IT Acceptable Use Guidelines
- » Application
- » Purpose
- » Introduction
- » Appropriate and responsible use
- » Reporting suspected incidents
- » Securing your data
- » Service provider responsibilities
- » Unit/service specific guidelines
- » User responsibilities - examples
- » Definitions
- » Key relevant documents
- » Document management and control
The Acceptable Use of (IT) Policy and these supporting guidelines apply to all members of the University community whether at the University or elsewhere, and refer to all IT resources.
The University provides Information Technology (IT) resources to a large and varied group of people. In accordance with the IT Acceptable Use Policy, all users have the responsibility to use these resources in an effective, efficient, ethical, and legal manner.
Ethical and legal standards that apply to IT resources are based on the standards of common sense and courtesy that apply to any shared resource. The community depends upon the University's spirit of mutual respect and cooperation to resolve differences and problems that may arise.
The University provides IT resources with the stipulation that IT users act as good citizens and that they contribute to creating and maintaining an open community of responsible users.
Appropriate and responsible use
IT resources should be used in a way that is consistent with the University's teaching,earning, public service, research, and administrative objectives. Use should also be consistent with the specific objectives of projects or tasks for which use was authorised.
Examples of unacceptable use of IT resources:
The IT Acceptable Use policy covers identity misrepresentation. In brief, you may not:
- assume another person's identity or role through deception or without authorisation
- login, communicate, or act under the guise, name, identification, email address, or signature of another person without authorisation
- communicate under the guise of an organisation, entity, or unit that you do not have the authority to represent
Reporting suspected incidents
You should report a suspected security incident to the Staff Service Centre: firstname.lastname@example.org Tel : +64 9 923 6000.
To resolve security incidents, service providers may work with other University offices including;
Securing your data
IT services provide and preserve security of files, account numbers, authorisation codes, and passwords. However, security can be breached through actions or causes beyond the service provider's reasonable control. You should always safeguard your personal and confidential data, passwords, and authorisation codes by:
- using the free excellent commercial anti-virus software provided to the University community
- keeping your operating systems up-to-date
- taking full advantage of file security mechanisms built into the computing systems
- choosing passwords wisely and changing them periodically
- following established security policies and procedures to control access and use of administrative data
Service provider responsibilities
Considering the needs of all IT users, University service providers have the responsibility to offer services in the most efficient, reliable, and secure manner. At certain times, carrying out these responsibilities may require special actions or intervention by the service provider's staff. In such circumstances, they are bound by the policies governing their actions. At all other times, service provider staff have no special rights above and beyond those of other IT users. They are required to follow the same policies and conditions of use that all IT users must follow. Every effort shall be made to ensure that persons in positions of trust do not misuse computing resources and data or take advantage of their positions to access information not required in the performance of their duties.
Service providers are not responsible for policing IT user activity. However, if they become aware of a security incident they should initiate an investigation. To forestall an immediate threat to the security of a system or its IT users, service providers may suspend access of those involved in a suspected breach while the incident is being investigated. They may also take other actions to preserve the state of data and other information relevant to the investigation.
Service providers must act in accordance with University policies governing user privacy. Prior to examining e-mail and other private file content, they must attempt to seek the IT user's permission. If this is not possible, service providers must obtain authorisation from a higher administrative authority working in conjunction with the University's Legal Counsel to examine any content that may jeopardise the:
Unit/service specific guidelines
Some units or services within the University, including Information and Technology Services (ITS), maintain additional IT standards and guidelines. IT users to whom those additional IT standards and guidelines apply must also comply with those requirements.
The University also maintains or provides connections to external service providers that have established acceptable use standards. You are solely responsible for understanding and adhering to those standards. Should you breach any policy of an external network, the University cannot and will not extend any protection to you.
User responsibilities - examples
By using IT resources, you accept the following responsibilities;
For example, you may not:
- intentionally seek information on, obtain copies of, or modify e-mail, files, tapes, or passwords belonging to other users or the University
- represent others, unless authorised to do so explicitly by those IT users
- divulge sensitive personal data to which you have access concerning staff, or students without explicit authorisation to do so
You must comply with all laws and University policies regarding harassment on the basis of race, sex, colour, religion, creed, national origin, ancestry, age, marital status, disability, gender identity, or gender expression. The University is committed to supporting fair and respectful treatment of all members of the University and the wider community.
For example, you may not:
- use file-sharing programs to obtain copyrighted material such as music, DVDs, and other protected items without permission of the copyright holder
- make copies of a licensed computer program to avoid paying additional license fees or to share with other users
Respect the intended use of IT resources
For example, you may:
- use only those IT resources (username and password, funds, transactions, data, processes, etc.) assigned to you by service providers, unit heads, or project directors for the purposes specified
- not access, use, or divulge such resources unless explicitly authorised to do so by the appropriate authority
- not use University resources assigned to you or others for profit-making or fund-raising activities unless explicitly authorised to do so by the appropriate authority
- not use University resources to campaign for or against a ballot initiative or a candidate running for office or to conduct a political campaign
- not create an e-mail group with the intent of sending out what would generally be regarded as spam, unless the creator has received permission from the members of the new group
- may not advertise or solicit for commercial events or endeavours
Respect the intended use of systems including e-mail, online chats, and blogs
For example, you may not send:
- forged e-mail,
- e-mail that threatens or harasses other users,
- unsolicited mass e-mail not related to the purpose(s) of the addressed directory group(s) or
- promotional e-mail for commercial or profit-making purposes.
Respect the integrity of the system or network
You may not intentionally develop or use programs, transactions, data, or processes that harass other users, infiltrate the system, or damage or alter the software or data components of a system. Alterations to any system, network software, or data component may be made only under specific instructions from authorised unit heads, project directors, or management staff.
Respect the payment structure of a computing or networking system
The following definitions apply to this document:
IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it
IT user means any individual member of the University community using IT resources
Legal counsel refers to the legal advisors of the University and of Uniservices
Unit(s) refers to an organisational grouping across the University and includes a faculty, or research centre or service division
UniServices manages the University's intellectual property and is responsible for all research-based consultancy partnerships and commercialisation
University means the University of Auckland and includes all subsidiaries
University community includes all staff members (whether permanent, temporary or part time), honorary staff, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices
Document management and control
Owned by: CIO
Prepared by: IT Risk Manager
Date approved: January 2017
Review date: January 2020