Nicholas School Information Technology - Policies
You use your network password to login to your Nicholas School account and to access your home directory on the network. When choosing a password, choose a password that is at least 11 characters long. Do not choose a proper name or a single word that can be found in a dictionary - even a non-English dictionary - as your password. Instead of thinking of a password as a word, think passphrase, a longer string of words or a phrase.
For instance, if you have a pet named Snowball, that name would be a poor password. It isn't long enough and is too easily guessed or 'cracked' by tools used by bad guys trying to compromise accounts. A better password, for example, would be based on the phrase "I have a cat, I named her Snowball": ih@c,inhSBl
Effective Date: January 27, 2017
Responsible Area: Information Technology
Faculty and staff use of administrative access to their computers for installing software and possible other operations requiring elevated rights.
As an administrator of your computer on the Nicholas School network, you are responsible for paying for, and licensing, any software not provided by Nicholas School IT or Duke University, and providing proof of payment and license when required.
If your computer becomes compromised or non-functional, it will be removed from the network and may be rebuilt to the basic install by Nicholas IT. You will be responsible for restoring data that was stored locally on the computer and any additional software that you installed.
It is understood that certain applications are required on machines (security/patch management/anti-virus) and users with admin rights should not disable these applications. While the computer is on the Nicholas School network, Nicholas IT will utilize these various methods to maintain security patches and updates. Nicholas IT support staff will also maintain administrative access to machines in order to provide support.
The site license for ESRI ArcGIS software is administered by the Nicholas School. Software is available from OIT for installation on University-owned computers.
A basic description of the agreement between the University and ESRI is available here.
The Nicholas IT Computer Purchase Program is designed to provide a streamlined process for purchasing computers for Nicholas faculty and staff. The primary goals of the program are:
- to provide a regular, predictable replacement cycle for faculty and staff computers,
- to allow users to have reasonably up-to-date equipment,
- to ease the support burden on IT staff associated with troubleshooting and maintaining outdated or out-of-warranty equipment and non-standard hardware,
- and to budget accurately for computer purchases.
POLICY FOR FACULTY AND STAFF PROVIDED COMPUTERS
Nicholas IT will provide a new primary administrative computer - every five years for a desktop; every four years for a laptop - for each qualifying faculty and staff member. Qualifying faculty and staff are those members whose salaries are funded by the School's administrative budget, not research grants. Desktop computers are typically assigned to staff, although a supervisor may submit a request to justify a laptop instead. Faculty may choose a desktop or a laptop.
Computers are selected from the Blue Level of the Duke Computer Purchasing Program negotiated with Dell, Lenovo and Apple. Other models in the program may be ordered. Nicholas IT contributes the cost of an equivalent Blue Level model plus the applicable standard warranty. The user must pay the cost difference using other Duke funds. This additional funding is considered to be part of the fully depreciated cost of the device and will not be reimbursed when the device is next refreshed. Computers are the property of Nicholas IT, and must be turned in when a new computer is provided. These computers cannot be retained for use as a second faculty/staff machine, nor purchased for personal use. Nicholas IT will decide if they will be re-purposed for other uses, such as for graduate students without other resources.
COMPUTERS PURCHASED ON STARTUP OR GRANT FUNDS
When purchasing computers from startup or grant funds, Nicholas IT will help you make selections that will satisfy your requirements and also assure quality support. In most cases the negotiated models and prices on the Duke Computer Purchase Program are sufficient. However, Nicholas IT can assist with customizations, when needed.
Nicholas IT will appropriately configure computers to perform the administrative tasks associated with the staff/faculty position at the Nicholas School. For example, Microsoft Office Professional is installed. Additional software licenses must be covered by the user.
Nicholas School IT can only fully support computers purchased through our office and configured by our staff. Users who choose to purchase computers on their own should be aware that their computer may not be able to be supported by either Nicholas School IT or the Nicholas network.
Computers for new employees are purchased from the funds of the hiring department. New faculty pay for their computers from their start-up funds. It can take from 2-4 weeks to configure, order and set up a new computer, so bear this in mind when contacting Nicholas School IT.
Primary vendors for desktop and laptop computers are Dell, Apple and Lenovo.
The standard software install for administrative staff and faculty includes Microsoft Office. Other software may require installation discs and licenses provided by the requester. Administrative access to the computer on the Nicholas network can be granted to users who agree to certain terms and conditions.
YOUR NICHOLAS SCHOOL ACCOUNT
Your Duke NetID credentials will be used as your logon to the Nicholas network. All new staff and faculty are assigned NetIDs by Duke OIT. The NetID should not be confused with the UniqueID - a seven-digit identifier used for administrative record-keeping at the University. With a NetID, and upon the request of the hiring department, Nicholas School IT will provide access to shared network directories.
All users at Duke are provided approximately 5G of personal network storage by OIT. This space is backed up regularly and users are encouraged to save their personal files to this location. We strongly discourage users from saving music and local email files to the network. Music files are best saved to a local computer hard drive and email should be left on the email server. Faculty can arrange for additional network storage for research by contacting Nicholas School IT.
Nicholas School IT budgets funds to replace desktop computers for administrative staff paid from school funds, and in recognition of the administrative tasks performed by many faculty. Currently, these replacements are made approximately every five years. Computers purchased with these funds revert to Nicholas IT when replaced.
Nicholas IT does not support storage of non-work or non-class-related personal data, .mp3 or other audio files, audiobooks, movie or video files, or image files on Nicholas School servers.
We do periodically audit disk space usage. If we notice that a user has a lot of non-work or non-class-related .mp3, image, or movie files stored in their home directory, they will be asked to remove this data.
If you have email stored on Nicholas School servers - for example, your local folders are mapped to your Z drive - this email should be moved back to the email servers. Contact us for help in doing this.
Faculty, staff, visitors, and students who use the Information Technology (IT) resources in the Nicholas School are expected to follow the same expectations and guidelines as written in the Duke Human Resources Policy Manual. Policy Number: 04.10; Issued Date: 07/01/2006. (See the link for revisions.) Any evidence of gross infringements of this policy will be reported to the Duke University IT Security Office. As of June 25, 2007 the policy is:
Access to and use of computing and networking resources at Duke are privileges extended to members of the Duke community. Access to Duke's computing and networking resources is limited to authorized users for approved purposes only. Such resources include computer hardware and software, computer-based files and data, and all networks – including the Internet. Approved purposes are those consistent with both the broad instructional, health care and research goals of Duke and with the user's relationship with the institution.
POLICY DETAILS - ACCESS AND USE
At certain times, Duke may find it necessary to access and disclose information from computer and network users' accounts (to the extent required by law) in order to uphold contractual obligations or other applicable institutional policies or to diagnose and correct technical problems. For this reason, the ultimate privacy of messages and files cannot be ensured. In addition, system failures may lead to a loss of data – so users should not assume that their messages and files are secure.
Neither Duke nor its agents restrict the content of material transported across its networks. While Duke does not position itself as a censor, it reserves the right to limit access to its networks or to remove material stored or posted on computers when applicable Duke policies, contractual obligations, or state or federal laws are violated.
Duke computers and communication systems must not be used for solicitations, chain letters, sexual or ethnic jokes or slurs, email stalking, threats, or harassment.
Use of Duke computers or communication systems for any of the above actions may result in corrective actions up to and including termination. An extensive policy that authorizes access and security provisions is available from the Office of Information Technology (OIT). To obtain a copy of this policy, please contact this office at 684-2200 or refer to the office's web site.
The Nicholas School Information Technology Security Policy is couched within the framework of Duke University's OIT Security Policy Statements.
Keeping shared Nicholas computing resources secure and functioning at their best is one of the Nicholas IT department's primary goals. Details are outlined in the Standard Procedures for Windows and Linux Security.
Minimum requirements for computers on the Nicholas network (including personally owned computers) are:
- Secure passwords on all accounts. This includes a minimum length of eight characters and a combination of characters with upper and lower case letters, at least one special character, and at least one number. An account will be locked after 10 invalid login attempts and the account will be automatically unlocked after 15 minutes.
- Maintenance of an up-to-date operating system, including all security patches, and a functioning procedure for regularly applying updates (e.g., Yum, BigFix, Microsoft or Apple Software Updates).
- Installation of virus scanning software (e.g., Network Associates Virex or VirusScan, or Symantec’s AntiVirus), with current virus definitions, on computers running Microsoft Windows or Apple OS.
To receive administrative rights to Nicholas-owned computers, users must agree to the Nicholas School IT Administrative Access Agreement.
If security is compromised, the computer will be removed from the network.
The Nicholas School IT department provides accounts to authorized users of the computer systems in the school. Although these accounts are different from those assigned by Duke University's Office of Information Technology (OIT), the Nicholas account userid will be the same as the user's OIT NetID.
Each account is provided to one user only, i.e. the owner of the account should not share the password. The owner is fully responsible for any actions taken using their account and the content of all the files belonging to their account. Each user must take all reasonable precautions, including proper password maintenance and file protection measures, to prevent use of accounts by unauthorized persons.
Accounts may be revoked or restricted at any time if evidence is found of irresponsible behavior such as "cracking" (trying to break into accounts on this or remote systems) or lending accounts to others.
Home directories are established when accounts are created and are the property of the corresponding user. As a general rule, home directories are considered private. Group-related information or work done for hire should therefore never be stored in a user's home directory.
Group directories will be used for storing files related to that group. Files and directories stored in a research or administrative group project space are the property of the group head. In most cases this is the faculty member or supervisor in charge of that group. This means that if a user is to leave the group, the files contained within the project space are the property of the group head.
Privacy is used here in the sense described in the Nicholas School IT Acceptable Use Policy.
The OIT Security office scans for known vulnerabilities on a regular basis. Currently, vulnerability scanning of the Durham Nicholas School subnets occurs monthly. Results of those monthly scans are emailed to Durham Nicholas IT system administrators on the 15th.
The Nicholas IT sysadmins review the reports each month for all Nicholas School subnets. Any machines that are lacking serious security patches will be manually patched unless yum provides a patch. Any systems which appear to be compromised or are a security risk will be immediately removed from the network and rebuilt.
Durham and Marine Lab
The OIT Security office scans for known vulnerabilities on a regular basis. Currently, vulnerability scanning of the Nicholas School Marine Lab subnets occurs monthly.
Users are educated to use at least 8-character passwords, non-dictionary words, and to include uppercase letters, numbers, and non-letter, non-numeric characters in their passwords.
Operating systems are kept current by using Yum, BigFix, Microsoft or Apple Software Updates. Security patches are applied as soon as possible after release.
Symantec Endpoint Protection is installed and configured to look for "unwanted" programs, and viruses. Virus definitions are updated daily.
IPSEC rules are used via group policy.
Linux servers and workstations use a host-based firewall.
In addition, a 'VRF'-type firewall also surrounds the Nicholas School subnets in Durham.
Epylog is used to digest logs and create a daily report of attempted root logins (failed or successful), dictionary attacks, SSH scans and/or any other potentially malicious activity on Linux/Unix-based workstations and servers.
Durham and Marine Lab
To avoid exposing information to an unexpected visitor, we educate users to either lock or log off their workstation when they leave the office.
Backups of files stored on Nicholas IT's storage are *performed daily between 9:00 p.m. and 5:00 a.m., and are retained for six months. Our backup location is in a separate datacenter on campus.
To request a previous version of a file, email firstname.lastname@example.org and include the full path to the file and the date.
Depending on when they are requested, restores are generally performed the same business day of the request. The restored data is placed in its original location with the same name, or with the word “-restored” appended. You will be notified when the restore is complete.
Usually, data stored directly on computers and laptops, either on internal drives or externally attached devices, is not backed up by Nicholas IT. We advise that you store important data on Nicholas IT’s network.
If you do need to back up data stored directly on a computer, laptop or externally attached device, talk to Nicholas IT about other backup options.
*NOTE: If a file is both created and deleted during the same day, even if it was saved to the network, we will be unable to restore it because it will not have been backed up.
In accordance with the Duke University Security Office, the Nicholas School does not provide facilities to allow storage of sensitive information on Nicholas School servers, desktops, laptops, mobile devices or external storage devices. Additionally, sensitive information may not be stored on any personally-owned electronic devices or storage devices.
Sensitive information includes the following:
- Social Security numbers (see https://security.duke.edu/policies/data-classification-standard)
- Credit Card numbers
- ePHI (HIPAA)
- FERPA protected (non directory information)
- Prospective Student data
- Donor data
- Contract data
- Financial data
- HR data
- Physical Plant details
- Certain management information
Once per year, Nicholas School IT scans the network storage we manage for sensitive data using Duke Security Office recommended DLP (Data Loss Prevention) tools. This scanning does not include desktops, local or group server storage, laptops, mobile or external storage devices. Only centralized network storage that Nicholas School IT manages is scanned.
If sensitive data is found, the user is notified and given three options:
- Modify the data or document to remove the sensitive information
- Remove/delete the data or document
- Advise Nicholas IT that the user has a business need to store the data, at which point we will assist the user in moving the sensitive data to secured (encrypted) storage managed by ITSO/OIT.
If you need to retain sensitive data or if you have questions about this policy, please contact Nicholas IT so that we can assist you.
More information about sensitive data can be obtained at http://security.duke.edu/policies-procedures.
A yearly reminder will be emailed to all Nicholas School students, staff, faculty and affiliates regarding this policy.