Â鶹ÊÓƵ

Purpose

The purpose of this policy is to ensure that the Â鶹ÊÓƵ provides IT systems and services that are secure, reliable, and available for learning, teaching, research, and operational activity, while minimising security, legal, and reputational risks. This policy supports compliance with Cyber Essentials and defines expectations for acceptable use of IT facilities.

Scope

This policy applies to all users of University IT facilities, including staff, students, contractors, affiliates, and partners, and to all devices and methods used to access those facilities, including on-campus, remote, and cloud-based access.

Definitions

University IT Facilities: All hardware, software, networks, data, telephony, cloud services, and credentials provided or authorised by the University.

User: Any individual granted access to University IT facilities.

Prevent Duty: A legal obligation requiring organisations to have due regard to the need to prevent individuals from being drawn into terrorism or supporting terrorism.

Policy Statements

Legal and Responsible Use

• Use of University IT facilities must be lawful and responsible.
• Use must not bring the University into disreput
• Freedom of expression within the law is supported.
• Use must comply with statutory obligations including Prevent Duty.
• IT systems may be monitored for security, compliance, and legal purposes.

Personal Use

• Personal use is permitted where reasonable and compliant with policy.
• Personal use must not interfere with University operations.
• Personal use must not introduce risk.
• Personal use is a privilege and may be withdrawn.

User Responsibilities

• Use IT for authorised purposes only.
• Follow IT security guidance.
• Act lawfully and respectfully.
• Do not bypass security controls.
• Do not engage in harmful or unlawful activity.

Secure Use of Devices and Systems

• Use devices meeting University security requirements.
• Allow updates and security controls to operate.
• Report suspicious activity promptly.
• Do not disable security controls.
• Do not install unauthorised software.

Access and Authentication

• Use only individually-allocated IT Account.
• Protect credentials and use MFA where required.
• Do not share accounts or credentials.
• Do not access systems without authorisation.

Network Use

• Use secure and approved network connections.
  
• Do not connect unauthorised equipment.
  
• Do not bypass security controls using unauthorised services.

Roles & Responsibilities

• Users: Comply with policy and protect credentials.
  
• Digital Services: Implement controls, monitor systems, and investigate breaches.

Documentation & Records

Monitoring and logging records may be retained to support security, compliance, and investigations, in accordance with legal and regulatory requirements.

Any exception to this policy must:

• Be formally documented;
  
• Include justification and risk assessment;
  
• Be approved by the Director Digital Services (or delegated authority);
  
• Be time limited and reviewed regularly.

Training & Awareness

Users must complete mandatory information security training when required, and be aware of their responsibilities when using IT facilities.

Compliance

Failure to comply with this policy may result in:

• Removal of IT access
• Investigation under University disciplinary procedures
• Formal sanctions, including suspension or termination of studies or employment

Related Policies and References

Cyber Essentials Alignment

This policy underpins the following Cyber Essentials controls:

• Secure configuration
• User access control
• Malware protection
• Patch management
• Firewall management and network security

All users are required to act in a way that supports these controls.

Related Policies

This policy should be read in conjunction with:

• Secure Configuration Policy
• Firewall Management Policy
  
• Vulnerability and Patch Management Policy
  
• Malware Protection Policy
  
• System Logging and Monitoring Policy
  
• IT Change Management Policy

Policy Review & Revision

This policy will be reviewed annually or following significant organisational, technical, or regulatory change.

Change Control