IT Acceptable Use and Security Policy

Overview

The University of Adelaide seeks to provide its staff, students, titleholders and visitors with secure and timely access to IT equipment and the online services and resources necessary for undertaking their work and study. Consequently the University is highly reliant on information that is gathered, stored, processed and delivered by computers and their associated communications facilities. The purpose of this Policy is to give a clear statement to all users of University IT facilities and services of their responsibilities, including what constitutes acceptable and unacceptable use; to manage the provision and modification of access to online services; and to express the commitment of the University to providing and maintaining a secure, effective and reliable IT infrastructure to support the University's operations.

Scope and Application

This Policy applies to all users of University IT facilities and services, whether the facilities are managed by Technology Services (TS), by other organisational units within the University, or by third-party providers, and whether the user is an account holder or not (for instance, a user of the public terminals in the University Libraries).

Policy Principles

1. Acceptable and Unacceptable Use of IT Facilities and Services

a) University IT facilities and services are provided for use in the academic, administrative, commercial and community activities of the University. Some reasonable non-commercial personal use may be allowed, but as a privilege and not a right, and if that privilege is abused it will be treated as a breach of this Policy.

b) Use of University IT facilities and services must not jeopardise the fair, safe and productive IT environment of the University community, nor the University's operations, assets and reputation.

c) University IT facilities and services must not be used unlawfully or for an unlawful purpose.

d) Specific user responsibilities are set out in section 4 of this Policy.

2. Access and Accounts

a) All University staff and titleholders are entitled to access to University IT facilities and services, at a level appropriate to their position and role, via a unique password protected account.

b) All University students are entitled to access to University IT facilities and services, at a level appropriate to their enrolment, via a unique password protected account.

c) Some IT facilities provided for public community use do not require a unique account to enable access.

d) Visitors to the University may be provided with access to University IT facilities and services where the use of those facilities and services is necessary for them to undertake their role within the University. Visitor access via a unique password protected account must be authorised on a case-by-case basis by the Head of the School or Branch where the visitor will be working.

e) The University may provide access to University IT facilities and services to approved third parties. Access for personnel or students of an approved third party must be authorised in accordance with procedures agreed between the University and that third party.

f) The University may impose quotas on the use of University IT facilities and services (including print, file storage, email and internet download) and will revise them as necessary. Where quotas exist, account holders are expected to comply with them. If an account holder exceeds any of their quotas, they may be personally charged for the cost of their use and/or temporarily prevented from using the affected IT facility.

g) When account holders no longer have a relationship with the University or are no longer authorised to have access to University IT facilities and services, their accounts will be disabled for a set period, and then deleted.

h) Account holders may have their IT access suspended immediately where there is a suspected breach of University policy.

i) Account holders who have multiple relationships with the University (such as an account holder who is both student and staff member) who cease only one of their relationships will only have the access related to the terminating relationship removed.

3. Security of IT Facilities and Services

a) The University will take all reasonable steps to protect its IT facilities and services from unauthorised and unacceptable use.

b) Heads of School and Branch Heads are responsible for the implementation and management of this Policy in relation to IT facilities managed by their area.

c) To preserve the University's standard operating environment and ensure compliance with licensing obligations, users of University IT facilities and services may only modify the standard configuration of any of the University's IT facilities and services, after first gaining approval from TS. Users must never install or use unlicensed or malicious software on University IT facilities and must not connect unapproved networking devices to the University's IT infrastructure.

d) Users of University IT facilities and services must not circumvent the University's authorised internet connections or subvert its IT security measures.

e) All University IT hardware, especially portable devices, must be kept secured at all times against damage, misuse, loss or theft. In addition, hardware and software containing sensitive information or data must be protected with appropriate security measures such as passwords and encryption.

f) University IT hardware that becomes obsolete must be disposed of in a manner that renders any information illegible and irretrievable at the time of disposal.

g) All account holders must;

i. not use their access to University IT facilities and services to gain any inappropriate personal, academic or other advantage,

ii. not manipulate University data without authorisation, and

iii. maintain the confidentiality of any personal or confidential information accessed via University IT facilities and services.

4. User Responsibilities

a) It is a condition of use of University IT facilities and services that this Policy, particularly the principles of acceptable and unacceptable use, and its associated Procedures must be complied with. A summary of key policy obligations is contained in the IT Do's and Don'ts. Account holders are also expected to adhere to the University's IT Best Practice Standards.

b) All account holders are responsible for all activity initiated from their account, must only access University IT facilities and services using their own account, and must ensure that their passwords are securely stored.

c) Users of University IT facilities or services provided by a third-party provider on the University's behalf must comply with any terms and conditions issued by that third-party provider.

d) Users of University IT facilities and services must not create, send, store, upload, access, use, solicit, publish or link to;

i. Offensive, obscene, profane or indecent images or material (other than for properly authorised, supervised and lawful education or research purposes, in which case an appropriate warning must be given).

ii. Material likely to cause annoyance, inconvenience or distress to some individuals or cultures.

iii. Discriminating or sexually harassing material or messages that create an intimidating or hostile work or study environment for others.

iv. Defamatory material or material that makes misrepresentations or could otherwise be construed as misleading.

v. Material that infringes the intellectual property (including copyright) of another person or organisation.

vi. Malicious software such as viruses, worms or address-harvesting software.

e) University IT facilities and services must not be used in the conduct of personal business or unauthorised commercial activities.

f) University IT facilities and services must not be used for any illegal activity such as sending chain letters, breaching the SPAM Act 2003, or attacking other computer systems.

g) Staff must include the appropriate sections of the University's official signature and disclaimer on all email messages sent.

h) Electronic materials must never be forwarded without the express or implied permission of the material's creator.

i) Peer-to-peer software must only be used for lawful purposes authorised by Branch Heads or Heads of School.

j) Any observed security weakness in, or threat to, University IT facilities and services and any known or suspected breach of this Policy and its associated Procedures must be reported as soon as practicable to the Technology Service Desk.

k) Where use of University IT facilities and services would ordinarily breach this Policy, but the use forms a legitimate part of the user's employment, education or research at the University, an exemption may be granted from compliance with this Policy by the Director, Infrastructure (Property and Technology) or the Vice-President (Services and Resources).

5. University Responsibilities and Monitoring of IT Facilities

a) The University will manage account holders' accounts, maintain a secure IT environment and keep users of University IT facilities and services informed of their user responsibilities and expected best practice standards.

b) The University reserves the right to investigate any and all aspects of its electronic information systems if it is suspected that any user of University IT facilities and services is acting unlawfully or violating this Policy or any other University Policy.

c) The University reserves the right to monitor, log, collect and analyse the activities of account holders in their usage of IT facilities and services

d) TS may take any action it considers necessary to remedy immediate threats to the IT infrastructure or security, including suspending authorised accounts and/or disconnecting or disabling relevant IT facilities or other equipment, with or without prior notice.

e) The University reserves the right to carry out security audits on University IT facilities and services.

f) The University reserves the right to block or filter any network traffic that potentially breaches this policy or is potentially illegal.

6. Consequences of non compliance

a) Minor breaches of this Policy will be addressed by sending emails to users requesting that they desist from the breaching behaviour, as specified in the IT Security Procedures.

b) Ongoing or serious breaches of this Policy or related IT Policies by staff or students will be addressed by the relevant disciplinary procedures. Breaches by titleholders will be addressed under the Conferral of Honorary Roles Policy. Where breaches are committed by visitor account holders, appropriate action may be taken as determined by the relevant Head of School or Branch Head.

c) If a breach of this Policy, including Procedures, appears to constitute an offence under State or Commonwealth law, the University may (and in some cases is obliged to) refer the suspected breach to the appropriate law enforcement agencies.

d) Accounts may be suspended upon approval by the appropriate delegation holder.

Delegations of Authority

Key	Authority Category	Authority	Delegation Holder	Limits
Services and Resources	Information Technology	Authority to approve exceptions to this Policy	Vice President Services & Resources Director, Infrastructure (Property and Technology)
Services and Resources	Information Technology	Authority to grant visitor access to the University IT facilities and services	Executive Managers Heads of Schools Branch Heads
Services and Resources	Information Technology	Authority to authorise the creation of generic, casual, and external visitor accounts	Executive Managers Heads of Schools Branch Heads
Services and Resources	Information Technology	Authority to authorise a change to the level of access for staff, titleholder or visitor account	Executive Managers Heads of Schools Branch Heads
Services and Resources	Information Technology	Authority to authorise all-student emails	VC & President or DVC & VP (Academic)
Services and Resources	Information Technology	Authority to authorise all-staff emails	VC & President, DVCs and VPs Director, Human Resources
Services and Resources	Information Technology	Authority to request examination of an account holder's use of IT Facilities	Executive Managers Heads of Schools Branch Heads
Services and Resources	Information Technology	Authority to approve Peer to Peer software for lawful purposes	Executive Managers Heads of Schools Branch Heads
Services and Resources	Information Technology	Authority to order the immediate suspension or termination of a staff, title-holder or visitor account	VC & President, DVCs and VPs Director, Human Resources	If account holder is also a student, approval of General Manager, Student Services is also required
Services and Resources	Information Technology	Authority to order the immediate suspension or termination of a student account	DVCs and VPs General Manager, Student Services	If account holder is also a staff member or title-holder, approval of Director, Human Resources is also required
Services and Resources	Information Technology	Authority to immediately suspend or disconnect any account or IT Facility based on an immediate threat to the University's IT infrastructure or security	Executive Managers Director, Infrastructure (Property and Technology) Manager, Production Services, TS Team Leader, IT Risk Management, TS
Services and Resources	Information Technology	Authority to approve changes to the stand alone procedures related to this Policy.	Vice President (Services & Resources)

**GLOSSARY:

Account holder means a person who has been provided with a password protected account by the University to access University IT facilities and services.

Executive Managers means the Deputy Vice-Chancellors, Vice President(s), Pro Vice-Chancellors, Executive Deans, Director Human Resources or a person acting in these positions as defined in the University of Adelaide Enterprise Agreement 2010-2013.

University IT facilities and services means any:

(a) computing or communications device or infrastructure

(b) computer or communications program or software

(c) service that provides access to the internet or information in electronic format

(d) computer network, website or online forum, including social media

that is owned, managed, hosted or provided by the University (or a third-party provider on the University's behalf).

Please use the following URL instead of linking to individual documents:
https://www.adelaide.edu.au/policies/2783