Detailed IT Regulations in Practice

Summary

The core principles of the University’s IT Regulations are as follows:

• Governance
  • Don’t break the law, do abide by Regulations, Policies and Guidelines and do observe the regulations of any third parties whose facilities you access.
• Identity
  • Don’t allow anyone else to use your IT credentials, protect your online identity, and don’t impersonate others.
• Infrastructure
  • Don’t put the University’s IT facilities at risk by introducing malware, interfering with hardware or loading unauthorised software.
• Information
  • Safeguard personal data, respect other people’s information and don’t abuse copyright material.  Remember that mobile devices may not be a secure way to handle information.
• Behaviour
  • Don’t waste IT resources, interfere with others’ legitimate use of IT resources or behave towards others in a way that would not be acceptable in the physical world.

Detailed Regulations

The following sections expand on the core principles above. Some examples of specific situations are included and are intended to help you relate your everyday use of the IT facilities to the ‘dos and don’ts’.

Where examples are given, these are just some of the most common instances, and the list is not intended to be exhaustive.

1 Scope

1.1 Users

• These Regulations apply to all staff and students, and anyone using AU IT facilities whether accessing these on campus or remotely from off campus, such as from home.
• It is the responsibility of all users to familiarise themselves with these Regulations and associated policies, and also with current cyber-security risks. Users are also expected to complete any mandatory and/or appropriate training.

1.2 IT Facilities and Services

The term IT Facilities and Services include:

• IT Hardware that AU provides, such as PCs, laptops, tablets, smart phones and printers;
• Software that AU provides, such as operating systems, office application software, web browsers etc. This includes all software hosted on-premises; software that the University has arranged for you to have access to, for example special deals for students on commercial application packages; facilities which are considered Software as a Service (SaaS).
• Information and data that AU provides, or arranges access to. This might include online journals, data sets or citation databases;
• Access to the network provided or arranged by the University. This would cover, for example, network connections in offices, halls of residence, on-campus WiFi, connectivity to the internet from University PCs and VPN;
• Online services arranged by the University such as Microsoft 365, JSTOR, or any of the Jisc online resources;
• IT credentials, such as the use of your University login, or any other token (email address, Abercard or any other form of smartcard, dongle) issued by AU to identify yourself when using IT facilities. For example, you may be able to use drop-in facilities or WiFi connectivity at other institutions using your usual username and password through the eduroam system. While doing so, you are subject to these Regulations, as well as the regulations at the institution you are visiting.

2 Governance

You must remember that using IT has consequences in the physical world.

Your use of IT is governed by general and IT-specific laws and regulations (such as those listed below) and Aberystwyth University's policies, including the Information Security Policy.

2.1 Domestic Law

Your behaviour in relation to IT usage is subject to UK law, even those pieces of legislation that are not apparently related to IT such as the laws on fraud, theft and harassment.

There are many laws that are particularly relevant to the use of IT, including:

• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988
• Counter-Terrorism and Security Act 2015
• Criminal Justice and Immigration Act 2008
• Data Protection Act 2018
• Defamation Act 1996 and 2013
• Equality Act 2010
• Freedom of Information Act 2000
• Freedom of Information (Scotland) Act 2002
• UK General Data Protection Regulation
• Human Rights Act 1998
• Obscene Publications Act 1959 and 1964
• Police and Criminal Evidence Act 1984
• Police and Justice Act 2006
• Prevention of Terrorism Act 2005
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)
• Protection of Children Act 1978
• Regulation of Investigatory Powers Act 2000
• Terrorism Act 2006

So, for example, you must not:

• Create or transmit, or cause the transmission, of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material;
• Create or transmit material with the intent to cause annoyance, inconvenience or needless anxiety;
• Create or transmit material with the intent to defraud;
• Create or transmit defamatory material;
• Create or transmit material such that this infringes the copyright of another person or organisation;
• Create or transmit unsolicited bulk or marketing material to users of networked facilities or services, except where that material is embedded within, or is otherwise part of, a service to which the user or their user organisation has chosen to subscribe;
• Deliberately access networked facilities or services which you have no authorisation to access

There is a useful set of legal guides relating to IT use available at  https://www.jisc.ac.uk/guides

All users should also be aware that the University has a statutory duty under the Counter-Terrorism and Security Act 2015 and must have due regard to the need to prevent people from being drawn into terrorism.

2.2 Foreign Law

If you are using services that are hosted in a different part of the world, be aware that you may also be subject to specific laws in those relevant countries. It is your responsibility to familiarise yourself with any legislation or rules which relate to those services.

2.3 General Institutional Regulations

As staff, students, or others using AU facilities you are also bound by AU’s general Regulations and policies which may interact with these IT Regulations.

For staff:  https://www.aber.ac.uk/en/hr/info-staff/employment/

For students:   https://www.aber.ac.uk/en/academic-registry/handbook/regulations/student-rules-regs/

2.4 Third Party Regulations

If you use AU’s IT facilities to access third party services or resources you are bound by the regulations associated with that service or resource and you should familiarise yourself with what they contain.

One example of this would be using Janet, the IT network that connects all UK higher education and research institutions together and to the Internet. When connecting to any site outside AU you will be using Janet and subject to the Janet Acceptable Use Policy, the Janet Security Policy and the Janet Eligibility Policy

The requirements of these policies have been incorporated into these Regulations, so if you abide by these Regulations you should not infringe the Janet policies.

Users shall only use software and other resources in compliance with all applicable licences, terms and conditions.

Breach of any applicable law or third-party regulation will be regarded as a breach of these IT Regulations.

3 Authority

3.1 These Regulations are issued under the authority of the Director of Information Services who is responsible for their interpretation and enforcement, and who may delegate such authority to other people.

3.2 Authority to use the University’s IT facilities is granted by a variety of means:

• The issue of a username and password or other IT credentials
• The explicit granting of access rights to a specific system or resource
• The provision of a facility in an obviously open access setting, such as an Institutional web site; a self-service kiosk in a public area; or an open WiFi network on the campus.

If you have any doubt whether or not you have the authority to use an IT facility you should seek further advice from Information Services

3.3 Attempting to use the IT facilities without the permission of the relevant authority is an offence under the Computer Misuse Act 1990.

3.4 Access to IT facilities is based on the principle of ‘least privilege’ to minimize the risks posed by the introduction of malware, by internet-based threats to the network and to comply with data protection legislation.  Administrator privileges will not be provided to standard user accounts and will be strictly limited.

3.5 You must comply with any reasonable written or verbal instructions issued by people with delegated authority in support of these Regulations. If you feel that any such instructions are unreasonable or are not in support of these Regulations, you may appeal to the Director of Information Services

4 Intended Use

AU’s IT facilities, and the Janet network that connects institutions together and to the Internet, are publicly funded and provide privileged access to facilities and data. AU has a responsibility to ensure that the system is appropriately secure and that data is protected.

4.1 Use for Purposes in Furtherance of University’s Mission

The IT facilities are provided for use in furtherance of the University’s mission to deliver inspirational education and research in a supportive, creative and exceptional environment. This includes use for purposes such as knowledge transfer, public outreach, the commercial activities of the University, or the administration necessary to support all of the above.

4.2 Personal Use

You may currently use the IT facilities for personal use provided that it does not breach the Regulations, and that it does not prevent or interfere with other people using the facilities for valid purposes. However, it is recommended that, where possible, employees use personal devices for personal, non-university business.

Employees who do utilise the IT facilities for non-work purposes during working hours are subject to the same management policies as for any other type of non-work activity.

4.3 Commercial Use and Personal Gain

Use of IT facilities for non-institutional commercial purposes or for personal gain, requires the explicit approval of the Director of Information Services. The provider of the service may require a fee or a share of the income for this type of use. For more information contact Information Services

Even with such approval, the use of licences under the Chest agreements for anything other than teaching, studying or research, administration or management purposes is prohibited, and you must ensure that licences allowing commercial use are in place.

5 Identity

Many of the IT services provided or arranged by the University require you to identify yourself so that the service knows that you are entitled to use it.

This is most commonly done by providing you with a username and password, but other forms of IT credentials may be used, such as an email address, a smart card or some other form of security device.

5.1 Your account credentials and protecting your identity

You must take all reasonable precautions to safeguard any IT credentials issued to you (including your Aber Card or other identity hardware) or passwords which you are asked to generate yourself or other unique identifiers such as tokens or one-time-passwords.

• Do not record passwords or other credentials where there is any likelihood of someone else finding them. Do not use the same password as you do for personal (i.e. non-University) accounts. Do not share passwords with anyone else, even IT staff, no matter how convenient and harmless it may seem.
• Do not use your AU email address and password to sign up for non-AU services.
• If you think someone else has found out what your password is, change it immediately and report the matter to is@aber.ac.uk
• Do not use your username and password to log in to web sites or services you do not recognise, and do not log in to web sites which show a ‘Not Secure’ next to the address bar or click through your browser’s security warnings.
• Do not leave logged-in computers unattended and log out properly when you are finished.
• Do not allow anyone else to use your Aber Card or other security hardware. Take care not to lose items. If you do, report the matter to Information Services immediately.

If a staff member’s account is recorded as having been compromised more than 3 times in the course of a 12 month period, due to negligence or a lack of care and attention, Information Services may progress this to Human Resources as a disciplinary matter.

5.2 Impersonation

Never use someone else’s IT credentials, or attempt to disguise or hide your real identity when using the University’s IT facilities. This includes using another person’s Aber Card to use services or enter buildings.

It is acceptable not to reveal your identity if the system or service clearly allows anonymous use (such as a public facing website).

5.3 Attempt to Compromise Others’ Identities

You must not attempt to usurp, borrow, corrupt or destroy someone else’s IT credentials.

6 Infrastructure

The IT infrastructure is all the underlying hardware and software that allows the University’s IT to function. It includes servers, the network, PCs, printers, operating systems, databases, cloud-based (‘Software as a Service’) services and a wide range of other hardware and software that has to be set up correctly to ensure the reliable, efficient and secure delivery of IT services.

You must not do anything to jeopardise the infrastructure and its integrity.

6.1 Physical Damage or Risk of Damage

Do not damage, or do anything to risk physically damaging the infrastructure. This includes being careless with food or drink whilst near IT equipment.

6.2 Reconfiguration and loading of unauthorised software

Do not attempt to change the setup of the infrastructure without authorisation, such as changing the network point that a device is plugged into, connecting devices to the network (except for WiFi or Ethernet networks specifically provided for this purpose) or altering the configuration of the University-owned equipment. Unless you have been authorised, you must not add software to or remove software from PCs.

Do not move equipment without authority.

6.3 Network Extension

Any changes to the network cabling infrastructure, including installation or removal, must be undertaken by IS staff or by contractors who have specific approval from IS following appropriate liaison.

You must not extend the wired or WiFi network without authorization. Such activities, which may involve the use of routers, repeaters, hubs or WiFi access points, can disrupt the network and are likely to be in breach of the Janet Security Policy. For further information, see the AU Wireless Policy: https://www.aber.ac.uk/en/is/regulations/wireless/

6.4 Setting up Servers

You must not set up any hardware or software that would provide a service to others over the network without permission from Information Services.

Examples would include games servers, file sharing services, DHCP (Dynamic Host Configuration Protocol) or web sites.

6.5 Introducing Malware

You must take all reasonable steps to avoid introducing malware to the infrastructure.

The term malware covers many things such as viruses, worms and Trojans, but is basically any software used to disrupt computer operation or subvert security. It is usually spread by visiting websites of a dubious nature, downloading files from untrusted sources, opening email attachments from people you do not know or inserting media that have been created on compromised computers.

It is essential that you ensure your computer is free from virus attacks, hacking or misuse by a third party. All computers connected to the Aberystwyth University network, either on

campus or via VPN, must have up-to-date virus checking software installed on them. You must keep your anti-virus software current and switched on, and run scans of your computer on a regular basis.

Any individual found to have introduced malware to the system due to negligence, will be found personally responsible and may be subject to disciplinary action.

6.6 Ransomware

Any suspicions of the use of ransomware must be reported to Information Services immediately

Ransomware is malicious software associated with the extortion of money using threats of denial of access, theft of data or other disrupting scenario.

6.7 Subverting Security Measures

AU has taken extensive measures to safeguard the security of its IT infrastructure, including use of anti-virus software, firewalls and spam filters.

You must not attempt to subvert or circumvent these measures in any way.

Any individual found subverting or circumventing these measures will be subject to disciplinary action.

7 Information

7.1 Personal, Sensitive and Confidential Information

If you handle personal, confidential or sensitive information, you must take all reasonable steps to safeguard it and must observe, and make yourself familiar with, AU’s Data Protection Policy and Information Security Policy and guidance, particularly with regard to removable media, mobile and privately-owned devices. You are bound by these policies even when using your own devices to access AU data.

Most of this information will be subject to the Data Protection Act and the General Data Protection Regulation, or to other legislation because of its sensitivity or confidentiality. Safeguarding the security of protected information is a highly complex issue, with organisational, technical and human aspects. For the rest of the section, this data will be referred to as ‘protected information’.

7.1.1 Transmission of Protected Information

When sending protected information electronically, you must use a method with appropriate security. Email is not inherently secure. Advice about how to send protected information electronically is available in our FAQS.

7.1.2 Removable Media and Mobile Devices

Protected information must not be stored on removable media (such as USB storage devices, removable hard drives, CDs, DVDs). Technical restrictions will prevent the use of removable storage devices for staff with access to protected information.    

Protected information must not be stored on mobile devices (laptops, tablet or smart phones) unless the device is centrally managed and encrypted.

7.1.3 Remote Working

If you access protected information from off campus, you must make sure you are using an approved connection method that ensures that the information cannot be intercepted between the device you are using and the source of the secure service.

You must also be careful to avoid working in public locations where your screen can be seen.

It will be your responsibility to ensure that any devices used to connect to the network from your home, or elsewhere, are appropriately secure and guarded by up-to-date anti-virus software.

Advice on working remotely is available on Information Services webpages.

7.1.4 Personal or Public Devices

It is recommended that staff use University-provided devices for University work.

Even if you are using approved connection methods, devices that are not fully managed by AU cannot be guaranteed to be free of malicious software that could, for example, gather keyboard input and screen displays. You should not therefore use such devices to access, transmit or store protected information.

7.1.5 Third-Party Services (including Cloud Services)

Anyone intending to sign up to third party IT services (free or charged) on behalf of the University, or to use for University related work, must obtain IS approval to ensure that they are legally compliant and compatible with existing systems.

There may be issues relating to inter-operability, IT support, jurisdiction, data management or other compliance considerations, such as the need for a Privacy Impact Assessment.

Do not store protected information in personal cloud services.

7.2 Copyright Information

Almost all published works are protected by copyright. If you are going to use material (images, text, music, software), the onus is on you to ensure that you use it within copyright law. This is a complex area, and training and guidance are available on our webpages. The key point to remember is that the fact that you can see something on the web, download it or otherwise access it does not mean that you can do what you want with it.

7.3 Others’ Information

You must not attempt to access, delete, modify or disclose restricted information belonging to other people without their permission, unless it is obvious that they intend others to do this, or you have approval from the appropriate senior University manager, the Director of Information Services or the Data Protection Officer.

Where information has been produced in the course of employment by AU and the person who created or manages it is unavailable, the responsible Faculty Manager or Head of Department may give permission for it to be retrieved for work purposes following documented agreement from the Director of Information Services, the Data Protection Officer or their nominee. In doing so, care must be taken not to retrieve any private information in the account, nor to compromise the security of the account concerned.

Private information may only be accessed by someone other than the owner under very specific circumstances governed by institutional and/or legal processes and approval of the Vice Chancellor.

7.4 Inappropriate Material

You must not create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening, discriminatory, or which promotes hatred, hostility or extremism. The University reserves the right to block or monitor access to such material.

AU has a statutory duty, under the Counter Terrorism and Security Act 2015, termed “PREVENT”. The purpose of this duty is to aid the process of preventing people being drawn into terrorism.

AU has procedures to approve and manage valid activities involving such material for valid research purposes, where legal, with the appropriate ethical approval. For more information, please refer to https://www.aber.ac.uk/en/rbi/support-services/ethics

It should be noted that, in providing access to the internet, the University does not approve or condone any content of third-party websites which users choose to access. Users should be mindful of their personal responsibility and aware that certain sites which may be accessed via AU’s network may contain material which is illegal, or which relates to proscribed or banned organisations as determined by the government from time to time.

It should be noted that there is an exemption covering authorised IT staff involved in the preservation of evidence for the purposes of investigating breaches of the regulations or the law.

7.5 Publishing Information

Publishing means the act of making information available to the general public, this includes through web sites, social networks and news feeds. Whilst AU generally encourages publication, there are some general guidelines you should adhere to:

7.5.1 Representing the University

You must not make statements that purport to represent Aberystwyth University without the approval of the appropriate member of the University Executive Group.

7.5.2 Publishing for Others

You must not publish information on behalf of third parties using the University’s IT facilities without the approval of the Director of Information Services.

Users must also refrain from using Aberystwyth University’s IT facilities for publishing material that would bring the University into disrepute.

8 Behaviour

The way you behave when using IT should be no different to how you would behave under other circumstances. Abusive, inconsiderate or discriminatory behaviour is unacceptable.

8.1 Conduct online and on social media

AU’s policies concerning staff and student behaviour also apply to the use of all social media.

These include human resources policies, codes of conduct, acceptable use of IT and disciplinary procedures.

8.2 Spam

You must not send unsolicited bulk emails or chain emails other than in specific circumstances. For further details see the AU e-mail Policy

8.3 Denying Others Access

If you are using shared IT facilities for personal or social purposes, you should vacate them if they are needed by others with work to do. Similarly, do not occupy specialist facilities unnecessarily if someone else needs them.

8.4 Working safely

When using shared spaces, remember that others have a right work without undue disturbance. Keep noise to a minimum (turn ‘phones to silent if you are in a silent study area), do not obstruct passageways with cabling or equipment and be sensitive to what others around you might find offensive.

8.5 Excessive Consumption of Bandwidth / Resources

Use resources wisely and considerately. Do not consume excessive bandwidth by uploading or downloading more material (particularly video) than is necessary. Do not waste paper by printing more than is needed, or by printing single sided when double sided would do. Do not waste electricity by leaving equipment needlessly switched on.

9 Monitoring

9.1 Institutional Monitoring

AU monitors and logs the use of its IT facilities for the purposes of:

• Monitoring the effective functioning and operation of the facilities;
• Detecting, investigating or preventing misuse of the facilities or breaches of the University’s regulations;
• Investigating more serious allegations of misconduct;

In instances where staff are absent for periods of time, there may also be a need to access personal accounts where communications which are of importance to the business continuity of the University may be held. This will be undertaken sensitively and all actions approved and recorded appropriately (see 7.3 above).

AU will comply with lawful requests for information from law enforcement and government agencies for the purposes of detecting, investigating or preventing crime, and ensuring national security.

9.2 Unauthorised Monitoring

You must not attempt to monitor the use of the IT without the explicit permission of the Director of Information Services.

This would include:

• Monitoring of network traffic;
• Network and/or device discovery;
• WiFi traffic capture;
• Installation of key-logging or screen-grabbing software that may affect users other than yourself;
• Attempting to access system logs or servers or network equipment.

Where IT is itself the subject of study or research, special arrangements must be made, and you should contact your module leader / research supervisor for more information.

10 Infringement

10.1 Internal Disciplinary Process and Sanctions

Breaches of these regulations will be handled by the University’s disciplinary processes for staff or students as appropriate.

• Staff: - https://www.aber.ac.uk/en/hr/policy-and-procedure/
• Students: - https://www.aber.ac.uk/en/regulations/student-rules-regs/

This could have a bearing on your future studies or employment with the University and beyond.

Instances of repeated negligence relating to the IT Regulations will be recorded by Information Services and escalated where appropriate.

Sanctions may be imposed if the disciplinary process finds that you have breached the regulations, for example: imposition of restrictions on your use of IT facilities; removal of services; withdrawal of offending material; fines and recovery of any costs incurred by AU as a result of the breach.

10.2 Reporting to Other Authorities

If the University believes that unlawful activity has taken place, it will refer the matter to the police or other enforcement agency.

10.3 Reporting to Other Organisations

If the University believes that a breach of another organisation’s regulations has taken place, it may report the matter to that organisation.

10.4 Report Infringements

If you become aware of an infringement of these regulations, you must report the matter to Information Services.

There is a form https://aber.ac.uk/en/is/feedback/isfeedback/ available to report any infringements of these Regulations. This also allows anonymous reporting if you do not want to provide your name.

These Regulations are maintained by Jonathan Davies, were last reviewed in August 2023 and are due for review in August 2025