Skip Ribbon Commands
Skip to main content
Sign In

: : IT Policies & Practices (Acceptable Use Policy)
IT SECURITY ADVICE


  1. Clear your browser's cache and history after each session, especially if you are using a shared/public PC.

  2. Do not store your NPNet Login ID/Password when using the browser.

  3. Never use the same NPNet Login Password for other Internet services such as free email (eg Yahoo! mail), online shopping and other online subscription services.

  4. Always LOGOUT from your online session before leaving your system, even for a short while.
                                               

TOPICS

1   GENERAL REQUIREMENTS
2   DATA HANDLING
3   ACCOUNT IDs & PASSWORDS
4   PERSONAL COMPUTERS (PCs, NOTEBOOKS or SMART DEVICES) AND ELECTRONIC STORAGE MEDIA
5   USE OF AUTHORISED SOFTWARE AND HARDWARE
6   EMAIL USAGE
7   INTERNET ACCESS, USAGE AND SOCIAL NETWORKING
8   NETWORK AND REMOTE ACCESS
9   INCIDENT REPORTING
10 RIGHTS OF THE POLYTECHNIC
11 FAILURE TO COMPLY

GLOSSARY
1 GENERAL REQUIREMENTS

1.1
Users1 shall use the campus IT Resources3 according to the purpose for which they are provided, which is for the administrative, teaching and learning activities of NP.




1.2
Users shall familiarise themselves with the Polytechnic's IT Security Policies and Guidelines posted in the Staff Intranet. 






1.3
Users shall use the campus IT Resources according to the laws and regulations of the Singapore Government. 



1.4
Staff and associates shall comply with Government Instructions Manual (IM) and other regulations and guidelines when handling Government classified data or Personal data.



1.5
Users shall not abuse or misuse the IT Resources and shall take all reasonable measures to safeguard against any potential abuse, misuse, malicious attacks or theft.  Abuse or misuse of the IT Resources includes, but not limited to, the doing of any act that would contravene the provisions of:
a. Copyright Act;
b. Computer Misuse Act;
c. Spam Control Act;
d. Films Act;
e. Penal Code;
f. Undesirable Publications Act;
g. Broadcasting & Television Act;
h. Indecent Advertisements Act;
i. Common Gaming Houses Act;
j. Maintenance of Religious Harmony Act;
k. Singapore Broadcasting Authority Act (in particular, Internet Code of Practice);
l. Official Secrets Act; and
m. Personal Data Protection Act.






1.6Users shall not, under any circumstances and in any manner, transfer or copy any software, computer program, personal data, classified information or trade secret that is the subject of any copyright, special licence or other intellectual property right from NP or IT Resources without NP’s prior written consent.



1.7Users shall not use, modify or adapt corporate IT resources for any commercial purpose or personal financial gains, unless duly authorised by NP in writing.



1.8
Users shall not attempt to monitor another user’s data communications nor access, read, copy, change or delete another person’s files or software without authorisation.






1.9
Users shall not harass or intentionally deny or degrade another person’s legitimate access to IT resources.



1.10
User shall not circumvent any technological access control or protection measures which have been applied to a work or audio-visual item or a performance. Examples of circumvention are cracking of passwords, unscrambling of encrypted information or removal of digital watermarks.




1.11
Users shall not install and use diagnostic and/or vulnerability scanning tools on NP production systems and network under any circumstances, as such tools may be used to compromise the security of the systems.







1.12
Users shall not cause damage or otherwise attack or degrade the performance of NP network or systems.



1.13
Upon termination of employment (for staff), termination of contract (for associates) or cessation of study (for students), users shall promptly declare and return to NP all NP assets, software, files, manuals and material of whatever description and copies thereof, and any or all material relating to the Polytechnic's business or affairs which are in his possession or under his control. 





 
2 DATA HANDLING
2.1 Users1 shall not obtain data or IT services without authorisation or through fraudulent means.
2.2Users shall use all data obtained, including personal data, for the purpose which they were collected from individuals or obtained from other organisations. Personal data collected may not be reused for a different purpose without first seeking consent from the individuals. Users shall not pass on the data to another organisation without explicit approval from the data owner.
2.3Staff shall abide by the IM8 Policy on Data Management and NP’s Data Administration Policy when releasing NP data to individuals or other organisations. The Data Administration Policy is available in the IT Service Portal.
2.4Staff shall exercise due diligence to ensure the confidentiality, integrity, availability and consistency of NP’s data, as well as data obtained from other organisations.
2.5
Staff shall safeguard data in their possession in accordance to the data classification and sensitivity of the data.  Staff shall exercise due diligence when applying the relevant methods of protection such as:
a. Secure Physical objects;
b. Encrypt classified data or personal data residing on Personal Computers and/or removable storage devices, e.g. authorised thumbdrives and mobile phones; and
c. Adherence to relevant policies and procedures.

2.6Staff shall not use public Internet services such as GoogleForms, SurveyMonkey etc to collect or store classified data, personal or business entity data as NP has no control over the security measures of these systems.
2.7Staff shall apply additional security when storing personal or business entity data on notebooks and authorised PSM.  For example, set a strong password or restrict access through Rights Management Services (RMS).
2.8Staff shall apply additional security on the electronic file when transmitting classifed, personal or business entity data.  For example, set a strong password or restrict access through Rights Management Services (RMS).
2.9
Staff shall protect Personal Data from unintended disclosure by:
a. Verifying that the message is addressed to the correct recipient,
b. Maintaining a mailing list for regular mass communication to specific groups, and
c. Using BCC field when mass emailing to a group or the public.
 
3 ACCOUNT IDs & PASSWORDS
3.1 Users1 shall be responsible and accountable for all activities conducted via his/her accounts.

3.2Users shall keep their computer accounts and accompanying password confidential. Users shall not attempt to share or disclose their accounts to anyone. Users shall not email the information to a third party.
3.3Users shall not use a computer account that has been issued to another user.
3.4Users shall change their passwords every 90 days to prevent break-in.
3.5Users shall change passwords whenever there is any indication of possible system or password compromise.
3.6Users shall not keep a record of password (e.g. on paper, soft copy file or handheld device) unless this can be stored securely.
3.7Users shall avoid re-using or recycling old passwords.
3.8Users should change the temporary or issued passwords at first logon.
3.9Users shall not include passwords in any automated log-on process, e.g. stored in a macro or function key.

3.10Users shall not use the same password for business and non-business purposes. For example, your personal hotmail, yahoo or gmail account shall not have the same password as your NP accounts.

3.11
Users shall select quality passwords which are:
a. Easy to remember;
b. At least 8 characters long;
c. A mix of upper and lower case letters and numbers, and special characters where supported by the system;
d. Use PassPhrase that you can remember
e. Not based on anything that can be easily guessed or obtained using person related information, e.g. names, telephone numbers, and dates of birth, etc.; and
f. Not consist of words included in dictionaries.


 
4 PERSONAL COMPUTERS (PCs, NOTEBOOKS or SMART DEVICES) AND ELECTRONIC STORAGE MEDIA
4.1
Users shall ensure that their systems are adequately protected before connecting to NP’s Campus Network.  The minimum protection includes:
a. An up-to-date anti-virus software installed and activated;
b. A Personal firewall installed and activated; and
c. Latest software security patches installed.


4.2 Users shall exercise due diligence to ensure all critical and security patches for their systems are applied within 1 week from the date of patch release.

4.3
Staff shall use only NP-issued and centrally managed (NICE) equipment on the Staff network and to access staff eServices such as eMail, NPal, EasiShare and Sharepoint. Corporate Mobile devices are centrally managed by Intune Mobile Device Management while NICE computers are managed by Group Policy. Staff will not have local administrative rights to NICE equipment. Staff may use their personal computers and devices only on the NP Wireless network. Personal devices are not allowed to access eServices in the staff intranet.



4.4

Staff have up to 5 invalid login attempts.  The account would be locked on the 6th attempt for 25 minutes.  This is to prevent robots from hacking the system.  The account would be released after 25 minutes.


4.5

Users shall turn off communication ports, such as WiFi or Bluetooth, when not required.
 

4.6

Users shall be accountable for the confidentiality of data residing within their desktop systems. Users shall not share out directories on their personal computers and securely delete sensitive files when sending the computer for repair. 


4.7

Staff shall use only authorised Portable Storage Media to store classified data or personal data, and only remove them from campus when authorised to do so. The use of authorized Portable Storage Media is restricted to staff authorized by Principal. Portable Storage Media refer to thumbdrives, flash memory cards, portable hard disks and optical storage media.


4.8

Staff shall store classified data or personal data, such as evaluations, appraisal forms, official papers and staff/student information on officially issued Portable Storage Media and the contents shall be encrypted.  Teaching and learning materials that do not contain classified data or personal data may be stored on personal portable storage media.


4.9

Users shall not place their notebook, portable electronic storage media and authentication token near an exterior window or public access area where it could be subject to physical theft.


4.10

Users shall not leave their notebook, portable electronic storage media and authentication token unattended.  If it is not possible, these shall be securely locked away when not in use, or the notebook secured with a high quality cable lock by attaching it to something immovable.


4.11


Users shall not store their portable storage media and authentication tokens together with the notebooks when bringing them out of NP.

When Travelling
4.12Unless carry-on restrictions are imposed, users shall hand-carry their notebook, portable electronic storage media and authentication token when travelling overseas.


4.13

When clearing customs, users should hold onto their notebooks, portable storage media and authentication tokens until the person in front has gone through the metal detector.


4.14

When travelling to countries with carry-on restrictions, the portable storage media with classified data or personal data, and authentication token shall be kept separate from the notebook. The portable storage media and authentication token shall be kept with the staff at all times.  The checked in notebook shall not have any classified or personal data stored on the local hard disk, and shall be re-formatted or re-imaged after the overseas trip. 


4.15

Staff shall bring only minimum classified data or personal data required for the business travel. All classified data or personal data stored shall be encrypted.


4.16

In the event where staff suspect their endpoint devices may have been tampered with, they shall not connect those devices to the staff or campus network upon return from overseas trip. They should report their suspicion to ITSecurityManager@np.edu.sg as soon as possible.

 
5 USE OF AUTHORISED SOFTWARE AND HARDWARE

5.1

Users
1 shall use only authorised software5 on corporate personal computers. Authorised software is one which is licensed for use, legally acquired and approved by NP for use. These include Freeware, Shareware and Open Source Software.


5.2

Users shall use only authorised software and/or hardware from their personal computers within our campus network.  Users shall write in for explicit permission to install and use software and/or hardware that is not authorised by NP.  Software and/or hardware that may compromise the security of NP systems are not authorised for use by NP.  Examples of such software and/or hardware include those which may affect the performance of campus network infrastructure or those which may result in loss of confidentiality, integrity or availability of data.


5.3

All software used on corporate personal computers and within our campus network shall meet legal requirements, such as having valid licenses.  Staff shall participate in the annual Software License Audit.


5.4

Users shall not expose the Polytechnic to infringement proceedings resulting from a breach of Singapore Law, including but not limited to the following areas:
a. Copyright;
b. Patent;
c. Trade mark;
d. Registered design; and
e. any other intellectual property laws.


5.5

Under the Copyright Act, individuals, their supervisors, as well as the Polytechnic, are liable for any infringement to the Act.  As such, the use or copying of purchased software so that it can be used on a computer other than the computer for which it is licensed is strictly prohibited.


5.6

Unless approval has been granted, users shall not modify or remove software or hardware which NP provides as part of the campus IT Resources3.


5.7

Users shall not install, execute, or assist or abet another to install or execute a program that could result in the damage or excessive load to any component or part of the IT Resources or place excessive load on the Computer Resources. This includes, but is not limited to, computer viruses, worms, Trojan horses or any other malicious program.


5.8

Users shall scan software for viruses or other malicious program before installing on corporate personal computers.

 
6 EMAIL USAGE

6.1

Users
1 shall not spam or send unsolicited commercial mail to others.


6.2

Staff and associates2 shall not indiscriminately forward corporate email to an Internet service provider email account.


6.3

Users shall avoid sending out large email to a large mailing list of recipients. Whenever possible, large attachments should be hosted in a separate repository and only a link shall be provided in the email.


6.4

Users shall housekeep their mailbox regularly. Email that needs to be kept for department records shall be moved out of the user mailbox and kept in the respective departmental repositories.


6.5

Staff shall use the NP email address (@np.edu.sg) for official or student correspondences.


6.6

Staff shall make use of the following Email delivery functions to maintain authenticity, integrity and security of their email:
a. SIGN function to digitally sign their email when authenticity is required;
b. To further ensure data integrity, staff shall use the PREVENT COPY function to avoid alterations; and
c. Staff shall use the ENCRYPT function to ensure that the readership is limited to only those in the circulation list.


6.7

To further safeguard our email correspondence, it is highly recommended that staff add the following clause to their email footer: “This message may contain privileged/confidential information. If you are not the intended recipient of this email, please delete it and notify the sender immediately.”  This helps us in assessing the extent of the damage as a result of incorrect recipients.


6.8

For staff who are maintaining distribution lists, the following additional clauses shall apply:
a. Your messages shall state the channel(s) for the recipients to unsubscribe from the distribution list;
b. The recipient's name shall be removed within 10 working days from the day the unsubscribe request is submitted; and
c. The subject for advertising mail shall be prefixed with <ADV>.

 
7 INTERNET ACCESS, USAGE AND SOCIAL NETWORKING

7.1

Users
1 shall be discerning when accessing websites, especially links provided through spam or unsolicited email. Users shall avoid websites of unknown or disreputable origin.


7.2

Staff should not allow automatic execution of codes or plug-ins on their personal computers.  Staff should configure their systems to prompt for permission before executing trusted codes.  Examples of codes are Active X, Java, Javascript, etc.


7.3

Users shall be responsible for the Content that they upload, post, email, transmit or otherwise make available via NP's IT Resources3 and shall ensure that intellectual property rights are not infringed in any way.


7.4

For social networking and publishing content associated with NP, users shall take responsibility for the content and shall include a disclaimer stating that they are conveying a personal view-point and not from a corporate NP position.


7.5

Users shall not upload or download, send or post, enter or publish any content to the Internet that is objectionable or illegal under the Singapore Law.


7.6

Users shall not upload or download, send or post, enter or publish any content to the Internet that is against the public interest, public order, national interest, racial and religious harmony, or which offends good taste or decency, or is otherwise indecent, obscene, pornographic or defamatory.


7.7

Users shall not upload or download, send or post, enter or publish any content to the Internet that is confidential, distasteful or prejudicial to the good name of the Polytechnic.


7.8

Users shall be mindful of the public nature of the Internet and shall not discuss or disclose classified or personal data, and proprietary information of NP or of any organisation without authorisation.


7.9

The intellectual property rights to all NP teaching materials (eg. lecture notes, videos, courseware, tutorials, worksheets etc.) belong to the Polytechnic. Students shall not upload, send or post, enter or publish any NP teaching materials  to the Internet. Staff shall not publish or otherwise make available any NP teaching materials on the Internet except in accordance with the policy of NP or its School/Division.


7.10

Users shall be respectful of NP, staff/lecturers/tutors, students and their rights for privacy. 


7.11

Users shall be mindful of the need to safeguard personal and official information.  Users shall not disclose, publish and/or host such information on external websites without proper authorisation from the owner(s).  Personal and official information shall be used for its intended purpose and shall be securely discarded immediately after use.


7.12

Users hosting forums, discussions and other sites supporting posting by visitors of the site shall ensure that the sites are moderated or actively monitored for acceptable contents.


7.13

Users intending to use corporate branding and identity such as NP’s logo and the ‘.np.edu.sg’ domain name, in online or on printed materials shall seek advice and clearance from the Corporate Communications Office.

 
8 NETWORK AND REMOTE ACCESS

8.1

Users
1 shall not install and operate their own wireless Access Points emulating or interrupting the performance of campus network infrastructure wireless Access Points. 


8.2

All campus network infrastructure wireless Access Points shall be operated and managed by Computer Centre.  Computer Centre reserves the right to remotely disconnect any unregistered devices that are interfering with the normal performance of campus network infrastructure. 


8.3

Users shall manage the access to rooms where staff wired outlets are available.  Only  NICE computers are authorised to be connected to a staff wired outlet.


8.4

When connecting from home and campus wireless network, users shall enable the Virtual Private Network service to access sensitive corporate systems that are accessible by staff only.



8.5

Staff shall access the Singapore Government Network (SGNet) from a WoG notebook.


8.6

Staff shall not concurrently connect to wireless network (e.g. campus wireless network and mobile broadband) and staff wired connection to avoid becoming a bridge between the insecure wireless environment to our secured staff network.

 
9 INCIDENT REPORTING

9.1

Users
1 shall immediately report any security violations, weaknesses, suspected violations of laws or policies and any loopholes or potential loopholes in the security of the IT Resources to the Computer Centre.  Security incidents include, but are not limited to, misuse of email, malware infection and unauthorised act by a person to obtain classified data or personal data.


9.2

Users shall immediately report any lost personal computers, portable storage media or loss/compromise of NP Classified data or personal to ITSecurityManager@np.edu.sg


9.3

Users shall cooperate fully in investigations of misuse or abuse of the IT Resources. User files may be examined under the direction of NP management should NP in its absolute discretion decide that the security of the IT Resources is in any way threatened.


9.4

In the event of a malware infection, users shall immediately disconnect their infected system from both wired and wireless network, and contact CC Helpdesk or ITSecurityManager@np.edu.sg to initiate appropriate follow up actions.


9.5

In addition, users shall retrieve all removable storage media from locked cabinets and subject them to the necessary investigation, cleaning and recovery process.


9.6

Users shall not knowingly connect a desktop system infected by malware onto the campus network.

 
10 RIGHTS OF THE POLYTECHNIC


10.1

The Polytechnic shall have the right to access and disclose any information stored on corporate personal computers and peripheral devices.


10.2

The Polytechnic shall have the right to access and disclose any email messages composed, sent or received using NP Email Systems.


10.3

The Polytechnic shall have the right to control, monitor and disclose information stored on corporate personal computers, peripheral devices, users’ Internet access activities and email.


10.4

The access and disclosure of email messages shall be authorised by Principal, and shall be conducted under strict control and supervision.

 
11 FAILURE TO COMPLY

11.1

The Polytechnic reserves the right to take disciplinary proceedings against the offending user in the event that he/she conducts himself/herself in any manner considered to be irresponsible or is abusive of the computing facilities accorded to him/her.


11.2

Users
1 who fail to comply with this Acceptable Use Policy and other relevant Terms and Conditions of Use shall be subjected to penalties imposed. The penalties may include, but not limited to, withdrawal of computing services and/or termination of service, or dismissal from course of study.

 
GLOSSARY
1 Users – All Staff, associates and students of NP who has been authorised to access NP’s IT Resources.
2 Associates – Any third party staff who are not directly employed by NP or business partner who requires access to campus IT Resources to fulfil their contractual or other obligations to NP. Examples: Vendor staff, visiting or guest lecturers, International Fellows, etc.
3 IT Resources - The computing facilities, systems and infrastructure, information and data, and the personnel involved in the provision and maintenance of the services, applications and infrastructure.
4 Personal Computers – Any computing device designed for individual use, such as Desktop PCs, Notebook PCs or smart phones that is used to store, process or access NP’s Resources.
5 Authorised Software – Software which is licensed, legally acquired and approved by NP for use. These include Freeware, Shareware and Open Source Software.
Last updated:
Best viewed at 1024 x 768 resolution with Internet Explorer 7+ & Mozilla Firefox 11+.
Copyright © Ngee Ann Polytechnic. All rights reserved.
535, Clementi Road, S599489.
Telephone: (+65) 6466 6555
Rate this website