Information and Communications Technology Acceptable Use procedure

Section 1 - Preamble

(1) This Procedure is effective from 10 January 2020.

Section 2 - Purpose

(2) This Procedure documents the requirements and conditions for using the University's information and communications technology (ICT) facilities, services and materials.

Section 3 - Scope

(3) This Procedure applies to students, staff and associates and, where not already covered, to ICT facilities, services and materials owned, managed or leased by the University or as applicable by commercial or legal arrangement, including Bring your own device (BYOD).

Section 4 - Policy

(4) This Procedure is pursuant to the Information and Communications Technology Acceptable Use policy.

Section 5 - Procedure

General use and ownership

(5) Information stored on electronic and computing devices, whether owned or leased by the University, remains the sole property of the University. ICT users must ensure through legal or technical means that proprietary information is protected.

(6) Users of University ICT facilities, services and materials have a responsibility to promptly report the theft, loss or unauthorised disclosure of Deakin proprietary information in accordance with the Information and Communications Technology Security policy.

(7) ICT users may access, use or share Deakin proprietary information only to the extent it is authorised and required to carry out activities that relate to the duties of their role.

(8) ICT users are responsible for exercising good judgment regarding the reasonableness of personal use. Users should consult their supervisor or manager if they are uncertain whether use is reasonable or not.

(9) Access to University ICT facilities, services and materials must be authenticated and comply with password guidelines set by eSolutions. Passwords must not be shared.

(10) The use of Multi-factor Authentication will be required for access by staff and associates to ICT facilities, services, applications and materials that are deemed sensitive to Deakin University by eSolutions.

(11) ICT users must lock devices (computers, tablets, mobile phones) when not in use.

(12) University web publishing and various media channels including social media have additional requirements which are set out in the Web Publishing policy and the Media policy.

(13) The privacy and integrity of information transmitted by email cannot be and is not guaranteed by Deakin. These communications should not be regarded as being confidential.

(14) Deakin University reserves the right to record, delete, block, quarantine, copy, use and take possession of all ICT equipment, software, hardware, data and manuals and any communications or material passing through ICT facilities and services, and pass on the information to external organisations where legally obliged to do so.

Email

(15) All email correspondence is backed up on a regular basis by eSolutions and is available for inspection should this be necessary.

(16) The Deakin Internal Communications team must review and approve the distribution of all broadcast email communications.

(17) Personal email services (e.g. Google Mail, Yahoo Mail) must not be used for the storage, manipulation or exchange of Deakin classified data or to undertake any Deakin business transactions without prior approval from eSolutions. Staff must not forward their Deakin email to a personal email account. Any exemptions to forward Deakin email to a personal account must be approved.

(18) Staff must not automatically forward the entire contents of their mailbox, voicemail or other communications accounts to another Deakin ICT user. Automatic forwarding of a Deakin email address may be used for a generic user account (e.g. ocdo@deakin.edu.au) and for filtered email that contains no personal information.

(19) Emails originating from within Deakin’s networks or other Internet service providers must not be sent on behalf of the University or to advertise any Deakin service without approval from eSolutions.

(20) Staff must not use their Deakin email address for private use or provide this email as a contact for personal purposes.

(21) All incoming and outgoing email will be electronically checked against a rule set to detect spam, viruses, potential threats or large size email. If a user suspects an incoming or outgoing email has been blocked inappropriately, they should contact eSolutions to investigate.

(22) Users must use extreme caution when opening emails received from unknown senders, which may contain malware, viruses or other malicious content. Users should report suspect emails to eSolutions via Phish Alert.

(23) ICT Users must regularly archive mailbox content to ensure they have sufficient space available. eSolutions will notify users when their mailbox is reaching capacity. Users will be unable to send or receive emails when their quota has been reached. Users requiring additional storage may submit a request to the Chief Digital Officer with the support of their Head of organisational unit.

Internet

(24) The Internet must not be used to download, purchase or trial any software without the approval of eSolutions and the staff member’s manager.

(25) When using the University’s ICT facilities and services to access and use the Internet, users must understand they represent Deakin and act in accordance with the Academic Freedom policy and Freedom of Speech policy.

(26) Authorised eSolutions staff members may deny or restrict ICT users' access to internet sites that are reasonably considered to contain inappropriate or malicious content.

File shares and data storage (staff, contractors, and HRD)

(27) The Chief Digital Officer will ensure that file shares are provided and managed for each organisational unit and upon request may approve file shares for projects or other groups.

(28) Head of organisational units will nominate a staff member to be responsible for managing the area's file share(s) and ensuring that appropriate archiving is undertaken. This staff member will be the point of contact for eSolutions for file share related matters such as disk space.

(29) Deakin internal network file storage facilities and eSolutions approved externally hosted (Cloud) storage services are provided for the storage of work and courses related material only.

(30) Use of file storage facilities (e.g. removable media) or unapproved services (Cloud Storage) to store Deakin data and/or information is not allowed unless authorised.

(31) External storage devices (e.g. USB, removable hard drives) used to store Deakin data must be encrypted. Removable storage should not be used as a primary storage facility. 

(32) ICT users must regularly archive files to ensure they have sufficient space available in their home directory. Users will be unable to save additional material when their quota is reached.

(33) Deakin staff, associates and research students must not transfer data to external parties unless authorised to do so and only by approved secure mechanisms.

Enterprise applications

(34) The Chief Digital Officer will ensure that a standard complete set of data will be held for all enterprise applications (i.e. for use in production, user acceptance testing, and development environments), plus one additional data set, where required, for project work.

(35) Where additional data sets need to be held, the Business owner of the enterprise application must submit a request to the Chief Digital Officer setting out the rationale and confirm that funding and resourcing is available.

(36) Business owners of each enterprise application, on the advice of eSolutions, will implement appropriate archiving processes.

Mobile devices

(37) Deakin may provide mobile device/s to staff and associates to use in the course of their duties.

(38) Staff must return any mobile devices to their Managers on termination of their employment in accordance with the Leaving Deakin procedure. Charges incurred as a result of non-return of devices will be paid for by the organisational unit.

(39) When a staff member moves to a new organisational unit, their new Head of organisational unit may approve the continued use of the device and, if so, must provide updated billing information to eSolutions.

(40) Staff must report lost or stolen mobile devices to eSolutions and their Head of organisational unit or nominee.

(41) Data will be remotely wiped from a University mobile device if:

  1. the mobile device is lost or stolen;
  2. users terminate employment with Deakin; or
  3. eSolutions detects malware or a breach of University policy.

Monitoring and access

(42) Authorised eSolutions staff will monitor ICT facilities, services and materials, including but not limited to:

  1. protecting the integrity and security of the system
  2. checking network traffic and detecting intrusions
  3. auditing the ICT assets of the University
  4. aggregating activity and usage patterns
  5. investigating and repairing system malfunctions
  6. policy and procedure compliance.

(43) Authorised eSolutions staff can action a request by an ICT user to repair or restore an individual ICT user's own data. The user may be asked to provide appropriate identification.

(44) Authorised eSolutions staff can action a request by an information owner, or nominee, to repair or restore corporate data managed by their business area.

(45) Staff members may request that another person's personal information and identifying data is monitored or accessed in the following circumstances:

  1. Where access is necessary to prevent the business of the University being obstructed or delayed by the foreseen absence of an ICT user and the request is supported by the Head of organisational unit.
  2. To investigate a breach or suspected breach of legislation or Deakin University policy initiated by Internal Audit.

(46) Requests to monitor or access another ICT user's data must be made in writing to the Chief Digital Officer or nominee setting out the reason(s) for the request. The Chief Digital Officer or nominee may:

  1. Approve the request and authorise a staff member to action the request with or without notice to the ICT user whose data is to be monitored or accessed.
  2. Deny the request. The Chief Digital Officer will advise the requester in writing of the reasons for their decision.

(47) The Chief Digital Officer will provide the results from the monitoring or access request only to the person who made the request. These results must only be used by that person in connection with the reason(s) for the request.

Absence of staff members

(48) If a staff member has a planned absence from the University, they must ensure that data and information required to conduct the business of the University is accessible and that notification facilities, such as telephone and email out-of-office messages, are in place. When a staff member has an unplanned absence, if practical, the staff member should put notifications in place from home or by contacting the IT Service Desk.

(49) Where a staff member has not acted in accordance with clause 48 their manager will attempt to contact them and reach agreement about reasonable alternative arrangements. If the staff member cannot be contacted and/or reasonable alternative arrangements cannot be agreed the manager will escalate the matter to the Head of organisational unit.

(50) If the Head of organisational unit is satisfied that reasonable efforts have been made to agree upon alternative arrangements and that the business of the University will be obstructed or delayed by the lack of access to the staff member’s data, they may recommend that the Manager submit a request to the Chief Digital Officer to access the staff member’s data in accordance with clause 46. If the request is approved by the Chief Digital Officer, the Manager must access the data on a need-to-know basis only, and only as necessary to conduct the business of the University. The Manager must keep a record of all data accessed and provide this to the staff member as soon as possible.

ICT facilities access

(51) The Chief Digital Officer or nominee may authorise staff and associates to access ICT physical facilities. Staff and associates granted access to ICT physical facilities must follow the guidelines set by eSolutions.

Unacceptable use

(52) Unacceptable use includes but is not limited to:

  1. Engaging in any activity that is in breach of the University’s policies or procedures, or illegal under local, state, federal or international law.
  2. Accessing data, network, a server or an account for any purpose other than conducting Deakin business is considered a security breach, even if access is part of the user’s normal job/duty.
  3. Circumventing user authentication or security of any host, network or account.
  4. Port scanning or security scanning is not allowed unless prior approval from eSolutions is obtained.
  5. Executing any form of network spoofing and monitoring which will intercept data not intended for the user’s host, unless this activity is a part of the user’s normal job/duty.
  6. Introducing honeypots, honeynets, or malware on the Deakin network unless authorised by eSolutions.
  7. Interfering with or denying service to any user, servers, subnets, and any other ICT services.
  8. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means locally or via the Internet/Intranet/Extranet.
  9. Sending unsolicited email messages, including sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  10. Acquisition and/or use of cloud-based and third-party ICT services without approval from eSolutions.
  11. Use of externally hosted ICT services for work purposes unless the use is approved by eSolutions.
  12. Use of Deakin Internet access facilities for management of personal affairs which adversely impact employee productivity and work performance, or the network performance; and does not contravene other sections of this Procedure.
  13. Making fraudulent offers of products, items, or services originating from any Deakin account.
  14. Effecting security incident(s) in a manner that negatively impacts Deakin University or its staff, students or associates. Providing information about, or lists of, Deakin users to parties outside Deakin.

Exemptions

(53) Any exemptions to the Information and Communications Technology Acceptable Use policy and this Procedure must be approved by the Chief Digital Officer or nominee. When determining an exemption, the Chief Digital Officer or nominee will consider whether the proposed use is necessary to undertake legitimate job responsibilities (e.g. systems administration staff may have a need to disable the network access of a host if that host is disrupting production services, or a researcher may require access to particular websites for research projects).

Breaches

(54) ICT users must immediately report any suspected or perceived breach of the Information and Communications Technology Acceptable Use policy, Information and Communications Technology Security policy and Information and Communications Technology Acceptable Use procedure to eSolutions.

(55) Where there is an allegation of non-compliance and the Chief Digital Officer considers it necessary to act immediately to preserve the peace or to protect University staff, students or property, the Chief Digital Officer may:

  1. remove or disable access to potentially offensive material, as a result of violations of the Information and Communications Technology policies or procedure.
  2. restrict or remove an ICT user's access to the University's ICT facilities, services and materials pending further investigation, disciplinary and/or judicial action
  3. refer
    1. non-compliance by students in accordance with Regulation 4.1(1) - General Misconduct and Student General Misconduct procedure
    2. non-compliance by staff in accordance with the Staff Discipline policy; and/or
    3. legislative non-compliance by students, staff and other University ICT users to DeakinLegal.

(56) The Chief Digital Officer will inform the ICT user of any action in writing within ten (10) working days of the action being taken.

Section 6 - Definitions

(57) For the purpose of this Procedure:

  1. Data: individual facts or items of content, including symbolic representations that may form the basis of information (e.g. a date, a name, a number).
  2. Enterprise Application: any centrally-managed software application used throughout the University, required to undertake the functions and activities of University business.
  3. File Share: centrally provided disk space for organisational units, projects and other groups to facilitate storage, sharing and protection of electronic material associated with work activities.
  4. Home Directory: centrally provided disk space for ICT users to store and protect study or incidental work-related electronic material.
  5. Information: as defined in the Information and Communications Technology Acceptable Use policy.
  6. Information and Communication Technology (ICT) Facilities, Services and Materials: as defined in the Information and Communications Technology Acceptable Use policy.
  7. Information and Communications Technology (ICT) User: as defined in the Information and Communications Technology Acceptable Use policy.
  8. Physical Facilities: all physical spaces (e.g. data centres, machine rooms, network or communication closets) managed by Deakin eSolutions.
  9. Spam: Spam is unsolicited (unwanted) digital communication often in the form of emails that typically attempts to sell you something. The spammer has no intention of spreading malware or stealing sensitive information which is what happens in the case of phishing. Further information can be found in the Cybersecurity blog.