_IT ACCEPTABLE USAGE

PURPOSE

The purpose of this IT Acceptable Usage Notice is to enable _SIEGUS® to:

a. Ensure its IT facilities are used lawfully; safely; reasonably; and in a manner that raises no unnecessary risks or security threats for the organisation;

b. Ensure it meets its obligations with regard to cybersecurity and Janet Security Policy;

c. Provide a framework to facilitate the proper and extensive use of Information Technology in the interests of learning, teaching and research, including business and community engagement partnerships.

SCOPE

This notice applies to: Anyone using _SIEGUS® IT facilities including, but not limited to, staff, students, researchers, academics, affiliates, collaborators and partners.

All use of _SIEGUS® IT facilities regardless of the ownership of the device used for that access (e.g. _SIEGUS® owned devices; personally owned devices; devices belonging to other organisations).

DEFINITIONS

_SIEGUS® IT facilities include, but are not limited to, hardware; software; data; networks; telephony; services provided by licensed third parties; online cloud services; and _SIEGUS® IT credentials. The term '_SIEGUS® IT facilities' refers to all IT facilities, whether they are provided, or arranged, by _SIEGUS® Digital Services; other _SIEGUS® IT Professionals; or anyone else authorised by _SIEGUS®.

COMMITMENTS

It is the responsibility of all users of _SIEGUS® IT facilities to read, understand and comply with this notice and any relevant additional notices related to their activities.

For staff (including employees, honoraries and collaborators) this includes other relevant information security and data protection notices.

Digital Services and _SIEGUS® IT Professionals are responsible for the interpretation and application of this notice on behalf of _SIEGUS® and in line with wider organisation guidelines. Users must comply with any reasonable written or verbal instructions issued by Digital Services or _SIEGUS® IT Professionals in support of this notice. If you feel that any such instructions are unreasonable or are not in support of this notice, you may make a complaint under the relevant procedures.

PROTECTING INFORMATION

Users of _SIEGUS® IT facilities must:

a. Take all reasonable steps to protect any information they have access to in accordance with the law (Data Protection Act) and the _SIEGUS® confidentiality, GDPR and privacy guidelines.

b. Ensure they are aware of the appropriate procedures for handling any Restricted or Highly Restricted _SIEGUS® information to which they have access; and share this information only in accordance with the _SIEGUS® confidentiality, GDPR and privacy guidelines.

c. Not attempt to access, delete, modify or disclose information belonging to other people without their permission, or the explicit approval of the Director of IT Operations (or nominee) or Information Assurance Manager (or nominee).

AUTHENTICATION, CREDENTIALS AND IDENTITY

Users of _SIEGUS® IT facilities must:

a. Take all reasonable precautions to safeguard their password(s) and any other IT credentials issued to them; not disclose their password(s) to anyone (including IT support staff); and not allow anyone else to use their IT credentials.

b. Not attempt to obtain or use anyone else’s IT credentials.

c. Not impersonate someone else or otherwise disguise their identity when using the _SIEGUS® IT facilities, except where this is approved for legitimate system functionality.

d. Only use the access provided to _SIEGUS® IT facilities for the purposes for which the access was granted.

e. Provide unique information sent to them via an independent method such as an authenticator application, SMS message to a pre-registered mobile device or a similar alternative method supported by the organisation, in addition to their username and password, when accessing systems where the organisation requires users to authenticate their identity through Multi-Factor Authentication (MFA).

ACCEPTABLE USAGE

a. _SIEGUS® provides IT facilities primarily for operational purposes in support of the work of the organisation.

b. _SIEGUS® also provides IT facilities to staff and third parties to enhance their wider experience at the organisation.

c. IT facilities must be used responsibly, in accordance with the law and not in a way that brings the organisation into disrepute.

d. Users of _SIEGUS® IT facilities remain subject to all relevant laws and guidelines. Additionally, when accessing services from another legal jurisdiction, users must abide by all relevant local laws, as well as those applicable to the location of the service.

e. You must abide by the notices and terms & conditions applicable to any other organisation whose services you access, e.g. when accessing another institution’s IT facilities as part of a research collaboration.

f. When using _SIEGUS® IT facilities from another institution, you are subject to _SIEGUS® guidelines AND those of the institution where you are accessing services.

g. Users of _SIEGUS® IT facilities must adhere to all relevant licence conditions when using software procured or provided by the organisation.

h. A reasonable level of personal use of _SIEGUS® IT facilities is permitted, but it must not interfere with _SIEGUS® business; the performance of _SIEGUS® duties; or expose the organisation to additional risk.

i. Personal use of _SIEGUS® IT facilities is a privilege that may be withdrawn by the organisation at any point, if such use is not in accordance with this notice.

j. In the event that there is a genuine academic need to carry out an activity that might breach acceptable use, such as research involving sensitive or extreme materials, approval must be obtained in advance via the appropriate _SIEGUS® process, e.g. _SIEGUS® Ethics process.

BEHAVIOUR

The conduct of staff and third parties when using _SIEGUS® IT facilities should always be in line with both the organisation’s Human Capital and Equality, Diversity and Inclusion notices and its values.

In addition, _SIEGUS® has a statutory duty under Section 26(1) of the Counter-Terrorism and Security Act 2015, known as the 'Prevent' duty, to have due regard to and aid the process of preventing people from being drawn into and supporting terrorism. It is part of the Government’s counter-terrorism strategy with the aim of reducing the threat to the UK.

When using _SIEGUS® IT facilities users must not:

a. Create, download, store or circulate extremism-related material with the intention of supporting or spreading terrorism. The organisation reserves the right to block or monitor access to such material.

b. Undertake any illegal activity or use the IT facilities in a way that interferes with others’ valid use of them.

c. Create, download, store or circulate unlawful material, or material that is indecent, offensive, threatening or discriminatory.

d. Create, circulate, or display material that deliberately and unlawfully discriminates, or encourages deliberate and unlawful discrimination, on the grounds of race, ethnicity, gender, sexual orientation, marital status, age, disability, political or religious beliefs.

e. Create, circulate or display defamatory material.

f. Obtain, circulate or store material where this would breach the intellectual property rights or copyright of another party. This includes downloading and sharing music, video and image files without proper authority.

g. Contravene the guidelines of a third-party company with which the organisation holds a contract for IT services.

h. Create or circulate material with the intent to defraud.

i. Access, or attempt to access, _SIEGUS® systems and information for which permission has not been granted.

j. Cause annoyance or inconvenience, e.g. sending spam (unsolicited bulk email), forging addresses, or using _SIEGUS® mailing lists other than for legitimate purposes related to _SIEGUS® activities.

k. Share information for which _SIEGUS® is responsible when not authorised to do so.

l. Intentionally interfere with the normal operation of the network, for example by spreading computer malware or viruses, or by undertaking activity causing sustained high volume network traffic that substantially hinders others in their use of the network.

m. Undertake any activity that jeopardises the security, integrity, performance or reliability of electronic devices, computer equipment, software, data and other stored information. This includes undertaking any unauthorised penetration testing, vulnerability scanning, monitoring or interception of network traffic.

n. Attempt to disrupt or circumvent IT security measures, such as removing or reconfiguring anti-malware protection; removing disk encryption; connecting to third-party VPN services; or installing and using any application that interferes with _SIEGUS® multi-factor authentication (MFA).

o. Participate in any other activity that could bring the organisation into disrepute.

MONITORING

The organisation records and monitors the use of its IT facilities for various purposes including:

a. Security: detecting, preventing and investigating inappropriate access to, or use of, IT systems or data;

b. Operational: fault investigations; performance and capacity planning; and service upgrades;

c. Compliance investigations: checks against _SIEGUS® notices and regulatory requirements (including HR and Employee Disciplinary investigations);

d. Law enforcement: requests or requirements for information from law enforcement agencies.

APPLICATION

Non-compliance with this notice or associated procedures is an infringement of _SIEGUS® regulations and will be investigated in accordance with:

a. _SIEGUS® Code Of Ethics Notice

b. _SIEGUS® Equality, Diversity and Inclusion Notice

c. _SIEGUS® Safeguarding Notice




FURTHER INFORMATION

This IT Acceptable Usage Notice is underpinned by the _SIEGUS® Confidentiality, GDPR and Privacy Notice; sub-notices and various supporting IT guidance.