IT ACCEPTABLE USE POLICY
This policy has been approved by the Executive Committee and any amendments to it require the Committee's approval.
- Last approval: Executive Committee, 23-April-2008
- Last review: 21 July 2009, no changes required
- 3 June 2011 - addition of forced password changes for some users, approved by Executive.
- Next review: 1 July 2011
Introduction
As a user of IT services of the University you have a right to use its computing services; that right places responsibilities on you as a user which are outlined below. If you misuse University computing facilities in a way that constitutes a breach or disregard of the following policy, consequences are associated with that breach and you may be in breach of other University Regulations.
Ignorance of this policy (or those that it directs you to), and the responsibilities it places on you, is not an excuse in any situation where it is assessed that you have breached the policy and its requirements.
- Students are directed to this policy during their registration each year and are required to acknowledge their agreed adherence to and compliance with the policy.
- Staff are advised of this policy during their induction and of the University’s requirement for them to adhere to the conditions therein.
A specific policy governing the use of telephones, email and the internet by staff is available on the HR website and should be read in conjunction with this IT Acceptable Use Policy.
For the purposes of this policy the term “computing services” refers to any IT resource made available to you, any of the network-borne services, applications or software products that you are provided access to and the network/data transport infrastructure that you use to access any of the services (including access to the Internet). Students and staff who connect their own IT to the University’s network and the services available are particularly reminded that such use requires compliance with this policy.
User Authorisation
The User Accounts policy provides details regarding eligibility for a BUCS User Account.
Access to all systems and services is controlled by a central computing account and password. Students are allocated their User ID and initial password automatically as part of their registration with the University.
New staff paid through payroll are similarly automatically set up with a User ID and initial password. The procedures for any other category of personnel wishing to use the University’s computing facilities are described in the User Accounts policy.
- Issuance and continued use of your User Account is conditional on your compliance with this policy.
- User IDs and passwords are not to be shared. Those who use another person’s user credentials and those who share such credentials with others will be in breach of this policy.
- Initial default passwords issued to any user must be changed immediately following notification of account set up. Passwords should be routinely changed (every 3 months is recommended) and should be changed immediately if the user believes or suspects that their account has been compromised.
- Users with access to significant sensitive data will be requested to change their password at least annually. Failure to change the password will ultimately lead to the account being locked. This follows recommendations from both external and internal auditors.
- Help and guidance in managing your account is provided on the BUCS web site (Your Account section).
General Conditions
- Your use of the University’s computing services must at all times comply with the law.
- Your use of the University’s computing services must not interfere with any others’ use of these facilities and services.
- You are not entitled to use a computer that you have not been authorised to use.
- You must not access any program or data which has not been specifically authorised for your use.
- You must not use or copy any data or program belonging to other users without their express and specific permission.
- You must not alter computer material belonging to another user without the user's permission.
- You must not use University computing services to harass, defame, libel, slander, intimidate, impersonate or otherwise abuse another person.
- You must not use University computing services for the creation, collection, storage, downloading or displaying of any offensive, obscene, indecent or menacing images, data or material capable of being resolved into such. (There may be certain legitimate exceptions for academic purposes which would require the fullest disclosure and special authorisations.)
- You must not use the University’s computing services to conduct any form of commercial activity without express permission.
- You must not use the University’s computing services to disseminate mass (unsolicited) mailings.
- You must not install, use or distribute software for which you do not have a licence.
- In general, use of University “computing services” should be for your study, research, teaching or the administrative purposes of the University. Modest use of the facilities and services for personal use is accepted so long as such activity does not contravene the conditions of this policy.
- Use of “computing services” for commercial work may be governed by software licence constraints and users should verify that the intended use is permissible under the terms of those licences with their local IT Support Staff or with BUCS. Users must familiarise themselves and comply with the University’s Software Management Policy.
Internet Access
The University campus network connects to the Internet via the SWERN Regional and JANET National networks. All hosts on the campus network have potential access to the Internet and must be registered with BUCS so that they can be allocated correct network addresses and host names. Non registered hosts will be denied access to the Internet. Guidance and advice regarding this requirement is provided under the Host Connection and IP Address Allocation policies on the BUCS web site.
Using External Web 2.0 Services
Web 2.0 services offer attractive and useful application services (blogs, wikis, office systems, social bookmarking and social networking, to mention but a few). Use of such services, however, must comply with this policy. Before using such services – or expecting others to do so – it would be sensible to appreciate the issues that pertain to them.
Pros
- They may offer ready access to the latest, flexible technology.
- The social aspects of many services are enhanced by very widespread usage – there is no point in the University attempting to replicate del.icio.us or Facebook.
- Registration, account creation and access is normally very quick and cheap if not free.
- They offer routes to research collaboration or to peer group interaction.
Cons
- It is easy to be tempted to produce, and submit, content to such sites that you might later regret.
- What content or comments you do submit becomes potentially available across the world.
- Such content may have a longer life span than you might have imagined and could be accessed by a wide audience, including potential employers.
- Although such sites are external to the University, the way in which you use them, or the content that you submit to them might still lead you into trouble with the University and its policies and regulations.
Always read and consider the terms and conditions for any service you register with and ensure that you understand the implications of the service conditions. Further details are available in the Computer Use Guidelines – the Route to Good IT Citizenship.
Remote Access
Remote access to the campus network is possible via the Internet, Virtual Private Network (VPN) or via direct dial to the University's dial-in Remote Access Server (RAS). Remote access from external networks or across the Internet must be made via secure methods only. Further information and guidance is available on the BUCS web site (Remote Access Server and VPN).
Connections via VPN or RAS are considered direct connections to the campus network. As such, using the VPN service, dialing into the RAS, or generally accessing services remotely, subjects the user to the same conditions, requirements and responsibilities of this policy.
All connection attempts are logged.
Monitoring and Logging
Activities regarding network transactions may be monitored and logged and kept for an appropriate amount of time. Logs are taken for security, diagnostic and account/audit reasons. Logs are available only to authorised systems personnel and kept for no longer than necessary and in line with current data protection guidelines.
Such records and information are sometimes required - under law - by external agencies and authorities. BUCS will comply with such requests when formally submitted.
ResNet Use
ResNet stands for the Residential Network service. This service, run by Computing Services, provides ethernet connections to University accommodation blocks, both on and off-Campus. The connections provide access to facilities and services on the Campus network, plus restricted access to services on the Internet at large.
All rooms of student accommodation provide access to the ResNet service. ResNet provides access to the following services:
- University email accounts and the outgoing mail servers.
- Campus web pages
- Printing to the Library printers.
- Personal filespace on the University Filestore.
- Computing Services “computation servers” via telnet, ssh and X
- The world wide web
- External mail servers for receiving mail only
- Usenet News via the BUCS news server.
- Freewire services for television, radio and Voice over IP telephony.
BUCS reserves the right to permit or block services not specifically listed above for the purposes of security, bandwidth and traffic management, legal reasons or to protect the University and its reputation.
Personal equipment connected to ResNet must comply with certain standards (10baseT or 100baseTX) and the only protocol family supported by BUCS is TCP/IP.
Users of ResNet must not run:
- DHCP servers
- DNS Servers
- Routing Protocols (such as OSPF, RIP etc)
- Network Discovery Protocols
- Internet Connection Sharing
- Port Scanners
Neither are they permitted to:
- Attempt DDNS dynamic Name Server Updates.
- Set up network fileshares that are writable without a password.
- Re-distribute ResNet access to others, nor any University resource made available to them.
- Configure any device attached to ResNet with any IP address not specifically allocated to them.
- Connect any form of Wireless Access point to ResNet, nor configure any computer with wireless capability such that ResNet can be accessed wirelessly.
- Download or distribute copyright material in breach of any licence conditions.
- Run Peer to Peer applications that distribute copyright material.
Any personal computer connected to the ResNet service must have up to date anti virus software installed at all times. Sophos anti virus software is available to all staff and students whilst members of the University.
Given this provision, there is no excuse for a personal computer connected to ResNet to be out of date for any Sophos version or update.
Virus risk management is an important priority and any personal computer not adequately protected under this provision will have its access to ResNet disabled - until it is quarantined, inoculated and made safe.
Breaches of This Policy
Incidents which are determined to be in contravention of this policy will be assessed for their severity. Investigating such incidents may require the collection and evaluation of user related activity and evidence.
It is not possible to provide an exhaustive list of potential ways in which a user may contravene this policy but in general such breaches will be categorised into one of three levels of severity and each level of breach will carry with it a possible range of sanctions, consequences and/or penalties.
The Computer Use Guidelines – the Route to Good IT Citizenship provide useful advice and considerations that should guide and inform your use of University of Bath computing resources. This guidance should keep you safe and ensure that you do not breach this Acceptable Use Policy.
Minor Breach
This level of breach will attract a verbal warning which will be held on record for 12 months. In general this category will relate to behaviour or misuse of computer facilities that can be characterised as disruptive or a nuisance. Examples of this level of non-compliance would include:
- Taking food and/or drink into IT facilities where they are forbidden.
- Playing computer games on University provided IT
- Sending nuisance (non-offensive) email
- Behaving in a disruptive manner.
Not all first offences will automatically be categorised at this level since some may be of a significance or impact that elevates them to one of the higher levels of severity.
Moderate Breach
This level of breach will attract more substantial sanctions and/or penalties. These include:
- Directors of Studies will be informed of the nature and consequence of the offence.
- A fine of up to £150 may be levied.
- Access to computing facilities and services may be withdrawn (account suspension) until any imposed fine is paid.
Examples of this level of non-compliance would include:
- Repeated minor breaches within the above detailed 12 month period.
- Unauthorised access through the use of another user’s credentials (username and password) or using a computer in an unauthorised area.
- Assisting or encouraging unauthorised access.
- Sending abusive, harassing, offensive or intimidating email.
- Maligning, defaming, slandering or libeling another person.
- Misuse of software or software licence infringement.
- Copyright infringement.
- Interference with workstation or computer configuration.
Severe Breach
This level of breach will attract more stringent sanctions, penalties and consequences than those above, and access to computing facilities and services may be withdrawn (account suspension) until the disciplinary process and its outcomes have been concluded. Possible sanctions include:
- Notification to Director of Studies
- A fine of up to £250.
- Withdrawal of access to computing facilities and services.
- For the most serious cases, referral via the University Secretary to the Vice-Chancellor under the formal disciplinary procedures.
Examples of this level of breach would include:
- Repeated moderate breaches.
- Theft, vandalism or willful damage of/to IT facilities, services and resources.
- Forging email, i.e. masquerading as another person.
- Loading, viewing, storing or distributing pornographic or other offensive material.
- Unauthorised copying, storage or distribution of software.
- Any action, whilst using University computing services and facilities deemed likely to bring the University into disrepute.
- Attempting unauthorised access to a remote system.
- Attempting to jeopardise, damage, circumvent or destroy IT systems security at either the University of Bath or at any other site.
- Attempting to modify, damage or destroy another authorised user's data.
- Disruption of network communication capability or integrity through denial of service attacks, port scanning, monitoring, packet spoofing or network flooding activities.
Process
An investigation will be carried out, in confidence, by BUCS staff under the direction of the Director of Computing Services. For staff, that investigative report will be passed to the member of staff’s Head of Department, to be considered within the University’s disciplinary procedures. For students, if a verbal warning is appropriate, this will be given by the Director of Computing Services. If the breach is more serious, the report will be passed to the Head of Student Services to be considered under the preliminary student disciplinary procedures. Each set of disciplinary procedures provides for an appeal stage.
Recommended Reading
This policy strongly encourages all users to familiarise themselves with the requirements, conditions and responsibilities of other related internal and external policy and legislative material that will inform their use of the University’s IT services. These related sources are:
- University of Bath Regulations
- University of Bath IT Security Policy
- University Email Policy
- BUCS User Accounts Policy
- BUCS Host Connection Policy
- BUCS IP Address Policy
- BUCS Computer Systems Monitoring & Scanning Policy
- BUCS VPN Guidance
- BUCS Remote Access Server Guidelines
- Use of Telephones, Email and the Internet by Staff (to be available shortly)
- JANET Acceptable Use Policy
Several related laws and their relevance in a university context are succinctly described in the Web Publishing Legal Requirements. There is also considerable University guidance regarding Data Protection and Freedom of Information.