|
This Acceptable Use policy (AUP) is applicable to NP Students, vendors, industrial partners as well as members of the public.
For NP Staff, please refer to this link (login required).
| |
|
| |
|
| |
|
TOPICS | |
|
|
1 GENERAL REQUIREMENTS
2 DATA HANDLING
3 ACCOUNT IDs & PASSWORDS
4 PERSONAL COMPUTERS (PCs, NOTEBOOKS or SMART DEVICES) AND ELECTRONIC STORAGE MEDIA
5 USE OF AUTHORISED SOFTWARE AND HARDWARE
6 EMAIL USAGE
7 INTERNET ACCESS, USAGE AND SOCIAL NETWORKING
8 NETWORK AND REMOTE ACCESS
9 INCIDENT REPORTING
10 RIGHTS OF THE POLYTECHNIC
11 FAILURE TO COMPLY
GLOSSARY | |
|
| |
|
| |
|
1 GENERAL REQUIREMENTS |
|
|
|
|
| |
| |
|
1.1 |
Users1 shall use the campus IT Resources3 according to the purpose for which they are provided, which is for the administrative, teaching and learning activities of NP.
|
| |
| |
| |
|
|
| |
| |
|
1.2 | Users shall familiarise themselves with the Polytechnic's IT Security Policies and Guidelines posted in the Staff Intranet.
| |
|
|
| |
| |
|
|
| |
| |
|
1.3 |
Users shall use the campus IT Resources according to the laws and regulations of the Singapore Government.
| |
| |
| |
|
|
| |
| |
|
1.4 | Staff and associates shall comply with Government Instructions Manual (IM) and other regulations and guidelines when handling Government classified data or Personal data.
| |
| |
| |
|
|
| |
| |
|
1.5 | Users shall not abuse or misuse the IT Resources and shall take all reasonable measures to safeguard against any potential abuse, misuse, malicious attacks or theft. Abuse or misuse of the IT Resources includes, but not limited to, the doing of any act that would contravene the provisions of:
a. Copyright Act;
b. Computer Misuse Act;
c. Spam Control Act;
d. Films Act;
e. Penal Code;
f. Undesirable Publications Act;
g. Broadcasting & Television Act;
h. Indecent Advertisements Act;
i. Common Gaming Houses Act;
j. Maintenance of Religious Harmony Act;
k. Singapore Broadcasting Authority Act (in particular, Internet Code of Practice);
l. Official Secrets Act; and
m. Personal Data Protection Act. | |
| |
|
|
| |
| |
|
|
| | | |
|
1.6 | Users shall not, under any circumstances and in any manner, transfer or copy any software, computer program, personal data, classified information or trade secret that is the subject of any copyright, special licence or other intellectual property right from NP or IT Resources without NP’s prior written consent.
| |
| |
| |
|
|
| |
| |
|
1.7 | Users shall not use, modify or adapt corporate IT resources for any commercial purpose or personal financial gains, unless duly authorised by NP in writing.
| |
| |
| |
|
|
| |
| |
|
1.8 | Users shall not attempt to monitor another user’s data communications nor access, read, copy, change or delete another person’s files or software without authorisation.
| |
|
|
| |
| |
|
|
| |
| |
|
1.9 |
Users shall not harass or intentionally deny or degrade another person’s legitimate access to IT resources.
| |
| |
| |
|
|
| |
| |
|
1.10 |
User shall not circumvent any technological access control or protection measures which have been applied to a work or audio-visual item or a performance. Examples of circumvention are cracking of passwords, unscrambling of encrypted information or removal of digital watermarks.
|
| |
| |
| |
|
|
| |
| |
|
1.11 | Users shall not install and use diagnostic and/or vulnerability scanning tools on NP production systems and network under any circumstances, as such tools may be used to compromise the security of the systems.
| |
| |
|
|
| |
| |
|
|
| |
| |
|
1.12 | Users shall not cause damage or otherwise attack or degrade the performance of NP network or systems.
| |
| | | |
|
|
| |
| |
|
1.13 | Upon termination of employment (for staff), termination of contract (for associates) or cessation of study (for students), users shall promptly declare and return to NP all NP assets, software, files, manuals and material of whatever description and copies thereof, and any or all material relating to the Polytechnic's business or affairs which are in his possession or under his control.
|
|
|
|
| |
| |
|
|
|
|
2 DATA HANDLING | |
|
|
|
|
2.1 |
Users1 shall not obtain data or IT services without authorisation or through fraudulent means. | |
|
|
|
|
|
2.2 | Users shall use all data obtained, including personal data, for the purpose which they were collected from individuals or obtained from other organisations. Personal data collected may not be reused for a different purpose without first seeking consent from the individuals. Users shall not pass on the data to another organisation without explicit approval from the data owner. | |
|
|
|
|
|
2.3 | Staff shall abide by the IM8 Policy on Data Management and NP’s Data Administration Policy when releasing NP data to individuals or other organisations. The Data Administration Policy is available in the
IT Service Portal. | |
|
|
|
|
|
2.4 | Staff shall exercise due diligence to ensure the confidentiality, integrity, availability and consistency of NP’s data, as well as data obtained from other organisations. | |
|
|
|
|
|
2.5 | Staff shall safeguard data in their possession in accordance to the data security classification and sensitivity level of the data. Staff shall exercise due diligence and apply the relevant methods of protection such as:
a. Secure physical objects such as documents or equipment;
b. Classify all email, data files and documents created based on the Right Classification Guide in the PMO (SNDGO) Circular Minute 12/2018.
c. Except for “Official Open” classification, label all email and documents created using MS Word, Excel and Powerpoint according to the security and sensitivity classification.
d. Encrypt classified data or personal data residing on Personal Computers and before sharing via email or other means; and
e. Adherence to relevant policies and procedures. | |
|
| |
|
|
|
|
|
|
2.6 | Staff shall not use public Internet services such as GoogleForms, SurveyMonkey etc to collect or store classified data, personal or business entity data as NP has no control over the security measures of these systems. | |
|
|
|
|
|
2.7 | Staff shall apply additional security when storing sensitive personal or business entity data on notebooks and authorised PSM. For example, set a strong password or restrict access through Rights Management Services (RMS). | |
|
|
|
|
|
2.8 | Staff shall apply additional security on the electronic file when transmitting sensitive personal or business entity data. For example, set a strong password or restrict access through Rights Management Services (RMS). | |
|
|
|
|
|
2.9 | Staff shall protect Personal Data from unintended disclosure by:
a. Verifying that the message is addressed to the correct recipient,
b. Maintaining a mailing list for regular broadcasting to specific groups, and
c. Using BCC field when mass emailing to a group, especially when personal emails are used. This is to maintain privacy of the recipients.
| |
|
|
|
|
|
Digitally Sign | |
|
2.10 | When assurance on the integrity of a sensitive document is required, staff shall digitally sign their the document before sharing the document via email or other file transfer tools.
| |
|
|
|
|
|
2.11 | When receiving a sensitive document that has been digitally signed via email or other file transfer tool, staff shall check the validity of the digital signature to confirm that the document has not been modified. In the case where digital signature is invalid, you should contact the sender. | |
|
|
|
|
|
Share Passwords Securely | |
|
2.12 | When sending a password-protected file over email, staff shall send the password via a different channel (i.e. Skype, WhatsApp). If it is not feasible to send the password via other channels, you can send a password
hint in a separate email. This requires a pre-arranged system with the recipient on how to derive the password from the hint.
| |
|
|
|
|
Email Data Protection | |
|
2.13 | When sending emails containing sensitive data, such as
NRIC number or
credit card number, you would need to acknowledge and confirm that you are intentionally sending out the email.
| |
|
|
|
3 ACCOUNT IDs & PASSWORDS | |
|
|
|
|
3.1 |
Users1 shall be responsible and accountable for all activities conducted via his/her accounts. | |
|
|
|
|
|
3.2 | Users shall keep their computer accounts and accompanying password confidential. Users shall not attempt to share or disclose their accounts to anyone. Users shall not email the information to a third party. | |
|
|
|
|
|
3.3 | Users shall not use a computer account that has been issued to another user. | |
|
|
|
|
|
3.4 | Users shall change their passwords at least once every 12 months to prevent break-in. | |
|
|
|
|
|
3.5 | Users shall change passwords whenever there is any indication of possible system or password compromise. | |
|
|
|
|
|
3.6 | Users shall not keep a record of password (e.g. on paper, soft copy file or handheld device) unless this can be stored securely.
| |
|
|
|
|
|
3.7 | Users shall avoid re-using or recycling old passwords. | |
|
|
|
|
|
3.8 | Users should change the temporary or issued passwords at first logon. | |
|
|
|
|
|
3.9 | Users shall not include passwords in any automated log-on process, e.g. stored in a macro or function key. | |
|
|
|
|
|
3.10 | Users shall not use the same password for business and non-business purposes. For example, your personal hotmail, yahoo or gmail account shall not have the same password as your NP accounts. | |
|
|
|
|
|
3.11 | Users shall select quality passwords which are:
a. Easy to remember;
b. At least 12 characters long;
c. A combination of Upper case (A-Z), Lower case (a-z), Digits (0-9) or Special characters (!@#$%^&*);
d. Use PassPhrase that you can remember;
e. Not based on anything that can be easily guessed or obtained using person related information, e.g. names, account/user ID, telephone numbers, and dates of birth, etc.; and
f. Not consist of words included in dictionaries, commonly used, expected or compromised passwords.
| |
|
|
|
4 PERSONAL COMPUTERS (PCs, NOTEBOOKS or SMART DEVICES) AND ELECTRONIC STORAGE MEDIA |
|
|
|
|
|
4.1 | Users shall ensure that their systems are adequately protected before connecting to NP’s Campus Network. The minimum protection includes:
a. An up-to-date anti-virus software installed and activated;
b. A Personal firewall installed and activated; and
c. Latest software security patches installed. |
|
|
| | |
|
|
|
|
4.2 | Users shall exercise due diligence to ensure all critical and security patches for their systems are applied within 1 week from the date of patch release.
| |
|
|
|
|
|
4.3 |
Staff shall use only NP-issued and centrally managed (NICE) equipment on the Staff network and to access staff eServices such as eMail, NPal, EasiShare and Sharepoint. Corporate mobile devices are centrally managed by Intune Mobile Device Management while NICE computers are managed by Group Policy. Staff will not have local administrative rights to NICE equipment. Staff may use their personal computers and devices only on the NP Wireless network. Personal devices are not allowed to access eServices in the staff intranet.
|
|
|
| |
|
|
|
4.4 |
Staff accounts will be locked for 30 minutes after the 10th consecutive failed login attempt. This is to prevent robots from hacking the system. The account would be automatically released after 30 minutes.
| |
|
|
|
4.5 |
Users shall turn off communication ports, such as WiFi or Bluetooth, when not required.
| |
|
|
|
4.6 |
Users shall be accountable for the confidentiality of data residing within their desktop systems. Users shall not share out directories on their personal computers and securely delete sensitive files when sending the computer for repair.
| |
|
|
|
4.7 |
When using Portable Storage Media to transfer classified data or personal data, staff shall use only authorised Portable Storage Media and only remove them from campus when authorised to do so. The use of authorized Portable Storage Media is restricted to staff authorized by Principal. Portable Storage Media refer to thumbdrives, flash memory cards, portable hard disks and optical storage media. Classified and sensitive data stored on authorised Portable Storage Media shall be encrypted.
| |
|
|
|
4.8 |
Staff shall store classified data or personal data, such as evaluations, appraisal forms, official papers and staff/student information on platforms such as NP-managed Sharepoint, EasiShare, NICE notebooks and authorised Portable Storage Media only. Teaching and learning materials that do not contain classified data or personal data may be stored on Teaching & Learning platforms such as MeL, Polymall, GAFE, OneDrive and personal portable storage media.
| |
|
|
|
4.9 |
Users shall not place their notebook, portable electronic storage media and authentication token near an exterior window or public access area where it could be subject to physical theft.
| |
|
|
|
4.10 |
Users shall not leave their notebook, portable electronic storage media and authentication token unattended. If it is not possible, these shall be securely locked away when not in use, or the notebook secured with a high quality cable lock by attaching it to something immovable.
| |
|
|
|
4.11
|
Users shall not store their portable storage media and authentication tokens together with the notebooks when bringing them out of NP.
| |
|
|
|
|
When Travelling | |
|
4.12 | When travelling overseas for non-official trips, staff should bring your personal computing equipment. Do not bring NICE computer as it is issued for work purposes and is likely to contain sensitive corporate or personal information.
| |
|
|
|
4.13 |
For official trips where your NICE computer is needed, staff shall carry onboard with them their notebook, portable electronic storage media and authentication token.
| |
|
|
|
4.14 |
Do not check-in your NICE notebook with your luggage unless the country you are visiting imposes carry-on restrictions where you are required to check-in your notebook.
| |
|
|
|
4.15 |
When clearing customs, users should hold onto their notebooks, portable storage media and authentication tokens until the person in front has gone through the metal detector.
| |
|
|
|
4.16 |
When travelling to countries with carry-on restrictions, the portable storage media with classified data or personal data, and authentication token shall be kept separate from the notebook. The portable storage media and authentication token shall be kept with the staff at all times. The checked-in notebook shall not have any classified or personal data stored on the local hard disk, and shall be re-formatted or re-imaged after the overseas trip.
| |
|
|
|
4.17
|
When travelling to countries with carry-on restrictions and staff needs to prepare a clean notebook for check-in. The clean notebook shall not have any classified or personal data stored on the local hard disk. If classified data or personal data is required during your trip, you may first store them on EasiShare, Sharepoint or an authorised portable storage media from your department.
| |
|
|
|
4.18
|
In the event where staff suspect their endpoint devices may have been tampered with, they shall not connect those devices to the staff or campus network upon return from overseas trip. They should report their suspicion to
ITSecurityManager@np.edu.sg as soon as possible.
| |
|
|
5 USE OF AUTHORISED SOFTWARE AND HARDWARE
| |
|
|
|
5.1 |
Users1 shall use only
authorised software5 on corporate personal computers. Authorised software is one which is licensed for use, legally acquired and approved by NP for use. These include Freeware, Shareware and Open Source Software.
| |
|
|
|
5.2 |
Users shall use only authorised software and/or hardware from their personal computers within our campus network. Users shall write in for explicit permission to install and use software and/or hardware that is not authorised by NP. Software and/or hardware that may compromise the security of NP systems are not authorised for use by NP. Examples of such software and/or hardware include those which may affect the performance of campus network infrastructure or those which may result in loss of confidentiality, integrity or availability of data.
| |
|
|
|
5.3 |
All software used on corporate personal computers and within our campus network shall meet legal requirements, such as having valid licenses. Staff shall participate in the annual Software License Audit.
| |
|
|
|
5.4 |
Users shall not expose the Polytechnic to infringement proceedings resulting from a breach of Singapore Law, including but not limited to the following areas:
a. Copyright;
b. Patent;
c. Trade mark;
d. Registered design; and
e. any other intellectual property laws.
| |
|
|
|
5.5 |
Under the Copyright Act, individuals, their supervisors, as well as the Polytechnic, are liable for any infringement to the Act. As such, the use or copying of purchased software so that it can be used on a computer other than the computer for which it is licensed is strictly prohibited.
| |
|
|
|
5.6 |
Unless approval has been granted, users shall not modify or remove software or hardware which NP provides as part of the campus
IT Resources3.
| |
|
|
|
5.7 |
Users shall not install, execute, or assist or abet another to install or execute a program that could result in the damage or excessive load to any component or part of the IT Resources or place excessive load on the Computer Resources. This includes, but is not limited to, computer viruses, worms, Trojan horses or any other malicious program.
| |
|
|
|
5.8 |
Users shall scan software for viruses or other malicious program before installing on corporate personal computers.
| |
|
|
6 EMAIL USAGE | |
|
|
|
6.1 |
Users1 shall not spam or send unsolicited commercial mail to others.
| |
|
|
|
6.2 |
Staff and
associates2 shall not indiscriminately forward corporate email to an Internet service provider email account.
| |
|
|
|
6.3 |
Users shall avoid sending out large email to a large mailing list of recipients. Whenever possible, large attachments should be hosted in a separate repository and only a link shall be provided in the email.
| |
|
|
|
6.4 |
Users shall housekeep their mailbox regularly. Email that needs to be kept for department records shall be moved out of the user mailbox and kept in the respective departmental repositories.
| |
|
|
|
6.5 |
Staff shall use the NP email address (@np.edu.sg) for official or student correspondences.
| |
|
|
|
6.6 |
Staff shall make use of the following Email delivery functions to maintain authenticity, integrity and security of their email:
a. SIGN function to digitally sign their email when authenticity is required;
b. To further ensure data integrity, staff shall use the PREVENT COPY function to avoid alterations; and
c. Staff shall use the ENCRYPT function to ensure that the readership is limited to only those in the circulation list.
| |
|
|
|
6.7 |
To further safeguard our email correspondence, it is highly recommended that staff add the following clause to their email footer: “This message may contain privileged/confidential information. If you are not the intended recipient of this email, please delete it and notify the sender immediately.” This helps us in assessing the extent of the damage as a result of incorrect recipients.
| |
|
|
|
6.8 |
For staff who are maintaining distribution lists, the following additional clauses shall apply:
a. Your messages shall state the channel(s) for the recipients to unsubscribe from the distribution list;
b. The recipient's name shall be removed within 10 working days from the day the unsubscribe request is submitted; and
c. The subject for advertising mail shall be prefixed with <ADV>.
| |
|
|
7 INTERNET ACCESS, USAGE AND SOCIAL NETWORKING | |
|
|
|
7.1 |
Users1 shall be discerning when accessing websites, especially links provided through spam or unsolicited email. Users shall avoid websites of unknown or disreputable origin.
| |
|
|
|
7.2
|
Staff should not allow automatic execution of codes or plug-ins on their personal computers. Staff should configure their systems to prompt for permission before executing trusted codes. Examples of codes are Active X, Java, Javascript, etc.
| |
|
|
|
7.3 |
Users shall be responsible for the content that they upload, post, email, transmit or otherwise make available via NP's
IT Resources3 and shall ensure that intellectual property rights are not infringed in any way.
| |
|
|
|
7.4 |
For social networking and publishing content associated with NP, users shall take responsibility for the content and shall include a disclaimer stating that they are conveying a personal view-point and not from a corporate NP position.
| |
|
|
|
7.5 |
Users shall not upload or download, send or post, enter or publish any content to the Internet that is objectionable or illegal under the Singapore Law.
| |
|
|
|
7.6 |
Users shall not upload or download, send or post, enter or publish any content to the Internet that is against the public interest, public order, national interest, racial and religious harmony, or which offends good taste or decency, or is otherwise indecent, obscene, pornographic or defamatory.
| |
|
|
|
7.7 |
Users shall not upload or download, send or post, enter or publish any content to the Internet that is confidential, distasteful or prejudicial to the good name of the Polytechnic.
| |
|
|
|
7.8 |
Users shall be mindful of the public nature of the Internet and shall not discuss or disclose classified or personal data, and proprietary information of NP or of any organisation without authorisation.
| |
|
|
|
7.9 |
The intellectual property rights to all NP teaching materials (eg. lecture notes, videos, courseware, tutorials, worksheets etc.) belong to the Polytechnic. Students shall not upload, send or post, enter or publish any NP teaching materials to the Internet. Staff shall not publish or otherwise make available any NP teaching materials on the Internet except in accordance with the policy of NP or its School/Division.
| |
|
|
|
7.10 |
Users shall be respectful of NP, staff/lecturers/tutors, students and their rights for privacy.
| |
|
|
|
7.11 |
Users shall be mindful of the need to safeguard personal and official information. Users shall not disclose, publish and/or host such information on external websites without proper authorisation from the owner(s). Personal and official information shall be used for its intended purpose and shall be securely discarded immediately after use.
| |
|
|
|
7.12 |
Users hosting forums, discussions and other sites supporting posting by visitors of the site shall ensure that the sites are moderated or actively monitored for acceptable contents.
| |
|
|
|
7.13 |
Users intending to use corporate branding and identity such as NP’s logo and the ‘.np.edu.sg’ domain name, in online or on printed materials shall seek advice and clearance from the Corporate Communications Office.
| |
|
|
8 NETWORK AND REMOTE ACCESS | |
|
|
|
8.1 |
Users1 shall not install and operate their own wireless Access Points emulating or interrupting the performance of campus network infrastructure wireless Access Points.
| |
|
|
|
8.2 |
All campus network infrastructure wireless Access Points shall be operated and managed by Computer Centre. Computer Centre reserves the right to remotely disconnect any unregistered devices that are interfering with the normal performance of campus network infrastructure.
| |
|
|
|
8.3 |
Users shall manage the access to rooms where staff wired outlets are available. Only NICE computers are authorised to be connected to a staff wired outlet.
| |
|
|
|
8.4 |
When connecting from home and campus wireless network, users shall enable the Virtual Private Network service to access sensitive corporate systems that are accessible by staff only. | |
|
|
| |
|
|
|
8.5 |
Staff shall access the Singapore Government Network (SGNet) from a WoG notebook.
| |
|
|
|
8.6 |
Staff shall not concurrently connect to wireless network (e.g. campus wireless network and mobile broadband) and staff wired connection to avoid becoming a bridge between the insecure wireless environment to our secured staff network.
| |
|
|
9 INCIDENT REPORTING | |
|
|
|
9.1 |
Users1 shall immediately report any security violations, weaknesses, suspected violations of laws or policies and any loopholes or potential loopholes in the security of the IT Resources to the Computer Centre. Security incidents include, but are not limited to, misuse of email, malware infection and unauthorised act by a person to obtain classified data or personal data.
| |
|
|
|
9.2 |
Users shall
immediately report any lost personal computers, portable storage media or loss/compromise of NP Classified data or personal to ITSecurityManager@np.edu.sg.
| |
|
|
|
9.3 |
Users shall cooperate fully in investigations of misuse or abuse of the IT Resources. User files may be examined under the direction of NP management should NP in its absolute discretion decide that the security of the IT Resources is in any way threatened.
| |
|
|
|
9.4 |
In the event of a malware infection, users shall immediately disconnect their infected system from both wired and wireless network, and contact CC Helpdesk or
ITSecurityManager@np.edu.sg to initiate appropriate follow up actions.
| |
|
|
|
9.5 |
In addition, users shall retrieve all removable storage media from locked cabinets and subject them to the necessary investigation, cleaning and recovery process.
| |
|
|
|
9.6 |
Users shall not knowingly connect an endpoint system infected by malware or suspected to be tampered with, onto the campus network.
| |
|
|
10 RIGHTS OF THE POLYTECHNIC | |
|
|
|
10.1 |
The Polytechnic shall have the right to access and disclose any information stored on corporate personal computers and peripheral devices.
| |
|
|
|
10.2 |
The Polytechnic shall have the right to access and disclose any email messages composed, sent or received using NP Email Systems.
| |
|
|
|
10.3 |
The Polytechnic shall have the right to control, monitor and disclose information stored on corporate personal computers, peripheral devices, users’ Internet access activities and email.
| |
|
|
|
10.4 |
The access and disclosure of email messages shall be authorised by Principal, and shall be conducted under strict control and supervision.
| |
|
|
11 FAILURE TO COMPLY | |
|
|
|
11.1 |
The Polytechnic reserves the right to take disciplinary proceedings against the offending user in the event that he/she conducts himself/herself in any manner considered to be irresponsible or is abusive of the computing facilities accorded to him/her.
| |
|
|
|
11.2 |
Users1 who fail to comply with this Acceptable Use Policy and other relevant Terms and Conditions of Use shall be subjected to penalties imposed. The penalties may include, but not limited to, withdrawal of computing services and/or termination of service, or dismissal from course of study.
| |
|
|
|
|
GLOSSARY |
|
|
|
1 |
Users – All Staff, associates and students of NP who has been authorised to access NP’s IT Resources. | |
|
2 |
Associates – Any third party staff who are not directly employed by NP or business partner who requires access to campus IT Resources to fulfil their contractual or other obligations to NP. Examples: Vendor staff, visiting or guest lecturers, International Fellows, etc. | |
|
3 |
IT Resources - The computing facilities, systems and infrastructure, information and data, and the personnel involved in the provision and maintenance of the services, applications and infrastructure. | |
|
4 |
Personal Computers – Any computing device designed for individual use, such as Desktop PCs, Notebook PCs or smart phones that is used to store, process or access NP’s Resources. | |
|
5 |
Authorised Software – Software which is licensed, legally acquired and approved by NP for use. These include Freeware, Shareware and Open Source Software. | |