information security policies & practices - iqac.iiitb.ac.in

IT- IS Security Policies & Procedures For International Institute of Information Technology Bangalore [Murugan] Jan 2019

Post on 05-Nov-2021

IT- IS Security Policies & Procedures

For

International Institute of Information Technology

Bangalore

[Murugan]

Jan 2019

Use or disclosure of data on this page is subject to IIITB's notice of use and disclosure restrictions: Murugan IIITB Confidential

1.1.2019 Page 2 of 88

Revision History

Date     | Change Description                 | Change authorised By  | Reviewed By
1.1.2017 | Review IT policy for the year 2017 | IT Committee Chairman | IT Committee members
1.1.2019 | Review IT policy for the year 2019 | IT Committee Chairman | IT Committee members

Table of Contents

1 Introduction
2 Scope
3 Structure
4 Organization Structure
5 Policies
6 License Management Policy
7 Backup & Recovery Policy
8 Password Policy
9 Internet & Intranet Security Policy
10 Antivirus Policy
11 Physical Security
12 Network Security
13 Network Acceptable Use Policy
14 IT Configuration and Patch Management Policy
15 IT & IS INFRASTRUCTURE

1 Introduction

International Institute of Information Technology Bangalore (IIITB) information assets and the technology resources that support the institution are critical to the functioning of the Institution. IIITB recognizes its information assets are at risk from potential threats in areas such as physical security, personnel security, operations security, communications security, network security and information security.

Such events could result in damage to or loss of information resources, corruption or loss of data integrity, interruption of the activities of the Institution, or compromise of the confidentiality/privacy of information pertinent to Staff & Students of IIITB.

These IT Security policies are carefully formulated to reduce risks to electronic information resources through implementation of controls designed to detect and prevent errors or irregularities that may occur. IIITB recognizes that absolute security of IT resources against all threats is an unrealistic proposition that would require the commitment of a prohibitively high level of resources. The Institution’s goals for risk reduction are based, therefore, on the following principles:

o The criticality of an IT Resource to the operation of the IIITB.

o The sensitivity of the data residing in or accessible through the IT Resources.

o The cost of preventive measures and controls designed to detect incidents.

o The amount of risk that management at the campus or the Office of the Director is willing to absorb.

Achieving a successful information security program requires management/executive

committee’s planning for preparedness, detection, response and recovery with respect to

protection of the information enterprise. Risk assessment and determination of appropriate

security measures must be a part of all systems design and operations undertaken in the

institution.

These Policies identify the set of measures that should comprise campus security programs.

Security programs should include identification of the IT & IS Manager who is responsible for

campus compliance with its security program. Security programs shall undergo periodic

evaluation of administrative, technical, and physical safeguards to ensure that they adequately

address operational or environmental changes.

The Policy describes the high-level direction for information security management within

IIITB and custodians of IIITB IT assets. It is based on three concepts: availability, integrity,

and confidentiality:

Confidentiality ensures that IIITB Information is not disclosed to anyone who is not

authorized to access it. In support of this is the idea of need-to-know, authorizing the

sharing of IIITB Information only among those who can demonstrate a legitimate need.

Integrity ensures that IIITB Information is correct or accurate to the degree anticipated

by those who use it. It also ensures that IIITB Information has not been changed and

has not been exposed to unauthorized modification, or disposal.

Availability ensures that IIITB Information is accessible when and where it is needed.

2 Scope

These Policies apply to all students & Staff and to all entities/affiliates of IIITB. These Policies do not apply to the Research network and other affiliate laboratories. Implementation of these Guidelines, including development of more specific standards or guidelines as needed, is the local responsibility of respective stakeholders and the Office of the Director. The Office of the Director, in its enterprise-wide role across IIITB, has overall responsibility for implementing the policy, including these Guidelines on IT Security.

The IIITB Information Security Policy & Practices will be reviewed and evaluated once in 6 or

9 months for updates. Updates may include the creation of new Practices, modifications to

existing Practices, and/or the deletion of line item details. Updates can be triggered by

several events including but not limited to:

New technology including applications, hardware, or software

Security deficiencies

Changes in legal, regulatory, or reporting requirements

Physical or environmental alterations

Request for deviation from a Service Provider

Periodic re-evaluation of current requirements

As IIITB is at the forefront of IT education & research in India, it is essential that all staff & students understand the value of IIITB’s Information and their individual and collective responsibility to protect it.

3 Structure

The Policy is supported by a set of common best Practices and guidelines. The office of the Director and other relevant stakeholders may also choose to add unique situation-driven practices and associated mechanisms that reflect IT security control requirements necessary to support the smooth functioning of the institute. The document is structured as below.

The Policies have the following headings:

Purpose: The purpose of the policy is brought to the fore for the audience; this essentially states the management’s intention in enforcing the policy.

Scope: The scope of the policy is to essentially outline the general applicability of the policy to the respective stakeholders; the scope further gives a broad idea as to the applicability of the policy to the target audience.

Policy Statement: This is a single line statement explaining the crux of the overall policy, primarily intended for the top management.

Policy: This section describes the policy itself in its entirety.

Responsibility: This section outlines the responsibilities of the individual stakeholders in great detail.

Enforcement: This section brings out the ways and means by which the management intends

to enforce the policy which it has formulated.

Procedures: The procedures are a set of guidelines or best practices that must be followed to

effectively enforce the policy.

4 Organization Structure

Purpose

To explain the organization structure of IIITB

To define the roles and responsibilities for various functions within IIITB

To explain the process of organizational change management within IIITB

Scope

Applicable to all areas of IIITB functions.

Policy

Organizational structure within IIITB will be defined with the roles and responsibilities

identified.

Definitions of roles and responsibilities will be changed according to the organizational

change management policy.

Definitions of roles and responsibilities will have clear segregation of duties.

Organizational Chart

The security organizational structure is as shown below:

[Organizational chart; box labels: Director; Chairman (Computing) with 2 faculty members; Sr. IT & IS Manager; Inventory Officer (IT / Librarian / Accounts); System Admin for Datacenter; Network Admin for Campus; IT Staff / IT Personnel; Helpdesk]

Responsibility

The various roles and responsibilities for IIITB personnel are defined as follows:

Office of the Director

Primary Responsibility

Act as the custodian of IT security at IIITB.

Functional Responsibilities

Be the last word in any decision pertaining to the IT security of the Institute.

Uphold the dictum of IT security ethics outlined in the policy.

Call for IT security reviews every month with ISO, Chairman computing.

Chairman Computing

Primary Responsibility

Act as the secondary in charge for the Director.

Functional Responsibility

Be part of any decision pertaining to the IT security of the Institute.

Drive the user awareness sessions along with the ISO.

IT & IS MANAGER (Information IT, IS and Security Manager)

Primary Responsibilities

Act as Information IT, IS and Security Manager for the organization.

Functional Responsibilities

Be the Institute’s single point contact on information security.

Promote information Technology and security awareness for all the Staff & Students in the

institute.

Develop, implement, revise and document location-wide (and subsequently institute wide)

security policies.

Periodically review the status of the information Technology infrastructure and security

policy implementation in IIITB and report the status to the office of the director

Be part of the decision-making team when the organization is involved in designing,

planning, procuring or upgrading technologies.

Conduct formal / informal training on relevant topics on security like firewall

implementation, VPN configuration within the IT staff.

Act as the single point of contact for all issues involving information security including, but

not limited to, questions, alerts, viruses and breaches.

System admin for Datacenter: (Servers, Application, database & Security Administrator) (Outsource Support staff along with in-house Sr. IT & IS Manager)

Test and install available patches for fixes for known security bugs in vendor software.

Primary Responsibilities

Plan, implement, monitor, administer and upgrade security controls for IIITB’s computing

infrastructure and environment (Computers and VM’s in datacenter).

Help develop internal security standards for IIITB in consultation with IT & IS Manager.

Functional Responsibilities

Test, install, and maintain security infrastructure equipment.

Help define, document, and maintain IIITB security policy.

Monitor, audit, test the systems and networks for possible security threats and

vulnerabilities.

Review security log files on a daily basis, investigate and report anomalies and breaches.

Keep abreast of technology changes and continuously evaluate possible threats resulting from technology changes to the organization’s existing computing and network infrastructure.

Investigate, coordinate, report, and follow-up on computer network security incidents.

Disseminate IIITB security policy and procedures to the appropriate entities on a need to

know basis.

System Administrator: Regular responsibilities of system administration.

PC and laptop users maintenance.

Users of LAN and WAN servers administration.

Critical spare maintenance for all PCs and laptops.

Functional Responsibilities

Perform regular security audits and take corrective action as required. These audits may

cover attempts to crack user passwords; maintenance of system logs of network activity in

order to watch for attacks on network/system security; deletion or alteration of system-

related files in user accounts; deletion of files or processes that are jeopardizing the

security of a user account or of the system as a whole or which have resulted in

degradation of system performance.

Perform periodic backups of user and operating system files. The frequency of these

backups will vary from system to system. Periodically reorganize file systems while

ensuring that proper file security is maintained.

Inspect, edit or delete private information (whether in the form of user accounts, files, processes, etc.) as required, and deal with incidents of suspected inappropriate use.

Apply patches and upgrades to operating systems and utilities as available.

Inform the users of the system about planned outage/unavailability of the system so that they can plan their work accordingly.

Monitor console messages during shifts and ensure data protection, diagnose and recover system failures. Maintain production/uptime/hardware fault logs.

Ensure data security by taking regular/off site/Monthly backups, in accordance with specified schedule/contingency plans as decided from time to time.

Troubleshoot any hardware-related problems on PCs and also inform IT department about the status of the call.

Fault isolation, installation and diagnosis of Server/PC hardware.

Co-ordinate with Vendors for corrective maintenance of all hardware peripherals as and when required.

Ensure the maximum uptime of links, Internet and maintain the logs of uptime/downtime of this hardware.

Allocation/tracking of laptops and maintain the necessary logs.

Network Administrator (LAN/WAN) (Outsourced staff, monitored by Sr. IT & IS MANAGER)

Primary Responsibilities

Install, maintain, administer, support and upgrade the networks (LAN/WAN) in IIITB.

Support and administration of IIITB computing and LAN networking.

Functional Responsibilities

Configure workstations and servers on Microsoft Windows / Linux platforms for the

networks.

Install network monitoring/administration tools and troubleshoot the problems with the

networks.

Ensure uptime of networks and support the links for all the building blocks of campus.

Support helpdesk personnel for server and network related issues.

Perform off-line server activities such as backups.

Configure LAN and WAN switches, Access Points, hubs, and routers.

Install and ensure security controls such as firewalls and proxy servers are functioning

properly.

Evaluate network-monitoring tools and recommend relevant tools that will enhance the

network and provide defined security.

Report any breach of security on the servers that are assigned for monitoring.

Inventory officer (Accounts and Purchase department / IT & IS Manager)

Primary Responsibilities

Ensure that appropriate information is available and organized to meet users’ needs.

Media management.

Functional Responsibilities

Analyze user needs using existing industry publications and sources to determine which

information is appropriate, searching for, acquiring and providing relevant information.

Educate users on information retrieval techniques that will ensure that information is located in the shortest possible time.

Manage acquisitions of computer software, and information services, and prepare material

to communicate this on a timely basis to users.

Negotiate contracts with respect to coverage and pricing for services, materials, and

software to be purchased for users.

Compile multimedia material on specific subjects that are of value to the organization.

Manage the media procurement and distribution to users.

Maintain and track inventory of items under library management and report status at least

once a year to the office of the director.

IT Department Personnel (IT support /Helpdesk outsource work force)

Primary Responsibilities

Perform IT department’s activities as outlined in the contract for the activities.

Functional Responsibilities

Receive, assign and record support calls from users. Ensure that the problems are resolved

within the stipulated time period.

Reassign/escalate the calls based on the nature and status of the calls.

Execute helpdesk activities and collect feedback through various mechanisms especially

for day-to-day desktop support calls

Provide suggestions on improving service levels based on the day-to-day experience and

the feedback and data.

Take initiative in implementing directives resulting out of change in processes related to

desktop management and other support activities in a timely manner.

Implement and support the solutions based on the problem reported and follow change

management processes as defined in change management.

Plan and caution the users well in advance about problems anticipated and changes that

are planned before they are affected.

5 Policies

IT Infrastructure Usage Policy

Please read the following IIIT Bangalore (IIITB) Information Technology (IT) Infrastructure

usage policy carefully.

Whom this Document Concerns

All Users of IT infrastructure (Computers, Network and other Electronic Devices) at IIIT

Bangalore.

Reason for Policy

This policy presents the responsible use of the Information Technology Infrastructure at IIIT

Bangalore. Users of IIITB’s IT-Infrastructure will be subject to the following acceptable use

policy.

Statement of Policy

1. Students, staff, and Faculty with authorized accounts may use the computing and IT facilities for academic purposes, official Institute work, and for personal purposes so long as such use

o Does not violate any law, Institute policy or IT act of the Government of India.

o Does not interfere with the performance of Institute duties or work of an academic nature.

o Does not result in commercial gain or private profit other than that allowed by the Institute (as judged by IIITB Director or committee constituted by Director).

2. Users are expected to respect the privacy of other users and they shall not allow any

other person to use their password or share their account. It is the users' responsibility

to protect their account from unauthorized use by changing passwords periodically.

Sharing of passwords for any purpose whatsoever is strictly prohibited.

3. Any user’s attempt to circumvent system security, guess others’ passwords, or in any

way gain unauthorized access to local or network resources is forbidden. Users may

not use another person's computing account, attempt to forge an account identity, or

use a false account or e-mail address.

4. Transferring copyrighted materials to or from the IIITB systems without express

consent of the owner is a violation of law. In addition, use of the internet for

commercial gain or profit is not allowed. If done so, it will be at the sole responsibility

of the user.

5. The downloading and installing of new software has to be done with the explicit

consent of the respective faculty in-charge. Installation of unlicensed software on IIITB

facilities, or on individual machines connected to the IIITB network, is strictly

prohibited.

6. The assigned IIITB e-mail address constitutes the users’ official email id. To the extent

possible, users are expected to use only their official email addresses for official

communications with other members of the Institute and external official

communication.

7. Spamming or spreading any malware is strictly disallowed.

8. All communication carried out using personal email ids is entirely the individual’s

responsibility.

9. Subscribing to mailing lists and forums outside the Institute is an individual’s responsibility.

10. It is forbidden to send frivolous or academically unimportant messages to any group.

Broadcast of messages to everyone in the system is allowed only for academic

purposes and emergencies.

11. Shared email accounts for any purpose whatsoever are not allowed. Any special accounts, if they need to be set up for conferences and other valid reasons as determined by the institute authorities, must have a single designated user.

12. Recreational downloads and peer to peer connections for recreational purposes are

banned.

13. To the extent possible, users are expected to connect only to the official IIITB WiFi

network for wireless access. Setting up of unsecured WiFi systems on the IIITB network

is prohibited in accordance with a Government of India ban.

14. Users are expected to take proper care of equipment, and are expected to report any

malfunction to the staff on duty or to the in-charge of the facility.

15. NO FOOD OR DRINK is permitted in the laboratories and class rooms. Also making

noise either through games/ music or even talking and/ or singing loudly is prohibited.

16. Playing of Video Games in Institute laboratories or using Institute facilities for video games is strictly prohibited. Display of offensive material (either on computer screens or through posters etc.) is strictly disallowed and serious action will be taken against offenders. Usage of non-academic audio/video streaming services is prohibited. One should not offend anyone by sending electronic messages with respect to religion, caste, colour and law.

17. Any violations of policy will be treated as academic misconduct, misdemeanor, or

indiscipline as appropriate. Depending upon the nature of the violation, the institute

authorities may take an action by issuing a warning through disabling the account. In

extreme cases, the account may be completely deleted and/ or the user prohibited

access to IT facilities at IIITB and/ or sent to the Institute disciplinary action committee

as constituted by the Institute authorities.

18. A student spends a whole day attending theory, tutorial and lab classes, followed by studies till late evening. It is well known that a person needs at least 6 hours of sound sleep at night to catch up with the next day’s intellectual activity fruitfully. Hence, Internet in hostels will be stopped from midnight to 6 AM. However, one week before the exams, it will be relaxed by a few hours till the end of the exams. Moreover, anyone who wants to read for some urgent requirement can come to the academic building and use the Internet.

19. For the safety of the students and to support their requirements, the labs will remain

open as long as a lab assistant / teaching assistant / research scholars / lab in-charge

is present in the lab.

20. The policy may change as and when it is considered required and new policies or the

changes in policy will take effect immediately after a brief announcement by any

means, e-mail, printed notices, or through the news groups.

21. Incubation: We are applying the same usage policy as for students to the staff of all incubation/acceleration companies.

Computing and Networking policy for the Year 2016-2017

1. IT Policy

The current IT policy is being reviewed and updates to this will be proposed. Target for Rollout: end July 2017. All students will be expected to sign this at the start of the new academic year. The policy will also be applicable for faculty and staff.

Some of the plans below make assumptions about the directions in the to-be-proposed Policy. Specifically:

1. All devices (laptops/desktops/tablets/mobiles) connecting to the Institute network will

need to be registered with IT services. No open access points will be provided except

for experimental/evaluation purposes. The process for such special access points will

be worked out.

2. Antivirus (McAfee) software to be mandatory on all laptops/desktops connected to the Institute network.

3. Blocking of illegal/blacklisted/inappropriate sites will continue as before.

4. Overall internet usage patterns will be tracked on a per-user level, to the extent required by law. In addition, total bandwidth usage per user will be tracked and heavy users will be notified. Based on usage patterns, we will evaluate the need for special charges where usage exceeds an agreed-to threshold and is not specifically approved for a project.

2. Internet bandwidth

The current bandwidth of 40 Mbps (20 each from Vodafone and Tata Teleservices) has proved to be inadequate for backup internet facilities, based on analysis of usage patterns compared to the 1 Gbps from the BSNL NKN network. While there is potential capacity of 1 Gbps, that internet bandwidth is used for the entire campus. The current plan is to look at increasing the leased bandwidth (from one or both existing suppliers), with the goal of at least doubling the total bandwidth with minimal impact on the connectivity. In parallel, optimization of internal networks and switches (as part of the plan to set up the new hostel) should help in better utilization of available bandwidth.

Approved: To upgrade the Tata Teleservices connection to 100 Mbps. This will be operational end of June 2017. The current contracts will be terminated at the end of June, for which the one month notice needs to be provided by end of May.

In parallel, efforts will be made to improve the usability of the NKN connection, which will also serve as the primary in case of major failure, with the backup Tata Teleservices link used for load balancing. The combination of these should help improve internet experience on campus.

Usage:

The available bandwidth will be shared between the academic and hostel segments, with the

ratio adjusted by time-of-day. This will be fine-tuned based on actual usage patterns. Each

download and upload file size is limited to 60 MBPS.

Tentative assignment:

Daytime (8am to 7pm): Academic: 40 Mbps, Hostels: 60 Mbps

Nighttime (7pm to 8am): Academic: 20 Mbps, Hostels: 80 Mbps

Between the hostels, the bandwidth will be allocated between the different blocks based on occupancy. The NKN connection will be dedicated as a backup link and also load balanced for specific labs/projects and other requirements in the Academic block.

3. Tracking Internet usage

Total bandwidth usage per user will be tracked, and reviewed on a weekly/monthly basis.

The top 510 users (or those exceeding a defined threshold) will be notified. A mechanism for

identifying and approving legitimate “heavy usage” will be worked out.

4. Connecting Devices and BYOD

All devices connecting to the IIITB network will need to be registered with IT Services, and

will be assigned IP addresses. This includes desktops, laptops, tablets, mobile phones and

any other devices requiring network access, wired or wireless. This will ensure better

management of the health of the network, as also enable compliance with provisions of the

IT Act. This process will be rolled out in a phased manner in June, starting with the MTech

students (summer term), as well as other students who are on campus, faculty and admin

machines. Mobile phones and tablets will also be covered under this. By end June 2018,

there will be no open access on campus.

For this registration, students will need to bring their laptops/devices to the Data Center, where their MAC addresses will be recorded and IP addresses assigned. A calendar for this support will be published soon. This is planned to be completed by July 31st, 2018.

A special process for guest and short-term access will be worked out, though this will

essentially go through the same process.

5. Antivirus protection

It has been observed that a number of devices connected to the network are infected with viruses and impact the overall network traffic and quality. Since the network and internet bandwidth are shared resources, it is important that we minimize the impact of such viruses. Hence, all machines (initially desktops and laptops) connected to the Institute network will need to have antivirus protection. Specifically, the McAfee Antivirus licensed by the Institute will need to be installed on all connected machines. For dual boot machines, the antivirus will need to be enabled on both operating system partitions. This will be tracked and enforced by the IT group, and machines violating this will be taken off the network until they are made compliant. This rollout will be along with the device registration described earlier, over the months of June and July, 2017.

6. Print facility

We have a new printer, available for faculty, staff and students. A separate printer (the existing machine) will be retained for certain confidential and administrative printing. Some Faculty have their own printers for their project and research purposes, which they will continue to use.

7. Budget and Expense Tracking

The IT budget for the year 2016-17 is in place. As per the new Finance process, we will

present and get approval for the projected expenses for each month, and track expenses

against that.

To enable this, we have started tracking the Plan/Forecast/Actual expenses on a monthly basis,

for the entire financial year.

At the end of each month, we will present the projected expense for the next month, as well

as a summary of the actual expenses year-to-date, and the forecast for the rest of the year

(all compared to the plan).


Computing and Networking for the Year 2017-2018

1. IT Policy

The current IT policy is being reviewed and updates to this will be proposed. Target for

rollout: before July 10th, 2018. All students will be expected to sign this at the start of the

new academic year. The policy will also be applicable for faculty and staff.

Some of the plans below make assumptions about the directions in the to-be-proposed policy.

Specifically:

1. All devices (laptops/desktops/tablets/mobiles) connecting to the Institute network

will need to be registered with IT services. No open access points will be provided

except for experimental/evaluation purposes. The process for such special access

points will be worked out.

2. Antivirus (McAfee) software to be mandatory on all laptops/desktops connected to

the institute network.

3. Blocking of illegal/blacklisted/inappropriate sites will continue as before.

4. Overall internet usage patterns will be tracked on a per user level, to the extent

required by law. In addition, total bandwidth usage per user will be tracked and heavy

users will be notified. Based on usage patterns, we will evaluate the need for special

charges where usage exceeds an agreed-to threshold and is not specifically approved

for a project.

2. Internet bandwidth

The current bandwidth of 100 Mbps (100 MBPS fibre 1:1 Premium from Tata Teleservices)

has proved to be inadequate for backup internet facilities, based on analysis of usage

patterns compared to the 1 Gbps from the BSNL NKN network. While there is potential capacity of 1

Gbps internet bandwidth is used for entire campus.

The current plan is to look at increasing the leased bandwidth (from existing Vendor TATA),

with the goal of at least doubling the total bandwidth with minimal impact on the budget. In

parallel, optimization of internal networks and switches (as part of the plan to set up the new

hostel) should help in better utilization of available bandwidth.

IT Committee Approved for: 512 Mbps

Upgradation of the internet Bandwidth from Tata Teleservices connection ISP from 100

Mbps to 512 Mbps with 64 valid IP’s. This will be operational by end of December 2018. The

current contracts will be terminated at the end of November 2018, for which the one month

notice needs to be provided by end Oct 2018.


The 1 Gbps BSNL NKN connection will serve as the primary link; in case of failure of

this connectivity, the secondary Tata Teleservices link will be used.

The combination of these should help improve internet experience on campus.

Usage:

The available bandwidth will be shared between the academic and hostel segments, with the

ratio adjusted by time-of-day. This will be fine-tuned based on actual usage patterns.

Tentative assignment: from June, 2018

Daytime (8am to 7pm): Academic: 55 Mbps, Hostels: 100 Mbps

Nighttime (7pm to 8am): Academic: 20 Mbps, Hostels: 135 Mbps

Between the hostels, the bandwidth will be allocated between the different blocks based on

occupancy. The NKN connection will be dedicated to specific labs/projects and other

requirements in the Academic block.

Other proposed plan: to work with NKN to improve the bandwidth and stability of the

connectivity on a day-to-day basis.

3. Tracking Internet usage

Total bandwidth usage per user will be tracked, and reviewed on a weekly/monthly basis.

The top 10 users (or those exceeding a defined threshold) will be notified. A mechanism for

identifying and approving legitimate “heavy usage” will be worked out.

4. Connecting Devices and BYOD/IOT

All devices connecting to the IIITB network will need to be registered with IT Services, and

will be assigned IP addresses, with two devices for each student. This includes desktops,

laptops, tablets, mobile phones and any other devices requiring network access, wired or

wireless. This will ensure better management of the health of the network, and also enable

compliance with provisions of the IT Act. This process was rolled out last year, in June 2017, in a

phased manner and has been stable from January 2018 onwards after implementation in Aruba

ClearPass and AirWave Wi-Fi management software. For any modification or new registration,

students will need to bring their laptops/devices to the Data Center, where their MAC

addresses will be recorded and IP address assigned.

A calendar for upgradation and reconfiguration of WIRED AND WI-FI LAN and also WAN

network.

Currently we have multiple models of Wi-Fi access points and controllers, so we have

problems in managing and monitoring the Wi-Fi network. The committee has therefore decided to

go for a single vendor OEM for the entire Wi-Fi network.


The committee recommended going for HP ARUBA Wi-Fi network solutions since we have had

wired and Wi-Fi networks from HP for the last three years. The IT committee will decide

based on the proposal from HP with respect to our IT budget.

The planned dates are:

May 15, 2018 : 155 MBPS internet from TATA implementation

Jun 1, 2017 : Aruba Wi-Fi and Wired LAN implementation in entire campus

Jun 8, 2017 : Pingdom or Uptrend monitoring system implementation.

Jun 10, 2017 : Register Faculty, Staff, Research Scholars MAC based authentication access in ClearPass

Jun 15, 2017 : New MTechs MAC address registration

Jul 31, 2017: All iMTechs/M.Sc (Digital Society)/other new programs

A special process for guest and short-term access will be worked out, though this will

essentially go through the same process.

5. Antivirus protection

It has been observed that a number of devices connected to the network are infected with

viruses and impact the overall network traffic and quality. Since the network and internet

bandwidth are shared resources, it is important that we minimize the impact of such viruses.

Hence, all machines (initially desktops and laptops) connected to the Institute network will

need to have antivirus protection. Specifically, the McAfee Antivirus licensed by the Institute

will need to be installed on all connected machines. For dual boot machines, the antivirus will

need to be enabled on both partitions. This will be tracked and enforced by the IT group,

and machines violating this will be taken off the network until they are made compliant. This

rollout will take place along with the device registration described earlier, during admission to the

IIITB programs in the month of July, 2017.

6. Print facility

We have a network printing facility available for faculty and staff on the Ground floor and First

floor. A separate printer service from an outsourced vendor is available on a request basis, and

we have also provided one new printer for certain confidential and

administrative printing. Some of the faculty have their own printers from projects for the

purpose of research, and they continue to use those.


7. Budget and Expense Tracking

The IT budget for the year 2017-18, of 125 lakhs, is in place. As per the new Finance process,

we will present and get approval for the projected expenses for each month, and track

expenses against that.

To enable this, we have started tracking the Plan/Forecast/Actual expenses on a monthly basis,

for the entire financial year.

At the end of each month, we will present the projected expense for the next month, as well

as a summary of the actual expenses year-to-date, and the forecast for the rest of the year

(all compared to the plan).

Computing and Networking for the Year 2018/2019/2020

Update 28 March, 2019

1. IT Policy

The current IT policy is being reviewed and updated. Target for

rollout: before July 10th, 2019. All students will be expected to sign this at the start of the

new academic year. The policy will also be applicable for faculty and staff.

Specifically:

1. All devices (laptops/desktops/tablets/mobiles) connecting to the Institute network

will need to be registered with IT services. No open access points will be provided

except for experimental/evaluation purposes. The process for such special access

points will be worked out on the basis of the Faculty request for labs or events.

2. Antivirus (McAfee) software to be mandatory on all laptops/desktops connected to

the Institute Network.

3. Blocking of illegal/blacklisted/inappropriate sites will continue as before.

4. Overall internet usage patterns will be tracked on a per user level, to the extent

required by law. In addition, total bandwidth usage per user will be tracked and heavy

users will be notified. Based on usage patterns, we will evaluate the need for special

charges where usage exceeds an agreed-to threshold and is not specifically approved

for a project.

2. Internet bandwidth 1 Gbps BSNL NKN and 512 Mbps from Net4India

The current bandwidth has been upgraded from 100 Mbps to 512 Mbps (fibre 1:1 Premium from

NET4INDIA ISP), alongside 1 Gbps from the BSNL NKN network. In parallel, optimization of internal

network routers, switches and Aruba Wi-Fi APs should help in better utilization of available

bandwidth.

Approved for upgradation cost:

Upgradation of the internet bandwidth from ISP NET4INDIA IP’s, which costs Rs. 15 lakhs

plus tax per year.

The combination of these should help improve internet experience on campus.


Usage:

The available bandwidth will be shared between the academic and hostel segments, with the

ratio adjusted by time-of-day. This will be fine-tuned based on actual usage patterns.

Tentative assignment: from June, 2018-19

Daytime (8am to 7pm): Academic: 100 Mbps, Hostels: 100 Mbps

Nighttime (7pm to 8am): Academic: 100 Mbps, Hostels: 300 Mbps

Between the hostels, the bandwidth will be allocated between the different blocks based on

occupancy. The NKN connection will be dedicated to specific labs/projects and other

requirements in the Academic block.

3. Tracking Internet usage

Total bandwidth usage per user will be tracked, and reviewed on a weekly/monthly basis.

The top 10 users (or those exceeding a defined threshold) will be notified. A mechanism for

identifying and approving legitimate “heavy usage” will be worked out.

A special process for guest and short-term access will be worked out, though this will

essentially go through the same process.

5. Antivirus protection

It has been observed that a number of devices connected to the network are infected with

viruses and impact the overall network traffic and quality. Since the network and internet

bandwidth are shared resources, it is important that we minimize the impact of such viruses.

Hence, all machines (initially desktops and laptops) connected to the Institute network will

need to have antivirus protection. Specifically, the McAfee Antivirus licensed by the Institute

will need to be installed on all connected machines. For dual boot machines, the antivirus will

need to be enabled on both partitions of the operating systems. This will be tracked and

enforced by the IT group, and machines violating this will be taken off the network until they

are made compliant. This rollout will take place along with the device registration described earlier,

during admission to the IIITB programs in the month of July, 2019.

6. Print facility

We have a network printing facility available for faculty and staff on the Ground floor and First

floor. A separate printer service from an outsourced vendor is available on a request basis, and

we have also provided one new printer for certain confidential and

administrative printing. Some of the faculty have their own printers from projects for the

purpose of research, and they continue to use those.


7. Budget and Expense Tracking

The IT budget for the year 2019-20, of 133.70 lakhs, is in place. As per the new Finance

process, we will present and get approval for the projected expenses for each month, and

track expenses against that.

To enable this, we have started tracking the Plan/Forecast/Actual expenses on a monthly basis,

for the entire financial year.

At the end of each month, we will present the projected expense for the next month, as well

as a summary of the actual expenses year-to-date, and the forecast for the rest of the year

(all compared to the plan).

IT BUDGET FOR 3 years from 2018 to Year 2019-20 and Projection budget for next 5 years

IT AND IS Expense Details in Lakhs

                               Actuals   Budget    Budget Projection
Particulars                    2018-19   2019-20   2020-21   2021-22   2022-23   2023-24   2024-25

Computing and Internet
Spare Parts and consumables    8.21      6.5       7.3       7.65      7.9       8.9       9.9
Software                       24.00     24        25.45     25.45     27.2      29.5      29.5
IT Services                    58.50     61        77.35     83.35     83.35     90.2      95.2
Internet Charges               17.76     20        27        31        31        35        37
Data Card                      0.28      0.5       0.5       0.5       0.5       0.5       0.5
AMC Computer                   14.00     14.7      15.7      21.2      21.2      21.2      26.2
Sub Total                      122.75    126.7     153.3     169.15    171.15    185.3     198.3

Operational Expense
Telephone
Land line                      1.98      3         2.5       3         3         3         3
Mobile                         1.23      3         2.5       3         3         3.5       3.5
AMC EPABX                      0.39      1         4         1         1         1         1
Sub Total                      3.60      7         9         7         7         7.5       7.5

Total                          126.35    133.7     162.3     176.15    178.15    192.8     205.8


6 License Management Policy

Purpose

To comply with applicable software licensing regulations.

To monitor usage of software licenses.

Scope

This process applies to procured software, evaluation software, software on loan from

Industry partners and freeware.

Policy Statement

The policy explicitly states that IIITB shall use only licensed and approved software and follow

policies and procedures outlined below.

Policy

Software in IIITB will be duly licensed for use as per legal compliances and regulatory

directives. IIITB's office of Director & the IT department will be solely responsible for

acquiring and managing licenses in IIITB.

Evaluation software will be used as per the terms and conditions of the software.

Software on loan from Industry Partners shall be used as per the terms and conditions

specified.

Freeware shall be permitted for use provided it is authorized by the IT department.

Students & Staff will be held responsible for any unlicensed software found on their

machines. Any of the users using unauthorized software may be liable for disciplinary,

corrective, or penal action.


Evaluation Software

Evaluation software is acquired to assess the functionality and relevance of such software to

either a specific task/project or the institution as a whole. Such software may be acquired on

physical media, or downloaded from the Internet.

Cadence

DOCKER

KALI

XILINX

GAUSSIAN

Uptrends

OS tickets

ZenOs

Responsibility

The responsibility of license management rests with the ISO, system/network administrators.

Maintaining the sanctity of license is the responsibility of end users including faculty, staff &

students.

Enforcement

The enforcement of this policy depends on how the software master lists are maintained and

updated. The process flow outlined with regard to the software request form has to be strictly

adhered to.

Any Student/Staff found to have violated this policy may be subject to disciplinary action.

Procedures


The different steps involved in managing such software are as follows:

Physical Media

The process involves the following steps:

The IT staff shall receive and pass on the media to the designated inventory personnel, who

will update the Software Master List, Media Management System database and automated

licensing tool with the necessary details such as name of software, number of licenses,

date of receipt, duration of validity etc.

A sample Software Master List is available in the Annexure.

The designated inventory personnel shall inform the concerned department head/Professor

about the receipt of the software.

The department head/Professor will request the helpdesk/IT team to install the software

via the ‘Software Installation Request’ form.

IT team will check for viruses and will install the software on the specified machine(s) as

per the steps outlined in the Chapter on Desktop Management under the section “IT

Support”.

Once the installation is done, the media will be returned to the designated inventory

personnel, who will update the Software Master List likewise.

When the evaluation period of the software is due for expiry, the designated inventory

personnel shall inform the concerned department head/Professor, who in turn will inform

the Helpdesk/IT team about the same.

The Helpdesk/IT team will uninstall the software unless the concerned department

head/Professor obtains formal extension for the evaluation period. The designated

inventory personnel will update the Software Master List to reflect the same.

Even in cases where IIITB Staff & students bring in the media, all the above-mentioned

steps will apply as well.

Downloads

To obtain evaluation software through download the process involves the following steps:

The requestor shall fill in the ‘Software Download Request’ form and will obtain approval

from the corresponding department head, and the request in turn will be submitted to

the Helpdesk/IT department. All such ‘Software Download Request’ forms will be kept with

Helpdesk/IT department. The Helpdesk/IT department in case of a repeat request for the

same software will refer to these forms.


Helpdesk/IT department will then download the specified software as per the ‘Software

Download Request’ form, which is available with Helpdesk/IT department.

The Helpdesk/IT department will inform the designated inventory personnel who will

update the Software Master List and automated licensing tool to reflect the same.

Procured Software

Procured software is software that is purchased by the institution for its use. This is categorized

into two, namely:

1. Standard software

2. Project specific software

Standard software

Standard software is the specific software that IIITB provides to all Staff & Students for the

day-to-day work. A list of standard software is to be maintained by the IT department.

The different steps involved in the license management of such software are as follows:

Software licenses may or may not be accompanied by media. If the software is

accompanied with media, Admin will receive and pass on the software to the Inventory

Officer. Subsequently the Inventory Officer will update the Software master list. The IT

department will check the media for viruses.

The Inventory Officer shall also update the Software Master List with the necessary details

such as name of software, number of licenses, date of receipt, etc.

When software has to be installed on a machine, department Head will direct the IT

department for installation of the software on the specified machine(s).

Once the installation is done, the media will be returned to the Inventory officer, who will

update the Software Master List.


1. Microsoft Campus License

Sr. No.  Description                                                   FTE Count

1        Microsoft Campus - OVS Education Solution Desktop Edu ALNG    40
         Lic/SAPk OLV E 1Y (Consist of Windows 10 Updg, MS Office
         Prof 2013, Windows CAL, Exchange CAL, SCCM CAL, Sharepoint
         CAL, Lync std CAL, Forefront EPP)
2        WinSvrStd ALNG LicSAPk OLV E 1Y Acdmc AP 2Proc                1
3        SQLCAL ALNG LicSAPk OLV E 1Y Acdmc Ent DvcCAL                 40
4        SQLSvrStd ALNG LicSAPk OLV E 1Y Acdmc AP                      1
5        Visual Studio ProwMSDN ALNG LicSAPk OLV E 1Y Acdmc AP         5

Standard Software

7        McAfee Antivirus for Campus (1001 Users)                      1001
8        MOODLE (COURSE MANAGEMENT SOFTWARE)                           1
9        HP Data Protector and Synology Backup software                1

2. Project and Tools Specific Software:

1. Cadence Software 10 users license

2. Matlab Software 10 users License

3. Library software Libsys

4. VMWARE

5. IEEE


6. ARUBA CLEARPASS AND AIRWAVE

7. TALLY ERP 9

8. SSL certificate for Website and Domain registration

9. Academia ERP

10. Relyon

11. Koha opensource

7 Backup & Recovery Policy

Purpose

This policy defines a set of guidelines related to the backup and recovery of

IIITB’s information and computing resources.

Scope

This policy applies to the Network and Systems Administrators in charge of IIITB Information

and computing resources

All other IIITB Staff, Students, innovation center, contractors, consultants, temporaries and

other workers at IIITB including all personnel affiliated with third parties

All IIITB Information and computing resources include, but are not limited to, academic data,

related application systems and operating systems software, Desktop computers, Server and

core database storage, network devices, security devices, mobile computing devices, etc.

Policy

Backup and Recovery

Back-up copies of essential academic data and software shall be taken regularly by System

administrator and shall reflect the needs of the academic/research and also any legal and

regulatory requirements. In the System administrator's absence, another person designated by the datacenter

administrator shall take backup.


Adequate back-up facilities shall be provided to ensure that all essential

academic/research data and software could be recovered following a computer disaster

or media failure.

A formal documented backup plan and schedule shall be authorized by the IT and IS

Manager and shall be implemented and followed by the System administrator.

The criticality, backup and frequency of backup of the information with respect to the

applications managed by the IIITB network shall follow the Backup plan. A monthly review

of the Backup plan shall also be conducted.

The IT and IS Manager shall formally intimate the System administrator about any new

applications and its data to be backed up. Similarly, the System administrator shall be

informed about discontinuing the backup of the applications systems no longer in use at

IIITB.

Desktop, laptop and hand held computers are not backed up by the system administrator.

IIITB Staff and students who use laptops or hand held computers shall ensure that these

are regularly backed up using external media such as floppy disks, CDs.

System Administrator shall be responsible for full back up, archiving and restoration of all

servers as nominated and listed as Core systems by the IT & IS Manager. The network

provided Home directories shall be backed up each night for "differential changes" and a

full system back up once per week. This shall include at a minimum:

a) Servers

b) Databases

System/Network administrator shall be responsible for full backup, archiving, and

restoration of all the router configuration files and firewall rule bases.

Backup Controls

At least three generations of back-up data shall be retained for important applications.

System administrator shall establish and formally document an appropriate schedule of

full and incremental backups.

A minimum level of back-up information, together with accurate and complete records of

the back-up copies, shall be stored in a remote location, at a sufficient distance to escape

any damage from a disaster at the main site.

Back-up data shall be given a level of physical and environmental protection, consistent

with the standards applied at the main site. The controls applied to media at the main site

shall be extended to cover the back-up site.

Backup data shall be regularly checked, to ensure that they could be relied upon in an

emergency.

Data shall be retained for the period necessary to satisfy both business and legislative

requirements. Data owners shall identify the retention period for essential academic data,

and shall establish any requirement for archive copies to be retained.


Backup Media and Security

The storage media used for the archiving of information must be appropriate to its

expected longevity.

The format in which the data is stored must be carefully considered, especially where

proprietary formats are involved.

It shall be ensured by System administrator that the media is regularly examined as per

the media vendor recommendations. The backup media shall also be replaced as per the

vendor recommendation on number of rewrites.

The backup media shall be appropriately labelled and numbered.

Backup media shall be controlled and physically protected. Appropriate operating

procedures shall be established to protect tapes, disks, data cassettes, input/output data

and system documentation from damage, theft, unauthorized access and virus attacks as

appropriate.

There shall be clearly documented procedures for the management of removable

computer media, such as tapes, disks, cassettes and printed reports.

Media containing unclassified but sensitive material shall be distributed through normal

channels. Media containing unencrypted, classified information shall be delivered through

approved safe hand channels only. A formal record of the authorized recipients of media

containing classified information shall be kept and receipt notification requested.

Media shall not be removed from the department without written authorization. An audit

record of all such removals shall be maintained.

All media shall be stored in a safe, secure environment, and in accordance with the

manufacturers' specifications.

Media no longer required and planned for release or disposal from the department shall

be purged in an approved manner before release. Media holding up to and including

CONFIDENTIAL information shall be overwritten with an approved utility; media having

held higher-grade information shall be destroyed.

Storage of backup

On-site data backup shall be maintained in safe custody, preferably outside the server

room and in a fireproof cabinet. The key to the cabinet shall be available only with the

System Administrator and the duplicate shall be kept with IT & IS Manager for emergency

use.

Off-site data backup shall be maintained at a location identified as ‘off-site’ by the IT & IS

Manager. Every two weeks, the backup media is moved to and from the off-site location; it

shall be carried in a sealed and tamper-proof envelope or pouch.

Backup logs

The backup logs maintained by the Systems Administrator should either be manual

registers or the reports generated by the system, which should be printed, and hard copies

maintained.


Systems Administrator should also maintain the backup movement logs for the backups

at the off-site location.

Backup Restoration

The user should make an application to their Department Head (stating the reasons for

restoration) for approval of restoration of data. . Department Head should ensure that the

user has the right to access the data required for restoration prior to granting the approval.

Upon receiving the authorization, the data should be restored by the Systems

Administrator.

A log has to be maintained by the Systems Administrator which should contain date and

time along with name and signature of the person who required/requested the

restored data. Log should also include number of backup media used for restoration.

All the backup media, which were used for restoration, should be returned to the offsite

location after the restoration is complete in a sealed and tamper proof envelope.

Restoration testing

To verify the readability of backup media, mock restoration tests should be carried out at

least once in 2 months on the Testing server.

The entire process should be documented detailing the test plan, the procedures executed

and the test results.

All the backup media, which were used for restoration, should be returned to the offsite

location after the restoration is complete in a sealed and tamper proof envelope.

It should be ensured that the restored data is deleted after successful completion of

testing.

Responsibility

Sr. IT & IS Manager is responsible for

Designating personnel responsible for backup operations

Authorization of a documented backup plan.

Deciding on the criticality, backup and frequency of information and application backup

Identification of ‘offsite’ for backup tapes.

System/network Administrator is responsible for

Taking Back-up copies of essential business data and software

Implementing the formally documented backup plan

Establishing and formally documenting an appropriate schedule of full and incremental

backups.


Backup, archiving and restoration of all servers

Full backup, archiving, and restoration of all the router configuration files and firewall rule

bases

Backup Media and Security

Maintaining the backup logs

Storage of backup

Request Forms

Restoration Request & Details Form

Request for restoration of backup

Name of the user:

Date

Department:

Signature of the user:

Reasons for restoration:

Name of the system and data to be restored:

Authorized by and remarks:

Restoration details:

Date & Time | Backup media used | On-site/Off-site | Performed by | User’s sign-off | Backup returned on

Backup Register

Date | Time | Particulars | Size | Media | Label | Performed by | Remarks

Note:

Particulars: reflect details regarding servers, directories and files backed up

Media: denotes the various types of backup devices used such as DAT tapes, floppy diskettes,

DLT tapes, CDs, client PC hard disc, mirroring server, hot sites etc.

Label: shows the name label and number of the backup media used e.g. ‘Friday -1’.

Off-site Backup Movement Register

Date | Time | Backup media | From | To | Performed by | Remarks

8 Password Policy

Purpose

Passwords are an important aspect of IIITB’s IT security. They are the front line of protection

for user accounts. A poorly chosen password may result in the compromise of IIITB’s entire

enterprise network and information assets. As such, all IIITB’s Staff & Students (including

contractors and vendors with access to IIITB systems & resources) are responsible for taking

the appropriate steps, as outlined below, to select and secure their passwords. The

document states the password policy for User’s / Logon IDs on IIITB’s domain.

To gain access to the resources in IIITB’s Network, users need to log on to the IIITB

environment/domain. Based on user's role and profile, access to certain resources has been

provided.

The purpose of this policy is to establish a standard for creation of strong passwords, the

protection of those passwords, and the frequency of change.

Scope

The scope of this policy includes all personnel who have or are responsible for an account (or

any form of access that supports or requires a password) on any system, be it a desktop,

laptop, servers, network and security devices, that resides at any IIITB facility, has access to

the IIITB network, or stores any non-public IIITB information. This includes users on Windows

or UNIX/Linux platforms (multiplatform environment).

Policy Statement

The Policy states that the information assets of IIITB would not be compromised because of

weak passwords in systems and infrastructure devices which host it.

To provide a mechanism to maximize the security of information stored on IIITB’s IT

infrastructure through the appropriate use of passwords.

Passwords are assigned to each individual as a method to control and monitor their unique

access to systems and information, and should never be shared with others.

Policy

As a policy – all logon IDs in IIITB’s domain should have password as per the following

details

Length of password: The password should be of minimum eight alphanumeric

characters. Password selected should be case sensitive.

Characters in Password: Should contain both upper and lower case characters (e.g., a-z, A-Z)

Content of password: Should have digits and punctuation characters as well as letters

(e.g., 0-9, @#$%^&*()_+|~- =\`{}[]:";'<>?,./)

Password History: Previous five passwords cannot be repeated. This means users

cannot use the last five passwords.

Maximum Password Age: The password expires 90 days after it was last changed.

A warning message is given after 70 days. Users can also change the

password at their wish before the 90 days are over.

Minimum Password Age: Once the user changes the password, he/she should not be

able to change the password within 1 day.

Account Lockout: The account will get locked after 3 invalid logon attempts. This

prevents another person from repeatedly guessing your password.

Passwords shall not be displayed in any environment (including on office walls, desks

and workstations) at any time, including during sign-on procedures.

Compromised passwords, or those suspected of being compromised, shall be

immediately changed.

Passwords stored in computer files and/or documentation shall be encrypted.

Password reset will be done by the IT Team on request if the user has forgotten the

password.

User is responsible for all actions and functions performed by his/her account.

Responsibility

All students and Staff are responsible for strictly adhering to the policy guidelines mentioned.

Enforcement

Any Student/Staff found to have violated this policy may be subject to disciplinary action.

Procedures

Strong Password Characteristics: Passwords are used for various purposes at IIITB. Some of

the more common uses include: user level accounts, web accounts, email accounts, screen

saver protection, voicemail password, and local router logins. Everyone should be aware of

how to select strong passwords.

Are not a word in any language, slang, dialect, jargon, etc

Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that

can be easily remembered. One way to do this is create a password based on a song title,

affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To

Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other

variation.

NOTE: Do not use either of these examples as passwords!

Do not use the same password for IIITB’s accounts as for other non-IIITB access (e.g.,

personal ISP account, Internet mail services, net-Banking etc.). Where possible, don't use

the same password for various IIITB access needs. For example, select one password for

the Personal use and a separate password for IT systems. Also, select a separate password

to be used for an NT account and a UNIX account.

Do not share IIITB passwords with anyone, including administrative assistants or

secretaries. All passwords are to be treated as sensitive, Confidential IIITB information.

General Password Construction Guidelines:

All system-level passwords (e.g., root, enable, Domain Admin, application administration

accounts, etc.) must be changed on at least a quarterly basis.

All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at

least every 60 days.

Passwords must not be inserted into email messages or other forms of electronic

communication

Where SNMP is used, the community strings must be defined as something other than the

standard defaults of "public," "private" and "system" and must be different from the

passwords used to log in interactively. A keyed hash must be used where available (e.g.,

SNMPv2).

All user-level and system-level passwords must conform to the guidelines described above

Here is a list of "don’ts":

Don't reveal a password over the phone to ANYONE

Should not be a word found in a dictionary (English or foreign)

Should not be a common usage word such as

Names of family, pets, friends, co-workers, fantasy characters, etc.

Computer terms and names, commands, sites, companies, hardware, software.

The words “IIITB”, “International Institute of Information Technology Bangalore”,

“Welcome” or any derivation

Birthdays and other personal information such as addresses and phone numbers.

Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

Any of the above spelled backwards.

Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Don't reveal a password in an email message

Don't talk about a password in front of others

Don't hint at the format of a password (e.g., "my family name")

Don't reveal a password on questionnaires or any forum.

Don't reveal a password to the boss

Don't share a password with family members

Don't reveal a password to co-workers while on vacation

Do not use the "Remember Password" feature of applications (e.g., IE, Chrome, Firefox,

Outlook, etc.).

Again, do not write passwords down and store them anywhere in your work area. Do not

store passwords in a file on ANY computer system (including Palm top or similar devices)

without encryption.

“Do’s”

Change passwords frequently as per the policy.

If an account or password is suspected to have been compromised, report the incident to

Helpdesk/IT department and change all passwords.

IIITB, IT department may perform password cracking or guessing on a periodic or random

basis. If a password is guessed or cracked during one of these scans, the user will be

required to change it.
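
The length, character-class, history and "don'ts" rules of this policy can be checked mechanically, for example at password-change time or during the periodic audit described above. The following Python code is an added example, not part of IIITB's policy or tooling; the function names, the PBKDF2 work factor, the salted-hash history store and the sample passwords in the usage are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # policy: minimum eight characters
HISTORY_DEPTH = 5         # policy: previous five passwords cannot be repeated
PBKDF2_ROUNDS = 100_000   # assumption: example work factor, not from the policy

# Words and patterns the policy text itself names ("secret" is its example
# word for the digit prefix/suffix rule). A real deployment would load a
# full dictionary here instead of this short list.
BANNED = ("iiitb", "welcome", "secret", "aaabbb", "qwerty", "zyxwvuts", "123321")


def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds a readable password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def remember(history, password):
    """Append the new password's hash and keep only the last five entries."""
    return (list(history) + [hash_password(password)])[-HISTORY_DEPTH:]


def in_history(password, history):
    """True if the candidate matches one of the last five stored hashes."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        candidate = hash_password(password, salt)[1]
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def violations(password, history=()):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a punctuation character")

    # "Any derivation", "spelled backwards" and "preceded or followed by a
    # digit" are all caught by a substring match on the lower-cased password
    # and on its reverse.
    lowered = password.lower()
    if any(w in lowered or w in lowered[::-1] for w in BANNED):
        problems.append("contains a banned word or pattern")

    if in_history(password, history):
        problems.append("reuses one of the last five passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    for sample in ("Xk7#mQz9vL", "Welcome@123", "1terces#A", "short1!"):
        print(sample, "->", violations(sample) or "ok")
```

Note that "Welcome@123" satisfies every composition rule (length, case, digit, punctuation) and is rejected only by the "don'ts" list, which is why the list has to be enforced in addition to the complexity settings.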

Password Change Process:

Users will be able to change the password at any point of time using the below mentioned

methods:

Windows Specific

LAN users: From Windows 2000 professional/Windows XP press Ctrl+Alt+Del and click Change

password.

Remote users: Users can change the password through web mail. For that, while you are on web

mail, go to “Options” and click “Change password” (or contact Sysadmin for support). Users are

requested to use the above mentioned methods in case of password expiry.

Password Reset Process:

On user request, the following details will be verified before the Helpdesk/IT department changes

the user's password. (In case the user is not directly present in front of IT personnel, send

mail from your personal mail with some of the ID proof details mentioned below so that the

genuine user can be checked.)

Full Name / NT alias name

Student/Staff ID / DOB

Student Roll number

Any random questions to check he is valid user like Domain LoginID etc.

Blood Group

Mobile or Residence number

Only if the Helpdesk/IT Department confirms the authenticity of the user the password will be

changed and passed on by Phone. Once the password is changed, every user will be forced to

change password at next logon.

Account Lockout process:

As per the policy, the account will get locked after 3 invalid logon attempts. This prevents

another person from repeatedly guessing your password.

However, the user can request the Helpdesk/IT department to unlock the account.

On user request, the following details will be verified before the Helpdesk/IT department unlocks

the user's account (in case the user is not directly present in front of the Helpdesk):

Full Name / alias name

Student/Staff ID / DOB

Any random questions to check he is valid user like Domain LoginID etc.

His Roll number

Mobile or Residence number

Only if the Helpdesk/IT Department confirms the authenticity of the user the account will be

unlocked and intimated to the user.

9 Internet & Intranet Security Policy

Purpose

The purpose of this policy is to establish management direction to procedures and

requirements to ensure appropriate protection of IIITB’s information and equipment by

Internet & Intranet connections.

Scope

This policy applies to all faculty, staff, students, employees, incubation companies’ staff,

contractors, consultants, temporaries, and other users at IIITB's Network, including those users

affiliated with third parties who access IIITB’s computer networks. Throughout this policy, the

word "users" will be used to collectively refer to all such individuals in general. The policy also

applies to all computer and data communication systems owned by and/or administered by

IIITB.

Policy Statement

All information travelling over IIITB's computer networks that has not been specifically

identified as the property of other parties will be treated as though it’s an IIITB asset. It is the

policy of IIITB to prohibit unauthorized access, disclosure, duplication, modification, diversion,

destruction, loss, misuse, or theft of this information.

In addition, it is the policy to protect information belonging to third parties that has been

entrusted to IIITB in confidence as well as in accordance with applicable contracts and industry

standards.

To ensure compliance with applicable statutes, regulations, and mandates regarding the

management of information resources.

To establish prudent and acceptable practices regarding the use of the Internet.

To educate individuals who may use the Internet, the Intranet, or both with respect to their

responsibilities associated with such use.

Unless specifically stated otherwise, all statements and policies will apply to both the

Intranet and the Internet.

Policy

The new resources, new services, and interconnectivity available via the Internet all introduce

new opportunities and new risks. This policy describes IIITB’s official policy regarding Internet

security and addresses the risk aspect.

Internet Access Restrictions

IIITB IT department reserves the right to exclude from Internet access those services

that have no reasonable relationship to the functioning of IIITB.

The Internet usage timings shall be strictly controlled.

Internet Rules of Behaviour

Using IIITB Internet facilities or equipment to make abusive, unethical or "inappropriate" use

of the Internet shall not be acceptable. Examples of inappropriate employee Internet use

include, but are not limited to, the following:

Conducting or participating in illegal activities like gambling

Accessing or downloading pornographic material

Solicitations for any purpose which are not expressly approved by institution management

Revealing or publicizing proprietary or confidential information

Representing personal opinions as those of the institution

Making or posting indecent remarks

"Flaming" (e.g. malicious written attacks directed at someone) or similar written attacks

Uploading or downloading commercial software in violation of its copyright

Uploading or mailing of company’s confidential documents

without the permission/authorization of the concerned parties.

Downloading any software or electronic files without reasonable virus protection measures

in place

Intentionally interfering with the normal operation of any other organization's Internet

gateway

Prohibitions on User Internet Activities

To prevent any appearance of inappropriate conduct on the Internet and to reduce risk

exposures to the organization, users shall not:

Enter into contractual agreements via the Internet; e.g. enter into binding contracts on

behalf of the institution over the Internet

Use the institution logos or the institution materials in any web page or Internet posting

unless it has been approved, in advance, by the institution management

Use software files, images, or other information downloaded from the Internet that has

not been released for free public use

Introduce material considered indecent, offensive, or is related to the production, use,

storage, or transmission of sexually explicit or offensive items on the institution network

or systems

Attempt to gain illegal access to remote systems on the Internet

Attempt to inappropriately telnet to or port scan remote systems on the Internet

Use or possess Internet scanning or security vulnerability assessment tools

Post material in violation of copyright law

Establish Internet or other external network connections that could allow other

organisation users to gain access into IIITB’s systems and information assets

Authentication Required for Internet Access to IIITB’s Systems

All users wishing to establish a trusted connection via the Internet with the IIITB’s systems shall

authenticate themselves at the existing authentication mechanism before gaining access to

the institution's internal network. (Currently each device user is provided MAC-based

authentication by Aruba ClearPass.)

All Internet/Intranet users are expected to be familiar with and comply with these policies. Any

queries in this regard should be directed to the Head of IT. Violations of these policies can

lead to revocation of system privileges and/or disciplinary action.

Responsibility

Management Responsibility:

Management of IIITB is responsible for:

Enforcing the policy

Conducting user awareness sessions.

User Responsibility:

Users of IIITB’s Network Internet connections must:

Know and apply the appropriate IIITB Network policies and practices pertaining to Internet

security.

Not permit any unauthorized individual to obtain access to IIITB Network Internet

connections.

Not use or permit the use of any unauthorized device in connection with IIITB's Network

personal computers.

Not use IIITB Network Internet resources (software/hardware or data) for other than

authorized institution purposes.

Maintain exclusive control over and use of his/her password, and protect it from

inadvertent disclosure to others.

Select a password that bears no obvious relation to the user, the user's organizational

group, or the user's work project, and that is not easy to guess. Please refer to IIITB’s

Password Policy for details.

Ensure that data under his/her control and/or direction is properly safeguarded according

to its level of sensitivity.

Report to the IT Manager or IT Support staff for any incident that appears to compromise

the security of IIITB's Network information resources. These include missing data, virus

infestations, and unexplained transactions.

Access only the data and automated functions for which he/she is authorized in the course

of normal business activity.

Obtain course supervisor authorization for any uploading or downloading of information

to or from IIITB Network multi-user information systems if this activity is outside the scope

of normal learning activities.

Make backups of all sensitive, critical, and valuable data files as often as is deemed

necessary.

Enforcement

Violations of these policies can lead to revocation of system privileges and/or disciplinary

action.

Procedures

Information Movement

All software downloaded from non-IIITB Network sources via the Internet must be screened

with virus detection software prior to being opened or run. Whenever the provider of the

software is not trusted, downloaded software should be tested on a stand-alone (not

connected to the network) non-production machine. If this software contains a virus, worm,

or Trojan horse, then the damage will be restricted to the involved machine.

All information taken off the Internet should be considered suspect until confirmed by

separate information from another source. There is no quality control process on the Internet,

and a considerable amount of its information is outdated or inaccurate.

It is also relatively easy to spoof another user on the Internet. Likewise, contacts made over

the Internet should not be trusted with IIITB's information unless a due diligence process has

first been performed. This due diligence process applies to the release of any internal IIITB

information.

Users must not place IIITB’s material (software, internal memos, etc.) on any publicly accessible

Internet computer that supports anonymous file transfer protocol (FTP) or similar services,

unless the office of Director or the respective stake holder has first approved the posting of

these materials.

In more general terms, IIITB’s internal information should not be placed in any location, on

machines connected to IIITB's Networks, or on the Internet, unless the persons who have

access to that location have a legitimate need-to-know.

All publicly writable (common/public) directories on IIITB’s Internet-connected computers

will be reviewed and cleared periodically. This process is necessary to prevent the anonymous

exchange of information inconsistent with IIITB’s business.

Information Protection

Wiretapping and message interception are straightforward and frequently encountered on the

Internet. Accordingly, IIITB’s secret, proprietary, or private information must not be sent over

the Internet.

Unless specifically known to be in the public domain, source code must always be encrypted

before being sent over the Internet.

Credit card numbers, Debit card numbers, telephone calling card numbers, log in passwords,

and other parameters that can be used to gain access to goods or services must not be sent

over the Internet in readable form.

In keeping with the confidentiality agreements signed by all Faculty, Staff & Students, IIITB’s

research findings, software, documentation, and all other types of internal information must

not be sold or otherwise transferred to any non-IIITB party.

Exchanges of software and/or data between IIITB and any third party should not proceed

unless a written agreement has first been signed. Such an agreement must specify the terms

of the exchange, as well as the ways in which the software and/or data is to be handled and

protected.

IIITB strongly supports strict adherence to software vendors’ license agreements. When at

work, or when IIITB computing or networking resources are employed, copying of software in

a manner that is not consistent with the vendor's license is strictly forbidden.

Likewise, off-hours participation in pirate software bulletin boards and similar activities

represent a conflict of interest with IIITB's ethics, and are therefore prohibited. Similarly,

reproduction of words posted or otherwise available over the Internet must be done only with

the permission of the author/owner.

Expectation of Privacy

Students & Staff using IIITB's information systems and/or the Internet should realize that their

communications are not automatically protected from viewing by third parties.

At any time and without prior notice, management/IT Staff reserves the right to examine email,

personal file directories, and other information stored on computers. This examination assures

compliance with internal policies and supports the performance of internal investigations.

Resource Usage

IIITB's Network encourages Students & Staff to explore the Internet, but if this exploration is

for personal purposes, it should be done on personal, not on institution time. Likewise, games,

news groups, and other non-business activities must be performed on personal, not on

institution time.

Use of computing resources for these personal purposes is permissible so long as the

incremental cost of the usage is negligible, and so long as no business activity is pre-empted

by the personal use. Extended use of these resources requires prior written approval of the

respective stake holder.

Based on the usage pattern and status of Bandwidth, IIITB can implement web filtering of

certain sites. Such list will be published to the Staff & Students and will be updated on regular

basis.

Public Representations

Faculty, Students & Staff must not publicly disclose internal network information via the

Internet that may adversely affect IIITB’s credibility or public image unless the approval of the

Office of the Director or Head of IT has first been obtained.

Care must be taken to properly structure comments and questions posted to mailing lists,

public news groups, and related public postings on the Internet. If Faculty, Students & Staff

are not careful, they may let undesirable elements know that certain internal projects are

underway. If a Student/Staff is working on an unannounced product, a research and

development project, or related confidential matters, all related postings must be cleared by

one's Professor prior to being placed in a public spot on the Internet.

Reporting Security Problems

If sensitive IIITB's Network information is lost, disclosed to unauthorized parties, or suspected

of being lost or disclosed to unauthorized parties, the IT Team must be notified immediately.

If any unauthorized use of IIITB's information systems has taken place, or is suspected of taking

place, the IT team must likewise be notified immediately.

Similarly, whenever passwords or other system access control mechanisms are lost, stolen, or

disclosed, or are suspected of being lost, stolen, or disclosed, the IT team must be notified

immediately.

Because it may indicate a computer virus infection or similar security problem, all unusual

systems behavior, such as missing files, frequent system crashes, misrouted messages, and the

like must also be immediately reported. The specifics of security problems should not be

discussed widely but should instead be shared on a need-to-know basis.

10 Antivirus Policy

Purpose

This policy establishes information security requirements for the IIITB as well as for all affiliates

faculty, staff and students. This policy is to ensure that IIITB’s confidential information and

technologies are not compromised, and that production services and other IIITB interests are

protected from Viruses, Worms & Trojans.

This policy defines a set of guidelines to provide the IIITB’s computers and computer systems

with comprehensive protection against computer viruses and malicious code and the

responsibilities of IIITB’s network users in protecting the network and responding to a virus

threat to prevent major and widespread damage to user applications, files and hardware.

Scope

This document addresses policies and procedures related to the antivirus control for the IIITB

information assets. This policy is applicable to all the IIITB IT team. This is also applicable to all

the users of the IIITB network.

Policy Statement

The Policy states that all information assets of IIITB will be protected from malicious codes,

Viruses, worms and Trojans by way of effectively enforcing the antivirus policy of IIITB.

Policy

The anti-virus policy is designed to deal with the known viruses that the IIITB IT team is aware of &

also the zero-day vulnerabilities that may arise.

General Guidelines are:

Deployment and Configuration of anti-virus software

All computers of IIITB including servers, desktops & laptops shall have standard and

supported anti-virus software installed.

The virus scanner shall be scheduled to run to scan for viruses at regular intervals. The

scanning engines must be chosen to ensure defense in depth. Anti-virus controls must be

placed such that any foreign content entering the organization is scanned by at least two

different anti-virus technologies.

A Centralized antivirus server shall be deployed to check all the incoming and outgoing

traffic through Internet. The server shall be configured to verify against the virus signatures

for both incoming and outgoing data/files of Email/message, ftp and http servers.

Antivirus activities shall be centrally managed. Central monitoring and logging console

shall be deployed, to monitor the status of pattern updates on all the computers and to

log the activities performed on them.

The IT & IS Manager shall identify a person or a team that is responsible for creating

procedures that ensure anti-virus software is run at regular intervals, and computers are

verified as virus-free.

Maintenance/Updating of software

Anti-virus software scanning engine and the virus signature files shall be kept up-to-date.

The time taken to update the virus patterns shall be kept to a minimum. The acceptable time frame

for updating the new pattern file shall be a maximum of 8 hours after the release of the patch.

Periodic audit on all the users’ desktops and laptops shall be performed to ensure that

proper and latest version of virus engines and the definitions files are running and no virus

threat exists. The user himself shall ensure that the XYZ approved Antivirus software is

running on his working machine.

All servers must have real-time and “batch” scanning enabled.

Containment and Managing of virus incidents

In the event of a virus outbreak, System-admin or IT Staff shall initiate appropriate action

to contain virus infections and assist in their removal.

Virus-infected computers shall be removed from the network as soon as they are

identified, until they are verified as virus-free.

Software downloaded from electronic bulletin boards, shareware, public domain software,

the internet and other software from untrusted sources shall be prohibited unless prior

authorization is received from the IT Department.

A memory-resident virus protection program or a virus-scanning program shall be used

on all files downloaded from diskettes, tapes, CD ROMs, or electronic connections.

All hard disks serviced, or newly installed workstations (including portables) are scanned

for viruses before use.

Virus protection programs shall not be disabled.

All virus detection incidents shall be logged, along with the action taken: quarantine,

deletion or successful cleaning.

Logs shall be maintained on the Centralized antivirus server, and Alerts shall be configured

to send warnings to the Incident Response Team and the originator of the email.

All backups shall be checked for viruses during backup schedule. All restorations shall be

checked for Viruses, before a restoration is made.

When critical vulnerabilities are announced for application software, the patches shall be

applied quickly so that the window of exposure is very small. Application software shall

include, at a minimum, Windows 7 or Windows 10, Outlook, Internet Explorer, etc.

Awareness and training

System Administrator shall maintain current knowledge and expertise on viruses and virus

protection. This shall be kept up to date through suitable staff training, awareness and

access to resources.

ISO/IT-Manager shall conduct a regular user awareness session for all staff on virus clean

systems.

Responses to a virus infection

Users must immediately call the Desktop Information Systems Help Desk/IT staff when

they believe a system has been infected. The Incident Response Team shall then be

contacted if required.

The following information shall be provided if known: virus name, extent of infection,

source of virus, and potential recipients of infected material.

The policy will cover the following areas:

Desktops

Servers

Email

Firewalls

User awareness

For detailed configuration and maintenance of the above-mentioned devices, refer to the

procedures.

Responsibility

IIITB IT Associates and users (Faculty, Students & Staff) at individual locations are responsible

for the implementation and execution of this policy. IT & IS Manager is responsible for the

monitoring of the successful implementation of policy. IT manager can initiate a revision in

the policy.

Enforcement

Any Student/Staff found to have violated this policy may be subject to disciplinary action. The

IT staff is also empowered to take the affected system/device out of the network

without any prior warning whatsoever.

Procedures

The policy procedures will cover in detail the procedures to be implemented in the IT

infrastructure of the IIITB to protect it against the virus threats.

The policy is designed to address the following types of viruses:

Boot track and partition table virus

Executable file virus

Multipartite, parasitic, stealth and polymorphic virus

Trojans and worms

Malicious code and self-updating malicious code

Desktop Policy and Procedure:

This policy and procedures are applicable to all the desktops that are installed in the IIITB

infrastructure. This is also applicable to all partner or customer desktops/laptops that are

connected to the IIITB infrastructure on a temporary basis.

Antivirus Software:

IIITB approved antivirus software has to be installed on all the desktops that are connected

to IIITB infrastructure on a temporary or permanent basis. This is applicable to all the laptops

which are disbursed among the students and staff.

Antivirus Signature

The antivirus signature must be updated on all desktops automatically when the antivirus

signature is updated. In case of a virus outbreak, the desktops should be forced to update the

virus signature and the IT team should ensure that every desktop in the IIITB infrastructure

has an updated virus signature.

Desktop Antivirus Configuration

All the desktops/laptops in the IIITB infrastructure should be configured as per the following

configuration –

Enable system real time protection.

Enable start-up scanning of memory, master/boot record, and system files.

Enable scanning of all the files in your system.

Logging should be enabled for all the desktop virus related activity.

Schedule a scan of the desktop daily.

All virus related security patches should be installed on all the desktops.

Set the attribute of wsock32.dll to read-only.

Set the attribute of normal.dot to read-only.

Enable the floppy to be scanned before use by the desktop.

Software will be installed only from approved internal server to limit exposure to

contaminated software.

Server Antivirus Policy

Servers are the centralized resource for all the staff & students and should be adequately

protected, since they can become a probable cause of widespread virus infection.

Following procedures have to be implemented on all the servers in IIITB infrastructure:

IIITB approved antivirus software for servers should be installed on all the servers.

Update the virus signature regularly.

Use centralized virus management for all the servers.

Email Antivirus Policy

Email is the common application used by the IIITB Faculty, Staff & Students and it is the most

common means of virus outbreak. The email policy describes the procedures to limit

virus outbreaks through email.

Configuration of Mail Server

The following policies are applicable to the Exchange server installed in IIITB -

IIITB approved antivirus software for Exchange server should be installed on all the

Exchange servers.

Antivirus software should be configured to scan all the incoming and outgoing mails.

The sender and recipient should be notified about the virus if found in the mail.

Antivirus software should be configured to update the virus signature daily.

In case of a virus outbreak from a particular user, the user should be disabled till the virus

is cured.

IT team should be able to rapidly adjust the filtering rule in case of a virus outbreak.

Configuration of Mail Client

The mail client should be configured properly to prevent the virus outbreak in the network.

Users use different mail clients for accessing mail. IIITB supports three mail clients: Outlook,

Outlook Express, Netscape, Webmail (OWA), and Thunderbird.

The following procedures are applicable to these clients only –

Outlook

Set Internet Explorer security setting in the Internet Zone to high.

Disable ActiveX and active scripting.

Outlook Express

Disable open and/or preview panes.

Set Internet Explorer security setting in the Internet Zone to high.

Netscape

Disable JavaScript.

Policies for all mail clients

All the mail clients should be configured to implement the following policies -

Mail client should be configured for plain text only.

Configure to challenge execution of all *.exe, *.hta, *.vbs and other executables.

Configure to challenge opening of all *.doc and *.xls files. Turn off auto-open

attachment.

Firewall Security Policy

1. Introduction

1.1 Scope: This Policy establishes which services are allowed through our current firewall and

in which direction these services operate. We also attempt to define whether or not the

default is normally open or closed.

1.2. Definitions. A Firewall is a system (or network of systems) specially configured to control

traffic between two networks. A Firewall can range from a simple packet filter, to multiple

filters, dedicated proxy servers, logging computers, switches, hubs, routers and dedicated

servers. A gateway or host is a secured computer system that provides access to certain

applications. It cleans outgoing traffic, restricts incoming traffic and may also hide the

internal configuration from the outside.

1.3. Why Use a Firewall?

• Each external connection to the internal network should be secured so

that it does not reduce the security of the internal network. The

security of the network is only as secure as its weakest link.

• Every enterprise should have a firewall and/or security policy, and

connections to external networks should conform to that policy.

Normally, this is only possible through some kind of firewall.

• A firewall can stop confidential information from leaving a network

and attackers from entering it.

• It can provide detailed statistics on communication between the

networks (for example, who used what service and how often, as well

as showing details of performance and bottlenecks).

• It can provide logging and audit trails of communications; the analysis

of logs can be used to detect attacks and generate alarms.

• However, a strong firewall doesn't mean that the internal host security

is no longer needed - on the contrary, most successful attacks come

from insiders!

• Our policy is to take a widely used firewall solution and use it for all

external connections.

• Examples of technical threats addressed by firewalls include IP

spoofing, ICMP bombing, masquerading and attempts to gain access

to weakly configured internal machines.

• Examples of risks reduced by firewalls are attacks from curious and

malicious hackers, commercial espionage, accidental disclosure of

company data (i.e. customer, employee and corporate data) and

denial-of-service attacks.

2. Internet Firewall Policy

2.1. Security Requirements.

2.1.1. Access Control. All internet access from the Institute network

must pass through the installed firewall. The default configuration, unless

otherwise specified, is that services are forbidden. All users are allowed

to exchange emails in and out through the firewall. IT department

users are allowed to use www, ftp, https; others require authorisation.

2.1.2. Assurance. Firewall machines are to be installed as sensitive

hosts. All unnecessary services are to be stopped. Users should not be

able to log on directly to these machines, but only through the IT

department's machines. The firewall policy and configuration must be

accurately documented. The firewall machines must be subject to

regular monitoring and yearly audits. Users and Firewall

administrators should be aware of their responsibilities and be

educated so that they can assume these responsibilities.

2.1.3. Logging. Detailed logs must be kept (where possible on a separate server).

They should be automatically analysed, with critical errors generating alarms. Logs

should be archived for at least six months and up to one year. The non-trivial log

entries should be examined daily.

2.1.4. Availability. The firewall must offer high availability and fulfil the resilience

requirements (including backup/restore functions etc.). Processes exist for

change management and incident response.

2.2. Required Functionality.

2.2.1. Outgoing services. The following services are required from specific internal

hosts (e.g. via proxies) to the internet:

• SMTP, POP, IMAP, SSL, HTTPS, secure login through VPN, www (http), SSH

• DNS (resolve Internet names)

• News (NNTP)

• NTP (Network Time service)

• Office 365 ports 587, 993

• On-request ftp, telnet
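The default-deny rule of 2.1.1 and the outgoing service list of 2.2.1 can be turned into an automated review of a firewall rule export, as in this added example (not part of the IIITB policy). The rule format, rule ids and ticket value are constructed, and the mapping from service names to standard ports is an assumption, since the policy names services rather than ports.

```python
# Outgoing services named in section 2.2.1, mapped to their standard ports.
# The mapping is an assumption of this example; only 587 and 993 are given as ports
# in the policy. VPN is left out because its port depends on the product in use.
ALLOWED_OUT = {
    ("tcp", 25): "SMTP", ("tcp", 110): "POP", ("tcp", 143): "IMAP",
    ("tcp", 443): "HTTPS", ("tcp", 80): "www (http)", ("tcp", 22): "SSH",
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 119): "News (NNTP)",
    ("udp", 123): "NTP", ("tcp", 587): "Office 365", ("tcp", 993): "Office 365",
}
# Services the policy allows only on request; a rule must carry an authorisation reference.
ON_REQUEST_OUT = {("tcp", 21): "ftp", ("tcp", 23): "telnet"}


def rule(rule_id, direction, action, proto, port, ticket=""):
    """Build one rule record (hypothetical export format)."""
    return {"id": rule_id, "direction": direction, "action": action,
            "proto": proto, "port": port, "ticket": ticket}


# Constructed rule base, evaluated top to bottom by the firewall.
RULES = [
    rule("R1", "out", "allow", "tcp", 25),
    rule("R2", "out", "allow", "tcp", 443),
    rule("R3", "out", "allow", "udp", 53),
    rule("R4", "out", "allow", "tcp", 21),                     # ftp with no authorisation
    rule("R5", "out", "allow", "tcp", 23, "REQ-PLACEHOLDER"),  # telnet, authorised
    rule("R6", "out", "allow", "tcp", 6667),                   # service not in 2.2.1
    rule("R7", "out", "allow", "any", "any"),                  # defeats default deny
    rule("R8", "any", "deny", "any", "any"),                   # default: forbidden
]


def is_default_deny(r):
    return (r["action"] == "deny" and r["direction"] == "any"
            and r["proto"] == "any" and r["port"] == "any")


def audit_rules(rules):
    """Return (rule id, finding) pairs for rules that do not match the policy."""
    findings = []
    # 2.1.1: unless otherwise specified, services are forbidden, so the rule base
    # must end with a catch-all deny.
    if not rules or not is_default_deny(rules[-1]):
        findings.append(("-", "NO_DEFAULT_DENY"))
    for r in rules:
        if r["action"] != "allow" or r["direction"] != "out":
            continue
        key = (r["proto"], r["port"])
        if "any" in key:
            findings.append((r["id"], "OVERBROAD"))
        elif key in ON_REQUEST_OUT:
            if not r["ticket"]:
                findings.append((r["id"], "NEEDS_AUTHORISATION"))
        elif key not in ALLOWED_OUT:
            findings.append((r["id"], "NOT_IN_POLICY"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES):
        print(rule_id, finding)
```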

2.2.2. Incoming Services. The following Internet services need to be allowed in:

• Email: all users should be able to receive internet email

• News (NNTP)

• Secure Logins via VPN + SSH

• https

• RDP

• Institute IT Services IP Ranges.

Anyone requiring other internet services will need to ask the IT department for

authorisation. Access from the hosts to the internal network follows the same rules as

access to internet hosts and should always use VPN.

2.2.3. Special Services provided to the Internet. These include:

• www Servers (like LMS, Academia, Libsys, Cadence, Matlab, etc.);

• Institute Guest, Events,

• Eventually a User ftp Server for special projects / collaboration with

other companies;

Internal Server access for specific remote access by third party Companies that

maintain internal systems (Website, Academic solutions, Microsoft mail support).

These are provided a specific location IP and sometimes an assigned port.

2.3. Monitoring. The Institute Computing department will continue to monitor, evaluate,

develop and, where applicable, incorporate new rules and checks into the firewall. The

Institute Computing department will also monitor the traffic going through the firewall, to

identify any threats or misuse of the network.

Antivirus Policy

The firewall is the main entry point for all communication in the IIITB infrastructure. The firewall

should be configured as per the policy below to stop viruses at the gateway itself (this is

applicable only if the firewall application resides on an OS and the firewall is essentially not a device).

IIITB approved antivirus software for firewall should be installed.

Firewall should be configured to scan all the HTTP, FTP and SMTP traffic through it.

Firewall should be configured to block the ActiveX control.

Users Policy

User should follow the policies below to restrict the virus outbreak in the network. Each user

is responsible for the virus outbreak due to his/her negligence.

Users shouldn’t open attachment from unknown users.

Users should not use IIITB infrastructure to send or receive mails containing attachments such as

jokes, greeting cards, fun attachments and sexually oriented attachments, as they are the

cause of virus infection.

Users shouldn’t visit any pornographic sites as these sites download certain programs

containing virus.

Users shouldn’t download any unknown programs.

User Awareness Policy

Users should be educated to understand the potential damage caused by the virus.

Following policies should be followed to educate the users –

Educate users regarding the potential damage of email attachments. Advise them to

open attachments from known sources.

The IT team should apprise the new user of the potential risks involved with the email

system and apprise him/her of the user responsibility.

11 Physical Security

Purpose

This policy details the physical and environmental criteria necessary to protect sensitive IT

systems, information and assets of IIITB.

Scope

This policy applies to

• All IIITB Students, Faculty, Staff, Incubation staff, contractors, consultants, and other

workers at IIITB including all personnel affiliated with third parties.

• All IIITB information resources including academic data, applications and systems software,

physical buildings, critical business areas and equipment that is owned or leased, utilities

and services supporting IT.

The policy also includes utilities and services supporting information processing facilities.

Policy

General policies

Only authorized individuals shall have access to IIITB's physical information systems resources.

Physical information systems resources include, but are not limited to, computer rooms,

electronic mail facilities, communications wiring rooms ("smart closets"), network control areas

(LANs, application servers, file servers), technology centers, incubators and workstations.

IIITB information located in non-IIITB physical areas, such as employee residences, customer

sites and while travelling must also be protected.

No IIITB Students, Staff, contractor, consultant, or others performing on behalf of or for IIITB

is entitled to an expectation of privacy with respect to IIITB's information systems resources.

A personal workstation/laptop is an IIITB information systems resource and, as such, shall be

secured from loss, theft and accidental or unauthorized use or modification.

Personal computers/Laptops may not be used to develop programs or data, or to prepare

documents, for purposes unrelated to IIITB functioning, without prior authorization from the

appropriate stakeholders.

Students, staff and non-affiliated visitors permitted within IIITB physical information systems

resource area shall display approved, visible identification (e.g., a badge) at all times.

Students, Staff and non-affiliates who are visiting IIITB physical information systems resource

area shall obtain permission from the necessary stakeholder of the area to be visited and shall

log in and log out.

Logical and procedural measures shall be established to prevent and detect attempts to

disrupt IIITB operations, or to enter or depart from restricted areas in an unauthorized manner.

Response to attempted disruptions or any unauthorized system access shall be timely and

appropriate.

IT Team is committed to maintaining security with regard to all assets, including those that are

tangible, intangible, material, or information-oriented.

IT Team establishes goals and responsibilities for the protection of the IIITB’s information

assets as they relate to data (magnetic, image, text, and/or voice) and computer software

within internal systems. This includes the prevention of misuse or loss of information assets,

establishing the basis for audits and self-assessments, and preserving the ABC’s options and

legal remedies in the event of information asset loss or misuse.

All Faculty, Staff and Students or authorized agents of the IIITB are responsible for ensuring

the integrity and accuracy of the IIITB’s data; providing for the privacy of proprietary, trade

secret, personal, privileged, or otherwise sensitive data; and protecting and preserving

institution assets from misappropriation, misapplication, and conversion.

Heads of departments and other respective stakeholders are responsible for identifying,

classifying, and protecting information and computer assets within their respective areas. The

IT Team should be notified immediately of any security breaches.

Access to the IIITB’s information assets is restricted to authorized individuals and should be

used only for authorized purposes. All data and applications stored on the IIITB’s systems shall

be considered the property of the institute unless specifically noted otherwise.

Access to systems shared by multiple users shall be controlled through unambiguous

identification of the individual or machine accessing the system. For example, unique user IDs

and passwords should be assigned to individuals.

All individuals shall employ reasonable measures to protect the integrity of their

communication sessions with other systems. For example, individuals should not disclose

passwords to others and users should not leave active communication sessions unattended.

Computing installations (servers, midrange, and microcomputer systems) and supporting

facilities shall be controlled in areas of restricted physical access when operation is considered

essential or when storing confidential or proprietary information.

Installation of proprietary and vendor software must be authorized through the IT department

to prevent system or licensing violations.

Controls for restricted software programs shall be established and enforced to prevent

unauthorized use, reproduction, and modification. Disk files and hard drives are subject to

inspection to ascertain that original documentation, system diskettes, and required licensing

material exist for each copy of software products found.

Access to the IIITB’s systems through remote connectivity is restricted and requires

authorization by the IT Team or other appropriate management.

Attempting to alter any computing or networking components (including, but not limited to,

IDFs, switches, routers, and access points) without authorization or beyond one's level of

authorization;

Unauthorized wiring, including attempts to create unauthorized network connections, or any

unauthorized extension or re-transmission of any computer or network services; intentionally

damaging or destroying the integrity of electronic information.

Intentionally disrupting the use of electronic networks or information systems.

Intentionally wasting human or electronic resources.

Negligence leading to the damage of IIITB’s electronic information, computing/networking

equipment and resources.

Keep storage media from view of unauthorized people; erase whiteboards, do not leave in

view on tabletop. Machines should be administered with security in mind. Protect from loss;

electronic information should have individual access controls where possible and appropriate.

Deposit outdated paper information in specially marked disposal bins on institute’s premises;

electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Methods of accomplishing this include having a special key to unlock the computer so it can

be used, thereby ensuring that the computer cannot be simply rebooted to get around the

protection. If it is a laptop or other portable computer, never leave it alone in a conference

room etc. In the office, always use a lockdown cable. When leaving the office for the day,

secure the laptop and any other sensitive material in a locked drawer or cabinet.

Storage media should be labelled, i.e. the classification level should be written on documents,

media (tapes, diskettes, disks, CDs, etc.), electronic messages and files.

Data should stay within the company; if it must transit public media (e.g. the Internet), it should

be encrypted.

Storage Media should be securely disposed of when no longer needed (e.g. shredders for

documents, destruction of old disks and diskettes etc.).

Users are responsible for their Laptops outside the corporate buildings.

Switch off the computer when not in use.

Only system administrators should install or update software on servers. Users may not install

software on class workstations.

Systems should be cleanly installed according to vendor instructions.

OS installations should include installation of all recommended patches.

Only patches from the original software vendor should be applied. Patches downloaded from

public networks (e.g. Internet) should be checked for integrity using a strong hashing

mechanism (e.g. MD5 or latest). Patches should be pre-tested in a test environment (for at

least a few weeks if possible) before being applied to production systems.
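The integrity check on downloaded patches can be automated against a vendor-published checksum manifest, as in this added example (not part of the IIITB policy). It assumes a manifest in the common `<hex digest>  <file name>` layout and accepts only SHA-2 digests, because MD5, which the policy names as an example, is no longer collision-resistant; the file names and contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Example acceptance list (an assumption of this example, not the policy's wording):
# SHA-2 only. MD5 and SHA-1 are refused because collisions can be constructed for them.
ACCEPTED_ALGOS = {"sha256", "sha384", "sha512"}


def file_digest(path, algo):
    """Hash a file in chunks so large patch bundles need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_text, algo, directory):
    """Check files in `directory` against a manifest of `<hex digest>  <file name>` lines.

    Returns {file name: status}, where status is one of
    OK, MISMATCH, MISSING, BAD_ENTRY or WEAK_ALGORITHM.
    """
    algo = algo.lower()
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            results[line.strip()] = "BAD_ENTRY"
            continue
        expected, name = parts[0].lower(), parts[1].strip().lstrip("*")
        path = os.path.join(directory, name)
        if os.path.basename(name) != name:
            # Refuse path components so a manifest cannot point outside the patch directory.
            results[name] = "BAD_ENTRY"
        elif algo not in ACCEPTED_ALGOS:
            results[name] = "WEAK_ALGORITHM"
        elif not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            same = hmac.compare_digest(file_digest(path, algo), expected)
            results[name] = "OK" if same else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact patch, one altered after download, one absent."""
    files = (("kb-a.msu", b"patch A"), ("kb-b.msu", b"patch B"), ("kb-c.msu", b"patch C"))
    manifest = "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in files)
    with tempfile.TemporaryDirectory() as d:
        for name, data in files[:2]:  # kb-c.msu is never downloaded
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(d, "kb-b.msu"), "ab") as fh:  # simulate corruption or tampering
            fh.write(b"!")
        return verify_manifest(manifest, "sha256", d), verify_manifest(manifest, "md5", d)


if __name__ == "__main__":
    for label, result in zip(("sha256", "md5"), demo()):
        print(label, result)
```

A digest only proves the file matches the manifest, so the manifest itself has to be fetched from the original vendor over an authenticated channel.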

The directives below apply to all the staff & Students of IIITB:

Diskettes should be stored out of sight when not in use. If they contain highly sensitive or

confidential data, they must be locked up.

Diskettes should be kept away from environmental hazards such as heat, direct sunlight,

and magnetic fields.

Critical computer equipment, e.g., file servers, must be protected by an uninterruptible

power supply (UPS).

Environmental hazards to hardware such as food, smoke, liquids, high or low humidity,

and extreme heat or cold should be avoided.

Since the IT team is responsible for all equipment installations, disconnections,

modifications, and relocations, employees are not to perform these activities. This does

not apply to temporary moves of portable computers for which an initial connection has

been set up by IT department.

Students & Staff shall not take shared portable equipment such as laptop computers

without the informed consent of their department head. Informed consent means that

the manager knows what equipment is leaving, what data is on it, and for what purpose it

will be used.

Staff & Students should exercise care to safeguard the valuable electronic equipment

assigned to them. Employees who neglect this duty may be accountable for any loss or

damage that may result.

Physical security of the institute can be segregated into various entities:

Security at the Institute entrance: All the visitors including technology partners, vendors and

third party contractors must sign in at the entrance with proper credentials, contact details,

purpose of the visit & whom to visit in the register or, if possible, the security guard can use technology

support to provide a Photo-ID. Only on confirmation by the person to be visited must the

visitor be allowed to enter the premises.

Access control to datacenters: The datacenter holds key and critical information resources

pertaining to IIITB and hence it’s paramount to safeguard those. The entry into the datacenter

should be regulated and only authorised personnel should be allowed access to the data

center. The movement of personnel can be regulated by way of installing access card

mechanisms or biometric systems.

Fire prevention and containment: Fire poses a major threat to the IT assets of IIITB; it is imperative

that fire prevention and detection mechanisms are installed all over the IIITB facility. The data

center in particular should have a combination of manual and automatic fire extinguishing

systems which complements the water sprinklers which are redundant in the event of a “class

C” fire.

The physical security policies apply to the following:

SECURE AREAS

Physical security perimeter

Physical Entry Controls

Securing Facilities, Rooms and Offices

Workspace Security Measures

Isolated delivery and loading areas

EQUIPMENT SECURITY

Equipment siting and protection

Power supplies

Cabling Security

Equipment Maintenance

Security of equipment off-premises

Secure Disposal of Equipment

For a detailed description of the above, refer to the procedures section.

Responsibility

IIITB IT staff at individual locations are responsible for the implementation and execution of

this policy. IT & IS Manager is responsible for the monitoring of the successful implementation

of policy.

Enforcement

All the parties mentioned in the policy have to strictly abide by the policy. If anyone is found

violating the policy, strict disciplinary action would be taken, to the extent of denying entry to the

premises.

Procedures

Security at the Institute entrance: All the visitors including technology partners, vendors and

third party contractors must sign in at the entrance with proper credentials, contact details,

purpose of the visit & whom to visit. Only on confirmation by the person to be visited must

the visitor be allowed to enter the premises. The entry log should contain the following:

Sl no | Visitor name with contact details | Whom to visit | Purpose | Time in/Time out

Access control to datacenters: The datacenter holds key and critical information resources

pertaining to IIITB and hence it’s paramount to safeguard those. The entry into the datacenter

should be regulated and only authorised personnel should be allowed access to the data

center. The movement of personnel can be regulated by way of installing access card

mechanisms or biometric systems. The datacenter should maintain a sign in record for all the

visitors. The sign-in record template should be as follows:

Sl no | Name | Purpose | Sign in/Sign out time

Physical security perimeter

IIITB premises are enclosed by a wall/fence and all gates are guarded by security guards. All

important areas like entry/exit points, reception areas, areas behind the buildings and along

the periphery are under CCTV coverage.

Physical information processing resources like servers, workstations, etc that support key

business processes shall be housed in a secure area that reasonably protects the resources

from unauthorized physical access, fire, flooding, explosions, and other forms of natural or

man-made disaster.

IT Manager/ISO, responsible for sensitive information or for information processing resources,

shall periodically perform a self-assessment to determine the existing level of security

vulnerability and compliance with the physical security requirements.

Physical access to the secure areas housing information systems and networks shall be

restricted only to authorized personnel. The authorization shall be provided by the ISO.

Access rights shall be reviewed by the ISO on a periodic basis. All access shall be recorded and

reviewed by the IT manager/ISO.

Physical Entry Controls

Suitable Authentication controls, like biometric access system/access card system, shall be

used to authorize and validate all access.

An audit trail of all access shall be securely maintained and reviewed regularly.

Security personnel shall supervise all visitors to computer facilities at all times whilst in the

room. All visitors, short-term contractors and third party engineers etc., even if authorized,

shall be accompanied at all times. A visitor log shall be kept and reviewed regularly.

All the Students & Staff, housekeeping staff, contractors, and visitors shall wear and display

identification badges (ID badges) provided by the IIITB while on office premises and for

entering and exiting office premises. This is applicable on all days of the year. Staff shall be

encouraged to challenge strangers and report their presence to local physical security

personnel.

The housekeeping staff are not permitted to enter the premises before 7.30 AM and are

expected to leave before 5.30 PM.

Visitors are allowed to enter the premises only after confirmation of appointment from the

concerned person.

Visitors are not permitted beyond the reception area unless they are escorted by security

personnel or employees.

Vehicles without valid stickers and gate pass will not be granted entry to any of the parking

areas.

All personal belongings will have to be declared when entering or exiting the office premises.

The housekeeping & security staff are physically frisked every time they enter or leave the

premises.

The security team checks the contractors/caterers/drivers thoroughly at the time of exit

Office premises will be under guard 24 hours a day

A higher degree of care will be taken as regards controlled areas

Quarterly review shall be performed by ISO to ensure that only those individuals with a job

related need have access to the computing facilities.

Securing Facilities, Rooms and Offices

IT facilities shall be sited away from areas of public access or direct approach by public vehicles,

and consideration shall be given during siting to any security threats presented by neighboring

accommodation.

Appropriate safety equipment shall be installed, such as heat and smoke detectors, fire alarms,

fire extinguishing equipment and fire escapes. Safety equipment shall be checked regularly in

accordance with manufacturers' instructions. Employees shall be properly trained in the use of

safety equipment.

Doors and windows shall be locked when the facility is unattended. Additional external

protection shall be considered for windows if necessary.

Support functions and equipment including photocopiers and fax machines shall be sited

appropriately within the secure area to avoid demands for access, which could compromise

information.

Suitable intruder detection systems installed to professional standards and regularly tested

shall be in place to cover all external doors and accessible windows.

Hazardous and combustible materials shall be securely stored at a safe distance from the site.

Combustible computer supplies such as stationery, other than immediate operational needs

shall not be stored within dedicated computer operations rooms.

Photographic, video, audio or other recording equipment should not be allowed, unless

authorized.

Fallback equipment and back-up media shall be sited at a safe distance to avoid damage from

a disaster at the main site.

Equipment siting and protection

Adequate power supplies and auxiliary power supplies shall be provided to information

processing resources.

Adequate protection shall be provided to information and information processing resources

against damage from exposure to water, smoke, dust, chemicals, electrical supply interference,

etc.

The minimum-security protection activities specified by the vendor/manufacturer of

information processing equipment shall also be implemented.

Smoking, eating, and drinking shall be prohibited in computer equipment areas.

Physical emergency procedures shall be clearly documented. All IIITB staff & students shall be

trained in appropriate behavior in emergencies.

Equipment Maintenance

Information processing equipment shall be maintained in accordance with the

vendor/manufacturer’s recommended service intervals and specifications.

Only authorized personnel shall perform repairs and servicing of information processing

equipment.

Records shall be maintained of all repairs, maintenance, faults and suspected faults on

information processing resources by the IT Manager, after collating the same from the

respective administrators.

Workplace Maintenance

Each user is provided a safe with lock and key for keeping all confidential data / papers / media

safely. The duplicate key for the entire safe will be kept with the security.

Users secure all the confidential items before leaving at the end of the day and keep desks

clean (clean desk policy).

Users are to lock the keyboards, even when they leave the workstations for a short period

apart from when they are leaving for the day.

By default, self-locking screen saver gets enabled after 15 minutes of inactivity.

Confidential document disposal

A locked box is placed on each floor of every building where the employees drop all

confidential papers / media that need to be disposed of.

These boxes are cleared and items are shredded using a shredder by housekeeping team

under the supervision of security personnel.

12 Network Security

Purpose

IIITB computing and communication networks (wired and wireless) are part of IIITB’s overall

computing and communication infrastructure. Infrastructure is the underlying electronic

information system hardware, software, and services that provide computing, information

management, and communication capabilities to IIITB’s departments, staff, students, and

industry partners. IIITB computing and communication network is defined as the hardware

and software components that support the movement of the institute’s information from one

device to another. Examples of IIITB computing and communication networks include local

area computing networks, wireless networks, telephone networks, videoconference

networks, and the CCTV surveillance network. The policy aims to enforce certain network

controls so as to enhance the overall network security posture of IIITB.

Scope

The scope of the policy encompasses the students, staff and all the systems/network

administrators of IIITB.

Policy

When IIITB Information is transferred from one IIITB computing and communication network-

attached device to another, the receiving network-attached device must be secured to a level

that protects the sensitivity of the IIITB Information transferred.

All network-attached devices and communication lines must be authorized in order to access

the IIITB computing and communication networks. Change control procedures must be

developed, documented, and utilized for all IIITB computing and communications networks.

Audit logs must be created, maintained, protected, and reviewed.

The following are the controls for the IIITB computing and communication network

configuration:

Wired Network

Remote execution of IIITB computing and communication network security operations

only within procedurally specified parameters and practices;

Access practices in place for all IIITB computing and communication resources to

prevent unauthorized access to any segment of the IIITB computing and

communication network;

Audit trails available and reviewed for all access attempts and configuration changes;

A level of back-up in place for IIITB computing and communication network devices

consistent with the level of risk and the impact on the IIITB’s smooth functioning;

Standardized protocols in place across the facility, with encryption capabilities and

standards supported by the IIITB computing and communication network where

appropriate;

IIITB Information transmitted from any point within the IIITB computing and

communication network and received only at the destination(s) it was intended to

reach;

IIITB Information received at any point within the IIITB computing and communication

network exactly the same in content as the IIITB Information transmitted;

Reasonable precautions implemented so that IIITB Information, while in transit, cannot

be observed, tampered with, or extracted from the IIITB computing and

communication network by some unauthorized person or device;

Practices in place to identify any attempt to gain unauthorized access to the IIITB

computing and communication network, so that appropriate corrective action can be

taken (e.g. intrusion detection systems or system audit logs of unauthorized attempts);

Alternate routes made available within the IIITB computing and communication

network to provide for failure or deliberate destruction of any IIITB computing and

communication network component (e.g. redundant links, device redundancy etc.)

Other means of communication assured if both primary and back-up communication

links are simultaneously unavailable, and this alternate tested;

Technological diagnostic equipment (e.g., data scopes, line monitors) controlled to

prevent unauthorized access to IIITB Information transmissions;

Accurate, detailed, and current IIITB computing and communication network topology

including the installed and applicable security measures maintained for all IIITB

computing and communication network configurations. (Topology is the description

of the locations of all IIITB computing and communication network components e.g.,

printers, personal computers, voice encryption devices). This documentation provides

complete descriptions including:

Points of access,

IIITB computing and communication network devices,

Communication protocols,

Physical location(s),

IIITB computing and communication network usage.

All IIITB computing and communication networks must manage access when

connecting to other internal and external computing and communication networks

(e.g., firewalls) as specified by IIITB IT department;

Segregation of duties maintained for the performance of IIITB computing and

communication network administration and security activities in both test and

production environments.

Wireless Network (Wi-Fi) (802.11ac and 802.11n Wi-Fi)

A wireless local area network (WLAN), both 802.11ac and 802.11n Wi-Fi, is deployed across the entire

campus of IIITB, with a controller for management and Aruba ClearPass for MAC

authentication of each device on the network. Since it is Wi-Fi, we must understand and

accept all risks associated with deploying a wireless system to the IIITB Network. Approvals

must be obtained from each of the following:

1. The Office of the director, Registrar and Computing Chairman

2. The IT & IS Manager

3. The relevant department head

WLANs must be tightly controlled and monitored to ensure that they are properly

configured to meet minimum security standards.

"Rogue" wireless access points must be immediately disconnected until they receive

formal approval.

Requirements

All wireless local area networks (WLANs) that transmit IIITB Information must meet the

following minimum security requirements. IIITB wireless networks must:

Be Wireless Protected Access (WPA) compliant

Be enabled with 802.1X/EAP-MS-PEAP for authentication and authorization

All APs (access points) are managed with the Wi-Fi controller

All the users are authenticated by Aruba ClearPass Tool

Implement a separate VLAN for the WLAN compliant with IIITB network zoning

requirements.

Perform site surveys to ensure minimum RF leakage outside the intended environment.

Improperly configured WLANs pose many threats to the security of IIITB, including loss of

confidential data, compromising of end systems, spreading of worms and viruses, etc.

Wireless Glossary of Terms:

ACL - access control list

EAP - extensible authentication protocol

IAS - internet authentication service

IEEE 802.1x

LDAP - lightweight directory access protocol

PEAP - protected extensible authentication protocol

VLAN - virtual local area network

WEP - wired equivalent privacy

WLAN - wireless local area network

WPA - wireless protected access

Responsibility

The responsibility of managing the Wired and Wireless networks of IIITB rests with IT staff

comprising the ISO/IT manager, Network and systems administrators.

IT manager/ISO: Is responsible for the approval of wireless/wired and network devices prior

to their deployment in the institute’s network and is also responsible for maintaining the

compliance level of the deployed network entities.

Network/System administrators: Responsible for configuring and managing the devices as per

the guidelines.

13 Network Acceptable Use Policy

Purpose

IIITB communication networks (e.g., IIITB Intranet) provide networking services to the institute

as a whole. These networks may carry IIITB Classified Information. As more and more staff &

students utilize communication networks to conduct IIITB functioning, users must understand

their responsibilities in using these networks and in protecting all information that is accessible

via these networks. This policy aims to outline the industry best practices to be adopted by

the IIITB network.

Scope

The scope of this policy extends to all the computing and network equipment within the

control of IIITB IT department. The scope also extends to the network as well as system

administrators and more importantly the students and staff of the institution.

Policy

Students & Staff who are authorized to use IIITB computing and communication networks or

General Information Resources, must act responsibly when using network resources,

consistent with IIITB’s ethics policies and requirements for the conduct of students & staff.

Users are expected to access only those IIITB computing and communication resources for

which they are authorized. IIITB Information in any form is considered an asset of the institute

and must be protected. This protection of IIITB Information includes controlling the

transmission of information over communication networks and guarding the IIITB computing

and communication networks and servers from unauthorized access and intrusion from

unauthorized users.

While access and security provisions for specific communication networks should be

documented and incorporated into specific procedures and control mechanisms, general

requirements are as follows:

1. Encrypt any IIITB Classified Information transmitted externally via communication

networks;

2. Use security mechanisms (e.g., virus protection) in order to prevent the corruption of IIITB

Information. Be aware of the risks associated with utilizing external communication

networks (e.g., downloading files, especially those from unknown sources);

3. Grant access to external communication networks through approved IT procedures;

4. Access only those systems and networks for which you have been authorized;

5. Protect all IIITB Information according to the provisions of the Information Security

Practices relating to the authorized release of IIITB Information including any electronic

distribution (e.g., e-mail attachments, Ms-Excel, databases, Internet home pages);

6. Comply with any specific procedures issued relative to the communication network being

accessed. Review and understand your responsibilities when accessing resources on the

public network;

7. Respect the academic/business (in case of incubators) purpose for which access to the

communication network(s) has been authorized. Utilize the communication network(s)

prudently.

8. Abide by all applicable laws and regulations, including copyright and software licensing;

9. Do not engage in deliberate attempts to impair the integrity of IIITB computing and

communication resources accessed via the networks;

10. Remind IIITB staff & students that in accordance with the local law:

a) IIITB IT department has the right to monitor, audit, store, retrieve, or otherwise

capture any electronic information occurrence, including but not limited to

transmissions, sessions, or storage that occurs over its owned, controlled, or

connected IIITB computing and communication resources (e.g., e-mail content, voice

mail content, network addresses, frequency or occurrence, and identification of

specific on-line services),

b) IIITB reserves the right to block, alter priority, or terminate execution or access to

any service or activity that diminishes the effectiveness of IIITB’s use of computing

and communication networks by whatever means necessary,

c) IIITB IT department may temporarily or permanently disconnect any user, division, or

subsidiary to prevent any further unauthorized activity, if circumstances warrant,

d) IIITB IT department may report any violation of local, state, federal, or international

laws to the appropriate authorities,

11. IIITB computing and communication resources (e.g., personal computers) are solely for

academic use. Limited personal use is permitted so long as it is reasonable, ethical, does

not interfere with work/academic responsibilities, and is not in conflict with IIITB’s stated

code of conduct.

14 IT Configuration and Patch Management Policy

Purpose

As IIITB becomes increasingly dependent on information technology solutions to support its

day to day functioning, it also increases its exposure to security and other software

vulnerabilities. This policy aims to minimize the threats to the operating systems residing on the

various computing and network equipment by way of effective patch management.

Scope

The scope of this policy extends to all the computing and network equipment within the

control of IIITB IT department. The scope also extends to the network as well as system

administrators who manage the systems and network devices within the IIITB network.

Policy

An IT configuration and patch management process is part of IIITB’s overall security strategy.

All service provider agreements must contain an adequate configuration management

process. Oversight and accountability is the responsibility of IIITB and any contracted

Service Providers.

The following are mandated for a configuration and patch management process:

Configuration Management:

Provides assessment of asset compliance. Compliance here effectively means compliance to

basic security standards as envisaged by the IT & IS Manager. The following are the

fundamental configuration management principles

Identifies non-compliant assets: A periodic scan of the systems and network devices

must be carried out by the system and network administrators for devices/systems

that do not comply with a basic security standard in terms of latest patches, antivirus

updates and system configurations.

Creates a plan to bring non-compliant assets into compliance: A strategy must be

formulated by the IT Manager or ISO to bring the non-compliant systems or devices

to compliance.

Executes the plan: The plan must be executed under the strict supervision of IT

Manager/ISO. Each patching exercise or update on a production system must be

preceded by an effective testing cycle.

Patch Management:

Vulnerability identification and remedies (e.g., patches, etc): IIITB or its designated service

provider will proactively monitor for vulnerabilities and patches for all software identified in

the system inventory.

Prioritization of Patches: IIITB or its service provider must prioritize the set of known patches

and provide classification to sectors, regions, and business units on the criticality of each

patch.

Risk assessment: When IIITB or its designated service provider discovers a vulnerability and a

related patch and/or alternative workaround is released, then IIITB or its designated service

provider will consider the importance of the affected assets and/or area of operations, the

criticality of the vulnerability, and the risk of applying the patch. When a vulnerability is

identified and no patch is available, IIITB or its designated Service Provider must evaluate the

risk of the vulnerability and, based on that risk, take action to mitigate the risk through other

means until a patch becomes available.

Change Control: IIITB or its designated service provider will follow the standard Change Control

process for application of any changes to configuration.

All devices must be either:

• patched

• removed from the IIITB network

• placed behind a firewall with appropriate filters to prevent transmittal of vulnerability.

Responsibility

The configuration management and patch management are the collective responsibility of

the IT manager or ISO, Network and system administrators. The individual segregation is as

outlined below.

IT Manager/ISO:

• Responsible for overall patch management and configuration management.

• Responsible for strategizing and planning the deployment of patching and

configuration changes.

• Responsible for overseeing the patch deployment during the test phase.

• Responsible for updating the change management log.

Network/System administrator: Responsible for carrying out the changes on systems approved

by the IT Manager/ISO.

IT & IS infrastructure

Computational Facilities

PCs/Laptop exclusively available to Students: 220

PCs/Laptop available in Library: 5

PCs/Laptop available in Administrative Office: 95

PCs/Laptop available to Faculty Members: 57

Number of PCs/Laptop in Language Lab: 73

Internet Bandwidth in Mbps: 1,500

Number of Legal Application Software: 48

Printers available to Student: 3

Number of A1 Size Color Printers: 1

Number of Legal System Software: 11

Number of Open Source Software: 32

Number of Proprietary software: 20

SOFTWARE LICENSE

Part no | Description | Qty

JW546AAE | Aruba LIC-AW Aruba Airwave with RAPIDS and VisualRF 1 Device License E-LTU | 350

H1L06A3#ZXZ | HPE Partner-Branded NBD Support SVC - HPE Aruba AirWave 1 Dev E-LTU Supp [for JW546AAE] | 350

JW472AAE | Aruba LIC-AP Controller per AP Capacity License E-LTU | 400

JW473AAE | Aruba LIC-PEF Controller Policy Enforcement Firewall Per AP License E-LTU | 400

H1L06A3#ZXQ | HPE Partner-Branded NBD Support SVC - HPE Aruba Cntrl per AP Capcty E-LTU Supp [for JW472AAE] | 400

H1L06A3#XS4 | HPE Partner-Branded NBD Support SVC - HPE Aruba License PEF Contro Supp [for JW473AAE] | 400

Sl No: Open Source Software in Campus

1 Linux operating system.

2 Android by Google.

3 Open office.

4 Firefox browser.

5 VLC media player.

6 Moodle 3.9

7 WordPress content management system.

8 VLC Media Player

9 Amarok

10 Audacious

11 Apache OpenOffice

12 LibreOffice

13 Avidemux

14 Open Shot Video Editor

15 Audacity

16 GIMP

18 7zip

19 Tor Browser

20 Mozilla Thunderbird

21 KeePass

22 DC++

23 BRL-CAD

24 Inkscape

25 Blender

26 WordPress

27 Magento.

28 Mozilla Firefox

29 Mozilla Thunderbird

30 FileZilla

31 GnuCash

32 GIMP

Number of Legal System Software:

1 MICROSOFT CAMPUS LICENSE ALL VERSION OF OS

2 RED HAT

3 MAC OS 10

4 DOCKER

5 KUBERNETES

6 CENTOS

7 MINT

8 SUSE

9 KALI

10 VMWARE

11 HP ESXI

Proprietary software 20 PLUS

Microsoft Windows, Adobe Flash Player, PS3 OS, iTunes, Adobe Photoshop, Google Earth, MACIOS,

Skype, WinRAR, Oracle's version of Java and some versions of Unix.

MSOFFICE

CADENCE

MATLAB

XILINX

WEBEX

GAUSSIAN

ARUBA AIRWAVE

ARUBA CLEARPASS

ARUBA MOBILITY MASTER

ARUBA CONTROLLER

Campus Network

• IIITB Campus network designed for 5000 user devices

• 2 ISP providers for Internet bandwidth: 1. BSNL: 1 Gbps and 2. NET4INDIA: 500 Mbps

• 1000+ I/O ports for wired network 1G/10G switch and Wave-2 Wi-Fi network 1.733 Gbps for entire campus with 350 plus access points (supports up to 1,733 Mbps in the 5 GHz band and 400 Mbps in the 2.4 GHz band) with complete solution from OEM HP Aruba.

• Entire campus network is 10G Fiber backbone and expandable to 40G.

• All DATACENTER Servers are on 10G/40G.

• IIITB Computer Lab consists of 200 plus systems

• Smart Classroom for all the classes.

• Online recording audio and Video for all the important Classrooms

• 100 plus laptop/Desktops for Faculty and Staff.

ITEM MODEL SERIAL NO USER LOCATION

DESKTOP HP COMPAQ 6200 PRO MT SGH220RTYW RAM DATA CENTER BSNL

DESKTOP HP ELITE 100MT SGH052Q8KJ Ranjith DATA CENTER

DESKTOP ACER UXVD9S1633E1321836 MURUGAN DATA CENTER

DESKTOP HP COMPAQ 6200 PRO MT SGH220RTY1 MANOJ DATA CENTER BACKUP MACHINE

DESKTOP SGH220RTY2 VINGNESH FINANCE

DESKTOP HP-DX2480MT SGH852ONVY PARUL ADMIN DEPARTMENT

DESKTOP HP ELITE7100 INA110WG40 SOMASHEKHAR ADMIN DEPARTMENT

DESKTOP ACER UXVD9S1633E132832 Smriti ADMIN DEPARTMENT

DESKTOP ACER UXVD951633E132831 PUSHPA FINANCE

DESKTOP DELL OPTIPLEX 390 GH768R8 CYNTHIA ADMIN DEPARTMENT

DESKTOP HP ELITE INA110WG41 NIRMALA ADMIN DEPARTMENT

DESKTOP HP DESKTOP INA110WG43 SURESH FINANCE

DESKTOP DELL 00184034571816 Student CEEMS-LAB

DESKTOP DELL 00184034571827 Student CEEMS-LAB

DESKTOP DELL 00184034571822 Student CEEMS-LAB

DESKTOP DELL 00184034571809 Student CEEMS-LAB

DESKTOP DELL 00184034571829 Student CEEMS-LAB

DESKTOP DELL 00184034571821 Student CEEMS-LAB

DESKTOP DELL 00184034571817 Student CEEMS-LAB

DESKTOP DELL 00184034571819 Student CEEMS-LAB

DESKTOP DELL 00184034571826 Student CEEMS-LAB

DESKTOP HP Z400 SGH049SW5S SWATI MEDIA CENTER

DESKTOP LENOVO THINK CENTER 1S34923JQPG07344 SOMASHEKHAR 201

DESKTOP I MAC APPLE W803114FDAS (IT0249) SHRISHA RAO 122

DESKTOP LENOVO THINK CENTER 1S34923JQPG07340 MEENAKSHI 121

DESKTOP HP ELITE SGH052Q8K RC 116

DESKTOP HP ELITE 7100 MT INA110WG48 PRABHU 126

DESKTOP ASUS AS324125 PRASANT 101

DESKTOP BIOSTAR I945C-M7B MAHESH REDDY 106

DESKTOP ACER UXVD9S1633E132839 BRIJESH KUMAR 215

DESKTOP ACER UXVD9S1633E132820 SRIKANTH 213

DESKTOP WIPRO W23514554 MURALIDHARA 111

DESKTOP HP PROLIANT MT HP131241425 S RAJAGOPALAN 113

DESKTOP HP PROLIANT MT HP131423267 MADHAV RAO 112

DESKTOP DELL TOWER GH768324 NEELAM SINHA 109

DESKTOP ACER UXVD9S1633E132837 JAYA PRAKASH 110

DESKTOP HP UXVJSS1W85G2860948 VEDHA 108

DESKTOP HP ELITE 7100MT INA110WG42 Jyostna Bapat 125

DESKTOP HP SGH90304ST Faculty CL NO: 132

DESKTOP HP PRO INA410VOKZ Faculty CL NO:133

DESKTOP HP SGH8520NZM Faculty CL NO:103

DESKTOP HP PRO INA408T265 Faculty CL NO : (102/133)

DESKTOP ACER IUXVD9X1633E1321834 student ESDM 315-B

DESKTOP ACER IUXVD9X1633E1321839 student ESDM 315-B

DESKTOP DELL 6H5HVS1 student ESDM 315-B

DESKTOP ACER IUXVD9X1633E1321835 student ESDM 315-B

DESKTOP DELL OPTIPLEX GH768R1 student ESDM 315-B

DESKTOP LENOVO 1S3492H2QPG38037 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38014 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38035 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38059 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38046 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QL9CVH04 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38089 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38007 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QL9CVH11 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QI9CVG77 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QL9CVH05 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38061 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38015 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38047 student HIDES LAB-317

DESKTOP LENOVO 1S3492H2QPG38063 student HIDES LAB-317

DESKTOP ACER UXVD9SI633E1321833 DR. RANGANAHAN HIDES LAB-317

DESKTOP DELL 0084034571818 ASHWINI HIDES LAB-317

DESKTOP Acer Veriton AIO M200-H81 UXVJSS1W85G2860638 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H82 UXVJSS1W85G2860609 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H83 UXVJSS1W85G2860888 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H84 UXVJSS1W85G2860783 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H85 UXVJSS1W85G2860580 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H86 UXVJSS1W85G2860626 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H87 UXVJSS1W85G2860863 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H88 UXVJSS1W85G2860872 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H89 UXVJSS1W85G2860933 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H90 UXVJSS1W85G2860900 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H91 UXVJSS1W85G2860802 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H92 UXVJSS1W85G2860679 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H93 UXVJSS1W85G2860940 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H94 UXVJSS1W85G2860599 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H95 UXVJSS1W85G2860879 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H96 UXVJSS1W85G2860833 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H97 UXVJSS1W85G2860777 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H98 UXVJSS1W85G2860884 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H99 UXVJSS1W85G2860627 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H100 UXVJSS1W85G2860603 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H101 UXVJSS1W85G2860867 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H102 UXVJSS1W85G2860640 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H103 UXVJSS1W85G2860859 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H104 UXVJSS1W85G2860860 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H105 UXVJSS1W85G2860856 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H106 UXVJSS1W85G2860936 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H107 UXVJSS1W85G2860838 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H108 UXVJSS1W85G2860887 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H109 UXVJSS1W85G2860676 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H110 UXVJSS1W85G2860841 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H111 UXVJSS1W85G2860908 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H112 UXVJSS1W85G2860911 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H113 UXVJSS1W85G2860813 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H114 UXVJSS1W85G2860663 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H115 UXVJSS1W85G2860904 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H116 UXVJSS1W85G2860896 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H117 UXVJSS1W85G2860934 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H118 UXVJSS1W85G2860935 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H119 UXVJSS1W85G2860909 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H120 UXVJSS1W85G2860846 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H121 UXVJSS1W85G2860659 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H122 UXVJSS1W85G2860591 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H123 UXVJSS1W85G2860656 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H124 UXVJSS1W85G2860839 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H125 UXVJSS1W85G2860912 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H126 UXVJSS1W85G2860891 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H127 UXVJSS1W85G2860651 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H128 UXVJSS1W85G2860644 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H129 UXVJSS1W85G2860649 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H130 UXVJSS1W85G2860939 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H131 UXVJSS1W85G2860910 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H132 UXVJSS1W85G2860852 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H133 UXVJSS1W85G2860938 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H134 UXVJSS1W85G2860836 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H135 UXVJSS1W85G2860729 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H136 UXVJSS1W85G2860612 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H137 UXVJSS1W85G2860854 Student COMPUTER LAB107

DESKTOP Acer Veriton AIO M200-H138 UXVJSS1W85G2860873 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXP Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYB Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYK Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXY Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYX Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTy1 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYL Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYC Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYM Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTZ2 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXK Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYQ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYH Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYV Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTy7 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTZ4 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXC Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXR Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXV Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYZ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTX8 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXB Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXM Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTX9 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXX Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXG Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYG Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTY4 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTY5 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYR Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYF Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTY8 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYN Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTZ0 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXS Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXD Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYZ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTZ1 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXN Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYD Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYP Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTZ3 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTX7 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTY3 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTX9 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXR Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYJ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXZ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYT Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXQ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXY Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXL Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTXW Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTX6 Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH8520NXQ Student COMPUTER LAB107

DESKTOP HP Compaq 6200 SGH220RTYY Student COMPUTER LAB107

Apple Desktop I-Mac -Apple IT0265 Prof.Amit 217

Total number of Desktop: - 179


ITEM MODEL SERIAL NO USER LOCATION CONFIGURATION

LAPTOP HP PROBOOK 4530 S C-12047 SARAVANAN R DATA CENTER I5/4GB/500GB

LAPTOP HP COMPAQ NX6310 cnd76890 DC DATA CENTER DISPLAY MACHINE CELERON/512MB/40GB

LAPTOP HP CND1276Z PICHIYA FINANCE

LAPTOP HP PRO 4520S 2CE048151P ROSHINI DSOUZA ADMIN DEPARTMENT I3/4GB/250GB

LAPTOP DELL cnju8956 REGISTRAR - Sridhar ADMIN DEPARTMENT I5/4GB/500GB

LAPTOP HP PROBOOK 1929ZY REGISTRAR - Prakash ADMIN DEPARTMENT CORE2DUO/4GB/500GB

LAPTOP DELL VOSTRO 5CG63330H7 Rashmitha PLACEMENT/Upgrade i5/4GB/1TB

LAPTOP COMPAQ NX6310 cnhy754787 Faculty MEDIA CENTER CELERON/1.25GB/500GB

LAPTOP HP PAVILION DV6 544092 SWATI MEDIA CENTER I5/4GB/500GB

LAPTOP COMPAQ NX6310 CNU63101HX ANGEL MEDIA CENTER CELERON/1.25GB/40GB

LAPTOP COMPAQ NX6310 CNZ13X ANGEL MEDIA CENTER CELERON/1.25GB/40GB

LAPTOP HP PROBOOK 2CE102090L RAMA 201 I3/4GB/320GB

LAPTOP COMPAQ NX6310 CNA63101NW SOMASHEKHAR 201 CELERON/1.25GB/40GB

LAPTOP LENOVO THINKPAD R10ZXY RC 116 I3/4GB/500GB

LAPTOP HP PROBOOK 4530S XYZ17UZD PRASANA 127 I5/4GB/500GB

LAPTOP HP PROBOOK 4440S cfhy7890 THRICHA ANJALI 212-C I5/4GB/500GB

LAPTOP HP PROBOOK 4530S cvdf7894 ASHOK BALAKRISHNAN 211 I5/4GB/500GB

LAPTOP HP PROBOOK 4530S XY1U2DX SUBHAJIT SEN 210 I5/4GB/500GB

LAPTOP HP PROBOOK 4440S ZUXY1279 AMIT PRAKASH 209 I5/4GB/500GB

LAPTOP HP PROBOOK 4530S 66BU66 MANISH KULKARNI 208 I5/4GB/500GB

LAPTOP SONY VAIO YU68Z1U NIVEDITA MENON 207 I5/4GB/500GB

LAPTOP DELL VOSTRO CNC1XUD SREEENIVASA RAGAVAN 206-C I5/4GB/500GB

LAPTOP LENOVO THINKCENTER CNU12790 DINESH BABU 206-D I5/4GB/500GB

LAPTOP SONY VAIO ZXC19UD VINOD VYASULU 206 I5/4GB/500GB

LAPTOP HP PROBOOK 4440S D5J48PA V. SRIDHAR 224 I5/4GB/500GB

LAPTOP HP PROBOOK 4440S INA311YHT12 ASHISH 223 I5/4GB/500GB

LAPTOP SONY VAIO 54576298 BIDISHA CHAUDURI 214 I5/4GB/500GB

LAPTOP HP PROBOOK 4440S CNC1ZDYZ JOY PRABHAKARAH 212-D I5/4GB/500GB

LAPTOP HP PROBOOK 4530S CNC1Z29Z MURALIDHARA 111 I5/4GB/500GB

LAPTOP HP PROBOOK 4520S CNZ1927Z D.V. JAGADISH 114 I3/4GB/500GB

LAPTOP DELL VOSTRO X1C16000 MADHAV RAO 112 I5/4GB/500GB

LAPTOP DELL VOSTRO ZXC2876 JAYA PRAKASH 110 I3/4GB/500GB

LAPTOP HP PROBOOK CNYZ2D1X DAS 117 I3/4GB/500GB

LAPTOP HP PROBOOK CND5389A DAS 117 I3/4GB/500GB

LAPTOP SONY VAIO XY2DY2H BALAJI 120 I5/4GB/500GB

LAPTOP HP NOTEBOOK CND438B1JN BALAJI 120 I5/4GB/500GB

LAPTOP HP NOTEBOOK cvny689nd JOSENA BAPAT 125 I5/4GB/500GB

LAPTOP HP PROBOOK cvn67hdgtd D Das 117 I5/4GB/500GB

LAPTOP HP PROBOOK 440 INA425ZTVS Faculty MAIN CLASS ROOM (106) I5/4GB/500GB

LAPTOP HP PROBOOK 4520S 2CE480YRS Faculty BOARDROOM 107 I3/3GB/320GB

Laptop HP Pro Book INA328D3JW Prof.Chetan Parikh 115 1TB/4GB

Laptop HP Envy R41000680 Prof.G.Srinivas Raghavan 206c i7/16GB/2TB

Laptop HP Probook 450G2 yhj89c6 Prof.Sachit Rao 224e I5-5200U/4GB/500GB

Laptop Dell Inspiron 5558 CMKGZ52 Prof.P.V.Dinesh Babu 206b I5-5250U/8GB/1TB

Laptop HP ProBook 450G2 hjk789fhj Prof.Preeti Mudalar 220 I5-5200U/4GB/500GB HDD

Laptop HP Compaq NX 6310 CNU1XUDY Harish Ponnappa 202 i3/2gb/40GB

Laptop HP Compaq CNU2152F30 Faculty Class Room 204

LAPTOP Dell Vostro 3458 87H2762 Faculty Class ROOM 102 I3/4GB/500GB

LAPTOP Dell Vostro 3458 6TFZ662 Faculty Class ROOM 308 I3/4gb/500GB

LAPTOP Dell Vostro 3458 1Z50762 Faculty Class Room 303 I3/4G/500GB

LAPTOP Dell Vostro 3458 455D662 Faculty Class Room 304 I3/4G/500GB

LAPTOP Dell Vostro 3458 INA425ZTV9 Faculty Class Room 307 I3/4G/500GB

LAPTOP HP Probook xcvnj73567 ROSHNI ADMIN DEPARTMENT I3/4gb/500GB

LAPTOP Dell Vostro 3458 3Y72762 Faculty Class Room 309 I3/4gb/500GB

LAPTOP Dell Vostro 3458 vbhj89kmj Faculty Class Room 310 I3/4gb/500GB

Laptop Lenovo Lr01kee Mythri Reception I3/1tb/4gb

Laptop Lenovo LR01s198 Security Gate1 I3/1tb/4gb

Laptop Lenovo LR09S1KK Security Gate2 I3/1tb/4gb

Laptop Lenovo LR09S1CL Security Gate3 I3/1tb/4gb

Laptop Lenovo LR09UD2S Registrar 122 I5/1tb/4gb

Laptop Lenovo E430 Security Reception Display I3/500gb/4gb

Laptop Lenovo vbyuj8965 Prof.Manisha 208 I5/1tb/4gb

Laptop Lenovo Yoga cfy12sdf79 Prof.Srinivas 133f i7/500GB/8GB

Laptop Lenovo Yoga 77V0P87 Prof.Uttam Kumar 123 i7/500GB/8GB

Laptop Lenovo 310 77609AM Prof.Madhav Rao 112 I5/1tb/4gb

Total Laptop :- 65


SOFTWARE LICENSE

Part no Description Qty

JW546AAE Aruba LIC-AW Aruba Airwave with RAPIDS and VisualRF 1 Device License E-LTU 350

H1L06A3#ZXZ HPE Partner-Branded NBD Support SVC - HPE Aruba AirWave 1 Dev E-LTU Supp [for JW546AAE] 350

JW472AAE Aruba LIC-AP Controller per AP Capacity License E-LTU 400

JW473AAE Aruba LIC-PEF Controller Policy Enforcement Firewall Per AP License E-LTU 400

H1L06A3#ZXQ HPE Partner-Branded NBD Support SVC - HPE Aruba Cntrl per AP Capcty E-LTU Supp [for JW472AAE] 400

H1L06A3#XS4 HPE Partner-Branded NBD Support SVC - HPE Aruba License PEF Contro Supp [for JW473AAE] 400

SL.No Dell 3060MT Desktop Issued To SL.No DELL 19" E1916HE Monitor Issued To

1 G41M9X2 R106 1 CN0CH5KXFCC0094HC4UB R109

2 G41P9X2 JYOTSNA 2 CN0CH5KXFCC0094HC7LB JYOTSNA

3 G41N9X2 R109 3 CN0CH5KXFCC0094HC75B RLAB-107

4 C0L0HY2 RLAB-107 4 CN0CH5KXFCC0095ICGWB RLAB-107

5 C0D2HY2 RLAB-107 5 CN0CH5KXFCC0095ICHCB RLAB-107

6 C0J0HY2 (DOA) 1F2WBZ2 R103 6 CN0CH5KXFCC0095ICH0B RLAB-107

7 C0RYGY2 RLAB-107 7 CN0CH5KXFCC0095ICH6B RLAB-107

8 C0BYGY2 RLAB-107 8 CN0CH5KXFCC0095ICH7B RLAB-107

9 C0FWGY2 RLAB-107 9 CN0CH5KXFCC0095ICGTB STORE ROOM

10 C0PYGY2 RLAB-107 10 CN0CH5KXFCC0095ICH5B RLAB-107

11 C0G1HY2 JVPrasad A134-E 11 CN0CH5KXFCC0095ICH1B RLAB-107

12 C0DZGY2 RLAB-107 12 CN0CH5KXFCC0095ICHAB RLAB-106

13 C0NWGY2 RLAB-107 13 CN0CH5KXFCC0095ICH2B RLAB-107

14 C0R3HY2 RLAB-107 14 CN0CH5KXFCC0095ICHEB RLAB-107

15 C0P1HY2 RLAB-107 15 CN0CH5KXFCC0095ICGFB RLAB-107

16 C0MXGY2 RLAB-107 16 CN0CH5KXFCC0095ICGVB RLAB-107

17 C0M0HY2 RLAB-107 17 CN0CH5KXFCC0095ICH3B JVPrasad A134-E

18 C0K2HY2 RLAB-107 18 CN0CH5KXFCC0095ICGPB RLAB-107

19 C0JXGY2 RLAB-107 19 CN0CH5KXFCC0095ICH4B RLAB-107

20 C0Q3HY2 RLAB-107 20 CN0CH5KXFCC0095ICGGB STORE ROOM

21 C0GYGY2 RLAB-107 21 CN0CH5KXFCC0095ICGNB RLAB-107

22 C0H3HY2 RLAB-107 22 CN0CH5KXFCC0095ICGUB RLAB-107

23 C0QZGY2 RLAB-107 23 CN0CH5KXFCC0095ICGRB RLAB-107

Intel i-5 Desktops


Sl No: Open Source Software in Campus

1 Linux operating system.

2 Android by Google.

3 Open office.

4 Firefox browser.

5 VLC media player.

6 Moodle 3.9

7 WordPress content management system.

8 VLC Media Player

9 Amarok

10 Audacious

11 Apache OpenOffice

12 LibreOffice

13 Avidemux

14 Open Shot Video Editor

15 Audacity

16 GIMP

18 7zip

19 Tor Browser

20 Mozilla Thunderbird

21 KeePass

22 DC++

23 BRL-CAD

24 Inkscape

25 Blender

26 WordPress.

27 Magento.

28 Mozilla Firefox.

29 Mozilla Thunderbird.

30 FileZilla.

31 GnuCash.

32 GIMP.

Number of Legal System Software:

1 MICROSOFT CAMPUS LICENSE ALL VERSION OF OS

2 RED HAT

3 MAC OS 10

4 DOCKER


5 KUBERNETES

6 CENTOS

7 MINT

8 SUSE

9 KALI

10 VMWARE

11 HP ESXI

Proprietary software 20 PLUS

Microsoft Windows, Adobe Flash Player, PS3 OS, iTunes, Adobe Photoshop, Google Earth, MACIOS Skype, WinRAR, Oracle's version of Java and some versions of Unix.

MSOFFICE

CADENCE

MATLAB

XILINX

WEBEX

GAUSSIAN

ARUBA

AIRWAVE

ARUBA CLEARPASS

ARUBA MOBILITY MASTER

ARUBA CONTROLLER