Administrative rules of IT services

​​​1 Introd​​​​​uction 

1.1 Definitions 

Information system or service refers to 

  • data processing devices or systems, or a collections of such,
  • University computer network,
  • software and services running in the above-mentioned and
  • the information content within the above-mentioned.

In these rules, administration refers to 

  • maintaining information systems and keeping them secure
  • making necessary changes or corrections in the information systems,
  • administering user IDs and usage and access rights in information systems and
  • monitoring and keeping statistics on the operation and usage of information systems. 

Administrator refers to persons responsible for the computer administration and technical management of the University information systems, and other University IT support personnel, who take care of the administrative tasks of the systems, ​user support and guidance. In the broadest sense, administrator refers to all persons having administrative rights in the information system.

A University unit refers to a university department, division or other functional unit. 

A responsible owner of an information system within the University is the unit for which the information system has been procured for functioning and data processing, and which defines the persons entitled to use the information system. Author of programs, web pages and other such material can also be considered to be the responsible owner of the material according to the Copyright Act 

A responsible owner of an information system within the University is the unit for which the information system has been procured, and which defines the persons entitled to use the information system. Author of programs, web pages and other such material can also be considered to be the responsible owner of the material according to the Copyright Act 

The duty of an administrator of an information system within the University is to take care of the information system technically. 

The owner of an information system is also the administrator, unless administrative duties have been moved to another unit within the University or outsourced by a contract. 

1.2 Autho​​rities of administrator 

In order to guarantee the functionality of information systems, an administrator has adequate privileges to inspect the status of the systems and, if necessary, to intervene in the function of the systems, to the use of said information systems by individual users and their data in the information systems. 

In order to combat breaches of information security and to eliminate any disturbances targeting information security, an administrator has the right to take necessary steps to ensure information security. 

The administrator privileges are directed through guidelines and regulations that are primarily based on Finnish legislation and additionally on the regulations of the use of the University's information systems along with the information security principles of the University. The principles concerning administrators are described in University's Information Security Policy, E- mail Rules, and these Administrative Rules. 

These rules apply to all administrators, also students responsible of maintaining and managing information system connected to University network. 

These regulations and other guidelines to the use of the University's information systems are available at the University Intranet.

2 Re​sponsibilities ​

A unit must document the information systems or system entities in its possession. These systems have to be prioritised and information system administrator and technical administrators have to be assigned. The owner of the information system is responsible for the producing eventual information system declarations and privacy declarations and making them available. ​

The owner of the information system and ultimately the head of the unit are responsible for the adherence to law, good administration practice and the current regulations and policies of the University in the system. 

The owner always has the ultimate responsibility to the administration of the system. An information system administrator is responsible for the technical administration of the systems in a manner adhering to good administration practice. Every system must have assigned administrators. Administration duties are distributed, where possible, to several individuals with different access rights. Also information about administrator actions must be collected to a log. 

The owner or administrator of an information system is not responsible for the content of an individual users' data. A user him- or herself is responsible for the legality of his or her data and is required to protect them in accordance to guidelines set by the University. An information system administrator has, however, a legal right and obligation to intervene with user's data, if there is a reasonable suspicion that it contains information security vulnerabilities or illegalities. 

If an administrator is under suspicion to have misused his or her privileges, a contact is made to the foreperson of the unit, who along with the inofmation Security Officer or Director of IT decides on any further and protective measures taken. 

3 Acting prin​ciples 

3.1  Good adm​inistration practice ​

The information systems are to be administrated in accordance to good administration practice. A good administration practice means planned, responsible and professional administration, in which the good information management practice, detailed in the Act and decree on the Openness of Government Activities and on Good Practice in Information Management. ​

3.2  Respecting the​ Right to Privacy ​

The right to privacy and confidentiality of communications of the users and their communication partners is observed in the administration of the University's information systems. However, the University has, while observing these basic rights, a right to control the information content and define the appropriate use of the information systems in its possession. This also applies to the communications in the University network. The appropriate use is defined in detail in the Rules of IT service use or in an individual system's usage regulations.

When users ask an administrator to handle their e-mail or other files, the administrator must secure the person's identity in an appropriate way, e.g. via a legitimate proof of identity, should the administrator not know the user personally.

When an administrator has the need to contact a user, it can be done either to a phone number or an e-mail address available in the University administration's information systems. However, in cases where there is a doubt that the user ID is being abused, e-mail must not be used. ​

An administrator shall sign a non-disclosure agreement​.

3.3 Professio​​nal Secrecy 

Obligation of secrecy and non-exploitation bind administrators with regards to any non-work related matters and the existence thereof that they may become aware of while performing their duties. Non-public work-related matters may only be discussed with such persons or officials that are bound by the same confidentiality as the administrator and whose duties the matter involves. 

An administrator may reveal or exploit any university's professional or commercial secrets to others. The administrator is specifically bound by the Criminal Code, chapter 40, section 5, which states that administrators cannot without authorization reveal or exploit any secret or otherwise legally confidential matters, such as private matters of the users, that they, during or after their tenure, have become aware of because of their duties or position. Any private matter is considered to be an example of such information. 

4 Practi​ces

4.1  Identities and pass​words

An administrator does not need any user's password to fulfil his duties, and he or she must not inquire password from the user.

Should the correcting of a problem require a momentary use of the user's identity, then either the user must be present to input his or her password to the authentication service, or the administrator must assume the identity of the user through an administrators privileges. The user must be informed of the latter as soon as possible. The identity must not be used any longer than what is necessary to correct the problem.

In these situations the administrator must secure the identity of the user in an appropriate manner.

Administrator privileges are to be used only when administrator's duties so require.

4.2  Limiting User Rights for​ Duration of Investigation

When suspecting an information security breach or user's violation of information security guidelines, the University is entitled to restrict or revoke the right to use its IT services.
Limiting user rights is defined in document Consequences for IT system abuse.

4.3  E-Mail Processing

According to the Constitution of Finland, the secrecy of a personal letter, phone call and other confidential messages is inviolable, unless otherwise stipulated by law. E-mail is treated equally with letters. E-mail messages are deemed confidential, unless they are intended for public disclosure. ​

The principles of normal e-mail handling are outlined in the E-mail rules. These Rules of IT Service Maintenance deal with special situations in which the administrator must intervene with mail delivery in order to secure a sufficient service level or system security. 

The administrator may be required to open files containing users' e-mail messages in the following cases 

  • The user requests the administrator to open his/her e-mail, for example, in a case where the user is unable to open the mailbox him/herself. Such requests always concern the single instance only. If a user requests information about mailbox contents, the administrator must reliably verify his/her identity (see chapter 3.2).
  • The  user's mailbox causes problems, for example, due to an excessively large size.
  • The primary action to be applied to mailboxes that hamper the mail system due to their large size is to move the mailbox elsewhere without opening it. The user must be notified of this, and the hand-over of the mailbox contents to the user must be agreed on. In special, exceptional cases, it is also possible to delete an oversized mailbox, if no other action is reasonably available. This decision is made by the supervisor of the unit in charge of the system.
  • The administrator is entitled to fix a structurally damaged mailbox without separate permission from the user. However, the administrator is not entitled to read any contents that are intended for the recipient only. In these cases, as always, the administrator is bound by a non-disclosure obligation.
  • The user shall be notified of all non-automatic measures concerning the mailbox.
  • When the mail system is unable to deliver a message due to its inadequate or malformed structure, the administrator is entitled to inspect and repair the envelope, but must avoid inspecting the contents of the message to his/her best abilities.
  • Kaikista Postilaatikkoon kohdistuvista ei-automaattisista toimenpiteistä ilmoitetaan käyttäjälle.

Furthermore, the administrator is entitled to remove queuing messages that are deemed harmful for the functionality of the mail system, as well as unnecessary messages generated due to a technical error. ​

4.4 Processing Other Files 

An administrator has no general right to read or otherwise process the contents of files owned by users. 

However, an administrator has the right to process user files for example under following circumstances: 

  • When the user has authorized this in order to solve a problem situation.
  • After a specific written request (e.g. should the performance of University duties be impaired through absence, it may be necessary to process files owned by the absent worker/student and protected from others. The head of a unit or equivalent can order the administrator to give an assigned person access rights to the necessary files).
  • If a user account holds programs or initialization files that cause disturbance to the functioning of the system, to security or to information security of other users. In this case the administrator can verify the contents of the files and, if necessary, stop their operation. ​
  • If there is reason to suspect the account has been compromised, and owns files or programs that pose a security threat to the University.
  • If the administrator suspects an account has been compromised, the account may be temporarily disabled as a security measure. As a general rule, the user shall be contacted prior to any action. The measures may however be deemed necessary to enact immediately, without a prior notice.
  • If it is deemed probable that a user is performing malicous activities, certain files may be accessed to validate the suspicion.
  • The administrator may temporarily suspend any account for malicous activity.
  • The administrator may prevent visibility of web pages that are illegal or against Rules of IT service use.
  • When files' access privileges already are sufficiently open.

In addition to aforementioned privileges, an administrator always has a right: 

  • To access and change initialization files, e-mail forwarding or sorting files and other files that have an effect on the functioning of the systems, should these files threaten the functionality or security of the system or the information security of the users. 
  • If the modifications cannot be done without erasing the modifications made by users themselves, the old version modified by the user is transferred to another file name and the user is notified of the change.
  • To certify that common disk areas have no files that are illegal or threaten the functionality or security of the system or the information security of the users. Such files include e.g. malware, recordings that are in violation of copyright or data that is illegal according to the Criminal Code.
  • To manually or automatically delete files from disk areas assigned for temporary storage. This deletion must happen in adherence to predefined principles. The deletion principles must be available to the users, but deletions adhering to them do not have to be reported to the user concerned. ​

4.5  Monitoring Directories and File Lists

Under normal circumstances, an administrator cannot fully avoid requesting and seeing file lists of directories owned by users. Processing directory structures, filenames, modification dates, sizes and protection levels along with other information pertaining to files is a part of normal administration that is done in accordance with good administration practice.

Should a file's or a directory's protection found to be too weak in relation to its nature, administrator has the right to upgrade the protection to necessary levels.

An administrator is bound by confidentiality. In performing administrator's duties care is taken to not display filenames etc. unnecessarily. E.g. when file listings are needed to solve a problem case, "private" is printed in place of such files that do not pertain to the matter at hand. ​

4.6  Monitoring programs and processes

The administrator and the information system administrator together define what software shall be available in the system. Programs can be prohibited or removed from use, if the use of said programs is not necessary for the functioning of the University and the present a threat to the service level and security. This decision is made by the head of the unit administrating the system.

An administrator routinely monitors the programs running in the information system.

An administrator can adjust the processing priority of a process, should it consume the system's resources to an excessive extent.

An administrator can terminate a process if

  • the function of the process has clearly been disturbed, ​
  • the process impairs the function of the rest of the system by extra load and is not contributing to the University's functions, or
  • the process is connected to software, the use of which is against the guidelines and regulations given by the administrator. In this case the user is notified of the termination of the process and the aforementioned regulations. ​

4.7  Monitoring data communications network

An administrator of the University network monitors the traffic of the network and its external connections with monitoring software and by reviewing log data in order to guarantee a reasonable service level and security as well as to take care of financially efficient use of the external connection.

The monitoring of network traffic does not concern the content of the transferred information but the amount and nature of the traffic. The monitoring of source and target computers is statistical and does not target an individual user. However, the traffic can be monitored in more detail in the case of an individual system, when traffic anomalies, e.g. excessive traffic load, are being investigated. Automatic intrusion detection and prevention systems may analyse all network traffic.

An administrator of the data communications network can contact the person responsible for the computer that causes excessive traffic or other anomalies in order to investigate a possible disturbance or misuse situation.

An administrator of the data communications network may deny communications or the use of a certain service from a computer or a part of the network,

  • that causes traffic which threatens the service level or security of the network,
  • if there is a valid reason to suspect that a computer or computers are being abused or are infected by malware,
  • in which the Acceptable Use Policies of Information Systems are being breached,
  • which is not properly administrated especially with view to information security.

In all cases, the responsible administrator of the computer or the part of the network shall be contacted immediately after the denial of traffic. ​

4.8  Process​​ing log files

The University's information systems create log files to document the functioning of the system, to investigate eventual disturbance or misuse situations and to collect billing information. In the University, the logged information is only used in the technical duties of administrators bound by confidentiality as well as to enable billing. Log files can form a registry that falls under the scope of the Personal Data Act (523/1999), or contain recognition information that falls under the scope of the Information Society Code (917/2014). ​

4.9  Backup of data

The provider of information system services must, as a part of system administration, take care of backing up their systems. Backups shall be taken sufficiently frequently, generally daily. ​

Backup copies shall be stored appropriately, and the administrator shall make sure that the backups are accessible. The information on backups shall be processed in adherence to the same principles as equivalent information in an information system. The deletion of backup copies shall take place in such a manner that the confidentiality of the information contained therein will not be compromised. 

5 Supervision of These Rules 

These rules are supervised by the IT Services of the University and the respective owners of other information systems of University units. The rules shall be updated when necessary, or when the common recommendations of the Universities are changed. The need for updates shall be monitored by the Information Security Officer. 

Appendix 1: Guiding legislation 

All administrative actions must obey the Finnish law. Laws concerning system administration include: 

  • -  Constitution of Finland (731/1999), decrees concerning privacy, freedom on speech and publicity 

  • -  Universities Act (558/2009) 

  • -  Personal Data Act (523/1999), 

  • -  Act on the Openness of Government Activities (621/1999), 

  • -  Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999), 

  • -  Information Society Code (917/2014), 

  • -  Act on the Protection of Privacy in Working Life (759/2004), 

  • -  Act on Provision of Information Society Services (458/2002), 

  • -  Criminal Code (39/1889), 

  • -  Coercive Measures Act (450/1987)
    and decrees, statuses and regulation based on above-mentioned laws. ​

Appendix 2: Non-disclosure Agreement​​

Keywords:
Tags:

20014 Turun yliopisto, Finland
Tel. +358 29 450 5000

People search

Follow us: 
Facebook   Twitter   Instagram   Youtube   LinkedIn
© University of Turku