Acceptable Use of Computer & Network Policy
| Policy name | Acceptable Use of Computer & Network Policy |
| Policy number | ICT002 |
| Date approved | 26 June 2024 |
| Approving body | Cairnmillar Council |
| Responsible officer | General Manager |
| Implementation officer | Senior Systems Administrator |
| Next review date | June 2029 |
| Related Policies |
|
| Related forms and documents |
|
1. Purpose of this Policy
The purpose of this policy is to outline the requirements for the respectful, safe, reliable and secure use of information technology resources provided by the Cairnmillar Institute (‘the Institute’). These rules exist to protect and preserve the privilege of use for students and staff and to ensure they have access to reliable and robust IT resources that are safe from unauthorized or malicious use.
2. Scope
This policy is effective and applies to all systems and users, including those using privately owned computers (where staff have opted for a BYOD) or systems to access Institute Computer and Network Resources. This policy represents the minimum requirements that must be in place.
3. Policy
3.1. General Principles
3.1.1. Use of the computer and network resources of the Institute shall be consistent with the treatment, education, and research mission, and consistent with this policy.
3.1.2. Eligible individuals are provided access in order to support their education, instruction, duties as employees, official business with the Institute and other Institute sanctioned activities. Individuals shall not share with or transfer to others their accounts, including but not limited to user IDs, passwords, or other mechanisms that allow them to gain access to Institute information technology resources.
- Files and data must not be shared or taken external to the Cairnmillar environment except where it is required for the business activities such as:
- Government or other reporting requirements
- Research or similar sanctioned collaborative activities
- Clinical reporting
- Transfer of client information to other practices as requested by the client.
3.1.3. The Institute reserves the right to limit access to its networks when applicable system or Institute policies or codes, contractual obligations, or relevant laws are violated.
3.1.4. Privately owned computers that house material which violates the Institute’s policies are subject to network disconnection without notice. Where possible, in this event the Institute’s data will be wiped from the device.
3.1.5. The Institute reserves the right to access and review all aspects of its computing systems and networks, including individual login sessions, email accounts, and account files, to investigate performance or system problems, investigate information security incidents, or upon reasonable cause to determine if a user is violating the policy or regulation.
3.1.6. Other organisational units are free to supplement this policy with additional guidelines, provided such guidelines are consistent with the Institute policy.
3.2. Acceptable Use
All individuals who access, use, or otherwise engage the Institute’s computer and network resources are required to:
3.2.1.Respect the rights of all individuals, including other users.
3.2.2. Only use or modify Institute’s computer and network resources for Authorised Purposes, and not in breach of relevant laws or contractual obligations.
3.2.3. Not use Institute computer or network equipment for non-commercial personal purposes beyond a reasonable amount, or to the detriment of the Institute or its goals.
3.2.4. Not access, distribute, store or display illegal, pirated or offensive material.
3.2.5. Not use Institute computer or network equipment for unauthorised personal financial or commercial gain.
3.2.6. Not misrepresent the views of the Institute, via use of the Institute’s IT Resources.
3.2.7. Not conduct activities that consume excessive network bandwidth.
3.2.8. Report suspected or actual security breaches to the Information Technology (IT) Help Desk in a timely manner; and
3.2.9. Maintain the security and confidentiality of information generated or collected by the Institute in accordance with the Privacy Management policy.
3.3. Secure System Access and Use
To protect access to Institute IT Resources, individuals are required to:
3.3.1. Select long and strong passwords that are not easily guessed and not in use in other non-Institute applications.
3.3.2. Not share Institute-provided or self-selected passwords with other individuals.
3.3.3. Keep personal and Institute-provided systems, used to access Institute systems or information, free from known vulnerabilities by keeping up to date with vendor provided security updates.
3.3.4. Maintain operational and up-to-date antivirus on personal and Institute -provided systems used to access Institute systems or information.
3.3.5. Securely store passwords that provide access to Institute systems or information.
- Only use the accounts provided by the Institute for their own individual use.
- Not bypass or attempt to circumvent the Institute’s Security Controls or Protection Mechanisms.
- Not introduce malicious software such as viruses, worms, ransomware or trojans into the Institute environment; and
- Not use Hacking Tools (including sniffing, scanning, password guessing or exploitation) when accessing, using or otherwise engaging with Institute IT Resources.
3.4. Monitoring and Compliance
3.4.1. The Institute monitors its information systems for compliance with this policy. Breaches of this policy constitute misuse of Institute’s information and information systems.
3.4.2. The Acceptable Use of IT Resources - Misuse Schedule provides some examples of activities that constitute misuse of IT Resources. If misuse of IT Resources is detected or suspected, relevant disciplinary provisions will be invoked.
3.4.3. The Institute may refer serious matters or repeated breaches to the General Manager or the appropriate external authorities which may result in disciplinary and / or civil, and / or criminal proceedings.
3.4.4. The Institute has a statutory obligation to report illegal activities and corrupt conduct to appropriate authorities and will cooperate fully with the relevant authorities.
3.4.5. To the extent allowed by law, the Institute is not liable for loss, damage or consequential loss or damage arising directly or indirectly from the use or misuse of any Information Technology Resource.
3.5. Definitions
The following definitions apply for the purpose of this policy:
3.5.1. Authorised Purposes means activities associated with work or study at the Institute, or provision of services to or by the Institute, which are approved or authorised by the relevant officer or employee of the Institute in accordance with Institute policies and procedures or pursuant to applicable contractual obligations, limited personal use, or any other purpose authorised by the relevant officer or employee.
3.5.2. Hacking Tools means tools that are designed to facilitate the identification and exploitation of software or system weaknesses for the purposes of unauthorised access.
3.5.3. Information Technology Resources, or IT Resources, includes, but is not limited to:
- All computers and all associated data networks and systems, internet access and network bandwidth, email, hardware, data storage, computer accounts, media, software (both proprietary and those developed by the Institute) and telephony services.
- Information Technology services provided jointly, or as part of a joint venture between the Institute and any other partner organisation.
- Information Technology services provided by third parties that have been engaged by the Institute.
3.5.4. Security Controls or Protection Mechanisms means systems or facilities implemented to restrict access only to individuals who are authorised to access or utilise the resource or information.
3.6. Related Documents
3.6.1. Schedule – Acceptable Use of Computer and Network Resources - Misuse Schedule.