Defining the University’s approach to acceptable use of its IT Systems
This control procedure defines the University’s approach to acceptable use of its IT Systems and infrastructure, and directly supports the following policy statement from the Information Security Policy:
The University’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff, and poor and inappropriate behaviour will be addressed.
This procedure is intended to be read and understood by all users accessing University information, IT systems, networks or software using any University or personally owned device.
There are other University policies which will apply when you access University systems, including the University’s Data Protection Policy (and users should complete the University’s mandatory data protection training).
Users are bound by the laws of England and Wales when using the University’s IT resources. In addition, when using MMU devices or accessing the University’s network from abroad, users must adhere to the laws of that country too.
Acceptable use is defined as any use that supports the University’s teaching, learning, research, consultancy and administrative activities, and does not meet the definition of Prohibited Use.
Prohibited use includes but is not limited to activity that:
Specifically, users are prohibited from:
Occasionally use of University IT systems is required for University‐related activities such as security sensitive research that may otherwise meet the definition of prohibited use. In this case prior, explicit approval through the University’s official processes for dealing with academic, ethical issues is required. Please contact the Information Security team for further information.
The University recognise that users may make personal use of University systems, including email and the Internet. Personal use should be reasonable and not excessive, ensuring that it does not interfere with IT resources, business requirements or any other university or legislative requirement.
It is not recommended that users store or share their own sensitive data for personal use on University systems as the University cannot guarantee the confidentiality, integrity or availability of this information.
The University reserves the right to withdraw access to IT resources for personal use at any time and may remove or modify information (including personal data) held on its IT resources.
The University may log all forms of IT use. Monitoring systems is necessary for administrators to identify and investigate technical or security related problems, and also provides an audit log in the event of misconduct or criminal investigations.
The University also reserves the right to inspect any items of computer equipment connected to the network. Any IT equipment connected to the University’s network will be removed if it is deemed to be breaching University policy or otherwise interfering with the operation of the network.
The University may need to access or suspend any user’s account for business purposes. Action will only be taken where it has been authorised by a suitable HR representative.
Upon leaving the University it is expected that users:
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Any prohibited use which is deemed to be in contravention of the law and/or which involves the intentional access, creation, storage or transmission of material which may be considered indecent or obscene will be regarded as an act of gross misconduct on the part of staff. This would also qualify as an act for which students may be expelled under the student disciplinary procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Security Board.