
COMPUTER SECURITY SYSTEMS ASSIGNMENT, ACADEMIC YEAR 2013-2014

A COMPARISON OF INFORMATION TECHNOLOGY POLICIES AT STANFORD UNIVERSITY AND THE MASSACHUSETTS INSTITUTE OF TECHNOLOGY

Edwardo Sadabasa 1182012

UNIVERSITAS ADVENT INDONESIA
Jln. Kol. Masturi No.288 Parongpong, Bandung, Jawa Barat

Every company or institution has its own policy concerning Information Technology. Here I will discuss two world-renowned universities, Stanford University and the Massachusetts Institute of Technology. What will be discussed is their IT policy, particularly regarding the use of networks and systems. The following is the policy of MIT:

MITnet Rules of Use


Overview
MITnet, MIT's campus-wide computer network, connects the MIT community and our guests to thousands of workstations, servers, printers, mobile devices and electronic resources of every kind located on and off campus. Network connectivity has many advantages which you will discover as you explore MITnet, and the Internet beyond. But connectivity also requires that users of the network understand their responsibilities in order to protect the integrity of the system and the privacy of other users. This section summarizes the rules that apply to all users of MITnet. We expect you to follow all these rules, and we hope you will encourage others to follow them as well. To report someone willfully violating the rules, send email to stopit@mit.edu. If you believe you are in danger, call the Campus Police immediately at x3-1212.

Summary
The listing below provides only summaries of the rules. For the full text of each rule, please see the following pages.

MITnet Rules of Use

Comply with Intended Use of the System
1. Don't violate the intended use of MITnet.

Assure Ethical Use of the System
2. Don't let anyone know your password(s).
3. Don't violate the privacy of other users.
4. Don't misuse the intellectual property of others.
5. Don't use MITnet to harass anyone in any way.

Assure Proper Use of System Resources
6. Don't misuse electronic communications and collaboration services.

MITnet Rules of Use


MITnet and other computing resources at MIT are shared among community members. The MITnet Rules of Use are intended to help members of the MIT community use MIT's computing and network facilities responsibly, safely, and efficiently, thereby maximizing the availability of these facilities to community members. Complying with them will help maximize access to these facilities, and assure that all use of them is responsible, legal, and respectful of privacy. If you have questions or wish further information about any of the MITnet policies outlined below, send email to security@mit.edu. All network users are expected to follow these rules. Violations of the rules can subject the offender to Institute disciplinary proceedings, loss of network privileges, and, in some cases, civil or criminal prosecution.

NOTE: Laws that apply in "the real world" also apply in the "virtual" networked computer world (including MITnet). Laws about libel, harassment, privacy, copyright, stealing, threats, etc. are not suspended for computer users, but apply to all members of society whatever medium they happen to be using: face-to-face, phone, or computer. Furthermore, law-enforcement officials are more computer-savvy than ever, and violations of the law in "Cyberspace" are vigorously prosecuted. Similarly, Institute policies (as described in MIT's Policies and Procedures, for example) also apply to MITnet users.

Complying With the Intended Use of the System


It is important that you understand the purpose of MITnet so that your use of the system is in compliance with that purpose.

1. Don't violate the intended use of MITnet.

The purpose of MITnet is to support research, education, and MIT administrative activities, by providing access to computing resources and the opportunity for collaborative work. All use of the MIT network must be consistent with this purpose. For example:

- Don't try to interfere with or alter the integrity of the system at large, by doing any of the following:
  o permitting another individual to use your account
  o impersonating other individuals in communication (particularly via forged email, texts, instant messages and social media postings)
  o attempting to capture or crack passwords or encryption
  o destroying or altering data or programs belonging to other users
- Don't try to restrict or deny access to the system by legitimate users.
- Don't use MITnet for private financial gain. For example, users are not permitted to run a private business on MITnet. (Commercial activity is permitted, but only for business done on behalf of MIT or its organizations. Cf. Section 13.2.3 of MIT's Policies and Procedures: "MIT's computing and telecommunications facilities and services are to be used for Institute purposes only and not for the benefit of private individuals or other organizations without authorization.")
- Don't transmit threatening or harassing materials. (Cf. Rule 5.)

Assuring Ethical Use of the System


Along with the many opportunities that MITnet provides for members of the MIT community to share information comes the responsibility to use the system in accordance with MIT standards of honesty and personal conduct. Those standards, outlined in Section 13.2 of MIT's Policies and Procedures, call for all members of the community to act in a responsible, professional way. Appropriate use of MITnet resources includes maintaining the security of the system, protecting privacy, and conforming to applicable laws, particularly copyright and harassment laws.

2. Don't let anyone know your password(s).

While you should feel free to let others know your username (this is the name by which you are known to the whole Internet user community), you should never let anyone know your account passwords. This includes even trusted friends, and computer system administrators (e.g., IS&T staff). Giving someone else your password is like giving them a signed blank check, or your charge card. You should never do this, even to "lend" your account to them temporarily. Anyone who has your password can use your account, and whatever they do that affects the system will be traced back to your username -- if your username or account is used in an abusive or otherwise inappropriate manner, you can be held responsible. In fact, there is never any reason to tell anyone your password: every MIT student, faculty member, or on-campus staff person who wants an account of his or her own can have one. And if your goal is permitting other users to read or write some of your files, there are always ways of doing this without giving away your password. For information about how to manage the security of your account, including advice on how to choose a good password, see IS&T: Security and IT Security: Passwords.

3. Don't violate the privacy of other users.

The Electronic Communications Privacy Act (18 USC 2510 et seq., as amended) and other federal laws protect the privacy of users of wire and electronic communications. The facilities of MITnet encourage sharing of information. Security mechanisms for protecting information from unintended access, from within the system or from the outside, are minimal. These mechanisms, by themselves, are not sufficient for a large community in which protection of individual privacy is as important as sharing (see, for example, sections 11.2, 11.3, and 13.2 of MIT's Policies and Procedures). Users must therefore supplement the system's security mechanisms by using the system in a manner that preserves the privacy of themselves and others. As Section 11.1 of MIT's Policies and Procedures notes, "Invasions of privacy can take many forms, often inadvertent or well-intended." All users of MITnet should make sure that their actions don't violate the privacy of other users, if even unintentionally. Some specific areas to watch for include the following:

- Don't try to access the files or directories of another user without clear authorization from that user. Typically, this authorization is signaled by the other user's setting file-access permissions to allow public or group reading of the files. If you are in doubt, ask the user.
- Don't try to intercept or otherwise monitor any network communications not explicitly intended for you. These include logins, e-mail, user-to-user dialog, and any other network traffic not explicitly intended for you.
- Unless you understand how to protect private information on a computer system, don't use the system to store personal information about individuals which they would not normally disseminate freely about themselves (e.g., grades, address information, etc.)
- Don't make any personal information about individuals publicly available without their permission. This includes both text and number data about the person (biographical information, phone numbers, etc.), as well as representations of the person (graphical images, video segments, sound bites, etc.) For instance, it is not appropriate to include a picture of someone on a World Wide Web page without that person's permission. (Depending on the source of the information or image, there may also be copyright issues involved; cf. Rule 4).
- Don't create any shared programs that secretly collect information about their users. Software on MITnet is subject to the same guidelines for protecting privacy as any other information-gathering project at the Institute. (This means, for example, that you may not collect information about individual users without their consent.)
- Don't remotely log into (or otherwise use) any workstation or computer not designated explicitly for public logins over the network -- even if the configuration of the computer permits remote access -- unless you have explicit permission from the owner and the current user of that computer to log into that machine.

4. Don't misuse the intellectual property of others.

MIT faculty, students, and staff produce and consume a vast amount of intellectual property, much of it in digital form, as part of our education and research missions. This includes materials covered by the patent, copyright, and trademark laws, as well as license or other contractual terms. Members of the MIT community also avail themselves of a wide variety of entertainment content that is available on the Internet, most of which is protected by copyright or subject to other legal restrictions on use. All users need to insure that their use of all these protected digital materials respects the rights of the owners. Digital materials that may be covered by this rule, without limitation, are:

- Data
- E-books
- Games
- Journals and periodicals
- Logos
- Movies
- Music
- Photographs and other graphics
- Software
- Textbooks
- Television programs
- Other forms of video content

You should assume that all materials are subject to these legal protections, and may have some restrictions on use. Ease of access, downloading, sharing, etc. should not be interpreted as a license for use and re-distribution. Of particular concern is the prevalence of peer-to-peer file sharing as a medium for the unauthorized exchange of copyrighted materials, including movies, music, games, and other software programs. As required by the Higher Education Opportunity Act, MIT has developed and implemented a written plan to effectively combat the unauthorized distribution of copyrighted materials by users of MIT's network. For more information, see Copyright at MIT.

5. Don't use MITnet to harass anyone in any way.

"Harassment," according to MIT's Policies and Procedures (Section 9.5), is defined as: "...any conduct, verbal or physical, on or off campus, which has the intent or effect of unreasonably interfering with an individual or group's educational or work performance at MIT or that creates an intimidating, hostile or offensive educational, work or living environment.... Harassment on the basis of race, color, gender, disability, religion, national origin, sexual orientation or age includes harassment of an individual in terms of a stereotyped group characteristic, or because of that person's identification with a particular group." The Institute's harassment policy extends to the networked world. For example, sending email or other electronic messages which unreasonably interfere with anyone's education or work at MIT may constitute harassment and is in violation of the intended use of the system. Any member of the MIT community who feels harassed is encouraged to seek assistance and resolution of the complaint. To report incidents of on-line harassment, send email to abuse@mit.edu. If you believe you are in danger, call the Campus Police immediately at x3-1212.

Assuring Proper Use of the System


MITnet's resources, as well as the resources MITnet gives you access to (e.g., computing facilities, email and calendaring services, instant messaging, wikis, the web), are powerful tools that provide maximum benefit to the entire MIT community when used reasonably and in manners consistent with the intended uses of those resources.

6. Don't misuse electronic communications and collaboration services.

MIT provides electronic communications and collaboration services to members of the MIT community. These services include, but are not limited to, electronic mail, mailing lists, instant messaging, message boards, websites, wikis, blogs, social networking sites, forums, collaborative spaces, Voice over IP (VoIP) and video services. Some members of the MIT community access similar, or additional, 3rd party services on the Internet. Users of all such services have a responsibility to use these services properly and to respect the rights of others in their use of these services, and in accordance with published terms of service. Users may not use these services in violation of any applicable law. All relevant MIT policies apply to the use of these services, but in particular:

- Any use that might contribute to the creation of a hostile academic or work environment is prohibited,
- Any commercial use not required for coursework, research or the conduct of MIT business is prohibited,
- Any non-incidental personal use such as advertisements, solicitations or promotions is prohibited [Note: some services exist on campus that have been designed for buying, selling and exchanging items within the MIT community, and those are allowed].

MIT Senior Leadership has authorized certain individuals to send electronic mail to large groups such as all Faculty, all employees, all undergraduates, Class of 2012, etc., or to the entire MIT community. These lists are not open to posts from the community at large. Contact the owners of these lists for further information. Users should understand a service's policies prior to use. Service operators and providers should, to the extent feasible, publish their terms of service. Any content posted to a service that is inconsistent with these rules, as well as unsolicited mail from outside of MIT (e.g., SPAM), may be subject to automated interception, quarantine and disposal.

After examining MIT's policy on the use of MITnet, it can be seen and concluded that MITnet must be used only for academic, research, educational and administrative purposes. No user may violate the intended use of MITnet. The same applies to privacy: every user must keep their personal data (account credentials, etc.) confidential and must not violate the privacy of others. Every violation results in loss of access rights, quarantine and other penalties. Viewed as a whole, this policy emphasizes the privacy of each individual (property, accounts, etc.). The rules apply to anyone who uses MITnet. The following is the policy of Stanford University:

STANFORD UNIVERSITY 6.2.1 Computer and Network Usage Policy


Last updated on: 08/30/2012
Formerly Known As Policy Number: 62

This policy covers the appropriate use of all information resources including computers, networks, and the information contained therein.

Authority: Approved by the President.

Applicability: Applies to all University students, faculty and staff, and all others using computer and communication technologies, including the University's network, whether personally or University owned, which access, transmit or store University or student information.

Policy Statement: Use of Stanford's network and computer resources should support the basic missions of the University in teaching, learning and research. Users of Stanford network and computer resources ("users") are responsible to properly use and protect information resources and to respect the rights of others. This policy provides guidelines for the appropriate use of information resources.

1. Definitions
As used in this policy:
a. "Information resources" are all computer and communication devices and other technologies which access, store or transmit University or student information.
b. "Information" includes both University and student information.

2. Policies
a. General Policy

Users of University information resources must protect (i) their online identity from use by another individual, (ii) the integrity of computer-based information resources, and (iii) the privacy of electronic information. In addition, users must refrain from seeking to gain unauthorized access, honor all copyrights and licenses and respect the rights of other information resources.

b. Access

Users must refrain from seeking to gain unauthorized access to information resources or enabling unauthorized access. Attempts to gain unauthorized access to a system or to another person's information are a violation of University policy and may also violate applicable law, potentially subjecting the user to both civil and criminal liability. However, authorized system administrators may access information resources, but only for a legitimate operational purpose and only the minimum access required to accomplish this legitimate operational purpose.

(1) Prohibition against Sharing User IDs and Passwords
Sharing an online identity (user ID and/or password) violates University policy.

(2) Information Belonging to Others
Users must not intentionally seek or provide information on, obtain copies of, or modify data files, programs, passwords or other digital materials belonging to other users, without the specific permission of those other users.

(3) Abuse of Computing Privileges
Users of University information resources must not access computers, computer software, computer data or information, or networks without proper authorization, or intentionally enable others to do so, regardless of whether the computer, software, data, information, or network in question is owned by the University. For example, abuse of the networks to which the University belongs or the computers at other sites connected to those networks will be treated as an abuse of University computing privileges.

c. Usage

The University is a non-profit, tax-exempt organization and, as such, is subject to specific federal, state and local laws regarding sources of income, political activities, use of property and similar matters. It also is a contractor with government and other entities and thus must assure proper use of property under its control and allocation of overhead and similar costs. Use of the University's information resources must comply with University policies and legal obligations (including licenses and contracts), and all federal and state laws.

(1) Prohibited Use
Users must not send, view or download fraudulent, harassing, obscene (i.e., pornographic), threatening, or other messages or material that are a violation of applicable law or University policy. In particular, contributing to the creation of a hostile academic or work environment is prohibited.

(2) Copyrights and Licenses
Users must not violate copyright law and must respect licenses to copyrighted materials. For the avoidance of doubt, unlawful file-sharing using the University's information resources is a violation of this policy.

(3) Social Media
Users must respect the purpose of and abide by the terms of use of online media forums, including social networking websites, mailing lists, chat rooms and blogs.

(4) Political Use
University information resources must not be used for partisan political activities where prohibited by federal, state or other applicable laws, and may be used for other political activities only when in compliance with federal, state and other laws and in compliance with applicable University policies.

(5) Personal Use
University information resources should not be used for activities unrelated to appropriate University functions, except in a purely incidental manner.

(6) Commercial Use
University information resources should not be used for commercial purposes, including advertisements, solicitations, promotions or other commercial messages, except as permitted under University policy. Any such permitted commercial use should be properly related to University activities, take into account proper cost allocations for government and other overhead determinations, and provide for appropriate reimbursement to the University for taxes and other costs the University may incur by reason of the commercial use. The University's Chief Financial Officer and Vice President for Business Affairs will determine permitted commercial uses.

(7) Use of University Information
Users must abide by applicable data storage and transmission policies, including Admin Guide 6.3.1 (Information Security). Consult the University Privacy Officer (privacyofficer@stanford.edu) for more information.

d. Integrity of Information Resources

Users must respect the integrity of information and information resources.

(1) Modification or Removal of Information or Information Resources
Unless they have proper authorization, users must not attempt to modify or remove information or information resources that are owned or used by others.

(2) Other Prohibited Activities
Users must not encroach, disrupt or otherwise interfere with access or use of the University's information or information resources. For the avoidance of doubt, without express permission, users must not give away University information or send bulk unsolicited email. In addition, users must not engage in other activities that damage, vandalize or otherwise compromise the integrity of University information or information resources.

(3) Academic Pursuits
The University recognizes the value of legitimate research projects undertaken by faculty and students under faculty supervision. The University may restrict such activities in order to protect University and individual information and information resources, but in doing so will take into account legitimate academic pursuits.

e. Locally Defined and External Conditions of Use

Individual units within the University may define "conditions of use" for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines restrictions, and/or enforcement mechanisms. Where such conditions of use exist, the individual units are responsible for publicizing and enforcing both the conditions of use and this policy. Where use of external networks is involved, policies governing such use also are applicable and must be followed.

f. Access for Legal and University Processes

Under some circumstances, as a result of investigations, subpoenas or lawsuits, the University may be required by law to provide electronic or other records, or information related to those records or relating to use of information resources, ("information records") to third parties. Additionally, the University may in its reasonable discretion review information records, e.g., for the proper functioning of the University, in connection with investigations, or to protect the safety of individuals or the Stanford community. The University may also permit reasonable access to data to third-party service providers in order to provide, maintain or improve services to the University. Accordingly, users of University information resources do not have a reasonable expectation of privacy when using the University's information resources.

3. Oversight of Information Resources


Responsibility for, and management and operation of, information resources is delegated to the head of a specific subdivision of the University governance structure ("department"), such as a Dean, Department Chair, Administrative Department head, or Principal Investigator ("lead"). This person will be responsible for compliance with all University policies relating to the use of information resources owned, used or otherwise residing in their department. The lead may designate another person to manage and operate the system, but responsibility for information resources remains with the lead. This designate is the "system administrator." The system administrator is responsible for managing and operating information resources under their oversight in compliance with University and department policies, including accessing information resources necessary to maintain operation of the systems under the care of the system administrator. (See also, section 4.b; system administrators should defer to the Information Security Office for access beyond that necessary to maintain operation of the system.)

a. Responsibilities

The system administrator should:

- Take all appropriate actions to protect the security of information and information resources. Applicable guidelines are found at http://securecomputing.stanford.edu
- Take precautions against theft of or damage to information resources.
- Faithfully execute all licensing agreements applicable to information resources.
- Communicate this policy, and other applicable information use, security and privacy policies and procedures to their information resource users.
- Cooperate with Information Security Office to find and correct problems caused by the use of the system under their control.

b. Suspension of Privileges

System administrators may temporarily suspend access to information resources if they believe it is necessary or appropriate to maintain the integrity of the information resources under their oversight.

4. Reporting or Investigating Violations or University Concerns


a. Reporting Violations

System users will report violations of this policy to the Information Security Office, and will immediately report defects in system accounting, concerns with system security, or suspected unlawful or improper system activities to the Information Security Office during normal business hours and the Office of the General Counsel emergency afterhours phone line at other times.

b. Accessing Information & Systems

Inspecting and monitoring information and information resources may be required for the purposes of enforcing this policy, conducting University investigations, ensuring the safety of an individual or the University community, complying with law or ensuring proper operation of information resources. Only the University's Chief Information Security Officer (or designate) may authorize this inspection and monitoring.

c. Cooperation Expected

Information resource users are expected to cooperate with any investigation of policy abuse. Failure to cooperate may be grounds for cancellation of access privileges, or other disciplinary actions.

5. Consequences of Misuse of Information Resources


A user found to have violated this policy may also have violated the University Code of Conduct, the Fundamental Standard, the Student Honor Code, and/or other University policies, and will be subject to appropriate disciplinary action up to and including discharge, dismissal, expulsion, and/or legal action. The Chief Information Security Officer will refer violations to University units, i.e., Student Affairs for students, the supervisor for staff, and the Dean of the relevant School for faculty or other teaching or research personnel, if appropriate.


6. Cognizant Office
University's Chief Information Security Officer, or other person designated by the Vice President for Business Affairs and Chief Financial Officer, shall be the primary contact for the interpretation, monitoring and enforcement of this policy.

7. Related Policies
a. Student Discipline: See Student Life/Codes of Conduct/Fundamental Standard/Honor Code
b. Staff Discipline: See Guide Memo 2.1.16: Addressing Conduct & Performance Issues
c. Faculty Discipline: See the Statement on Faculty Discipline in the Faculty Handbook
d. Patents and Copyrights: See Research Policy Handbook 9.1 and 9.2; see also the Stanford University Copyright Reminder
e. Partisan Political Activities: See Guide Memo 1.5.1: Political Activities
f. Ownership of Documents: See Research Policy Handbook 9.2, and Guide Memo 1.5.5: Ownership of Documents
g. Incidental Personal Use: See Research Policy Handbook 4.1, and Guide Memo 1.5.2: Staff Policy on Conflict of Commitment and Interest
h. Security of Information: See Guide Memo 6.6.1 (Information Security Incident Response)
i. Privacy and Security of Health Information (HIPAA): See Guide Memo 1.6.2: Privacy and Security of Health Information
j. Data Classification, Access and Transmittal and Storage Guidelines: See http://dataclass.stanford.edu.


The rules and policies at Stanford University do not differ much from those at MIT. However, these rules cover all users, including staff and administrators. The core of Stanford's policy is that every user must keep their personal data confidential and respect the privacy of others by not violating their rights. It also covers the responsibilities of a system administrator, as well as the use or citation of resources belonging to others. Stanford also has an Information Security Office, which governs security. Every form of violation results in disciplinary action such as discharge, dismissal, expulsion and legal action. From these two institutions it can be concluded that the rules that have been made are intended to protect one's own privacy and to respect the privacy of others, and to ensure that the services provided are used, by anyone who uses them, without straying from the main purpose for which those services exist.

