IT Acceptable Use Policy

Summary

This policy defines the principles and actions considered acceptable and unacceptable when Authorised Users access the Bionics Institute IT Services.
The policy aims to protect both authorised users and the Bionics Institute from risks associated with unacceptable use including information security threats, compromise of network systems and services, legal issues, and data loss.

Purpose

This Policy provides guidance on what constitutes acceptable use as well as unacceptable use of IT Services and outlines the responsibilities of Authorised Users to protect Bionics institute IT Services.

Scope

This policy applies to all Authorised Users and to the access and use of IT Services whether this is done from a Bionics Institute office or remotely.

Definitions
Acceptable Use Activities that directly or indirectly support the business of Bionics Institute. A limited level of personal use is considered acceptable provided it does not use significant amounts of time or IT resource. 
Authorised User/s  Means a person/s who has been provided with a Bionics Institute Network Account to access IT Assets and Infrastructure. These include all staff, students, consultants, and visitors
IT Services  Includes:
  • Desktop computers, laptops, tablets, handheld devices, and servers
  • Network accessible storage and local computer storage
  • Removable media, e.g. CDs, USB storage devices, data cards, and portable storage devices
  • Printers, copiers, imaging equipment, and multi-function devices
  • Telephones, mobile phones, Fax machines
  • Radios or other high frequency communication devices
  • Cameras, webcams
  • Electronic networks, internet, intranet, and web services
  • Instant messaging, chat facilities, and online discussion groups
  • Email accounts
  • Software
  • Data and/or information 

Policy Statement

Authorised Users may use Bionics Institute IT assets and services for any Bionics Institute work-related purposes and for limited personal use. 

Acceptable use
Authorised Users may use Bionics Institute IT assets and services for any work-related purposes and for limited personal use providing that the use complies with the Bionics Institute Code of Conduct, values, and policies, is lawful, and does not adversely impact the Bionics Institute operations, assets, or reputation.

Bionics Institute IT Services must not be used in any manner considered inappropriate, or in any way that may be reasonably seen as potentially damaging the reputation of the Institute, such as:

  • participating in gambling activities
  • knowingly downloading, storing, distributing, or viewing of offensive, obscene, indecent, or menacing material
  • stalking, blackmailing, or engaging in otherwise threatening behaviour
  • any use which breaches a law, including copyright breaches, fraudulent activity, computer crimes and other computer offences
  • transmitting spam or other unsolicited communications
  • the introduction or distribution of security threats, including a virus or other harmful malware
  • unauthorised monitoring of electronic communications
Monitoring use

Any use of Bionics Institute IT assets and services may be monitored by the Bionics Institute IT Department including:

  • data storage volumes
  • internet sites visited
  • download volumes
  • suspected malicious viruses
  • instant messaging/chat messages
  • emails
  • computer hard drives
Bionics Institute Network Account
Authorised Users are provided a Network Account to access Bionics Institute IT Services for carrying out their Bionics Institute role. Authorised Users are responsible for all activity initiated from their Network Account and must not allow anyone else access to or use of that Network Account. The Authorised User must ensure their Network Account credentials, including passwords, are securely stored, and not disclosed to another person. An Authorised User must inform the IT Department immediately if they believe that the security or integrity of their Bionics Institute Network Account (including email account) has been compromised including suspected lost or stolen password, the presence of malware or suspicious email activity.

Access to their Bionics Institute Network Account will be removed when the relationship between Authorised User and the Bionics Institute ceases. If an Authorised User requires their Network Account to remain active for a period after they leave Bionics Institute, this must be authorised by the Bionics Institute Business and Commercial Support Manager. The extension of the access must have an end date specified.

IT Equipment
All Bionics Institute supplied IT equipment such as computers, and peripheral devices such as monitors and printers remains the property of Bionics Institute and care must be taken to prevent the equipment from being damaged, lost or stolen. Authorised Users must:
  • ensure that Bionics Institute IT equipment is stored securely when not in use
  • inform the IT Department if any malfunction or damage occurs to their IT equipment
  • inform the IT Department and their line manager immediately if their IT equipment is stolen or lost

Bionics Institute may install programs or software to track the location and use of the IT equipment and reserves the right to monitor use of IT equipment, including during any remote working arrangement.

Software
The IT Department will provide advice for, and may, or may not, approve software to be used on Bionics Institute IT equipment. Software, including source files and executable files, must not be added to, removed from, or modified on IT equipment unless authorised by the IT department. Software applications and tools purchased by the Bionics Institute are licensed primarily to the Bionics Institute, however Authorised Users may require access from other locations on nonBionics Institute owned computers during their work within the parameters of the software license agreement. Authorised Users must discontinue use and un-install the software from non-Bionics Institute owned computer(s) upon cessation or termination of engagement with the Bionics Institute, or upon notification by the Bionics Institute of its termination of the software license agreement.

Authorised Users must comply with contractual obligations and terms and conditions of use stated in the software license agreements entered by the Bionics Institute.

Email and electronic communications
A Bionics Institute email account is provided to Authorised Users for work-related activities. Authorised Users with a Bionics institute email account must ensure that all email correspondence and attachments sent using this email account appropriately represents the Bionics Institute. Virus protection measures are in place on the Bionics Institute network; however, it is the responsibility of Authorised Users to take reasonable care when opening emails, attachments, and links to identify that emails, attachments, and link are genuine. If an Authorised User receives an email or attachment that seems suspicious, they must contact the IT Department immediately. E-mail is not considered a secure form of communication and third parties can potentially intercept and view email in transit. E-mails should therefore be considered insecure unless the message has been encrypted and digitally signed. When deciding what information is to be included in an email, consideration should be given to the fact that it may be forwarded to another party without the Authorised Users knowledge.

Bionics Institute provides access to Microsoft Teams chat functionality. This is considered secure within the Bionics Institute Office 365 Tenant (when communicating with others using their Bionics Institute Office 365 account). Other forms of electronic communication such as chat applications and messaging services should be considered unsecure. 

Data/Information
Authorised Users must ensure that Bionics Institute data is stored, retained, made accessible, and disposed of according to the Bionics Institute Employee Privacy Policy, the Bionics Institute Privacy Statement, legal, statutory, ethical, and funding bodies’ requirements.  This policy and its associated procedures first and foremost support its commitment to comply with the Australian Code for the Responsible Conduct of Research (2018), and Bionics Institute’s Research Data and Information Management Guidelines. It is Bionics Institute’s responsibility to provide appropriate safe, secure, sustainable, and appropriate facilities for the storage of research data. Authorised Users are responsible for retaining clear, accurate, secure, and complete records of research data.

Bionics Institute provides secure data storage facilities to all Authorised Users. Secure and backed up network drives are provided.

All Authorised Users must:
  • use IT Department approved storage for records and media
  • exchange information only through data transfer methods approved by the Bionics Institute IT Department
  • ensure data is stored in the appropriate repository so that it can be backed up, and not stored on local devices only (e.g. desktop, laptop, external hard drive)
  • consider intellectual property rights and copyright when using information and images not created or owned by Bionics Institute
External Personnel

The Bionics Institute Guest Wireless Network provides a facility for external personnel for connectivity to the Internet. This Guest Wireless Network operates independently from the Bionics Institute Network, with no connectivity provided between the two networks. The Guest Wireless Network provides access to external internet sites only. No access to Bionics Institute IT services is possible from the Guest Wireless Network.

Upholding this policy
Any identified activity that is not consistent with this IT Acceptable Use Policy should be reported to your Supervisor, the Human Resources Team, and/or a member of the IT Department. Support will be provided to employees who report genuine concerns of breaches. The IT Department may immediately suspend an Authorised User’s account prior to, during or after an investigation.

If an investigation confirms a breach of this IT Acceptable Use Policy, disciplinary action may be taken up to and including dismissal or other appropriate action for non-employee/s against the individual or individuals concerned.

Supporting Procedures
  • IT_PRO_Access Control
  • RGV_FRM_Data Management Guidelines
Related Policies
  • IT_POL_IT Policy
  • Cybersecurity Policy
  • Password Policy
  • HR_POL_Privacy Statement
  • HR_POL_Employee Privacy
  • HR_FRM_Code of Conduct
External References

N/A

Please acknowledge you have read and understood the details of the above policy