IT Acceptable Use and Security Policy

Overview

The University of Adelaide seeks to provide its staff, students, titleholders and visitors with secure and timely access to the online services and resources necessary for undertaking their work and study. Consequently the University is highly reliant on information that is gathered, stored, processed and delivered by computers and their associated communications facilities. The purpose of this Policy is to give a clear statement to all users of University IT facilities of their responsibilities, including what constitutes acceptable and unacceptable use; to manage the provision and modification of access to online services; and to express the commitment of the University to providing and maintaining a secure, effective and reliable IT infrastructure to support the University's operations.

Scope and Application

This Policy applies to all users of University IT facilities, whether the facilities are managed by Information Technology Services (ITS), by other organisational units within the University, or by third-party providers, and whether the user is a University IT account holder or not (for instance, a user of the public terminals in the University Libraries).

Policy Principles

1. Acceptable and Unacceptable Use of IT Facilities

a) University IT facilities are provided for use in the academic, administrative, commercial and community activities of the University.

b) University IT facilities are not provided for personal use. Some reasonable non-commercial personal use may be allowed, but as a privilege and not a right, and if that privilege is abused it will be treated as a breach of this Policy.

c) Use of University IT facilities must not jeopardise the fair, safe and productive IT environment of the University community, nor the University's operations, assets and reputation.

d) University IT facilities must not be used unlawfully or for an unlawful purpose.

e) Specific user responsibilities are set out in section 4 of this Policy.

2. Access and Accounts

a) All individuals who require access to University IT facilities and services for the conduct of the University's activities must be properly identified, by means of a unique account verified by an authentication mechanism.

b) All University staff and titleholders are entitled to access to University IT facilities, at a level appropriate to their position and role, via a unique account.

c) All University students are entitled to access to University IT facilities, at a level appropriate to their enrolment, via a unique account.

d) Some IT facilities provided for public community use do not require a unique account to enable access.

e) Visitors to the University (including contractors) are entitled to access to University IT facilities where the use of those facilities is necessary for them to undertake their University-related role. Visitor access must be authorised on a case-by-case basis by the Head of School or Branch Head where the visitor will be working.

f) The University may impose quotas on the use of University IT facilities (including print, file storage, email and internet download) and will revise them as necessary. Where quotas exist, account holders are expected to comply with them. If an account holder exceeds any of their quotas, they may be personally charged for the cost of their use and/or temporarily prevented from using the affected IT facility.

g) When account holders no longer have a relationship with the University, their accounts will be disabled for a set period, and then deleted.

h) Account holders may have their IT access suspended immediately where there is a suspected breach of University policy.

i) Account holders who have multiple relationships with the University (such as an account holder who is both student and staff) who cease only one of their relationships will only have the access related to the terminating relationship removed.

3. Security of IT Facilities

a) The University will take all reasonable steps to protect its IT facilities and data from unauthorised and unacceptable use to ensure that accurate and complete information is accessible only to authorised users.

b) Heads of School and Branch Heads are responsible for the implementation and management of this Policy in relation to IT facilities managed by their area.

c) To preserve the University's standard operating environment and ensure compliance with licensing obligations, users of University IT facilities may only modify the standard configuration of any of the University's IT facilities after first gaining approval from ITS. Users must never install or use unlicensed or malicious software on University IT facilities and must not connect unapproved networking devices to the University's IT infrastructure.

d) Users of University IT facilities must not circumvent the University's authorised internet connections or subvert its IT security measures.

e) All University IT facilities, especially portable ones, must be kept secured at all times against damage, misuse, loss or theft. In addition, sensitive information or data must be protected with appropriate security measures such as passwords and encryption.

f) All contractors engaged in work on University IT facilities and infrastructure must be contracted in writing for the work, through which they must agree to be bound by this Policy and its associated Procedures, to maintain confidentiality, and to hand over University-owned documentation on completion of their contracts.

g) University IT facilities that become obsolete must be disposed of in a manner that renders any information illegible and irretrievable at the time of disposal.

h) People working in Information Technology Services (ITS) must not use their access to IT facilities to gain any personal, academic or other advantage, or to manipulate University data without authorisation.

4. User Responsibilities

a) It is a condition of use of University IT facilities that this Policy, particularly the principles of acceptable and unacceptable use, and its associated Procedures must be complied with. A summary of key policy obligations is contained in the IT Do's and Don'ts. University account holders are also expected to adhere to the University's IT Best Practice Standards.

b) University IT account holders are responsible for all activity initiated from their account, must only access University IT facilities using their own account, and must ensure that their passwords are securely stored.

c) Users of University IT facilities must not create, send, store, access, use, solicit, publish or link to:

i. Offensive, obscene, profane or indecent images or material (other than for properly authorised, supervised and lawful education or research purposes, in which case an appropriate warning must be given).

ii. Material likely to cause annoyance, inconvenience or distress to some individuals or cultures.

iii. Discriminating or sexually harassing material or messages that create an intimidating or hostile work or study environment for others.

iv. Defamatory material or material that makes misrepresentations or could otherwise be construed as misleading.

v. Material that infringes the intellectual property (including copyright) of another person or organisation.

vi. Malicious software such as viruses, worms or address-harvesting software.

d) University IT facilities must not be used in the conduct of a personal business or unauthorised commercial activities.

e) University IT facilities must not be used for any illegal activity such as sending chain letters, breaching the SPAM Act 2003, or attacking other computer systems.

f) Staff must include the University's official signature and disclaimer on all email messages sent.

g) Electronic materials must never be forwarded without the express or implied permission of the material's creator.

h) Peer-to-peer software must only be used for lawful purposes authorised by Branch Heads or Heads of School.

i) Any observed security weakness in, or threat to, University IT facilities and services and any known or suspected breach of this Policy and its associated Procedures must be reported as soon as practicable to the ITS Helpdesk.

j) Where use of University IT facilities would ordinarily breach this Policy, but the use forms a legitimate part of education or research, an exemption may be granted from compliance with this Policy by the Director, Infrastructure (Property and Technology) or the Vice-President (Services and Resources).

5. University Responsibilities and Monitoring of IT Facilities

a) The University will manage University IT accounts, maintain a secure IT environment and keep users of the University IT facilities informed of their user responsibilities and expected best practice standards.

b) The University reserves the right to investigate any and all aspects of its electronic information systems if it is suspected that any user of University IT facilities is acting unlawfully or violating this Policy or any other University Policy.

c) The University reserves the right to monitor, log, collect and analyse the activities of account holders in their usage of IT facilities as well as carry out security audits on University IT facilities.

d) ITS may take any action it considers necessary to remedy immediate threats to the IT infrastructure or security, including suspending authorised accounts and/or disconnecting or disabling relevant IT facilities or other equipment, with or without prior notice.

6. Consequences of non-compliance

a) Minor breaches of this Policy will be addressed by sending emails to users requesting that they desist from the breaching behaviour, as specified in the IT Security Procedures.

b) Ongoing or serious breaches of this Policy or related IT Policies by staff or students will be addressed by the relevant disciplinary procedures. Breaches by titleholders will be addressed under the Conferral of Honorary Roles Policy. Where breaches are committed by visitor account holders, appropriate action may be taken as determined by the relevant Head of School or Branch Head.

c) If a breach of this Policy or associated Procedures appears to constitute an offence under State or Commonwealth law, the University may (and in some cases is obliged to) refer the suspected breach to the appropriate law enforcement agencies.

d) Requests for suspension of a staff member, titleholder, or visitor account must first be approved by the Director, Human Resources. Requests for suspension of a student account must first be approved by the General Manager, Student Services. Suspension of accounts that contain multiple roles must be approved by both Human Resources and Student Services.

Delegations of Authority

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to approve exceptions to this Policy
Delegation Holder: Vice President Services & Resources; Director, Infrastructure (Property and Technology)

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to grant visitor access to the University IT facilities
Delegation Holder: DVCs and VPs; Executive Deans; Heads of Schools; Branch Heads

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to authorise the creation of generic accounts
Delegation Holder: Heads of Schools; Branch Heads

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to order the immediate suspension or termination of a staff, title-holder or visitor account
Delegation Holder: DVCs and VPs; Director, Human Resources
Limits: If account holder is also a student, approval of General Manager, Student Services is also required

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to order the immediate suspension or termination of a student account
Delegation Holder: DVCs and VPs; General Manager, Student Services
Limits: If account holder is also a staff member or title-holder, approval of Director, Human Resources is also required

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to immediately suspend or disconnect any account or IT Facility based on an immediate threat to the IT infrastructure or security
Delegation Holder: DVCs and VPs; Executive Deans; Director, Infrastructure (Property and Technology); Manager, Production Support, ITS; Team Leader, IT Risk Management, TS

Key: Services and Resources
Authority Category: Information Technology
Authority: Authority to approve changes to the stand-alone procedures related to this Policy.
Delegation Holder: Vice President (Services & Resources)

Definitions

University IT account holder means any staff, student, titleholder or visitor who has a relationship with the University of Adelaide that makes it necessary for them to access University IT facilities and online resources requiring authenticated login via a unique account provided by the University. Refer to the IT Acceptable Use and Security Policy for further information.

University IT facilities means any computer system, network, application, program, device or item of equipment (including all systems which provide an information processing service and the data to which they provide access) which is owned, managed, hosted or provided by the University (whether by Information Technology Services, another organisational unit within the University, or a third-party provider).

Date uploaded 18 August 2009


This document is a component of IT Acceptable Use and Security Policy

Policy Control Information

RMO File No.: 2021/8007
Policy custodian: Chief Operating Officer
Responsible policy officer: Chief Information Officer, Information Technology and Digital Services
Endorsed by: Vice-Chancellors Executive
Approved by: Vice-Chancellor and President
Related Policies: IT Acceptable Use Procedures; IT Security Procedures; Information Classification and Handling Guideline; Third Party Hosting Security Guideline; Code of Conduct Policy; Behaviour and Conduct Policy; Student Misconduct Rules; Copyright Policy; Information Management Policy; Privacy Policy
Related legislation: Criminal Code Act 1995 (Cth); Spam Act 2003 (Cth); Copyright Act 1968 (Cth); Telecommunications (Interception and Access) Act 1979 (Cth); Security of Critical Infrastructure Act 2018 (Cth); Tertiary Education Quality Standards Agency Act 2011 (Cth) (TEQSA Act) ss 114A and 114B
Effective from: 10 May 2022
Review Date: 9 May 2025
Contact for queries about the policy: ITS Helpdesk, telephone 8313 3000

Please refer to the Policy Directory for the latest version.