Introduction
This Acceptable Use Policy (AUP) for Clinical School Computing Service (CSCS) Systems is designed to protect the users from harm caused by the misuse of CSCS IT systems. Misuse includes both deliberate and inadvertent actions.
This policy sets out obligations all users of the CSCS network are required to satisfy under the regulations set out by JANET (the University’s network provider) and the University Computing Service, along with those policy elements specific to CSCS.
The repercussions of misuse of our systems can be severe. Potential damage includes, but is not limited to, malware infection (e.g. computer viruses, which could lead to system downtime, data loss from personal or group drives), legal and financial penalties and reputational damage resulting from data leakage, and lost productivity resulting from network downtime.
Everyone who uses Clinical School Computing Service systems is responsible for the security of those IT systems and the data on them. As such, all users must ensure they adhere to the guidelines in this policy at all times. Should any user be unclear on the policy or how it impacts their role they should speak to their manager or the CSCS Service Desk.
Definitions
“CSCS” means the Clinical School Computing Service, an institution under the Faculty of Clinical Medicine, responsible for the implementation, maintenance and support of IT systems for the School of Clinical Medicine.
“Users” are everyone who has access to any CSCS IT systems. This includes permanent and temporary staff, students, researchers, contractors, agencies, consultants, suppliers and research or health partners.
“Systems” means all IT equipment that connects to the CSCS network or accesses CSCS applications. This includes, but is not limited to, desktop computers, laptops, smartphones, tablets, printers, data and voice networks, networked devices, software, electronically-stored data, portable data storage devices, third party networking services, telephone handsets, video conferencing systems, and all other similar items commonly understood to be covered by this term.
“Data” means all information stored in electronic form on systems owned and operated by CSCS, or attached to a network owned and operated by CSCS.
Scope
This is a universal policy that applies to all CSCS Users and all Systems. Some aspects of this policy affect areas governed by UK law: in such cases the need for legal compliance has clear precedence over this policy within the bounds of that jurisdiction.
CSCS Staff who monitor and enforce compliance with this policy are responsible for ensuring that they remain compliant with UK law at all times.
Use of IT Systems
Access to desktops and laptops on the CSCS network should only be by authorised individuals. For supported computers access is only allowed by those who have a CSCS user account or authenticate by a CSCS approved method. For unsupported computers on the network the department to whom the network address has been provided is responsible for ensuring that only authorised persons have access to that system, and in the event of an information security incident may be asked to prove who was using a system at any given point in time.
CSCS systems exist to support and enable the aims of the School of Clinical Medicine. A reasonable amount of personal use is allowed. However it must not interfere with the performance of the user’s duties or cause any damage or difficulty to computers or to networks, or any difficulty or distress to others.
CSCS trusts users to be fair and sensible when judging what constitutes an acceptable level of personal use of CSCS IT systems. If users are uncertain they should consult their manager.
Any information that is particularly sensitive or vulnerable must be encrypted and/or securely stored so that unauthorised access is prevented (or at least made extremely difficult). However this must be done in a way that does not prevent, or risk preventing, legitimate access by all properly-authorized parties.
CSCS can monitor the use of its IT systems and the data on them at any time. This may include (except where precluded by UK law) examination of the content stored within the email and data files of any user, and examination of the access history of any users.
CSCS reserves the right to regularly audit networks and systems to ensure compliance with this policy.
CSCS implements a firewall policy which blocks access to websites which are categorised as hosting malware (Viruses, Trojans, Rootkits or Spyware) or child abuse images (according to the Internet Watch Foundation).
Data Security
Unless specifically marked as ‘Personal’, all data stored on systems owned and operated by CSCS is considered to be resulting from use in accordance with the aims of the University and Colleges, and as such does not constitute personal information which is protected under Human Rights legislation, and therefore may be accessed by the institution with due authority.
If data on CSCS systems is classified as confidential this should be clearly indicated within the data and/or the user interface of the system used to access it. Users must take all necessary steps to prevent unauthorized access to confidential information.
Users are expected to exercise reasonable personal judgement when deciding which information is confidential.
Users must not send, upload, remove on portable media or otherwise transfer to a non-CSCS system any information that is designated as confidential, or that they should reasonably regard as being confidential to their parent institution, the School of Clinical Medicine or the University, except where explicitly authorized to do so in the performance of their regular duties.
Users must keep passwords secure and not allow others to access their accounts.
Users who are supplied with computer equipment are responsible for the safety and care of that equipment, and the security of software and data stored on it and on other CSCS systems that they can access remotely using it.
Because information on portable devices, such as laptops, tablets and smartphones, is especially vulnerable, special care should be exercised with these devices. Users will be held responsible for the consequences of theft of or disclosure of information on portable systems entrusted to their care if they have not taken reasonable precautions to secure it.
All workstations (desktops and laptops) should be secured with a lock-on-idle policy active after at most 10 minutes of inactivity. In addition, the screen and keyboard should be manually locked by the responsible user whenever leaving the machine unattended.
Staff who have been charged with the management of those systems are responsible for ensuring that they are at all times properly protected against known threats and vulnerabilities as far as is reasonably practicable and compatible with the designated purpose of those systems.
Users must at all times guard against the risk of malware (e.g., viruses, spyware, Trojan horses, rootkits, worms, backdoors) being imported into CSCS systems by whatever means and must report any actual or suspected malware infection to the CSCS Service Desk immediately.
Unacceptable Use
All users should use their own judgement regarding what is unacceptable use of CSCS systems. The activities below are provided as examples of unacceptable use; however, the list is not exhaustive. Should an employee need to contravene these guidelines in order to perform their role, they should consult with and obtain approval from their manager before proceeding.
- Creation or transmission, or causing the transmission, of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material.
- Creation or transmission of material with the intent to cause annoyance, inconvenience or needless anxiety.
- Creation or transmission of material with the intent to defraud.
- Creation or transmission of defamatory material.
- Creation or transmission of material such that this infringes the copyright of another person.
- Attaching more than one device to any network port by use of network switches, firewalls, NAT gateways, routers or wireless access points or any other means.
- Deliberate unauthorised access to networked facilities or services.
- Deliberate or reckless activities having, with reasonable likelihood, any of the following characteristics:
  - corrupting or destroying other users’ data;
  - violating the privacy of other users such as accessing other users’ data without having first obtained appropriate approval;
  - disrupting the work of other users;
  - denying service to other users (for example, by overloading of CSCS services);
  - continuing to use an item of software or hardware after CSCS has requested that use cease because it is causing disruption to the correct functioning of CSCS systems.
Enforcement
CSCS will not tolerate any misuse of its systems and will take action against anyone found to have contravened the policy, including not exercising reasonable judgement regarding acceptable use. While each situation will be judged on a case-by-case basis, employees should be aware that consequences may include removal of their access to CSCS systems.
Use of any of CSCS resources for any illegal activity may result in action under the applicable University Disciplinary Procedures, and CSCS will not hesitate to cooperate with any criminal investigation and prosecution that may result from such activity.