• A security incident is defined as any adverse event that impacts, or can impact the availability, integrity, confidentiality, and authenticity of university data, or data pertaining to an individual. Such incidents may include, but are not limited to virus, and other malware attacks, and physical loss of a device or component.
• Competent Authority: The competent authority for the purpose of this policy is the Vice-chancellor, or in the absence, the Registrar of NLUD, or any other designated person duly authorized, in writing, by the Competent Authority.
• Confidential information: information marked as such by the Competent Authority, or User.
• Designated officer: An official designated as such by the competent authority.
• Head of the centre: An official designated as such by the competent authority.
• ICT: It refers to all Information Communication Technology facilities, equipment, systems, and services owned, provided, or used by the University.
• IT department: the person(s), or department designated by the competent authority to deal with IT resources, and services.
• Personal information: means any information about an individual who is identifiable by such information.
• Purchase Committee: Means Committee constituted by the Competent Authority for the purpose of procurements.
• Resources: It includes, but is not limited to computational resources, e.g., computers, networks (wired and wireless), servers, software systems, off-campus network access, the gateway used for world wide web, email, university portal, file tracking system, and others.
• The University: The term ‘University’ for the purpose of this policy stands for National Law University Delhi (NLUD)
• Third party contractor: Any person or entity engaged for procurements, or any goods or services related to the University.
• User: includes all users of the ICT facilities who access the ICT resources of the university, irrespective of their status of employment, or association with the university, including third party users.
• Unauthorized use: Unauthorized use may be considered to be any use of the ICT facilities, services, and infrastructure by the users without due authorization/permission of the competent authority.

This policy aims at:

• Providing guidelines and strategies for legitimate use, including collection, processing, storage, and disclosure of the information, while maintaining confidentiality and integrity of such information, in accordance with the applicable laws, existing regulations, University policies and principles.
• Ensuring that the information be used for University’s academic, research, or administrative functions, or other legally required purposes only.
• Ensuring the safety of the users, and entities (sections, branches, departments, etc.) of the university, while keeping in mind the freedom, and dignity of the individuals, to reduce the threat of crime in general.
• Ensuring the lawful, secure, and effective use of the ICT resources, infrastructure, and equipment in furtherance of the vision, and goals of the university.
• Providing guidelines with respect to the accessibility and the use of the email services in an efficient, effective, lawful, and ethical manner.
• Establishing security guidelines for formulating, modifying, storing, and using codes and passwords.

• National Law University, Delhi is committed to protecting the privacy of Personal Information, in accordance with the applicable laws.
• This policy applies to any information including that collected through visits to the University website (http://www.nludelhi.ac.in); information gathered through the University logins; CCTV feeds, and other information/communications that follows from these activities.
• The University may authorize access to certain types of information including CCTV footage based only on a legal request made by an authority who has powers to make a legitimate demand, such as legal action (E.g. in response to court orders, or legal instruments that require/authorize disclosure), or in the interest of safety and security of individuals, or the community, or as required by law.
• The University’s website may provide links to other websites. In case the User leaves the NLUD website, (www.nludelhi.ac.in) they will be visiting sites that are beyond the control of NLUD. These other websites may send their own cookies to Users, collect data, or solicit Personal Information. This policy does not extend to any external links.
• The information collected by the University will be within its control and in a manner consistent with applicable laws, existing regulations, University policies, and principles which guide such collection. The collection, use, disclosure, or storage of information will be restricted to that which reasonably serves the legitimate needs of University’s academic, research, or administrative functions, or other legally required purposes.
• The university shall only use Personal Information for the purpose(s) for which it was collected, and no longer than is required, for the purposes, for which the information was originally collected.
• The individual concerned has the right to review the information provided to the University, and to ask for inaccurate, or deficient information to be corrected.
• Personal Information of individuals shall not be disclosed by the University, except in accordance with the provisions of existing laws and/or University policies.
• In the interest of student safety and security; crime prevention, and community policing initiatives; and the UGC norms, surveillance cameras may be installed in the University premises. Such technologies will be used to meet the objective of protecting persons and property, while avoiding unnecessary intrusions upon academic freedom, or individual civil liberties including privacy, freedom of expression, and freedom of assembly.
• Any information collected through the use of surveillance equipment is considered the University’s property and/or records. The Vice-Chancellor/Registrar or their designee is authorized to determine the specific personnel in the University who shall have access to the video surveillance equipment and recordings.
• Disclosure of information obtained from video surveillance to law enforcement agencies or any designate of the Vice Chancellor/Registrar for resolving internal complaints, will be subject to the approval of the Vice Chancellor/Registrar.
• Subject to technical feasibility, security camera recordings will be retained for a minimum period of 14 days. However, recordings from surveillance equipment may be retained longer under the circumstances listed below:
  1. 1. Upon receiving authorization from the Competent Authority in writing where such a retention reasonably appears necessary to protect the interest of the stake holders,
     2. Upon receiving credible notification by law enforcement authorities for an alleged illegal activity that has occurred, is occurring, or is imminent.

• The ICT infrastructure and Resources should be used only for the legitimate purposes carried out by the Users.
• The University Intranet, and Internet access should not be used for unauthorized commercial activities, personal advertisements, or promotions (“unauthorised use”).
• The downloading of text, audio, and video files using University infrastructure and services is to be done for academic purposes only.
• It shall be the responsibility of the Users to maintain Confidential Information, including password used by them.
• Only authorized Users, or devices can be connected to the University intranet/ internet.
• Any device belonging to the University, such as network cables, network boxes, podiums, mikes, projectors, biometric systems, sound systems, CCTV Cameras, wireless etc. should not be used for unauthorized use.
• In case an IT infrastructure equipment is damaged by a User, then an appropriate fine may be imposed upon the User (or an identical equipment of the same description, may be provided in replacement), and a warning may be issued.
• The Users shall exercise due care and caution while accessing blocked websites. Only the IT Department will be authorized to change the access on a suo moto basis or upon receiving a request from the users.
• Only the IT Department is authorized to issue, and provide a unique IP address to every computing device wherever required, and possible.
• The assignment and allocation of unique IP addresses should be carried out, and if possible the identity of the unit/block/building should also be represented in these allocations.
• The users should use only licenced, and authorized software for the university systems and ICT equipment, and it must be ensured that such software/hardware is compatible with the ICT infrastructure of the university.
• The IT department shall be responsible for the compliance of the terms of software licenses, including allocation to the permissible number of devices.
• Software installation shall be carried out by the IT Department where required.
• Moving of computers, systems and components from one location to another must be done with due intimation, and approval of the IT Department, in order to allow the IT Department to maintain records.
• The IT Department should investigate any hardware or software failure, as soon as it becomes aware of such a failure, and should take appropriate steps to rectify it at the earliest opportunity.
• IT Department may backup the university data at regular intervals, using appropriate means, and in the process should keep the safety, privacy, dignity, and rights of the users in mind.
• IT Department should facilitate the users, and ensure that the university data are protected by active, and effective antivirus software(s).
• The users may contact the IT Department for assistance software and hardware updated.
• Each user should be provided with usernames and passwords by the IT Department to access the ICT facilities in an individually identifiable manner.
• The IT Department may be instructed by the competent authority to allow the simultaneous use of a specified number of devices by the individual users, university officials, centres, and departments.
• IT Department should undertake efficient bandwidth distribution and management over different users of the university.

• Only the email services provided by the University shall be used for official communications by staff, employees, faculty member, and students including employees and staff of different centres of NLUD.
• Use of the University email service amounts to the User’s agreement to be governed by this policy.
• It is recommended for Users working in areas dealing with sensitive and confidential data to use 2-Step Verification (also known as two-factor authentication)/ OTP for secure authentication.
• It is recommended that University officials on long deputation/ stationed abroad and handling sensitive or confidential data should use 2-Step Verification (also known as two-factor authentication)/ OTP for accessing email services.
• Users shall ensure that the latest operating system, anti-virus, and application patches are available on all the devices.
• Based on the request of the respective centres, the IT Department will create two IDs, one based on the designation, and the other based on the name. Designation-based ID’s are recommended for officers dealing with the public. Use of alphanumeric characters as part of the email id is recommended for Users.
• By default, the address ‘[email protected]‘ will be assigned by the IT Department to the users. University officers who resign, or superannuate will be allowed to continue the use of the official email ID for 12 months after the end of their service.
• Due care should be taken when typing email addresses to ensure that it reaches the intended recipient.
• Bulk emails by students with multiple intended recipients (e.g., faculty/staff/students) shall be routed through the office of the Registrar.
• Creation, and exchange of emails that could be categorized as offensive, harassing, or obscene must be avoided.
• It is acknowledged that individuals, for the purpose of official work/legitimate research, may be required to receive/send content which may, in normal course, be considered as offensive, harassing, or obscene. Such transfer for official work or legitimate research will not amount to a breach of the policy.
• Creation and exchange of advertisements, solicitations, and other unofficial, unsolicited email (such as spam messages, or campaign emails) should be avoided.
• Transmission of emails involving language derogatory to religion, caste, ethnicity, gender, sexual orientation must be avoided.
• Any case of inappropriate use of email accounts shall be considered a violation of the policy and may result in deactivation of the account after consultation with the Vice Chancellor/ Registrar.
• The ‘reply all’ and the use of ‘distribution lists’ should be used with caution to reduce the risk of sending emails to the people who are unrelated to the subject of such emails.
• Taking backups at regular intervals is the responsibility of the User.
• Users must not open attachments, or click on links in emails received from unsolicited/untrusted sources.
• NLUD may define and implement storage quotas for both employee, as well as, student email accounts. Users are responsible for regular deletion of email which is not of use to save storage space. Users will be notified via email when they are approaching the end of their storage limit. Once the storage limit is exhausted, one final email will be sent to the User, notifying them to reduce the storage below the sanctioned limit. After exhaustion of the storage limit, Users will not receive any further emails until the storage is reduced below the storage limit.
• It shall be within the rights of the IT Department to deactivate or remove any feature of the email service if it is deemed a threat and can lead to a compromise of the service after approval of the Vice Chancellor/ Registrar. Any security incident noticed or identified by a User must immediately be brought to the notice of the IT Department.
• In case of threat to the security of the service, the email id being used to impact the service may be suspended or deactivated immediately by the IT Department after approval of the Vice Chancellor/ Registrar. The concerned User and the Head of the Centre shall be informed of the security threat and the deactivation.
• The email ID provided to students shall remain active until three months from the date of convocation of graduating students. On request, a distinct alumni ID may be created and provided to the alumni. All rules applicable under this policy to NLUD students shall apply to NLUD alumni.

• It is recommended that all passwords be changed every four months. However, the IT Department must change passwords under its direct control at least quarterly, and other users should change their passwords biannually.
• Email, and other communication apps like WhatsApp should not be used for the transmission of any passwords. Further, it is recommended that the passwords should not be written down, or stored on the computer or a storage device.
• Every User should be aware of how to select strong passwords.
• Personal and university passwords should not be common, and the same password should not be used for different access needs.
• In case of the breach of a password, the user should intimate the IT Department immediately, who in turn take immediate and appropriate action.
• Following points should be kept in mind to create a strong password:
• Inclusion of both upper- and lower-case letters (e.g., a-A)
• Inclusion of a combination of letters, numbers, and special characters.
• There should be at least eight alphanumeric characters.
• It is recommended that personally identifiable information like names, and birthdays should be avoided.

In case of a breach of this policy, the matter shall be referred to the Competent Authority for appropriate action within seven days. The competent authority may take steps to ensure the safety and security of ICT equipment, services, and facilities including appropriate action against the concerned user, including, but not limited to the confiscation and/or deletion of ICT resources.