1. Purpose

This IT Policy is to provide comprehensive guidelines to ensure the proper and secure use of the IT Computing Infrastructure within the Shoklo Malaria Research Unit and The Borderland Health Foundation. This policy covers all computer hardware/software systems and all IT infrastructure resources that the relevant Enterprise provides. This includes, but is not limited to, all endpoint devices, cabling, computers, email, hardware, internet services, network printers, servers, software, and wired/wireless networks.

Violations of this IT Policy may pose serious risk to the Enterprise’s operations and therefore any breach will be treated as a serious offense.

2. Responsibility

This IT Policy applies to all enterprise employees, enterprise staff, contractors, guests or anyone who uses or accesses any component of the IT Computing Infrastructure.

Department Heads and Line Managers are responsible for ensuring their departments adhere to this IT Policy.

3. Definitions

  • Computer(s): Laptop and desktop computers, Apple Mac computers, mobiles/phones, tablets or any other IT capable endpoint device.

  • Enterprise: SMRU/TBHF.

  • Enterprise Network: Refers to private wired LAN network outlets and Wi-Fi SSIDs. Only enterprise owned and managed computer systems, network infrastructure hardware, and IT hardware resources may connect to this network.

  • Guest Network: The guest network refers to guest designated wired LAN (Local Area Network) network outlets and guest designated Wi-Fi SSIDs. Only contractors, guests, long/short term visitors or non-enterprise owned/managed computers may connect to this network.

  • IT: Information Technology

  • IT Computing Infrastructure: Wired and wireless networks, server systems, server resources, laptop and desktop computers, endpoint devices, IT hardware, software, IT cabling, internet services, email, and printing services that the Enterprise owns, manages or provides.

  • IT Department: Information Technology team members who provide IT support.

  • MORU: Mahidol-Oxford Tropical Medicine Research Unit

  • Network Device(s): Switch, wireless access point, IoT (Internet of Things), router, monitoring system or any other IT capable network device.

  • SMRU: Shoklo Malaria Research Unit.

  • TBHF: The Borderland Health Foundation.

  • User(s): Enterprise employees, enterprise staff, contractors, guests, long/short term visitors or anyone who uses or accesses computer services supplied by the Enterprise.

4. Policies

4.1. Expenditures for IT Computing Infrastructure

All IT expenditures need to follow the SMRU Procurement Policy or the TBHF Procurement Policy.

In addition all IT expenditures relating to any component of the IT Computing Infrastructure requires pre-approval by the IT Department Head before payment or purchase commitment. This is to ensure that all IT related purchases have completed a due diligence process which confirms the purchase is fit for purpose in the context of the Enterprise.

4.2. Computers

  • The security and safekeeping of computers used both inside and outside enterprise offices are the responsibility of the owner (person assigned to the computer).

  • The owner must sign the Receipt of Property Acknowledgement form at the time the IT Department delivers their computer and accessories.

    • As a part of this checklist the IT Department provides training that covers enterprise standards on data storage, data backups, email archiving, and password policies.

  • The owner must sign the Receipt of Property Acknowledgement form at the time they return their computer and accessories.

  • All users are responsible for the proper use, care and cleanliness of their computer(s).

  • Users must always restart their computer as soon as possible when the operating systems prompts to restart (due to operating system updates or software updates).

  • Default settings for users are to login as standard users, not as administrators. In exceptional cases administrator permission may be granted if:

    • Reasonable justification is provided to the IT Department and the IT Department Head approves this justification.

    • If approved then the user must sign the Local Administrator Account Agreement.

  • At all times while in possession of administrator permission the user must continue to use their normal user account for daily user activities (daily login, daily computer usage, etc.) and only elevate to the local administrator account for specific tasks that require permission elevation.

  • Problems with any computer must be reported to the IT Department as soon as possible.

  • The IT Department Head will set baseline specifications for enterprise computers.

    • Requirements that exceed baseline specifications will be reviewed by the IT Department Head who will confirm if the higher specification is in fact required or not.

  • The IT Department will maintain a computer asset inventory for the life cycle of the computer. To assist with this:

    • Every computer will be assigned to an owner (enterprise staff or contractor).

  • Staff are not permitted to own more than one (1) computer unless there is an exceptional circumstance which must then be approved by both the department manager and the IT Department Head.

  • The replacement, redistribution, and/or relocation of existing computers must have the approval of the IT Department Head.

  • The retirement/disposal/transfer of ownership of a computer is determined by the following:

    • The IT Department Head must agree to the retirement/disposal/transfer of ownership of the computer even if any/all below points are met:

      • If the hardware is more than 5 years old and there is not a valid use for this hardware within the Enterprise then the hardware may be retired, disposed of or given away as is.

      • If the hardware is broken and the cost to repair it is significant (compared to today’s purchase price of new similar hardware) then the hardware may be retired, disposed of or given away as is. These cases will be handled on a case by case basis and requires approval of the IT Department Head.

  • The IT Department Head maintains a small inventory of spare laptops. Availability is on a first come first served basis.

  • Enterprise staff who borrow a spare laptop must sign a IT Devices Borrow form and take responsibility for the borrowed laptop.

4.3. Guest Network

  • The Guest network is for untrusted computers (the Enterprise does not own or manage).

  • Enterprise staff, contractors, guests, and long/short term visitors that are using untrusted devices may only connect to the Guest network.

  • Consists of wired LAN outlets and Wi-Fi SSIDs (wireless networks).

    • If a Guest network wired LAN outlet is provided then it will be clearly labelled as Guest.

    • Specific Wi-Fi SSIDs are for Guest network computers. These SSIDs are restricted and either the computer must be registered with the IT Department or a Wi-Fi ticket must be obtained from the IT Department.

4.4. Enterprise Network

  • The enterprise network is for trusted computers (enterprise owned and managed).

  • No computer or network device is allowed to connect to the enterprise network without first discussing and obtaining approval from the IT Department.

  • A computer that is not enterprise owned but is managed by the IT Department is considered a trusted device and may use the enterprise network.

  • Consists of wired LAN outlets and Wi-Fi SSIDs (wireless networks).

    • Wired LAN outlets are for trusted computers. These outlets are restricted and the computer must be registered with the IT Department before it may be used.

    • Certain Wi-Fi SSIDs are for trusted computers. These SSIDs are restricted and the computer must be registered with the IT Department before it may be used.

  • Personal computers or network devices, guest computers or long/short term visitor computers that are not joined to the SMRU/TBHF domain and/or are not managed by the IT Department may not connect to the enterprise network.

    • If there is an exceptional circumstance then it must be approved by both the department manager and the IT Department Head.

  • If an untrusted device is approved to connect to the enterprise network then these steps must be completed (in this order) before connecting:

    • The IT Department determines that a specific task cannot be completed on the Guest network and that a connection to the enterprise network is the only option.

    • The IT Department confirms the antivirus software on the untrusted device is 100% up to date and has passed a full virus free scan. If any viruses were found then the device must be cleaned until the device passes a full virus free scan.

    • The IT Department confirms that the device has all current operating system / firmware updates. If any updates are missing then the device must be updated accordingly.

    • The IT Department confirms that the computer owner accepts loss of local administrator permission.

  • In an exceptional circumstance local administrator access may be granted. These circumstances are covered elsewhere in this IT Policy.

  • If any above items cannot be completed then the untrusted device may NOT be connected to the enterprise network.

4.5. Software & Software Applications

  • All software requirements for the Enterprise must be well defined and then approved by the IT Department Head prior to purchase or implementation.

    • Requirements for new software or upgrades must be discussed in advance with the IT Department Head so that specifications may be assessed.

  • The approval, installation, configuration and support of all enterprise software are the responsibility of the IT Department.

  • Users are strictly prohibited from installing any software without prior authorisation from the IT Department. This includes, but is not limited to legal software, illegal/cracked software, games, screensavers, miscellaneous programs downloaded from the Internet, etc.

  • Unlicensed, illegal, cracked or pirated software must not be installed by anyone onto any enterprise computer system or resource. The Enterprise will treat installation of this type of illegal software as a serious breach of this IT Policy.

  • Software licence inventories will be maintained by the IT Department to ensure compliance with legislation.

  • Software installation media will be kept by the IT Department. Software media will not be given to users for installation outside enterprise premises unless authorized by the IT Department Head in which case the Software Media Request Form must be completed.

  • Software installation/activation/serial keys will not be given to users for installation. If necessary the IT Department will use AnyDesk/TeamViewer to remote control a user’s computer in order to enter the key.

4.6. Data/Electronic Information

  • All information/data held on the IT Computing Infrastructure is deemed the property of the Enterprise.

  • The Enterprise retains the right to access and view information/data stored on any component of the IT Computing Infrastructure. This right is exercised only if necessary in pursuit of required IT system maintenance / migrations / upgrades or solely through the IT Department Head on instruction from a member of the Directorate.

  • Users are not permitted to store personal multimedia data (mp3, mp4, mpg, mkv, avi, jpg, tiff, bmp, png, etc.) on enterprise servers.

    • If a user’s computer has spare storage space on a non-operating system drive (e.g., Windows D:\ drive) then a folder name D:\Data-Personal may be created and personal data may be stored here. This folder will never be backed up to enterprise servers.

  • Users are not permitted to store software application installation files on enterprise servers. This includes setup.exe applications downloaded from the Internet or copies of software CDs. If you require software application installation file storage then contact the IT Department who will assist in storing these types of files.

  • All USB external hard drives or memory sticks must be encrypted with BitLocker or FileVault (operating system dependant).

    • Users must maintain their own password or recovery key but may also share with the IT Department who will store it in the IT Department secure password repository.

  • The IT Department is responsible for ensuring an effective back-up solution for server-held data/information.

4.7. Data Storage and Data Backups on Computers

  • Enterprise computer users are responsible for their locally stored data and must ensure they regularly back up their data to an enterprise owned External Hard Disk Drive.

    • The IT Department will provide user training on how to back up to the enterprise owned External Hard Disk Drive.

  • The current solution is simple but not automated. Historically, automated backups have resulted in data loss due to backup problems that users did not notice (backup logs were not carefully/consistently reviewed).

  • The current solution requires running (double click) a script that quickly shows backup results so that users quickly see success or failure of their backup.

  • Desktop computer users should avoid storing data on local hard drives (C:\, D:\) and instead should store directly on enterprise servers where it is automatically protected by redundant hard drives and nightly backups.

  • Data must be organised as per the IT Department standards so that backups only include work related data (no personal data should ever be backed up to enterprise servers or an enterprise owned External Hard Disk Drive).

  • Storage quotas are implemented on enterprise servers.

    • When a user reaches their storage quota the IT Department will review their data to ensure all data is work related.

    • Non-work related data must be moved or deleted.

    • If work related data is larger than the storage quota the IT Department will assist to determine how much data may be archived (user still needs the data for reference; data that is never/infrequently being changed).

    • Once data is archived but is still larger than the storage quota the IT Department Head will review and determine if the storage quota may be increased.

4.8. Anti-malware Protection

  • The IT Department is responsible for the implementation of an effective anti-malware security strategy. All computers must have up to date anti-malware protection.

  • Linux and Unix are currently exempted from this policy and do not require antivirus software. These computers are either restricted to guest networks or are servers that are strictly managed by the IT Department and only used for the very specific service running on it.

  • The installation, configuration, and updating of anti-malware software on all Windows computers is the responsibility of the IT Department.

  • Remote users and users of portable computer systems and resources will be responsible in assisting in updating and upgrading antivirus software as advised by the IT Department.

  • All users must virus scan all external media (USB hard drive, memory sticks, memory cards, etc.) before use. The IT Department will provide assistance and training where required.

  • On detection of a virus, computer users must immediately notify the IT Department who will provide assistance to clean the virus and confirm no damage has been done to the computer.

    • The IT Department will also provide face to face training for virus and malware prevention every time a user has a virus infection.

  • Under no circumstances may users attempt to disable or interfere with the anti-malware software running on enterprise computers.

4.9. System Usage

  • Users must ensure their computers are inaccessible if they are away from their desk even for a moment. Use one of these methods:

    • Using operating system lock feature that requires password input to access the computer again (e.g. on Windows 'windows key + L').

    • Invoke password protected screensaver to lock the screen.

    • Logout of the operating system.

    • Shutdown the computer.

  • Users are strictly prohibited from using any methods for hacking internal enterprise systems or external public systems. This includes, but is not limited to, packet sniffing, password sniffing or password hacking.

4.10. Enterprise Email

  • The enterprise email system is a core application. It is strictly prohibited to use enterprise email for illegal, political, business or commercial purposes unrelated to the Enterprise.

  • Sending or receiving illegal or inappropriate material through the enterprise email system is strictly prohibited. If any user has problems receiving unsolicited illegal or inappropriate material then the user must inform the IT Department who will assist to filter out and reject these emails.

  • Limited personal use of email is permitted. Personal (approximate) use is sending/receiving email not larger than 2.0 MB to/from more than a few recipients a few times per week.

  • The Enterprise retains the right to limit mailbox sizes.

  • Global distribution lists must only be used when absolutely necessary.

    • Do not reply all to email received from a distribution list unless appropriate.

  • Users are expected to periodically archive their mailbox to ensure their mailbox size limit is not reached and to assist in maintaining an efficient email infrastructure. Users should utilise the archiving and/or personal folder store facilities within the email system in accordance with IT Department recommendations.

  • The Enterprise retains the right to access and view all emails sent and received by the email system. This right is exercised only if necessary in pursuit of required IT system maintenance/migrations/upgrades or solely through the IT Department Head on instruction from a member of the Directorate.

4.11. Enterprise Internet

  • Access to the enterprise internet is provided for work related business purposes. Users are strictly prohibited from using the enterprise internet services for illegal, political, business or commercial purposes unrelated to the Enterprise.

  • Users are strictly prohibited from using the enterprise internet services to access pornographic sites, hack sites, pirate software sites or any other sites serving illegal or improper content.

  • All Peer-to-Peer (P2P) or BitTorrent software is strictly prohibited from being installed on any computer system or resource and from being used on any enterprise provided internet service or connection.

  • Users are prohibited from using or subscribing to chat rooms, dating agencies or other on-line subscription Internet sites unless the site strictly pertains to work related duties.

  • Users are prohibited from using the enterprise internet services to access movies and series that are not work related.

  • Limited personal use of the Internet is permitted.

    • Personal use does not include downloading or uploading large files (2MB or greater) that are not work related.

    • Personal use does not include downloading or uploading ANY multimedia files (mp3, mp4, mpg, avi, etc.) or ANY software applications that are not work related.

  • The Enterprise retains the right to monitor internet usage by users. This right is exercised solely through the IT Department Head and, where relating to a specific member of the Enterprise, and only on instructions from a member of the Directorate.

  • Abuse of Internet access will be dealt with severity relative to the seriousness of the abuse. Minor abuse will lead to removal of the privilege of access from an individual’s computer.

4.12. User Accounts

  • All new Active Directory user accounts must be initiated through the Head of Human Resources (HR), the Administration Manager or the Chief Operating Officer (COO).

    • See Appendix A for criteria for approval of new user accounts.

  • New user account requests must be entered into the Domain and Email Account Form by the Head of HR.

    • In exceptional cases the IT Department Head may enter the initial details into the Domain and Email Account Form.

  • Either a default level of permissions will be applied to the account or the Head of HR will advise an existing account to copy.

    • The default permissions provide basic access to enterprise file servers, unit distribution groups.

    • If copying an existing account the Head of HR will determine as accurately as possible if any additional group memberships should be added or if any group memberships should be removed.

  • All Active Directory user account lockout policy is:

    • Account lockout duration = 30 minutes

    • Account lockout threshold = 10 invalid logon attempts

    • Reset account lockout counter after = 30 minutes

4.13. Leavers

  • When HR is notified that a user is leaving (leaver) the Domain and Email Account Form is updated with departure details.

    • Then HR sends an email to the leaver as per Appendix B.

  • When the IT Deparment receives the Domain and Email Account Form notification:

    • The IT Department will set the leavers AD account(s) to expire on their last day of work.

    • The IT Department will contact the leaver and arrange the return of all computer, software, and network devices (as applicable). The Domain and Email Account Form and the Receipt of Property Acknowledgement will be updated with the arrangements.

  • If no request for extension is made then during a user account cleanup cycle (IT Department’s monthly process) the leavers' data and email will be archived to an enterprise server as needed, the user account(s) are deleted, and the Domain and Email Account Form is updated with this information.

  • If a request for extension is requested:

    • See Appendix C for criteria for approval of account extension.

    • If extension is approved then the account(s) expire date is changed as per the new last day and the Domain and Email Account Form is updated accordingly. The process under (Leavers / When the IT Department receives the Domain and Email Account Form notification) starts again.

    • If the extension is not approved then the process under (Leavers / When the IT Department receives the Domain and Email Account Form notification) continues as normal.

  • Quarterly reviews of all accounts in the Active Directory will be undertaken and any account that is determined to be no longer necessary will be deleted. Checks will be made with HR and Department Heads / Line Managers as required before accounts are deleted. Data and email will be archived to an enterprise server.

4.14. Passwords

  • The Enterprise uses Microsoft native AD password policies.

  • All users must follow the password policy. Trying to work around or manipulate the password policy is strictly prohibited.

  • Users must change their passwords when prompted by the system. The system password policy is:

    • Enforce password history = 24 passwords remembered

    • Maximum password age = 365 days

    • Minimum password age = 0 days

    • Minimum password length = 16 characters

    • Password must meet complexity requirements = Enabled

    • Store passwords using reversible encryption = Disabled

    • User must change password at first logon.

    • Complexity requirements. Must include characters in three of these four classes:

      • Lowercase letters: a-z

      • Uppercase letters: A-Z

      • Digits: 0-9

      • Non-alphanumeric characters (special characters): ~!@#$%^&*_-+=`|\(){}[]:;"<>',.?/

  • Users are responsible for the security of their passwords and shall not write anywhere the password is easily discoverable (sticky note on computer/monitor, label on computer/monitor, etc.).

  • Passwords must not be shared with anyone or divulged to anyone, not even with colleagues.

  • Problems with passwords must be immediately reported to the IT Department.

4.15. Management of IT Computing Infrastructure

  • The installation, management, administration and maintenance of the IT Computing Infrastructure is the responsibility of the IT Department.

  • Physical or remote access to the IT Computing Infrastructure for management, administration or maintenance purposes is restricted to authorised IT staff.

  • Administrative access to enterprise servers requires an IT Department team member to have appropriate industry standard certifications for the services running on the relevant server and/or proven knowledge/experience.

    • For Microsoft Windows servers the minimum certification is either MCSE (Microsoft Certified Systems Engineer or similar).

    • Proven/knowledge experience equates to the IT Department Head working with the IT Department team member for at least 6 months in order to determine what, if any, administrative access is appropriate.

    • Delegation of specific permissions, instead of granting full administrator permission, is the preferred method where possible.

  • The IT Department Head and the IT Department must approve delegated permissions and/or administrative permissions to any component of the IT Computing Infrastructure.

4.16. Health, Safety & IT Legislation

  • Health and safety with regards to computers are to be managed within the context of Health & Safety Policies.

4.17. TRAINING

  • The IT Department will advise on computer related training issues as required.

  • It is the responsibility of Department Heads to ensure appropriate computer training for their staff is identified and successfully completed.

4.18. Contravention of the IT Policy

  • Violations of this IT Policy or any act of deliberate sabotage to enterprise computer systems may be considered a disciplinary offence.

5. Appendix A

5.1. New Account Request

In general an email address and/or system access will only be provided for users if they hold an employment contract with a related entity (e.g. SMRU/TBHF). Access is limited for security and cost reasons (license fee and maintenance). As an employee, each user contractually acknowledges specific responsibilities and is legally entitled to represent the organization through the expected duties of their position.

Any exceptions must have the express approval of the Administration Manager / Chief Operating Officer (COO) and the IT Department Head. The following exceptional criteria include:

  • An email account can be provided if the individual can only carry out their work by representing themselves as SMRU/TBHF as they are communicating with 3rd parties.

    • This may be supported by an Honorary visiting research fellowship (HVRF) or visiting professorship.

    • As an employee/student from the University of Oxford or MORU (usually dual contracts) they need to demonstrate the need for email.

    • A consultant who as part of their role has to regularly email unit members with internal enterprise related information (e.g. Media & Communications Manager or Training Manager).

    • The individual works seasonally and requires continuity of email.

  • For system access the individual may require specific access, as part of their contractual work, to files and information held within the enterprise server infrastructure (and their work cannot be done without this internal system access).

    • This may be supported by an Honorary visiting research fellowship (HVRF) or visiting professorship.

    • As an employee/student from the University of Oxford or MORU (usually dual contracts) they need to demonstrate the need for internal system access.

    • A consultant who as part of their role has to regularly read and/or modify data on internal systems in which case they need to demonstrate this need.

    • The individual works seasonally and requires to regularly read and/or modify data on internal systems in which case they need to demonstrate this need.

6. Appendix B

Please also note that your enterprise network and e-mail account will be terminated on your last day of work. In case that you need to continue using your account beyond this date, please refer to the Account Management policy below for your action.

6.1. Leaver Continued Access Approval process

  1. Leaver to discuss the request with their line manager and determine a length of time that access should be continued for.

  2. Leaver to discuss, with their line manager, the return date of all enterprise owned computer hardware/software.

  3. At least two (2) weeks before their last day the leaver sends an email to the Administration Manager / Chief Operating Officer (COO) stating:

    • approval from line manager has been obtained.

    • the reason for continued access.

    • the length of time access should continue for.

    • the reason for retention of enterprise owned hardware/software.

    • the length of time for retention of enterprise owned hardware/software.

  4. The Administration Manager / Chief Operating Officer (COO) replies to the email either approving or denying the request with a cc: to the IT Department Head.

  5. If the request was approved then the IT Department Head will edit the leavers AD (Active Directory) account settings for the account to expire based on the length of time that was approved and the leavers Domain and Email Account Form is updated to indicate the account will be disabled on the new extended date.

  6. If the request was denied then the default leaver process will take care of the account (being the account is set to expire on the last day of the leavers employment).

7. Appendix C

7.1. Extension of Account Request

Following the end of the contract employees are expected to return assets and their system access and email are removed. In exceptional circumstances access can be extended for a specified time period to allow the return of assets or handover of responsibilities.

For non-enterprise employees continuing a collaboration the expectation is that they would use their own email address representing their entity.

If a person does not have an enterprise employment contract, honorary visiting research fellowship (HVRF) or is a visiting professor then we would need to add specific and justifiable criteria that make it clear why an exception is provided.

  • Reasons they require continuation of their shoklo-unt.com email + length of time required.

    • Details about the need to communicate with external parties as a representative of the Enterprise.

    • Details about the need to maintain existing email address to finalize publication or other works.

    • Details about the need to regularity communicate with all internal staff.

  • Reasons they require access to internal systems at the Enterprise + length of time required.

    • Details about the need to collaborate with internal staff using data stored on internal systems.

    • List what internal systems are needed and why this system access is still required.

    • Is this access required only while in enterprise offices or via VPN?

8. Related Documentation

Available forms are located in the T:\IT\Public\Forms folder.

  • Receipt of Property Acknowledgement V1.0.pdf

  • Domain and Email Account Form V1.0.pdf

  • Local Administrator Account Agreement V1.0.pdf

  • Software Request Form V1.0.pdf