Informatics Policies
  
 Editor's Note
 PC Room Automation
 with pGina
 Climate Changes of the
 Eyes
 Human-Computer
 Interaction Research
 and Application
 Laboratory -1 (in
 Turkish)
 What is PKI? -3
 IT Policies
 CISN Archive
 Send Feedback
  
     
 

The arrangements done by the managing powers of the country for IT industry can by no means catch up with the development and changes of the industry. For this reason, the need for documents explaining the specific situations of institutions and displaying the attitude of these institutions upon such states arises.

In its application "policies" may be defined as the rules of the game. Informatics Policies define the rules and regulations users must abide by, in IT services. With the entity of such convention, the attitude of the institution when supplying services are asserted.

The policies of informatics is not a single document but an entity composed of documents at different levels. It is a structure supported by sub-policies, standards and guidelines.

Policies and Ethics

Policies and ethics are two interwoven concepts. When policy scripts are prepared, circumstances where the users should justify within their moral values are encountered. Moral values designate the users stand point within the restrictions provided.

For instance, the use of the office computer to buy a birthday present for the daughter (online shopping), when the fact that the computer was provided by the university for academic activities and research is considered, may not seem to be in accordance with the primary usage purposes. However, the situation can be tolerated when the consequence of time loss for the establishment is considered in case the alternative action is taken and the person goes out to buy the present during working hours. Even though the terms "primary usage" and "secondary usage" in informatics resources are employed for asserting the related policies, whether and when the usage is primary or secondary is related with the moral values of the user.

Policies, Standards, Guidelines

The terms "policy", "guidelines", and "standards" are frequently used within the policies terminology. However there is ambiguity regarding these expressions, in that the differences are not very clear. We can, therefore, start by accepting the below definitions:

Policies: It is the document indicating the specific mandatory rules or regulations to be followed (For example, the document of "Acceptable Usage Policies").

Standards: It is the lot of rules specific to either a system or process and which has to be observed by everyone. (The Operating System installation standards). General Principles and Rules documents are set up with this aim. (e.g. Local e-mail services/servers operational rules, Desktop operating system installation rules, etc.)

Guidelines: It is the lot of rules proposed to be followed for a specific system or process. Guideline or Baseline type of documents are set up with this aim. (e.g. Windows XP desktop usage guidelines etc.)

A worthwhile set of policies should refer to standards and guidelines. That is why in the process of devising policies, care should be practiced to make gradual use of policies, standards and guidelines.

How to cosign to writing?

Documents of policies may be written without notice to the management but can not be put into effect. Once the implementation of the policies determined is started the set rules must not be "broken" and there should be "no exceptions" since these rules directly effect all the users of the university. For this reason if possible, these documents must be authorized by the decision making, executive body of the university and if the need arises by the departments/units, getting their approval one by one.

At the first stage, the work of similar institutions can be investigated, their campus structure, network architecture, operative style can be analyzed. At the second stage, the values and outlook of the institution and the applications till then are determined. During this stage services supplied, capabilities provided, current functioning should be considered. At the third stage, policy structures specific to the institution can be analyzed and the texts can be written specific to the institution. At the last stage, the document is analyzed by the administration in hierarchy, the needed amendments are done and then approved by the executive body (committee) and it is announced. Application stage is explained at the next section.

While writing things of concern, in summary are: clear cut use of language, definitions to be made, accordance with the university regulations, indicating the authority and responsibility in parallel with the organizational chart of the institution, implementation and or sanctions to be designated within the means of the institution. During scripting the general policies documents must be relied upon the supportive documents mentioned above.

How to Implement?

Once the set policies are approved by the university administration the implementation stage is to set the framework of relations with the unit responsible to conduct and administer the policies (in our case the Computer Center - CC) and the peripheral units (in our case the departments, units, and the centers etc. in the university) who are going to adopt and follow these policies. This subject is explained under the "Coordinator Mechanism" heading.

For clauses designated in the policies document and the supportive documents to be applicable, they should be kept updated and the change announcements must not be neglected.

Coordinator Mechanism

In METU computer coordinators are defined to be the persons who are responsible for the smooth operation of the computers available to users and for the IT services, the departments or units provide independent from the central IT unit (CC). They do not work for the central IT unit, and they are generally assigned from among the assistants to buffer between the department and the CC. Only with such mechanism it becomes possible to implement the principles and regulations stated with the policies document and the supportive documents.

Antivirus Applications

Technical and social measures are taken in METU campus especially against viruses that may spread on the web.

On the technical front, work is conducted on the server systems and the network switches to prevent the spread of viruses on the web and with e-mail. On the central e-mail server open source coded Clam-AV antivirus filter is being used. The IP addresses are detected by the traffic they cause and the viruses caught by the central virus filter, and their access is blocked until the problem is solved by the computer coordinators when access is permitted again. Efforts to prevent the spread of viruses are conducted by ensuring that desktop Windows installations are done using updated installation CDs provided by the CC.

Raising awareness of the users and providing them with the appropriate tools is the social aspect of the measures against viruses. At the departments where there is a lot of virus traffic, face to face sessions are conducted.

Measures to Inhibit SPAM:

On the central e-mail server open source coded Bogofilter Spam Filter is being used to filter SPAM. Clam-AV antivirus filter. Spam e-mail is not directly rejected but diverted to a separate e-mail box (SPAMBOX) and these folders are deleted at certain intervals.

P2P

The P2P applications, initiated by Napster in 1999, is considered to be a problem area since it causes metaphorical changes in the web structure. There are two objection points to P2P usage; cause of heavy traffic on the network, and illegal share of content.

Before going into these, it is necessary to clear out a misconception about the P2P issue. The idea that P2P usage is falling down due to the sanctions brought about by companies to protect copyright deals is not the truth. There may have been a reduction on a certain line however, because users have started to use different lines, the total traffic and the number of P2P users on the web is increasing. There has been users that switched from Napster to Kazaa and Kazaa to DC++ or the BitTorrent lines but there is no decrease in the number of users or the overloading of traffic regarding P2P usage.

Besides, P2P usage is limited to the sharing of MP3 and film files is also falsified. Some versions of Linux installation and package programs are being shared by means of P2P software.

Finally, it is also far from the truth to claim heavy traffic of P2P stems from heavy use of a small number of users. All users bring about traffic on the web.

To visualize the heavy traffic created, one has to look into the structure of P2P software. First generation P2P software, Napster for example, used to store file names at a central structure. The seeker used to search for a file on the central server and then download from the server keeping the file.

The second generation P2P software used to operate, free from a central structure. In this case the search was performed on all the computers and from among those which have the file and the most suitable web connection the file searched was downloaded. As a result, many searches were loitering all around the web.

The third generation P2P software consists of super nodes and normal nodes. Searches come from normal nodes and are inquired on the computers connected to super nodes and the file is downloaded from computers that have the file and the suitable connection.

With software like Bittorent etc. it has become possible to download files in small chunks from different sources instead of a single source.

The effect of such structures on the web traffic becomes apparent during mutual transfers. With numerous connections to the same file, the same file is being transferred many times on the web.

The second issue of objection to P2P is the illegal content of the matter. There is the possibility of infringement of copyright laws of files being shared. There are two considerations to bear in mind on this issue: The first is that the purpose of such software is not to help share files with copyrights. Hence, similar to the case of Betamax, usage of these programs can not legally be prohibited. The second consideration is that, as a result of the universities becoming service providers (e.g. regarding the personal computers of the students and staff in the dormitories and the lodgings) their stand point has been to turn a blind eye to the companies especially in the US. If a user violates copyright laws using "her/his own computer" using the IP number provided by the university, and if the university receives a notice for that user from the company, the university claims to be responsible of notifying the user and advocates that the university has no legal obligation besides notifying the user.

However, if the violation of copyrights is conducted on a university asset computer, then the university can only be responsible for setting the software to be used on that computer or asking the user sign an appropriate document informing the user of her/his responsibility in this regard.

Although companies, in the early 1990s, held the service providers responsible for copyright violations, after 1993 they have started to become inclined to go after violators rather than the service providers. The universities, however, should seek advice from Legal Consultancy before delivering court orders or applying measures, which are the duties of jurisdictions and law enforcement units, for users who breach copyright acts.

It has been projected that with the advent of Informatics Technologies, use of P2P will not decrease and will, in fact, increase. When analyzed within a socio economic point of view the fact that the total benefit of web structures is proportional to the square of the members of the web, indicates an increasing trend for P2P usage.

What Does METU do?

At this point METU produces two basic solutions: measures taken due to the intensity of traffic on the web, and the measures taken within the framework of the complaints received about copyrights from companies. It has been indicated in the documents of METU Informatics Resources Usage Policies (IRUP) that measures may be imposed against intense traffic and violation of copyright acts. In this manner access of IP addresses with excessive traffic is blocked. However, this is not seen effective since intensive traffic does not necessarily indicate the use of P2P or violation of copyright laws by using P2P. In accordance with the complaints received from companies the users are informed of the situation and an explanation is required, indicating the relevant clauses of IRUP. Meanwhile the legitimacy of the complaints from companies are discussed with the Legal Consultancy.

(*) The case by MGM, the film producer, against SONY in 1984 upon the production and sale of BETAMAX formatted video cassette duplicators. The case resulted in favor of SONY since the sole purpose of the process of duplication of cassettes is not unlicensed duplication.

İbrahim Çalışır

 
     
  - TOP -