IT Acceptable Use Policy
The purpose of this IT Acceptable Use Policy (AUP) is to enable University of Leicester to:
- Ensure its IT facilities are used lawfully; safely; reasonably; and in a manner that raises no unnecessary risks or security threats for the university;
- Ensure it meets its obligations with regard to Janet Acceptable Use Policy and Janet Security Policy;
- Provide a framework to facilitate the proper and extensive use of Information Technology in the interests of learning, teaching and research, including business and community engagement partnerships.
This policy applies to:
- Anyone using University IT facilities including, but not limited to, staff, students, researchers, academics, affiliates, collaborators and partners.
- All use of University IT facilities regardless of the ownership of the device used for that access (e.g. University owned devices; personally owned devices; devices belonging to other organisations).
- University IT facilities include, but are not limited to, hardware; software; data; networks; telephony; services provided by licensed third parties; online cloud services; and University IT credentials.
- The term University IT facilities refers to all IT facilities, whether they are provided, or arranged, by Digital Services; other University IT Professionals; or anyone else authorised by the University.
4. Responsibilities - Policy
- It is the responsibility of all users of the University’s IT facilities to read, understand and comply with this policy and any relevant additional policies related to their activities.
- For students, this includes student regulations;
- For staff (including employees, honoraries and collaborators) it includes other relevant information security and data protection policies.
- Digital Services and University IT Professionals are responsible for the interpretation and enforcement of this policy on behalf of the University and in line with wider University policy.
- Users must comply with any reasonable written or verbal instructions issued by Digital Services or University IT Professionals in support of this policy.
- If you feel that any such instructions are unreasonable or are not in support of this policy, you may make a complaint under the relevant staff or student procedures.
5. Responsibilities - Protecting information
- a. Take all reasonable steps to protect any information they have access to in accordance with the law (Data Protection Act) and the University’s information security and data protection policies.
- b. Ensure they are aware of the appropriate procedures for handling any Restricted or Highly Restricted University information to which they have access; and share this information only in accordance with the University’s data protection policy.
- c. Not attempt to access, delete, modify or disclose information belonging to other people without their permission, or the explicit approval of the Director of IT Operations (or nominee) or Information Assurance Manager (or nominee).
6. Responsibilities - Credentials, authentication and identity
Users of University IT facilities must:
- a. Take all reasonable precautions to safeguard their password(s) and any other IT credentials issued to them; not disclose their password(s) to anyone (including IT support staff); and not allow anyone else to use their IT credentials.
- b. Not attempt to obtain or use anyone else’s IT credentials.
- c. Not impersonate someone else or otherwise disguise their identity when using the University IT facilities, except where this is approved and legitimate system functionality.
- d. Only use the access provided to the University IT facilities for the purposes for which the access was granted.
- e. Provide unique information sent to them via an independent method such as an authenticator application, SMS message to a pre-registered mobile device or a similar alternative method supported by the University, in addition to their username and password, when accessing systems where the University requires users to authenticate their identity through Multi-Factor Authentication (MFA).
7. Acceptable use
- a. The University provides IT facilities primarily for academic and operational purposes to support learning and teaching, research, enterprise and the other work of the University.
- b. The University also provides IT facilities to students to enhance their wider experience at the University.
- c. Whilst the principles of academic freedom will be fully respected, IT facilities must be used responsibly, in accordance with the law and not in a way that brings the University into disrepute.
- d. Users of the University’s IT facilities remain subject to all relevant laws and policies. Additionally, when accessing services from another legal jurisdiction, users must abide by all relevant local laws, as well as those applicable to the location of the service.
- e. You must abide by the policies and terms & conditions applicable to any other organisation whose services you access, e.g. when accessing another institution’s IT facilities as part of research collaboration.
- f. When using University IT facilities from another institution e.g. via eduroam, you are subject to both the University of Leicester’s policies and those of the institution where you are accessing services.
- g. Users of the University’s IT facilities must adhere to all relevant licence conditions when using software procured or provided by the University.
- h. A reasonable level of personal use of University IT facilities is permitted, but it must not interfere with University business; the performance of University duties; or expose the University to additional risk.
- i. Personal use of University IT facilities is a privilege that may be withdrawn by the University at any point, if such use is not in accordance with this policy.
- j. In the event that there is a genuine academic need to carry out an activity that might breach acceptable use, such as research involving sensitive or extreme materials, approval must be obtained in advance via the appropriate University process, e.g. University Ethics process.
The conduct of staff and students when using the University’s IT facilities should always be in line with the University’s Dignity and Respect Framework and its values.
In addition, the University has a statutory duty under Section 26(1) of the Counter-Terrorism and Security Act 2015, known as the Prevent duty, to have due regard to and aid the process of preventing people from being drawn into and supporting terrorism. It is part of the Government’s counter-terrorism strategy with the aim of reducing the threat to the UK.
When using University IT facilities users must not:
- a. Create, download, store or transmit extremism-related material with the intention of supporting or spreading terrorism. The University reserves the right to block or monitor access to such material.
- b. Undertake any illegal activity or use the IT facilities in a way that interferes with others’ valid use of them.
- c. Create, download, store or transmit unlawful material; material that is indecent, offensive, threatening or discriminatory.
- d. Create, transmit, or display material that deliberately and unlawfully discriminates, or encourages deliberate and unlawful discrimination, on the grounds of race, ethnicity, gender, sexual orientation, marital status, age, disability, political or religious beliefs.
- e. Create, transmit or display defamatory material.
- f. Obtain, transmit or store material where this would breach the intellectual property rights or copyright of another party. This includes downloading and sharing music, video and image files without proper authority.
- g. Contravene the policy of a third-party company with which the University holds a contract for IT services.
- h. Create or transmit material with the intent to defraud.
- i. Access, or attempt to access, University systems and information for which permission has not been granted.
- j. Cause annoyance or inconvenience, e.g. sending spam (unsolicited bulk email), forging addresses, or using University mailing lists other than for legitimate purposes related to University activities.
- k. Share information for which the University is responsible when not authorised to do so.
- l. Intentionally interfere with the normal operation of the network. For example, spreading computer malware or viruses; or undertaking activity causing sustained high volume network traffic that substantially hinders others in their use of the network.
- m. Undertake any activity that jeopardises the security, integrity, performance or reliability of electronic devices, computer equipment, software, data and other stored information. This includes undertaking any unauthorised penetration testing, vulnerability scanning, monitoring or interception of network traffic.
- n. Attempt to disrupt or circumvent IT security measures such as removing or reconfiguring anti-malware protection; removing disk encryption; connecting to third party VPN services; installing and using any application that interferes with University Multi-factor Authentication (MFA).
- o. Participate in any other activity that could bring the University into disrepute.
The University records and monitors the use of its IT facilities for various purposes including:
- a. Security: detecting, preventing and investigating inappropriate access to, or use of, IT systems or data;
- b. Operational: fault investigations; performance and capacity planning; and service upgrades;
- c. Compliance investigations: checks against University policies and regulatory requirements (including HR and Student Disciplinary investigations);
- d. Law enforcement: requests or requirements for information from law enforcement agencies.
10. Implementation and Enforcement of Policy
Non-compliance with this policy or associated procedures is an infringement of University of Leicester’s regulations and will be investigated in accordance with:
- Senate Regulation 11: Regulations governing student conduct and discipline (students)
- Discipline - Ordinance (staff) (login required)
This IT Acceptable Use Policy is underpinned by the University’s Information Security Policy; Sub-Policies and various supporting IT policies and guidance.
- Draft prepared for Cyber Security Forum.
- Draft updated following Cyber Security Forum feedback and prepared for Information Compliance Board.
- Approved Information Compliance Board.