• Section 1 - Purpose and Context
• Application and Compliance
• Section 2 - Definitions
• Section 3 - Policy Statement
• Section 4 - Procedures
• Policy Breaches and Penalties
• Access to and Use of IT Resources
• Termination of Access
• Authorised Users' Responsibilities
• BYOD — Bring Your Own Device
• Security of Data and Systems
• Monitoring
• Section 5 - Guidelines
• Reference Information
• Section 6 - Terms and Acronyms

Section 1 - Purpose and Context

(1) Western Sydney University (University) provides Information Technology (IT) Resources to enable and support University activities. The University must protect its IT Resources and meet legal obligations in regards to IT, and the University will take steps to prevent and disallow inappropriate use of IT Resources.

(2) This policy outlines what the University considers to be acceptable and appropriate use of these Resources. The policy also sets out the responsibilities of all Authorised Users to access the University's IT Resources, and describes penalties for policy breaches.

Application and Compliance

(3) This policy applies to all current students, staff, contractors, consultants, and visitors who have access to any University IT Resource.

Section 2 - Definitions

(4) Words and terms used in this policy are defined in Section 6 - Terms and Acronyms.

Section 3 - Policy Statement

(5) The University grants access to its IT Resources to all Authorised Users, for the purpose of pursuing and advancing its business and educational goals.

(6) The University requires that all Authorised Users are aware of what conduct is expected of them in making use of University IT Resources, and provides information and guidance (including this policy) to aid Users in determining its expectations [Ref. ISO 27002 section 5.1].

(7) University IT Resources are and remain the property of the University. This includes named email accounts that are provided to Authorised Users for use with their study or work.

(8) The University is committed to allowing its Authorised Users to make incidental personal use of its IT Resources, provided such use is legal, and does not breach University policies.

(9) If an Authorised User breaches the terms of this policy, their access may be restricted or revoked. Any breaches of this policy will be reported to the relevant University or regulatory authority or the police to take appropriate action, depending on the nature and seriousness of the breach.

Section 4 - Procedures

Policy Breaches and Penalties

(10) All Authorised Users should report breaches of this policy to the CIDO (or nominee), immediately. Breach reports will be treated confidentially. Any investigations of alleged breaches will be conducted as defined in the Workplace Surveillance Policy.

(11) The CIDO (or nominee) may temporarily deny or restrict access to IT Resources, including email, in order to:

1. prevent policy or legal breaches,
2. launch an Investigation of any potential breaches (as defined in the Workplace Surveillance Policy), or
3. mitigate threats or risks to the University or its IT Resources.

(12) If an Authorised User breaches this policy, intentionally or inadvertently, the CIDO (or nominee) will decide what actions should be taken, including:

1. the User will lose access to all IT Resources (for a period of time or completely, depending on the nature of the breach);
2. the User's activities are treated as a breach of policy and referred for action under the Student Misconduct Rule, the Code of Conduct or the disciplinary processes of the relevant staff agreement; and/or
3. the User's activities should be referred to the relevant external authority (e.g. the State or Federal Police, or the ICAC) for investigation of illegal or unlawful activities.

Access to and Use of IT Resources

(13) Only Authorised Users may access or use IT Resources for purposes related to their relationship with the University.

(14) The University participates in Eduroam. Users of Eduroam must abide by the policies of their home and visited organisations. Other organisations' access policies may be more restrictive than Western Sydney University's policies.

(15) Accessing University IT Resources (internally or remotely) as an affiliate or associate requires an application approved by the manager from the university business unit, school, or research centre who is sponsoring the affiliate.

(16) When Authorised Users leave the University, their User accounts — including documents, email and internet access (and records of access) — are archived and retired. Before leaving the University, users are responsible for tidying their own documents and mailboxes, ensuring their managers or teams have the necessary information to safeguard business operations, making copies of any personal information that they will require, and contacting any internal or external correspondents to make them aware that the University email address will be retired (see the Staff Separation Checklist for more details). While copies of personal data are acceptable, University business remains university property; no departing Authorised User is permitted to take any University Digital Information. See the Intellectual Property Policy for more information.

Termination of Access

(17) Staff access will be terminated after their employment is ended. Student email accounts are archived and retired after they have graduated. Affiliate or Associate access will be terminated at the end of the approval period or contract/term of the appointment.

(18) After access is terminated, the University will only consider requests for creating a data extract for email or consolidated document retrieval if the request relates to:

1. a legal or investigative matter, as determined by the Office of General Counsel, a valid external authority (such as the State or Federal Police, or the ICAC, or an authorised investigator) or
2. a compelling, legitimate business reason supplied by the requester, approved by the CIDO (or nominee).

Authorised Users' Responsibilities

(19) All Authorised Users are responsible for:

1. complying with this and all other University policies;
2. choosing a strong password for their user account and change it periodically (as defined in the Digital Information Security Policy);
3. ensuring that all relevant University policies are followed when using personal devices with University IT Resources and network infrastructure. Refer to Clause 21 for additional information.
4. not providing their password to anyone, including other Users, supervisors, managers, or ITDS support staff;
5. not asking other Users for their password(s);
6. not accessing or attempting to access programs or data stored under another person's Credentials, without permission from that Authorised User and the CIDO (or nominee).
7. keeping their Credentials secure; not displaying an Authorised User account password where others can see it or easily find it. Account Credentials are effectively an Authorised User's digital identity. Email or documents sent under an Authorised User's account credentials will be traced back to them. [Ref. ISO 27002 9.2.4]
8. not attempting to undermine the confidentiality, integrity, or availability of University IT Resources without Appropriate approval (such as study or job requirements). Actions that fall under this definition include: [Ref. ISO 27002 section 9]
   1. preventing or attempting to prevent access to IT Resources;
   2. intentionally or negligently degrading performance;
   3. examining, copying, renaming, changing, or deleting programs, files, data, messages, or information belonging to the University or any other Authorised User;
   4. modifying, uninstalling or disabling any software or hardware;
   5. altering any restrictions associated with any University computer system, computer account, network system, personal computer software protection or other of the University's IT Resources;
   6. running network wide security assessment tools without permission from the area supervisor and ITDS;
   7. utilising cloud storage solutions for University digital information that have not been approved by ITDS; and
   8. removing any University IT Resources from University premises without authorisation.
9. ensuring that Clause 19(h) is complied with unless the Authorised User has requested and received an exemption, documenting where the intended use is in support of university business, learning, teaching or research.
10. not attempting to access any IT Resources remotely, except through channels provided, authorised, and supported by Information Technology and Digital Services. See the Digital Information Security Policy for more information.
11. not using University IT Resources for private commercial enterprises or personal gain. This includes, but is not limited to, gambling, trading, and/or soliciting.
12. not using University IT Resources to excess for personal reasons (e.g., playing games on library or lab computers).

(20) Authorised Users must not access or use University IT Resources in ways that:

1. are likely to disrupt the authorised use of IT resources by other Authorised Users;
2. could disrupt the University's business and operations;
3. contravene University rules, policies, procedures and/or guidelines;
4. are unlawful or illegal;
5. may diminish the University's image and reputation;
6. use, disclose or expose personal information about staff and/or students without approval;
7. may threaten, bully, harass, vilify, unlawfully discriminate, or perform any other action that University considers to be unacceptable or unlawful behaviour (see the University's Discrimination, Harassment, Vilification and Victimisation Prevention Policy and Bullying Prevention Policy for more information);
8. may be defamatory or libellous;
9. distribute or access material that the University considers unacceptable or offensive. This includes, but is not limited to, malicious, pornographic, gambling, or terrorist material. Authorised Users requiring access to unacceptable or offensive content for research or study should request a specific exemption for access to be permitted;
10. attempt to gain unauthorised access to other systems, data, or IT Resources, either internal or external to the University; or
11. promotes, instructs, or incites any of the above.

BYOD — Bring Your Own Device

(21) When using BYOD, Authorised Users must take all reasonable steps to: [Ref. ISO 27002 sections 9.3, 9.4]

1. prevent the theft or loss of University Digital Information;
2. keep information confidential where appropriate;
3. not hold any University digital information that is Confidential and Sensitive on a BYOD device;
4. delete any University business information from any personal devices immediately after it is no longer required. This includes information contained within emails;
5. ensure that relevant information is copied back onto University systems and manage any potential data integrity issues with existing information;
6. report the loss of any device containing University data (including stored or saved email) to the IT Service Desk;
7. advise the University if the device is lost or stolen. Be aware that if the University is advised that the device is lost or stolen, the University may wipe messages, by remote action, from the device. The University is not responsible if unrelated or personal information is lost in this process;
8. remove all data belonging to the University on any BYOD devices before leaving the University; and
9. be aware of any data protection issues and ensure Confidential and Sensitive University Digital Information is handled appropriately (see the Privacy Policy for more information).

Security of Data and Systems

(22) All Authorised Users are responsible for the security, privacy and confidentiality of University data held or transmitted under their Credentials. This includes the secure storage of data for which Users are responsible. Please refer to the Privacy Policy, Employee Personal Information and Records Guidelines and Disclosure and Use of Student Personal Information Guidelines documents. [Ref. ISO 27002 section 7.2]

(23) Authorised Users are responsible for security and appropriate use of all systems that are accessed under their Credentials, including BYOD devices. Authorised Users are expected to report any breach in digital security to the IT Service Desk. [Ref. ISO 27002 section 7.2.1]

(24) To protect University data and databases, direct access to data in databases using interactive tools (such as Toad or Excel ODBC links) is restricted. Authorised Users must only store data collected using these tools on University machines or approved services designated for the data's ongoing processing. Users are not permitted to store such extracted data on BYOD machines or any personal external device or media. [Ref. ISM Control 1083]

(25) ITDS uses spam and phishing detection software, URL blocking controls and other methods for minimising risk to IT Resources. See the Cyber Security Policy for more detail.

(26) When responding to requests for assistance with IT Resources from Authorised Users, Service Desk personnel can make use of software that allows them to control another computer on the University's network remotely. Staff may only attempt remote control access with the Authorised User's permission, and only in the performance of duties directly related to their work.

Monitoring

(27) Monitoring of computers, and activities performed on those computers, is performed as a part of routine IT practices by ITDS. See the Workplace Surveillance Policy for more details

(28) University IT Resources and data (including email) remains the property of the University. The University reviews and monitors its IT Resources (including email) to ensure proper functioning. The University reserves its right to recover or otherwise protect that data (including by deletion) at all times (Refer to the Email and Internet Policy for details).

(29) The University reserves its right to monitor messages and materials accessed, sent or received over its network to check that the security measures have not been undermined or that University IT Resources are not being abused. The University is committed to responding promptly to any potentially damaging publication by any action deemed necessary, including withdrawing its service from Users and removing any unacceptable materials. (Refer to the Email and Internet Policy for details about website blocking).

Section 5 - Guidelines

(30) The University recommends the following measures for best practice when using IT Resources:

1. Workstations should be locked or logged off when not in use.
2. Labels on any University IT Resources should not be removed, defaced, or modified.
3. Staff should undertake training in the use of IT Resources (such as email or Microsoft Office use) via Staff Online.
4. All Authorised Users are advised to be wary of using IT Resources in ways that cause a breach of copyright. See the Copyright Policy for more information.
5. Any University Records created, altered, received, or maintained with or on IT Resources are required to be archived with the University's Records and Archives Management Systems. See the Records and Archives Management Policy for more information.
6. University data (or data relevant to Authorised Users' role with the University) should be stored on approved University storage, such as the 'My Documents' folder on a Standard Operating Environment (SOE) computer (which is not the local hard drive).

(31) The University recommends the following measures for using BYOD equipment:

1. Devices should be screen locked when not in use.
2. Devices should have up-to-date antivirus protection.
3. Devices should have up-to-date operating systems.
4. All Authorised Users should enable and use appropriate security measures (such as a passphrase or PIN) on the device.
5. All Authorised Users should save and back up their work. The University accepts no responsibility for lost data on any BYOD equipment.

Reference Information

(32) This policy is to be read in conjunction with the following University documents:

1. Email and Internet Policy,
2. Cyber Security Policy,
3. Digital Information Security Policy,
4. Bullying Prevention Policy,
5. Intellectual Property Policy,
6. Discrimination, Harassment, Vilification and Victimisation Prevention Policy,
7. Student Misconduct Rule,
8. Code of Conduct,
9. Copyright Policy,
10. Records and Archive Management Policy,
11. Employee Personal Information and Records Guidelines,
12. Disclosure and Use of Student Personal Information Guidelines,
13. Privacy Policy, and
14. Workplace Surveillance Policy.

(33) This policy makes reference to the Australian Signals Directorate's Information Security Manual.

(34) This policy makes reference to Australian Standard AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.

Section 6 - Terms and Acronyms

(35) The following definitions apply for the purpose of this policy:

1. Affiliate Users include (but are not limited to):
   1. Board of Trustees' members and members of Board Executive Committee;
   2. Visiting fellows, and research associates;
   3. External (non-profit) community groups needing temporary access
   4. Third parties, vendors, and contractors engaged in the provisioning of service or services on behalf of the University; and
   5. Official affiliation/associations of Western Sydney University
2. Authorised User: a person who is an enrolled student, a current employee, or a formal supplier, affiliate or associate of the University who is granted access and provided with authentication Credentials by the University. Eduroam Users are also Authorised Users.
3. BYOD (bring your own device): the ability for staff or students to use non-University equipment (such as laptops, smart phones, tablets and similar devices) to connect to the University's network.
4. CIDO: Chief Information and Digital Officer
5. Confidential and Sensitive Material: any information or material that a person knows or ought reasonably to know is confidential or sensitive, including but not limited to:
   1. The Personal Information of staff or students
   2. Student, staff or research subject health information
   3. Unpublicised strategic, legal, financial, or research information
   4. Any data that could compromise any facet of the University, including reputation
6. Credentials: constituted by a username and password, and used to access University IT Resources.
7. Eduroam: An educational roaming internet service offered by multiple organisations worldwide, including Western Sydney University. This provides University staff and students access to internet through Eduroam when at another member's campus/facility.
8. Eduroam user: a person granted Eduroam access and credentials by an Eduroam organisation (such as Western Sydney University). Eduroam users are Authorised Users and granted access to the University's internet.
9. ICAC: the Independent Commission Against Corruption
10. Incidental personal use: the utilisation of IT Resources for personal reasons (e.g. checking or sending email that is not related to study or work; utilising the internet for personal reasons). Incidental, by the nature of the word, does not include extended or continuous use.
11. ITDS: Information Technology and Digital Services
12. IT Resources: systems, software, hardware, services, communications and network facilities (including email, internet, and Wi-Fi access), and supporting infrastructure provided by or on behalf of the University.
13. IT Service Desk: a team within ITDS, established to be the first point of call for staff and students, for all IT matters.
14. Monitoring: a form of Surveillance; the collection or storage of information, or the creation of records, in a routine and passive manner; the routine review of the information or the routinely collected records to ensure the integrity, security and service delivery of the University IT Resources. Monitoring does not involve actively investigating or keeping track of an individual or their activities. Monitoring is conducted as permitted by the Workplace Surveillance Policy.
15. Remote Desktop Software: an application, protocol, or other software solution that allows a computer or similar device to connect to the University's hardware or network without being on-site. This does not include the University's Wi-Fi network, which is only broadcast on-site.
16. University digital information: any data stored electronically, or used by, or on behalf of the University in the conduct of its teaching, research, or business. University information is the property of the University. See the Intellectual Property Policy for more information.
17. University email: the official email service the University provides to staff and students, including the content of emails, electronic attachments to emails and transactional information associated with such communications. University email is an IT Resource and is the property of the University. University emails are emails sent or received using a University email account.
18. University Records: are any records made or received, and kept, by any person in the course of the exercise of official functions in the University, or for any purpose of the University, or for the use of the University (State Records Act 1998 (NSW)), and include records in any format such as paper, electronic (email, spreadsheets, word processing documents, images, etc), audio or video cassettes, film, photographs, publications and microfilm/fiche. [Ref. Records and Archives Management Policy].