Code: QA411
Title: End User Policy
Date: 06/01/2014
Approval: University Management Team (UMT)

1. Purpose

To ensure continuity of our University and to minimise damage from incidents, it is essential that we embed a minimum set of security standards to protect the University. This policy is developed to protect NUI Galway from all threats, whether internal or external, deliberate or accidental.

In support of its mission of teaching and research, NUI Galway provides access to computing resources for students and staff of the University. Access to the University's computing facilities is a privilege granted to members of the University which can be withdrawn. The University reserves the right to limit, restrict or extend computing privileges and access to its information resources. The policy is designed to ensure resources are utilised in an effective, efficient, ethical and lawful manner.

2. Description

This policy applies to:

- All staff and students who have access to University IT Systems
- All contractors, vendors or others (including 3rd parties) who have access to University IT Systems.

It is the personal responsibility of each individual to read this and related security policies and be familiar with their contents. It is the responsibility of Academic Heads and managers to ensure all staff using the IT systems are aware of and understand their responsibilities in this policy.

3. Definitions

This document details information security rules and responsibilities for all users of NUI Galway IT systems as end-users of these systems. Additional requirements specific to Asset Owners and administrators are not detailed in this policy.

“Must”, or the terms “required” or “shall”, refer to an absolute requirement of the policy.

“Must not” or “shall not” refer to statements which are an absolute prohibition of the policy.

“Should” or “recommended” refer to a statement that should be applied.
In certain circumstances, there may be a valid reason to ignore a particular item. In this case the full implications must be understood and carefully weighed before choosing a different course.

“Should not” or “not recommended” mean the specified behaviour should not be performed. There may exist valid reasons in particular circumstances when the particular behaviour is acceptable, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.

4. Requirements

1. University IT resources are the property of NUI Galway and are to be used for legitimate purposes only. As an end-user of these systems, you must also understand that these IT resources may also offer an opportunity for unauthorised or unlawful activity (either intentional or unintentional), which is explicitly forbidden. You must not seek to gain unauthorised access to either the University resources or any other organisation and you must not allow unauthorised access to the University’s systems. Note that you do not have the authority to grant access to NUI Galway IT systems.

2. NUI Galway information must be classified and handled in line with the University data classification and handling policies. Where encryption is mandated, this must comply with the University encryption policy. This applies to information processed on both University owned and privately owned devices. For more information refer to the encryption policy. Extra vigilance and care must be taken when handling personal information, in line with the data protection policy.

3. As an end-user, you are responsible for all actions undertaken using your user login, and will be held accountable for any misuse. You must not use another person’s password or user account, even if they have left the university. You must follow the university password policy and never give any of your account passwords to someone else to use.
You must never request login details or passwords from other users but must only use the account which has been issued to you.

4. Never transmit or store any illegal or inappropriate materials on your PC, laptop, mobile phone or shared drive (inappropriate material includes potentially illegal, defamatory, abusive, blasphemous, obscene, profane, racist, sectarian or pornographic words, pictures, or any materials which may cause offence or annoyance to any reasonable person).

5. Software and/or information provided by NUI Galway may only be used as part of your duties as a member of NUI Galway or for educational purposes related to your activities at NUI Galway. You must abide by all the licensing agreements for software entered into by the University with other parties, and not infringe any copyright of documentation or software. Thus any software, data or information which is not provided or generated by the user personally and which may become available through the use of University computing or communications resources shall not be copied or used without permission of NUI Galway, or the owner of the software, data or information. If such permission is sought from the owner of the software, data or information, then NUI Galway must be informed that you are making such a request.

6. If you observe a security incident or weakness, you should report it as soon as possible. You must not take advantage of a security incident or weakness in any system and you must not facilitate another to do so. Attempts should be made to avoid taking actions which may contaminate any evidence or audit trail associated with activity. Incidents should be reported as quickly as possible to NUI Galway Information Solutions and Services (ISS) Service Desk, and to your Head of School or Unit. If you suspect that unauthorised access to personal data has taken place then you must report the incident in accordance with the NUI Galway Data Protection Policy.

7. In order to protect NUI Galway resources from internal and external threats whether deliberate or accidental, and to ensure compliance with regulatory and/or legal requirements, your use of all IT resources and information passing through or stored on IT resources is subject to monitoring. You should be aware that there are tools in place to monitor the content of all incoming and outgoing emails and online activity, and that you have no expectation of privacy while using the IT resources of NUI Galway.

8. Remote access to the University networks and systems is only permitted using an approved remote access mechanism and in line with the remote access policy.

9. You must not deactivate or disengage any protection mechanisms installed on IT resources (personal firewalls, antivirus software, administration account, etc.).

10. You must ensure appropriate anti-virus protection is active on all devices connecting to the university IT resources in line with the anti-virus and malware protection policy.

11. It is your responsibility to read and be familiar with the contents of this policy. If you violate any of these policies, you may be denied access to University Information and IT Systems and may also be subject to other disciplinary action.

5. Responsibilities

Name: Responsibility

- ICT Security Committee Chair: Policy Owner
- Director ISS: Revisions and updates to the policy
- University Management Team: Approval of the Policy
- All End-users (refer to end-user policies): Responsible for implementation of the policy
- Internal and external audit: Monitoring and reporting compliance with the policy
- ISS Service Desk: Tracking of calls related to Security Incidents

6. Related Documents

- QA400 Data Protection Policy
- QA401 Data Handling
- QA402 Data Classification
- QA404 Password Policy
- QA406 Remote Access Policy
- QA408 Logical Access Policy
- QA409 Encryption Policy
- QA410 Anti-virus and Malware Protection Policy