TVU Acceptable Use Policy.doc by zhangyun


									IT ACCEPTABLE USE POLICY




       March 2007




            Responsibility of:
            Approval date:
            Review date:
            Approved by:
            Consultation via:    JMSCC
 Thames Valley University                                                                                                IT Acceptable Use Policy




Contents

 Sections 1-7 set out the policy and the Appendices set out the guidelines

 DEFINITIONS
 1      INTRODUCTION
 2      PURPOSE
 3      IT ACCEPTABLE USE POLICY
     STANDARDS OF ACCEPTABLE USE
     PREVENTING THE SPREAD OF MALICIOUS SOFTWARE
     PERSONAL USE
 4      MONITORING POLICY
 5      POSSIBLE ACTIONS FOLLOWING POLICY BREACH
 6      INVESTIGATION OF COMPLAINTS
 APPENDIX A
     GUIDELINES FOR THE USE OF IT SERVICES
 APPENDIX B
     GUIDELINES ON SPAM, VIRUSES AND MALICIOUS SOFTWARE
 APPENDIX C
     POSSIBLE LEGAL CONSEQUENCES OF MISUSE OF THE EMAIL SERVICE




 TVU:IT Acceptable Use Policy                                         Page 2                                                         Mar 2007



Definitions


“Approved Users” means all staff and students of Thames Valley University
and any other persons granted access to IT Resources in accordance with the
Third-Party Access Policy.

“IT Resources” means any hardware, software or services made available by
the University to the Approved Users for access to Information Technology,
e.g. personal computers, network and email accounts, access to the Internet,
Intranet and other online resources.

“IT Activities” means making use of the University’s IT Resources.

“University’s Network” means the University’s IT Resources plus the
physical, logical and human infrastructure which supports the University’s IT
Resources

“IMLF” means the Information Management Legal Framework which provides
the legal context of this and other similar policies

“JANET” (Joint Academic NETwork) is the network that connects the UK’s
education and research organisations to each other, as well as to the rest of
the world through links to the global Internet.





1        Introduction

1.1      This policy has been developed to:

             comply with the Information Management Legal Framework (IMLF);
             ensure that use of the IT Resources complies with the University’s
              regulatory framework;
             inform Approved Users that IT Activities may be subject to
              monitoring arrangements; and
             provide Approved Users with a set of guidelines for appropriate use
              and handling of IT Resources.

1.2      This policy applies to all Approved Users with the exception of Trade
         Union officers and Trade Union Safety representatives acting in their
         official capacity in accordance with the terms of the joint agreements
         and statute. Trade Union Officers and Trade Union Safety
         representatives still remain bound by the IMLF and the JANET
         Acceptable Use Policy (AUP)
         http://www.ukerna.ac.uk/services/publications/policy/aup.html


2        Purpose

2.1      This policy aims to:

             provide guidance on the use and handling of the University’s IT
              Resources;
             ensure that Approved Users are aware of the legal consequences
              attached to inappropriate use of these facilities;
             establish a framework within which all Approved Users can
              self-regulate their use of the University’s IT Resources;
             advise Approved Users that their usage of IT Resources may be
              monitored; and
             set out the actions that the University will take, in support of the
              existing student and staff regulatory framework, to investigate
              complaints received from both internal and external sources, about
              any unacceptable use of IT Resources.

         In applying this policy, the University will have regard to the need to
         ensure that staff have freedom within the law to question and test
         received wisdom and to put forward new ideas and controversial or
         unpopular opinions. The University will also have regard to the need to
         ensure that such freedom is exercised in a way which does not unduly
         infringe on the legitimate rights and interests of others.





3        IT Acceptable Use Policy

3.1      This policy is applicable to all IT Activities of Approved Users of the
         University’s Network.

3.2      IT Resources are made available to Approved Users in order to
         facilitate the teaching, learning, research, and business activities of the
         University. This policy complements and supports TVU’s Email Usage
         and Monitoring Policy and Internet Usage and Monitoring Policy.
         Furthermore, use of any IT Resources that involves communication
         outside the boundaries of the University’s Network is also governed by
         the JANET Acceptable Use Policy (AUP).

3.3      The following standards of Acceptable Use do not override the lawful
         rights and obligations of Approved Users as defined in statute and the
         University’s policies e.g. Child Protection Policy, Public Interest
         Disclosure Policy, Data Protection Policy and related Acts.


Standards of Acceptable Use

3.4      Access to the University’s Network will only be granted to duly
         authenticated users through a unique and secure user name and
         password combination.

3.5      The user name and password issued to Approved Users by the
         University must be kept confidential at all times.

3.6      Passwords must be changed when Approved Users are prompted to
         do so by the University’s IT systems. Passwords can also be changed
         at any other time by the user.

3.7      Approved Users must not attempt to evade, disable, or "crack"
         passwords or other security provisions.

3.8      Approved Users must ensure that the security of the University’s
         Network and the privacy of their own data are safeguarded by logging
         out or ‘locking’ desktop or laptop computers when not in use.

3.9      Approved Users must use resources efficiently and accept limitations
         or restrictions on computing resources - such as storage space, time
         limits, or amount of resources consumed - when asked to do so by
         systems administrators.

3.10     The University provides resources such as desktop and laptop PCs,
         printers, PDAs and other hardware for use in connection with teaching,
         learning, research, and business activities of the University, as well as
         a reasonable amount of personal use (see Personal Use section
         below). These resources are provided by the University on the basis
         that Approved Users agree to the following:


             Desktop PCs, printers, scanners and monitors can only be moved
              from their original location by IT Support staff;
             PC configuration, e.g. renaming, disabling anti-virus scanning, etc,
              can only be carried out by IT Support staff; and
             Connecting and disconnecting cables and other items (e.g. USB
              keys/pen drives) should only be carried out by following the
              appropriate guidelines, set out in Appendix A.

3.11     The use of portable storage devices such as USB sticks, USB hard
         disks, floppy and CD/DVD drives is encouraged but users must comply
         with the following points:

             When backups of TVU-related data are made on these devices, the
              University’s Data Protection Policy must be strictly adhered to
             Approved Users are responsible for safeguarding the integrity and
              confidentiality of any University data stored in portable devices. See
              Appendix A for guidelines

3.12     Using a web camera connected to a desktop or laptop PC requires
         prior approval because of possible Data Protection breaches. See
         Appendix A for guidelines.

3.13     The use of digital cameras or other mobile devices for downloading,
         editing or emailing of personal images is permitted as long as:

             The Email Usage and Monitoring Policy is complied with
             The Internet Usage and Monitoring Policy is complied with
             The activity is carried out in accordance with the spirit of the
              Personal Use guidelines below.

3.14     The use of MP3 players or other mobile devices for
         uploading/downloading of music or any other audio files must comply
         with the Internet Usage and Monitoring Policy. Approved Users must
         be able to prove that they have the permission of the copyright owners
         of any music track or audio recording (e.g. purchase receipt).

3.15     Laptops and PDAs can only be connected to the University’s Network
         by Approved Users if these users are properly authenticated as
         legitimate users of the network. The University’s Wireless Network
         should be the preferred method of connection. See Appendix A for
         appropriate guidelines.

3.16     Laptop computers that are the property of the University must be
         periodically brought in and handed over to IT Support so that Windows
         Updates are received and installed and Anti-Virus definitions checked
         and updated. The recall schedule will be set by IT Support.

3.17     Installation of software on desktop or laptop PCs must be carried out
         by members of the IT Support team. Appendix A provides the legal and
         technical justification for this restriction.

3.18     IT Resources are not to be used for:


         a)        sending:
                          unsolicited commercial or advertising material, chain
                           letters, or other junk mail of any kind, to Approved Users,
                           other users, or organisations connected to other
                           networks; and
                          materials that infringe the copyright of another person or
                           business, including intellectual property rights.

         b)        deliberate unauthorised:
                          provision of confidential material concerning the activities
                           of Thames Valley University to a third party;
                          access to services and facilities accessible via the JANET
                           network; and
                          access to University services and facilities by third
                           parties.

         c)        activities that:
                          unreasonably waste staff effort or IT Resources;
                          unreasonably serve to deny service to Approved Users or
                           other users;
                          corrupt or destroy Approved Users’ or other users’ data;
                          disrupt the work of Approved Users or other users; and
                          violate the privacy of Approved Users or other users.

         d)        creating or sending of material that is or could be considered to
                   be:
                          offensive, obscene or containing indecent images, data,
                           or other material, or any data capable of being resolved
                           into obscene or indecent images or material (other than
                           for properly supervised and lawful research purposes);
                          abusive or threatening to others, or serving to harass or
                           bully others;
                          either discriminatory or encourages discrimination on
                           racial or ethnic grounds, or on grounds of gender, age,
                           sexual orientation, marital status, disability, political or
                           religious beliefs;
                          defamatory;
                          false claims of a deceptive nature;
                          ‘flaming’ i.e. the use of impolite terms or language,
                           including offensive or condescending terms;
                          designed or likely to cause offence or needless anxiety;
                           and
                          bringing the University into disrepute.

         e)        creating and sending messages:
                          anonymously, i.e. without clear identification of the
                           sender; and
                          using an identity other than your own.


3.19     Please refer to the guidelines set out in Appendix A.

Preventing the spread of malicious software

3.20     Each Approved User is required to take positive action to guard against
         the spread of malicious software e.g. computer viruses, ‘trojans’,
         ‘worms’ or ‘spyware’.

3.21     In particular, Approved Users:
                  must ensure, where possible, that an effective anti-virus system
                   is operating on any computer which they use to access the IT
                   Resources. It will be a breach of this policy to disable, uninstall
                   or prevent the automatic updates of the anti-virus software
                   installed on University computers;
                  must not transmit by email any file attachments which they know
                   to be infected with a virus or other malicious software; and
                  must not open email file attachments received from unsolicited
                   or untrusted sources.

3.22     For further details about malicious software and how to avoid it please
         refer to the guidelines set out in Appendix B.

Personal Use

3.23     The main purpose for the provision by the University of IT Resources is
         for use in connection with teaching, learning, research, and business
         activities of the University.

3.24     However, the University permits personal use of its IT Resources by
         Approved Users, subject to the following limitations:

         a) a level of use that is reasonable and not detrimental to the main
            purpose of the University’s Network;
         b) University-provided email addresses must not be used by Approved
            Users to register on websites that are not connected with teaching,
            learning, research, and business activities of the University, e.g.
            online auction, gambling or similar websites;
         c) priority must be given to use of resources for the main purpose for
            which they are provided;
         d) personal use must not be of a commercial nature;
         e) personal use must not be of a nature that competes with the
            University’s business;
         f) personal use must not be connected with any use or application
            that conflicts with an employee’s obligations to Thames Valley
            University as their employer; and
         g) personal use must not be connected to any purpose or application
            that conflicts with the University’s rules, regulations, policies and
            procedures including this policy.

3.25     In relation to the personal use of IT Resources, if Approved Users are
         in any doubt about what constitutes acceptable and appropriate use,
         they should seek the advice and guidance, in the case of members of
         staff, of their Line Manager, and in the case of students, of their
         Programme Tutor.

3.26     Due to the insecure nature of electronic communication, the University
         does not accept any liability for damage or loss of whatever nature
         caused by the use of IT Services for personal purposes. This exclusion
         does not apply where personal injury or death is caused by the
         University’s negligence.

3.27     Any emails (with or without attachments) that are transmitted using the
         University’s email system remain the property of the University.
         Similarly, any file stored on the University’s File Servers remains the
         property of the University. However, this clause refers to the electronic
         form of emails or files while they reside within the University’s systems
         and does not affect the author’s ownership, copyright or intellectual
         property rights.

4        Monitoring Policy

4.1      Thames Valley University will maintain appropriate monitoring
         arrangements in relation to all IT Activities.

4.2      Automated monitoring arrangements will operate routinely, with the
         express aim of monitoring compliance with the provisions of the
         University’s Email Usage Policy, Internet Usage Policy and the IT
         Acceptable Use Policy and for the purposes outlined above as
         permitted by The Telecommunications (Lawful Business Practice)
         (Interception of Communications) Regulations 2000.


4.3      The content of emails and/or files stored on the University’s
         network servers will only be checked if specifically authorised in
         accordance with the terms of this policy (Appendix A, section 9).
         Circumstances which may necessitate this include:

                  unexpected or prolonged absence of a member of the University
                   where not dealing with his or her email in a timely manner
                   adversely affects the running of the University.
                  fulfilling a legal requirement e.g. a Subject Access Request
                   under the Data Protection Act.
                  a formal investigation of a breach of this or other University
                   policies


4.4      These arrangements may include, but are not limited to, checking
         content, denying transmission and in some instances recording of
         email messages or other electronic communications for the purpose of:
             preventing or detecting crime as required by law;
             investigating or detecting a breach of the Email Usage Policy;
             investigating or detecting a breach of the IT Acceptable Use Policy;
             ensuring the effective operation of the University’s Network; and
             complying with the IMLF.

4.5      Any request for the disclosure of information collected as above should
         be made through the Data Protection Officer and will be dealt with
         according to the University’s Data Protection and Freedom of
         Information Policies.


5        Possible Actions following Policy Breach

6.1      Allegations of breaches of the IT Acceptable Use Policy will be
         investigated, as appropriate, in accordance with the provisions of the
         University’s disciplinary and grievance procedures, as applicable to all
         staff and students.

6.2      When any breach of this policy presents an imminent threat to other
         users or to the University's IT Resources, Systems Administrators may
         take whatever steps are necessary to isolate the threat, without notice
         if circumstances so require. This may include changing passwords,
         locking files, disabling computers, or disconnecting specific devices or
         entire sub-networks from University or national voice and data
         networks. Systems Administrators will restore connectivity and
         functionality as soon as possible after they identify and neutralise the
         threat.

6.3      The University reserves the right to withdraw users’ access rights to IT
         Resources in the following circumstances:

             While investigating a suspected breach of this or other policies;
             As part of the published disciplinary procedures;
             In order to maintain the operational integrity of the IT Resources
              provided; or
             At the reasonable request of a Senior Manager of the University.

6.4      Staff who consider they have suffered unjustified detriment through the
         monitoring arrangements being inappropriately applied have the right
         to invoke the University’s Grievance Policy and procedures. Likewise,
         students have the right to complain in accordance with the Students
         Complaints Procedure.

6.5      In the case of proven breaches of this policy by Approved Users who
         are not students or staff, action may be taken under the Third-Party
         Access Policy which is under development.

6.6      Please refer to the guidelines set out in Appendix C for other possible
         legal consequences of misuse of the email service


6        Investigation of Complaints

7.1      The University will investigate complaints received from both internal
         and external sources, about any unacceptable use of IT Resources. In
         support of this process a technical investigation may take place, e.g. to
         determine the source of an offending email message or to locate files
         of an offending or inappropriate content.

7.2      The University may choose not to investigate anonymous or verbal
         complaints.

7.3      In the case of a suspected criminal offence, the involvement of external
         authorities will not prevent the University from taking appropriate action
         in accordance with the University’s regulatory framework.

7.4      In relation to IT Activities, any alleged breaches of professional codes
         may also be dealt with using the University’s disciplinary procedures
         notwithstanding any action by a professional body.




Appendix A
Guidelines for the Use of IT Services

1        Connecting / Disconnecting cables and devices
         The only devices you would be expected to connect/disconnect to/from
         your PC are headphones and USB ‘Flash’ drives. The majority of
         University computers provide appropriate sockets (‘ports’) on the front
         panel. If you wish to connect a USB device and the only USB port your
         PC is provided with is at the back, you must request a USB extension
         cable from IT Support.

         Disconnecting cables from the back of your PC (mains power,
         keyboard, network etc) poses a serious Health & Safety issue and
         must be carried out by qualified IT Support staff. Furthermore, frequent
         connection/disconnection of cables can often damage the sockets as
         well as affect their electrical properties (oxidisation).

2        Use of Portable Storage Devices
         Small storage devices are inexpensive, ubiquitous, easy to use - and
         easy to lose. For business IT departments, that constitutes a potentially
         serious security problem. A £10 USB Flash drive casually misplaced in
         a restaurant, a taxi or airport lounge may contain sensitive data that
         can expose the University to Data Protection Act, HEFCE or QAA
         breaches.

         Furthermore, portable storage devices become conduits for viruses
         and other malware. A visitor left alone in a conference room with an
         unguarded PC needs only a few moments to upload malware or a
         Trojan horse into the University network. An employee takes work-
         related files home, infects them with a virus on his or her home
         computer, then uploads them to an office PC.

         Modern USB storage devices often come with an encryption facility,
         whereby the contents are meaningless to anyone who is not in
         possession of a decryption ‘key’ (a special password that is set by
         you). More advanced devices are equipped with fingerprint recognition
         technology as a means of authentication. The University recommends
         that only secure devices that encrypt their files are used by Approved
         Users.

3        Desktop Video Conferencing



4        TVU Wireless Network
         The wireless service is provided predominantly for academic work.
         Personal use is permitted according to the terms of this policy. Anyone
         playing games or downloading large files will be asked to refrain from
         such usage and could have their connection terminated. Although you
         will be using your own computer you are still bound by University
         regulations.

         The University’s Wireless Service is only available to authenticated
         users. Unless the users’ credentials (user name and password) identify
         them as Approved Users, no connection will be permitted.

         The system in place also ensures that your laptop is loaded with up-to-
         date Anti-Virus software and definitions as well as all relevant Windows
         security patches. It will automatically update your laptop before
         allowing it to connect to the network.

         Connecting to the University’s network through the Wireless Service
         only offers Internet-based services such as browsing or web email. You
         will not be able to access shared files, network applications or printers.

5        Good Housekeeping

6        File Sharing
         The majority of Internet activity involves browsing the web and using
         email. More recently, downloading of software, music or video clips has
         become extremely popular with little or no regard to, or understanding
         of, the legality of these activities. Furthermore, technologies have been
         developed to facilitate the sharing of files amongst connected users
         worldwide. This is known as ‘file sharing’ or ‘Peer-to-Peer Networking’
         (P2P).

         P2P is responsible for propagating malicious software and network
         threats such as viruses, worms and trojans; it can monopolise vast
         amounts of the University’s available bandwidth, thus impairing access
         to services that students and staff are entitled to; finally, the
         downloading of copyrighted files (music, video, software and images)
         breaches intellectual rights and copyright laws. The consequences of
         the latter can be catastrophic for the University as it is its file systems
         and network infrastructure that are used for these illegal activities.

         In general, the installation and use of P2P software is prohibited
         across the University.

7        Software downloading and installation
         Downloading and installing software off the Internet is not just a P2P
         activity. Thousands of websites advertise free, shareware or clearly
         illegal (‘pirated’ or ‘cracked’) software. Moreover, software is passed
         around on CDs, DVDs or email attachments.



         The University student computers have been configured in a manner
         that prevents students from either installing software or changing the
         computer configuration.

         The installation by end users of illegal software (i.e. commercial
         software for which a licence has not been purchased) on University
         computers, is prohibited.

         While the justification for this is clear in the case of illegal software, it is
         not often understood why other kinds should not be installed. The
         installation by non-LIS staff of any other kind of software on University
         computers is strongly discouraged. The University, through Learning
         and Information Services, carefully vets and tests software requests to
         ensure that compatibility with our systems and networks is maintained.
         It is not uncommon for software to be installed successfully, only to
         discover later that core elements of other key software have been
         overwritten, disabled or made to malfunction.

         New, untested software is trialled by LIS in a controlled environment
         and is only given a clean bill of health when no damaging side-effects
         are identified. Software to be avoided includes toolbars, news ‘tickers’
         and screen savers as they can often carry spyware ‘payloads’, disrupt
         essential system processes such as anti-virus or have such excessive
         processing demands on the system that the whole computer is
         rendered unusable, slow and unstable.

         'Shareware' is another misunderstood topic: Shareware is NOT free
         software. The shareware authors give you a licence to use their
         product either for a limited period of time or on the understanding that
         you will act honestly and purchase or uninstall (WinZip is the most
         abused piece of shareware around!).

         If a need for a particular piece of shareware is identified by a faculty or
         department, LIS should be asked by an authorised budget holder to
         test and evaluate it. It is important that somebody with budgetary
         authority makes the request as there will inevitably be cost implications
         involved.

         There is also a proliferation of 'hacking' tools or virus-writing toolkits on
         the Internet. Needless to say, the installation of these would
         constitute a serious breach of this policy and of the University's
         Information Security Policy.

8        Remote Access
       • Remote access software allows a user to access and control one PC
         through another. Typical software packages or services that enable this
         facility include Microsoft's Remote Desktop, PC Anywhere, DameWare,
         VNC, LogMeIn, GoToMyPC and others.
         The last two are subscription services that use a web browser interface
         to connect to a PC you have authority to use. While the University has
         no issue with a user accessing their home PC from TVU premises this
         way, it prohibits access to University IT Resources from a remote
         location unless a justification has been made and appropriate authority
         has been obtained.

       • Secure access to the University's network from home can also be
         achieved by establishing a Virtual Private Network (VPN). Such access
         will be piloted to small groups of staff, subject to agreed terms and
         conditions as well as adherence to all relevant TVU policies and
         procedures.

         LIS will ensure, as far as possible, that any services that are made
         available to staff through VPN will not compromise confidentiality,
         security or Data Protection requirements.

9        Windows and Anti Virus Updates
         All computers that are connected to the University network are set up
         to check for the latest Windows, Anti-Virus and Anti-SpyWare updates
         (Apple Macs only check for the last two). It is imperative that these
         updates take place as they reduce the risk of vulnerabilities being
         exploited or software bugs impairing the functioning of particular
         packages.

         Some of these updates require that the computer be re-started
         ('re-booted'). All users are advised to allow their computer to restart (as
         they will invariably be notified) after they have saved any important
         work they were carrying out at the time. A computer that is not
         updated is a serious security risk for the whole network.

10       Confidentiality, Security and the Internet
       • The Internet is inherently insecure. Assume that any data you transmit
         over the Internet can be intercepted and viewed. Furthermore, your
         Internet activities can be monitored by third parties, and private data
         can be captured and used maliciously.
       • Do not enter any personal details, including usernames and
         passwords, on online pages, unless you are absolutely sure that the
         host website is trustworthy. It is advisable to enter private details on
         web pages that are protected through encryption. Such a secure
         webpage can be identified through the padlock icon that, on Internet
         Explorer, appears at the bottom right of the browser window. Other
         web browsers may display the padlock (or similar) icon elsewhere.
         Another telltale is that the website address will now begin with “https”
         rather than “http”.

       • Identity theft (i.e. someone using your online details for their own
         purposes) is a growing concern. Commonly this is done through
         “phishing”. Wikipedia defines “phishing” as “… a criminal activity
         using social engineering techniques. Phishers attempt to fraudulently
         acquire sensitive information, such as passwords and credit card
         details, by masquerading as a trustworthy person or business in an
         electronic communication. Phishing is typically carried out using email
         or an instant message, although phone contact has been used as
         well…”.
         Examples of phishing emails include those purporting to come from
         your bank, your supermarket, eBay, PayPal and other online payment
         methods, etc.

         Avoid clicking any links in an email. It is best to open a new browser
         and type the web address of the company that supposedly sent you the
         email. That way you will not be redirected to a phisher's website.

11       Instant Messaging

           • Instant messaging is just as insecure as, if not more insecure than,
              other methods of communicating and transacting over the Internet.
           • The use of Instant Messaging is allowed by the University's IT
              Systems, particularly in relation to TVU's multi-national student
              population, as it can provide a convenient means of immediate
              communication with friends, family, fellow students and research
              collaborators.
           • All TVU guidelines, policies and procedures apply equally to Instant
              Messaging.

12       Relevant Legislation
         Human Rights Act 1998
         This provides for the concept of privacy – giving a 'right to respect for
         private and family life, home and correspondence.' The provision is
         directly enforceable against public sector employers, and all courts
         must now interpret existing legislation in relation to the Human Rights
         Act.

         Regulation of Investigatory Powers Act 2000
         This Act covers the extent to which organisations can monitor or record
         communications at the point at which they enter or are being sent
         within the employer's telecommunications system, and applies to public
         and private communication networks.

         Data Protection Act 1998
         Individuals have a right, within certain limits, to have a copy of any
         personal data the University holds about them. Personal data includes
         any expression of opinion about an individual, whether held on paper
         or electronically. The individual's right of access may extend to material
         held in an individual's email mailboxes, or on the server.




         Freedom of Information Act 2000
         The University has only 20 working days to supply information
         requested under this Act. The Information Commissioner has made it
         clear that he will interpret the 20 working days as beginning the day
         after the request is made. In other words, a freedom of information
         request made by email will be deemed to have been received by the
         University without it even having been opened. The request may also
         cover material contained in emails in an individual's mailbox.

         Copyright law
         The Copyright, Designs and Patents Act 1988 (as amended) gives the
         same protection to digital and electronic publications as it does to
         printed books and other forms of publication.

         Obscene Publications Act 1959, Protection of Children Act 1988
         and Criminal Justice Act 1988
         These acts are concerned with material that might be criminal, cause
         harm to young persons or be otherwise unlawful. Circulating text or
         images via email might subject an individual to criminal charges.

         Privacy and Electronic Communications (EC Directive)
         Regulations 2003
         This covers unsolicited direct marketing activity by telephone, by fax,
         and by email.

         Malicious Communications Act 1988
         This act deals with the offence of sending letters etc with intent to
         cause distress or anxiety and states:
         “It is an offence to send an indecent, offensive or threatening letter,
         electronic communication or other article to another person.”

    The above list of regulations is not exhaustive.




Appendix B
Guidelines on spam, viruses and malicious software

Avoiding spam
'Spam' or Junk Mail is the scourge of email systems the world over. Spam is
'unsolicited advertising email' and there is a lot of it about. To avoid getting
spam don't acknowledge it in any way. If the spammer doesn't know you exist
your address becomes less valuable and less used:

       • Delete spam without reading or replying to it.
       • Don't click on unsubscribe links in a spam email as they are fake and
         they simply prove that your email address is live.
       • Don't open spam email, as a read receipt would indicate that your
         email address is live.

Take care how you post your email address. Spammers can automatically
harvest addresses from News Groups or web sites and send you unsolicited
email. Make sure you always have a 'disposable' email address available
when you join forums, news groups or mailing lists whose pedigree is not
entirely known. You may find that your mailbox is filled with spam within days
of creating it.
If you absolutely have to publish your email address within a forum posting,
you can make it machine-unreadable to thwart the spammers' automated
harvesting robots! For instance, a human can decipher
John-dot-Smith-AT-tvu-dot-ac-dot-uk but a robot won't even spot it's an email
address as it lacks the basic characteristics of an email.
Should your email address be used by a spammer, it will also find its way into
vast databases of email addresses and may be sold to other spammers.

The University has put in place a junk mail filter that stops most spam from
reaching your mailbox. As the rules that determine whether an email is spam
or not are not fool-proof, such emails are not deleted but put in quarantine.
You are notified regularly that you have emails in quarantine so that you can
inspect them – occasionally, you may have to retrieve a message that was
misclassified.




Viruses, Worms, Trojans and other dangers
Viruses, Worms and Trojans are malicious programs that can attack your
computer or the complete University network without the user's knowledge.
They are distinctly different, although they are all sometimes referred to as
'Viruses'. Webopedia (http://www.webopedia.com) offers some pretty clear
definitions:
         A computer virus attaches itself to a program or file so it can spread
         from one computer to another, leaving infections as it travels. Much like
         human viruses, computer viruses can range in severity; some viruses
         cause only mildly annoying effects while others can damage your
         hardware, software, or files.
         Almost all viruses are attached to an executable file, which means the
         virus may exist on your computer but it cannot infect your computer
         unless you run or open the malicious program. It is important to note
         that a virus cannot be spread without a human action, (such as running
         an infected program) to keep it going. People continue the spread of a
         computer virus, mostly unknowingly, by sharing infecting files or
         sending e-mails with viruses as attachments in the e-mail.
         A worm is similar to a virus by its design, and is considered to be a
         sub-class of a virus. Worms spread from computer to computer, but
         unlike a virus, it has the ability to travel without any help from a person.
         A worm takes advantage of file or information transport features on
         your system, which allows it to travel unaided.

         The biggest danger with a worm is its ability to replicate itself on your
         system, so rather than your computer sending out a single worm, it
         could send out hundreds or thousands of copies of itself, creating a
         huge devastating effect. One example would be for a worm to send a
         copy of itself to everyone listed in your e-mail address book. Then, the
         worm replicates and sends itself out to everyone listed in each of the
         receiver's address book, and the manifest continues on down the line.

         Due to the copying nature of a worm and its ability to travel across
         networks the end result in most cases is that the worm consumes too
         much system memory (or network bandwidth), causing Web servers,
         network servers, and individual computers to stop responding. In more
         recent worm attacks such as the much talked about Blaster Worm, the
         worm has been designed to tunnel into your system and allow
         malicious users to control your computer remotely.

         A Trojan Horse is full of as much trickery as the mythological Trojan
         Horse it was named after. The Trojan Horse, at first glance will appear
         to be useful software but will actually do damage once installed or run
         on your computer. Those on the receiving end of a Trojan Horse are
         usually tricked into opening them because they appear to be receiving
         legitimate software or files from a legitimate source.

         When a Trojan is activated on your computer, the results can vary.
         Some Trojans are designed to be more annoying than malicious (like
         changing your desktop, adding silly active desktop icons) or they can
         cause serious damage by deleting files and destroying information on
         your system.

         Trojans are also known to create a 'backdoor' on your computer that
         gives malicious users access to your system, possibly allowing
         confidential or personal information to be compromised. Unlike viruses
         and worms, Trojans do not reproduce by infecting other files nor do
         they self-replicate.

    While in the early days of personal computing viruses spread through
    innocent-looking software that a friend gave you on a floppy disk, these
    days browsing the Internet or reading your email can expose your
    computer to immense dangers. Some basic precautions you can take
    include:

       • Do not open unsolicited attachments - they are likely to be viruses.
       • Never respond to emails asking you for your account details (of any
         kind) - these are Internet scams.
       • Never reply to 'get rich quick' emails - these will ask for 'money up front'
         and are Internet scams.
       • Don't forward (or mail round) virus warnings - many of these are
         Internet hoaxes and real ones will not be believed.
       • Don't forward begging letters - many of these are scams and real ones
         won't be believed.
       • Don't mass mail lists of Internet jokes - these clog up the email systems
         and may cause offence.
       • Don't install browser toolbars, wallpapers, or cute screensavers
         whatever their origin (internet, email, magazine cover CDs etc.). It is
         likely that they come with a Spyware Trojan that, at best, will monitor
         your browsing habits and inform its masters what ads to target you
         with, and at worst, they can capture anything you type on your
         computer, including credit card information or other personal details.
         Even the most innocent of these can interfere with standard software
         and cause unnecessary and time-wasting IT support calls.




Appendix C
Possible legal consequences of misuse of the email service

In a growing number of cases involving the civil or criminal law, email
messages (deleted or otherwise) are produced as evidence in a permanent
written form. There are a number of areas of law which apply to the use of
email and which could incur liability for individuals or the University.

These include the following:

    a) Intellectual property. Anyone who uses email to send or receive any
       materials that infringe the intellectual property rights of a third party
       may be liable to that third party if such use is not authorised by them.
    b) Obscenity: a criminal offence may be committed if a person publishes,
       accesses or downloads any material which is pornographic,
       excessively violent or which comes under the provisions of the
       Obscene Publications Acts. Similarly the Protection of Children Acts
       makes it an offence to publish, access, download or distribute obscene
       material involving a child.
    c) Defamation/Libel: as a form of publication, the Internet is within the
       scope of legislation relating to libel where a statement or opinion is
       published which adversely affects the reputation of a person, group of
       people or an organisation. Legal responsibility for the transmission of
       any defamatory, obscene or rude remarks which discredit an
       identifiable individual or organisation will rest mainly with the sender of
       the email and may lead to substantial financial penalties being
       imposed.
    d) Data Protection: processing information (including photographs)
       which contains personal data about individuals, requires the express
       written consent of those individuals.
    e) Discrimination: any material disseminated which is discriminatory or
       encourages discrimination may be unlawful under the Sex
       Discrimination Act 1975, the Race Relations Act 1976, the Disability
       Discrimination Act 1995 or the Employment Equality (Age) Regulations
       2006 where it involves discrimination on the grounds of sex, age, race
       or disability.

The above is only designed to be a brief outline of some of the legal
consequences of misuse of email facilities and was last updated in October
2006.



