that the system administrators set aside working time to maintain the computer system in good condition and to keep themselves duly informed. Additionally, sudden efforts may be required, for instance upon the discovery of security holes or intrusions. The manager or equivalent should be well aware of this, to ensure that the required working time is available to the administrators.

Information regarding the system contact persons, aim, software in use, dependencies, target group/user group and other relevant information, such as network addresses, should be reported to the system group or equivalent operational unit responsible for technical and security aspects of the local network. If the responsibility for the system is handed over to someone else, even if briefly, this must also be reported. Exemptions from the notification requirement can be decided on locally by the system group or equivalent in cases where the notification would serve no clear purpose, for instance, software that is not in use within the organization and that can clearly be linked to a user, such as a private web application within a user’s web application directory.

There should be no doubt as to who is responsible for and runs the different computer services. Nobody should accidentally have to expose a password for a system different to the one intended. Therefore, it should be clearly stated who is responsible for the system and its purpose, preferably prior to login or equivalent.

If the system uses passwords or another form of authentication, this information should be transmitted with a high level of security, for instance encrypted as appropriate, or otherwise secured against interception and intrusion. The administrator shall, in consultation with the system group or equivalent, consider whether users should be advised not to use the same password in this system as in others. If an adequate level of password protection cannot be achieved, all users should be informed about this so as to ensure that they understand the importance of not using the same password as in other systems.

If the system is integrated with another system in terms of security, for example by using the user authentication or login mechanisms of another system, consent must first be given by the owner of the other system. The owner in question should be given the opportunity to make a security assessment in order to determine whether the security level is satisfactory or if the integration will increase the risk of, for instance, passwords or other security-related information becoming compromised.

If the computer system contains valuable data, regular backups should be carried out. In case the data is not backed up, all concerned parties should be well aware of this.

The administrators are responsible for ensuring that any required hardware and software licences exist and that their conditions are met.

The administrators are responsible for ensuring that any applicable policies, laws, regulations and conditions are met. For instance, copyrighted materials must not be distributed. It is the responsibility of the administrator to keep informed as to what rules apply.

If the system has multiple users, the KTH contingent liability for the use of computers shall apply and be signed by all users. The administrators are further to follow the KTH guidelines “Responsibility, authority and liability of the system administrator – Guidelines no 7/97” or a later version of these. Information regarding user groups, account management, and where the contingent liability forms are kept, should be submitted to the system group or equivalent. Fully open services, such as public web information, are exempt from the requirement for contingent liability for users. Certain other simple services, for example a discussion forum, may possibly be exempt in a similar way but shall be assessed on a case-by-case basis.

If an intrusion is discovered it shall be reported to the system group or equivalent and/or the KTH Incident Response Team (IRT), in order to jointly assess the level of damage and whether other users and/or systems have been affected.

A computer system may be completely or partially isolated, shut down or detained for investigation should this be assessed as necessary by the network administrator, systems staff or IRT. Some examples of when this may be appropriate:

  • The computer system has been subject to an intrusion
  • The security of the computer system is assessed as vulnerable
  • The computer system interferes with other processes
  • The computer system has been used in a manner inconsistent with the laws and regulations established by SUNET, KTH, the network administrator or systems staff

It is not uncommon that an intrusion is part of a larger context where multiple intrusions and other violations may have been committed. For this reason, investigations can take time, and the system may remain completely or partially inaccessible for a long period of time.

A computer system that has been exposed to an intrusion must not be connected to the computer network or be put in use until the intrusion has been investigated and the system has been secured against intrusions. It can be very difficult to find all hidden backdoors, which is why it is often easiest and safest to carry out a complete reinstallation and only restore the minimum amount of data from backup.

Page responsible: it-support@kth.se
Belongs to: KTH Intranet
Last changed: Dec 08, 2017