Acceptable Use Policy¶
Note
This document contains links to other policies which are not publically available. If access to these is required please submit a request to the SRCPS helpdesk.
Contents
Purpose¶
The following statements are here to explain and clarify authorization to use the SRCPS IT facilities, uses of the SRCPS IT facilities which are acceptable and, indeed, encouraged and those uses which are unacceptable.
It is important to note that they are neither exhaustive nor exclusive. The fact that a certain action is not mentioned does not imply that it is permitted, nor, for that matter, prohibited. Before doing such an action, the user needs to check with their SRCPS Service Desk and wait for confirmation.
Scope¶
These statements apply to all SRCPS staff and all end-users of the Secure Research Computing Platform.
Responsibilities¶
The ISMS Governance Group is responsible for this document: to maintain, review, authorise and/or communicate.
All Clients (e.g. Principal Investigators responsible for the allocation of users to access their tenancy) are responsible for communicating this policy to the users of the SRCP tenancies for which they have access, and for obtaining acknowledgement of their receipt, understanding and acceptance of this policy.
SRCPS manager is responsible for communicating this policy to all their staff and for obtaining acknowledgement of their receipt, understanding and acceptance of this policy.
The ISMS Manager is responsible for reviewing this policy at least yearly and putting any recommendations for change to the ISMS Governance Group and through the document change procedure.
Definitions¶
The terms and definitions used in this document can be found in Information Security Definitions1.
Policy Statements¶
Authorization¶
Authorisation to access the SRC Platform is given via the SRCPS User registration and deregistration policy or by being a relevant member of the SRCPS staff. As part of this process users must have read the SRCPS User Security Policy.
Acceptable Use¶
Users are obliged to report any incidents of possible misuse, or violation of this policy, to the SRCPS Service Desk as soon as they are able, so that any necessary steps can be taken to contain and rectify the result of the incident or misuse.
Users are obliged to report any discovered weaknesses in the platform or tenancy to the SRCPS Service Desk as soon as possible, so that any necessary steps can be taken to repair the weakness.
All users have an obligation to protect data and systems by following up-to-date recommendations to avoid damage from malware and other malicious programs.
Users to treat all data as confidential unless labelled as otherwise and should treat all data according to the SRCPS Information Classification: Classification Handling and Labelling2 and all should be aware of the SRCPS Information Security Policy [3].
Users to treat all personal data according to the General Data Protection Regulation 2018 and the UK Data Protection Act 2018.
Users to follow both the Clear Desk Policy and the Clear Screen Policy as defined here, below, or to follow overriding local policy (e.g. Clinical School Policy, SRCPS Unattended User Equipment Clear Desk and Clear Screen Policy [4] for SRCPS staff).
Clear Desk Policy: When the user is away from the desk, all confidential and/or personal data is to be removed from the desk and/or secured from view.
Clear Screen Policy: When working with Confidential and Personal Data, the user is to ensure that the screen is in a position that cannot be overlooked and the screen is locked when the user is away from the desk.
The same standards of confidentiality to be observed for electronically held or generated information as for information held on paper.
Users are to use the platform tenancy(ies) to which they have been allocated, only, and for the designated purpose for which that allocation has been made.
Users should ensure that any device used to connect to the SRCPS platform remotely is up to date regarding security patches and is running appropriate anti-malware software.
Misuse¶
Users may not attempt to access any data, documents, email correspondence, programs or SRCPS facilities, without the authorization to do so.
Users are not allowed to send any data with the classification of sensitive as defined in the SRCPS Information Classification: Classification Handling and Labelling2 via email or any other electronic messaging service.
Users may not share their account(s), password(s), personal identification numbers, security tokens, or similar information or devices used for identification and authorization purposes.
Users may not purposely engage in activity that may harass, threaten, abuse or bully others (as stated in the ‘Dignity at Work Policy’ http://www.admin.cam.ac.uk/offices/personnel/policy/bullying.html)
Users may not engage in activity that may degrade the performance of the SRCPS facilities; deprive an authorized user access to SRCPS resources; obtain extra resources beyond those allocated; or circumvent SRCPS security measures, unless specifically authorized by the SRCPS manager.
Users may not create, download, store, transmit or display material that promotes or incites racial or religious hatred, terrorist activities or hate crime; or any instructional information about any illegal activities.
Users may not access unlicensed copyrighted material. It is against the copyright, designs and patents act to access anything which is copyrighted, without permission from the copyright holder, unless otherwise stated by the copyright holder.
Users may not download, install or run security programs or utilities such as password cracking programs, packet sniffers or port scanners that reveal or exploit weaknesses in the security of SRCPS resources unless approved to do so.
Users may not install any software on the platform unless they have received authorisation to do so by the SRCPS Manager.
SRCPS facilities may not be used for unauthorized personal benefit, unauthorized political activity, unsolicited advertising, unauthorized fund raising, or for the solicitation of performance of any activity that is prohibited by UK or English Law.
SRCPS facilities may not be used for any activity that may reasonably be regarded as unlawful or potentially so. This includes, but is not limited to, any of the following activities:
Creation or transmission, or causing the transmission, of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material.
Creation or transmission of material with the intent to cause annoyance, inconvenience or needless anxiety.
Creation or transmission of material with the intent to defraud.
Creation or transmission of defamatory material.
Creation or transmission of material such that this infringes the copyright of another person.
Creation or transmission of unsolicited bulk or marketing material to users of networked facilities or services.
Deliberate unauthorised access to networked facilities or services.
Deliberate or reckless activities having, with reasonable likelihood, any of the following characteristics:
wasting SRCPS resources;
corrupting or destroying other users’ data;
violating the privacy of other users;
disrupting the work of other users;
denying service to other users;
continuing to use an item of software or hardware after SRCPS has requested that use cease because it is causing disruption to the network;
other misuse of SRCPS facilities, such as the introduction of “viruses” or other malware
Additional Policies and Guidance¶
All users to abide by any other relevant laws, policies and procedures. SRCPS staff should also abide by relevant SRCPS policies and procedures as defined in the ISMS and should make themselves aware of the SRCPS Legal Register for all relevant information security laws. Additional laws and guidance for research users may be available from their tenancy client or their ethics committee.
Sanctions¶
Breaches of this policy may result in action in accordance with the SRCPS Human Resource Policy [5].
Exceptions¶
There are no exceptions to this policy.
Review Plan¶
This document is expected to be reviewed on a yearly basis or after an event such that it requires change. This could be the change to another related document or a related requirement.
References¶
Ref. No. |
Document Title |
Reference |
Location |
1 |
Information Security Definitions |
ID010 |
Available on Request |
2 |
SRCPS Information Classification: Classification Handling and Labelling. |
ID030 |
Available on Request |
3 |
SRCPS Information Security Policy |
ID008 |
Available on Request |
4 |
SRCPS Unattended User Equipment, Clear Desk and Clear Screen Policy |
ID045 |
Available on Request |
5 |
SRCPS Human Resource Policy |
ID057 |
Available on Request |
Document Controls¶
Title |
ID024a Acceptable Use Policy |
Version |
2.0 |
Originator |
ISMS Manager |
Controls |
A.8.1.3 |
Protective Marking |
Public |
Last Update |
26th May 2023 |
Next Review Date |
25th May 2024 |