1.

Preamble

The University operates to enable University activities in all that relates to computing resources, including in the areas of research, teaching and work, and to protect the information resources of the University, while preserving the privacy of members of the University community. This document is intended to set out the competences and the principles of information security and the protection of privacy at the University.

2.

Definitions

2.1

University computing resources (hereinafter: “computing resources”): Any hardware, embedded system, device, software, network and computing system of every type of the University and/or connected to the activity, operation or functioning of the University, including through an external supplier and through the “cloud” service.

2.2

University information (hereinafter: “University information”): Any information of any type whatsoever, including intellectual property and personal information, owned by the University and/or stored at, processed by or produced by the University, including by the systems owned or used by the University and/or by an external supplier, including the “cloud” service: hereinafter jointly: “information resources”.

2.3

Information and cyber security (hereinafter: information security): The range of activities and devices that are implemented by the University for the purpose of protecting the confidentiality, integrity and accessibility of information resources as well as the privacy of the users of the information resources.

2.4

Information security provisions: The regulations, procedures and standards in the area of information security and privacy at the University that are published from time to time by the Director of Information Security, including written or oral instructions that are issued by any of the workers of the information security zone [Ma1] at the time of information security events or for the purpose of oversight and monitoring.

2.5

Information security events: Any disturbance, harm or damage, through an act or an omission, whether deliberate, inadvertent or through negligence, to the information resources of the University.

2.6

User: Any person or entity that uses the information resources of the University.

3.

Application of the Information Security Provisions

The information security provisions apply to every University worker and student, and to all users of the University’s systems and facilities, including visitors, suppliers and contractors of every kind, whether they are located within University premises or whether they access the information resources remotely.

4.

Competence and Responsibility

4.1

Directors of Units

4.1.1

The heads of University units (department, faculty, authority, school etc.) are responsible for the information resources in their units or under their control, and they are responsible for the information security of their information resources.

4.1.2

Heads of University units, or whoseover is authorized by the Director General, shall be “database directors,” according to the provisions of law for the relevant databases.

4.2

Administrators

4.2.1

The administrators are those who are directly responsible for the physical installations and the logs, such as network managers, communications directors, applications directors, database directors etc.

4.2.2

They are responsible for the integrity and the operation of the information resources they manage and their security in a proactive manner. They must report to the Director of data security concerning any suspicion of a data security event.

4.3

Director of the Division for Computation, Communication and Information

4.3.1

The Director of the Division is responsible for the approval of work programs and for the allocation of resources required for the execution of the task of information security.

4.3.2

The Director of the Division is responsible for the construction and operation of infrastructure protection systems in the networking and information systems of the University.

4.4

The Director of Information Security (CISO) -

4.4.1

-  is responsible for and has authority with respect to the protection of information resources of the University and its units.

4.4.2

-  is authorized to issue written and oral guidelines in any area of information security at the University, and to conduct technical and administrative supervision of the University systems.

4.4.3

-  is in charge of preparing the University for information security threats and for handing information security events.

4.4.4

- guides and advises the Administration and various officer holders of the technical and regulatory aspects of information security risk management and the protection of privacy.

4.4.5

- prepares, updates and publishes from time to time the binding information security provisions at the University, subject to the approval of the Administration.

4.5

Workers in the area of information security -

4.5.1

-  are entitled to issue written or oral instructions in all relating to information security and to handling information security events.

4.5.2

-  are responsible for the operation of the various technological means of control, monitoring and protecting the information resources.

4.5.3

-  are active in and lead the response to information security events at the University.

4.6

Computation coordinators in the Units -

- are responsible for the operation of the information resources that they manage and their security in a proactive manner. They must report to the information security zone any suspicion of an information security event.

4.7

Researchers, workers and students:

All members of the University community are bound to protect the information resources that they use and for which they are responsible in accordance with the information security provisions of the University, and they must report to the information security people at the University any suspicion of an information security event.

4.8

External bodies, suppliers and visitors -

4.8.1

-  must refrain from doing anything that is liable to endanger the information resources of the University, and must act with the required utmost caution to prevent any harm or risk as aforesaid.

4.8.2

-  must report to the Information Security Department any suspicion of an information security or cyber event, whether it is connected to their direct activity or beyond it.

4.9

Bodies at the University who transact with external bodies, suppliers or visitors:

4.9.1

The body responsible for transactions at the University must act in accordance with the guidelines in the information security zone and the Office of the Legal Advisor, including the Protection of Privacy (Information Security) Regulations with respect to outsourcing.

4.9.2

In all communications with external bodies involving an aspect relating to information resources, the transaction documents must include an information security appendix that has been approved by the information security zone and the Office of the Legal Advisor.

5.

Access to Information Resources and Means of Identification

Use of information resources may require use of means of identification that have been issued by the University, such as user name and password, OTP, smart card or other means of identification. Means of identification are personal and must be kept absolutely confidential. To remove all doubt, the following are prohibited:

-   Sharing – passing on the means of identification to any other person or body.

-  Impersonation – use of the means of identification of any other person or body.

In the event of a suspicion of unauthorized use of means of identification, the Support Center must be contacted immediately by e-mail  abuse@savion.huji.ac.il or by phone – 02-5883450 .

6.

Authorized Use of Information resources

6.1

General

6.1.1

Use of information resources at the University shall be made only for administrative or academic purposes, including research, that are connected to the function and the objectives of the University or to any other activity that has been approved explicitly by the University.

6.1.2

Use of some information resources is limited under licenses, agreements or laws that apply to them. The user is responsible for compliance with the provisions of the licenses, agreements and laws, as relevant.

6.1.3

The above notwithstanding, use of the internet and electronic mail for private purposes (only) is permitted in a reasonable scope and a responsible manner, provided that such use is not detrimental to the needs of the job, as decided by the superior, nor contrary to law. Nevertheless, the University may, for reasons of information security or other reasonable reasons, prevent or limit such use. 

6.2

Documents and Files

6.2.1

Documents and files that are connected to working requirements must be kept only on University servers in the folders or information systems designated for that purpose. Saving of documents and files on University servers is permitted only for whosoever has received express authorization and appropriate training for this, and only for University purposes. The documents and folders are accessible for viewing and copying only by the University and the worker. The University, according to its considerations, retains back-ups of all the files in its systems.

6.2.2

It is recommended that personal information (such as wage slips, photographs and personal letters, financial data etc.) not be saved on University servers.

6.2.3

In general, University information should not be saved on a private cloud service or by removable storage devices (such as disk on key). Nevertheless, use of private storage or cloud devices in accordance with guidelines to be set by the area of information security will be permitted.

6.2.4

It is permitted to save personal information (“files”, mails etc.) in a private account on a cloud server.

6.2.5

The University is not responsible for the information security of personal data and information that has been saved contrary to the provisions of this document.

6.3

Central information systems

Use of central information systems such as those relating to human resources, finances and others, is permitted only to those who have received express authorization as well as appropriate training. Activity in these systems is permitted only for a University purpose that comports with the position of the user.

6.4

E-mailboxes

6.4.1

Private e-mailboxes may not be used for sending and receiving University information. For these purposes, only professional or mixed mailboxes may be used, as specified below.

6.4.2

The University allocates e-mailboxes to administrative and academic workers for work purposes. These mailboxes are of two types:

6.4.2.1

Professional mailbox for use of a particular office holder or unit, where the name of the mailbox is not that of the worker, and it is prohibited to keep personal correspondence in the box or to make private use of it.

6.4.2.2

Mixed mailbox that is used for work purposes and bears the name of the worker. Private use of such a mailbox is permitted, subject to the policy governing use of mailboxes at the University.

7.

Development of Systems and Provision of Services on the University Network

7.1

Any transaction with a third party on a subject that involves information resources, including acquisition of off-the-shelf software or cloud services, or development of an information system that is intended for University use, requires prior approval of the Computation, Communication and Information Division in general, and of the information security zone in particular.

7.2

The supply of services on the University network without the prior approval of the Division is absolutely prohibited.

8.

Prohibited Use of Information Resources

8.1

Unreasonable private use or commercial use:

Unreasonable private use or commercial use of the information resources is not permitted. This provision does not apply to the trading of information or intellectual property that is regulated in Administrative Regulations, or to commercial activity on the part of the University.

8.2

Breach of intellectual property and other rights of third parties:

8.2.1

It is absolutely prohibited to make use of information resources of the University in a way that may breach the intellectual property and/or other rights of any third party. To remove all doubt and for illustrative purposes only: it is absolutely prohibited to make use of software or files that were copied illegally or that violate copyright, patents or other property rights of a third party, to install software or to use media files without a legal license.

8.2.2

It is prohibited to use copying and file sharing services or similar services that are intended for sharing and distributing content that is in breach of intellectual property rights.

8.3

Transfer of information resources

The transfer of information resources or communication with any third party for the purpose of using or processing information resources requires the express approval of the Director of Information Security and the Office of the Legal Advisor.

8.4

Conduct on the Internet and on social networks while surfing from the University network

Use of the Internet and social networks from University resources must comply with the conditions of use of the sites and subject to all laws.

8.5

Harm to the computing infrastructures and systems

The computing infrastructures and systems, as with all University information resources, are the responsibility of the Division for Computation, Communication and Information, and the information security zone at the University is charged with their protection. It is absolutely prohibited to do anything that is liable to harm them directly or indirectly. Any change in the computing infrastructures and systems requires the advance approval of the Division and of the information security zone. The prohibited actions include, inter alia:

8.5.1

Connecting any device of any type to the University network , including external lines of communication, without the prior approval of the Division.

8.5.2

Running private VPN services or network sharing access services, whether encoded or otherwise.

8.5.3

Executing any actions, including those related to construction, that are liable to cause damage to the infrastructures whether directly or indirectly.

8.5.4

Unreasonable use or processing of the network resources.

8.5.5

Interfering with or affecting the configuration and the operations of systems of any type whatsoever without the prior approval of the Division or the information security zone.

8.5.6

Unauthorized change, bypassing, or harm to the operation of software or information security devices of all types.

8.6

Hostile hacking and cyber

Any act of hostile hacking and cyber of any type against the information resources of the University, or from them to any external entity, is absolutely prohibited, irrespective of the identity of the user. Such prohibited acts include, inter alia:

8.6.1

Gaining unauthorized access to any information resources of the University.

8.6.2

Bugging information resources including telephony, communication lines, networks, equipment or systems of all types.

8.6.3

Operating instruments, from any place whatsoever, for the purpose of vulnerability assessment of information resources of the University without the prior written approval of the Director of Information Security at the University.

8.6.4

Operating devices, from any place whatsoever, for the purpose of penetration testing of the information resources of the University without the prior written approval of the Director of Information Security.

To remove all doubt, “social engineering” activity, for any purpose whatsoever, is prohibited without the prior written approval of the Director of Information Security at the University.

8.6.5

Operating devices for the purpose of penetration testing or vulnerability assessment from within the University network to other networks and organizations without the written prior approval of the relevant entities in the other organizations and of the Director of Information Security at the University.

8.6.6

Operating devices for attacking or for any action that can be thought of as malicious cyber from within the University network to other networks and organizations.

8.6.7

Preparation, distribution, use or causing the operation of malicious code of any sort (virus, malware etc.).

9.

Monitoring and Control of Information Resources

9.1

The University monitors the use of its information resources by means of reasonable and accepted technological means in the area of information and cyber security for the purpose of information security, protection of information resources, protection of the privacy of users and protection of the users from information security and cyber threats.

9.2

All the information that is gathered in the framework of monitoring activities is saved on the University servers, and in certain cases, by external suppliers such as cloud services. The information is saved and backed up for a reasonable period that is specified in the Back-up Policy and/or Terms of Use of the University and/or of the External Suppliers, in accordance with the law.

9.3

The University does not apply blocking or filtering according to the nature of the content. The University will apply blocking or filtering for addresses or activity on the Internet or on the University network only according to the degree of possible risk to the information security of the users and of the University systems.

9.4

Use of the information resources constitutes consent to all monitoring and control activities conducted in accordance with the provisions specified in this document by the University and by other bodies authorized for this purpose by the University, by any means whatsoever and subject to all laws.

The University will ensure compliance with the provisions of the law and the preservation of the privacy of the users in all that concerns the activities specified above. The protection of privacy policy can be viewed at the following address:

……

10.

Handling Breaches and Enforcement

10.1

A breach of this policy constitutes a disciplinary offence. The University may, and at times is required by law to share information that is related to computing crimes with the authorized enforcement authorities and bodies.

10.2

The user will bear responsibility for all damage caused to the University as a result of a breach of these regulations.

10.3

The University may, upon becoming aware of a breach as aforesaid of this policy, cancel the permission of the user or the computer to access the information resources or the network. In these cases the University will provide the user with an opportunity to present his case prior to implementing the cancellation of permission to access.

10.4

In urgent cases, the University is entitled, through the Director of Information Security or a person on his behalf, to immediately revoke or limit access to information resources even before the user has been given a hearing, provided that the user is given a hearing within reasonable time, and that the decision is then reviewed.

11.

Publication of the Policy and Receiving Consent of Users

The University will adopt the necessary measures in order to ensure that the policy and the instructions regarding the use of computing resources and information resources at the University are relayed in a clear, transparent manner to the workers.

APPENDIX 1: POLICY FOR USE OF ELECTRONIC MAILBOXES

AT THE HEBREW UNIVERSITY

1.

Preamble

1.1

The objective of this policy is to specify the manner of use of electronic mail at the University, the monitoring of mailboxes and the information resources connected to them, and the cases in which the University is authorized to view the existing content of the mailboxes.

1.2

E-mails sent through University computers are identified with the University; therefore any use that may be detrimental to the University and its image must be avoided.

2.

Definitions

2.1

Professional e-mailbox:  A mailbox for the use of an office holder or a worker of a particular unit, which does not bear the name of the person but rather that of the unit or the subject, and which is intended for work purposes only (“professional mailbox”).

2.2

Mixed e-mailbox:  A mailbox bearing the name of the worker, which is issued for the purpose of work and in respect of which reasonable personal-private use is permitted, in accordance with the terms of this policy (“mixed mailbox”).

3.

Use of a Mixed Mailbox and Instructions Regarding Such Use

3.1

Insofar as possible, the worker should separate content that is related to his personal use from any other content that is connected to the University and work purposes. This may be done by indicating the subject of the mail or creating a personal folder for saving private mails.

3.2

Upon termination of the worker’s employment, the worker will be sent a written notice whereby he must remove all personal information in the mixed mailbox within 60 working days. In the course of this period, the worker is responsible for removing all personal information from the e-mailbox and ensuring that this information is deleted from the  mixed mailbox and from all computing resources in which the worker was active. After this period, the University will act on the assumption that there is no personal information of the worker in the e-mailbox, the mixed mailbox will be closed for use, and all professional information in the mailbox will be handled at the discretion of the head of the unit. Without detracting from the above, where, in the course of transferring the material from the mixed mailbox to the relevant office holder or thereafter, information is identified as personal information connected to the worker who left the position, the information will be destroyed and no use will be made of it.

3.3

Notwithstanding the above, a member of the academic faculty who retires is permitted to continue using the mixed mailbox.

3.4

In the case of the death of an academic or administrative member of staff, if the worker did not inform the University (the Human Resources Division) otherwise in his lifetime, or leave a Will that stated otherwise, the University will inform, in writing, the spouse of the worker, and in the spouse’s absence, his children or other legal heir of the worker, that they are permitted to view the mailbox and to remove all personal information of the worker, and the provisions of section 5 above will apply to this process. The University may require that this process be carried out under the supervision of someone on its behalf.

4.

Use of the Mixed Mailbox and Instructions Regarding the Information it Contains

4.1

A worker who is required to use a professional mailbox will receive notice to that effect. It is absolutely prohibited to use a professional mailbox for any personal-private purpose, and no personal-private information relating to the worker may be kept therein.

4.2

The University may continue to make use of a professional e-mailbox after the worker has left the position and to transfer the professional mailbox, including its contents or any information resources connected to it, to another worker.

5.

Monitoring, Viewing and Penetrating Mailboxes

5.1

For the purposes of information security, including protection of information resources, protection of the privacy of users and protection of the users from information security and cyber threats, the University may conduct monitoring and surveillance activities of communication data, web traffic and of all activity of the systems connected to electronic mail of all mailboxes. This will be carried out subject to the provisions relating to monitoring in the information security policy and the privacy policy of the University and subject to all law.

5.2

Monitoring that is carried out for the above purposes may include monitoring of the contents of a mailbox, which is normally done by means of automatic information security devices that locate anything that is liable to damage information resources or the population of users of the information resources (e.g., malware, phishing).

5.3

In addition to the above, in relation to a professional e-mailbox the University is authorized also to view the content and professional correspondence contained therein, in a proportionate manner and for a reasonable and appropriate purpose, subject to the approval of the Office of the Legal Advisor and in consultation with the Director of information security at the University. Such viewing will be done after coordination with the Director General in relation to administrative workers, and with the Rector in relation to academic workers, in the presence of a representative of the Office of the Legal Advisor insofar as the Legal Advisor deems this necessary. The Director General or the Rector, as relevant, is also entitled to be present in the course of viewing the mailbox.

5.4

In addition to the above, the University is authorized, in exceptional cases only, to follow and/or view professional data content that is contained in a mixed mailbox, and the professional correspondence contained therein upon the fulfilment of all the following conditions:

5.4.1

The viewing is sought in circumstances in which there is a founded suspicion of serious damage to the University (such as a suspicion of criminal conduct of the worker, or of other seriously harmful conduct of the worker such as sexual harassment, embezzlement, fraud, dishonesty in exams);

5.4.2

No other means has been found to achieve the purpose of the viewing, which would be less harmful to the privacy of the worker;

5.4.3

Use will be made of the outcome of the viewing only for the purpose of realizing the objective for the sake of which the viewing was initially conducted;

5.4.4

The viewing has been approved in writing by the Legal Advisor and the Director of information Security at the University;

5.4.5

The viewing is approved by the Director General with respect to administrative workers and the Rector with respect to academic workers.

5.5

The viewing will be carried out in the presence of a representative of the Office of the Legal Advisor, insofar as the Legal Advisor deems this necessary. The Director General or the Rector, as relevant, is also entitled to be present in the course of the viewing of the mailbox.

5.6

Reasonable and accepted measures will be adopted to prevent viewing of personal data content, insofar as such has been saved by the worker on the mixed or professional e-mailbox. Viewing of such personal data will be possible only with the express, specific consent of the worker to any penetration action or according to the provisions of the law.

5.7

All the above stated, including the monitoring and/or viewing, will be carried out by devices that are accepted in the area of information security, ensuring compliance with the provisions of the law and the preservation of the privacy of users, all subject to the principles of reasonableness, appropriate purpose and proportionality.

5.8

To remove all doubt, it is hereby clarified that there is nothing preventing use of an external private e-mailbox owned by the user (such as Gmail) in the virtual space of the University. The University will not monitor or view content of the mailbox.

5.9

The University will adopt the necessary measures to ensure that the policy and the provisions with respect to use of the electronic mailboxes, including that which is permitted and that which is prohibited in the use of the computer and its applications in the virtual space of the workplace, will be published in a transparent, clear manner on the University website.

6.

Responsibility

Use for personal-private purposes of the above mailboxes is the exclusive responsibility of the worker, and the University will not be responsible in any form whatsoever for information or content that is connected to the personal use of workers that is saved in the above mailboxes.