General Policy on the Use of Information Systems
1. Purpose of this Policy
The University of Applied Sciences must ensure the confidentiality, integrity and usability of the data of all its different user groups, and provide a reliable and secure environment for data processing. These and other policies are written to help the different user groups know the rights, responsibilities and obligations that are tied to their user rights. Even unintentional neglect of the responsibilities linked to user rights can endanger the integrity, confidentiality and usability of data belonging to other users.
These policies apply to all information systems governed by the University or otherwise falling under University jurisdiction, and to their usage. For users, they also apply to other services for which the possibility or right of use has been obtained through the University. The rules also apply to the workstations intended for public use within the University, and to all computers connected to the University network.
All computer users within the University shall follow, in addition to these policies, the other rules and advice for information systems given by the University, good manners and Finnish legislation. Usage against this policy or other policies or rules concerning information system usage will be dealt with according to the policy of consequences for IT offences.
These policies will be updated when necessary or when the common policy package for universities is updated. The need for updates is monitored by the Chief Information Officer or by the person designated for this task, for example the Chief Information Security Officer.
The valid version of the policy can be found on the portal that is used as the organizational information system.
2. Principles of Usage
The major principles governing all use and interpretation of usage policies are:
- Everyone entitled to use the systems has the opportunity for reasonable and relevant use.
- Other users or organizations and information systems within the network may not be harmed or damaged.
- The right to privacy shall be respected.
- The user account provided by the University is personal.
- The user is liable for all use of his or her account.
The University information systems are meant as tools for tasks related to studying, research, teaching and administration within Helsinki Metropolia University of Applied Sciences. Other use requires separate agreements.
Private use is allowed to a small extent as long as it does not interfere with other use of the system, does not entail technical changes at the University and does not conflict with the policies applied to the specific system or with regular usage policies. Private material shall be kept separate from work-related material to guarantee the protection of privacy.
Commercial use for other than University purposes is allowed only with specific permission granted by the Chief Information Officer.
All users shall participate in taking care of general information security matters. Even if a single user has nothing special to secure, other users may. All users share a personal responsibility for the overall security of the information system. Observed or suspected insufficient information security and misuse shall be reported to the Chief Information Officer or to the person designated for this task, for example the Chief Information Security Officer.
The University of Applied Sciences strives to protect all users from malware, spam and attempted attacks on systems and individual workstations. Users shall do their own part in this in accordance with the given instructions.
Users are responsible for the protection of their own files, and ultimately for making back-ups. The University makes back-ups of centrally stored files, but will not be liable for damages caused by the possible destruction of files.
Users are obliged to maintain secrecy concerning the informational contents of the systems, their methods of use, security level and properties when this is required by the nature of use of the information systems, the instructions of use or legislation.
It is forbidden to connect computers or other equipment to the University's physical network without permission from the network administrator. When connecting equipment, the given guidelines must be followed. Personal computers should be connected to the wireless LAN.
3. User Rights and User Accounts
Users will be granted rights to use specified information systems. Rights are based on the user's position within the University, or they can be granted for a particular purpose to a person not affiliated with the University of Applied Sciences.
The precondition for activating user rights is that the user commits to this policy and to the other instructions, rules and regulations of use. The user must become acquainted with the instructions and policies of the system beforehand.
User rights may not be transferred. If there is reason to suspect that a password or other identifier has come into another person's possession, the password shall be changed or the use of the identifier shall be prevented immediately. Passwords shall be changed at regular intervals and must be difficult to guess or break.
4. Validity of User Rights
User rights are terminated automatically:
- when the user is no longer affiliated with the University of Applied Sciences,
- when user rights granted for a fixed period have expired or
- when the user's position changes in such a way that there are no longer grounds for user rights to the specific information system.
Before this, the user shall personally take care of the proper transfer or removal of the information pertaining to his or her user account. The user's files and mailbox shall be locked two weeks after the expiration of the user rights and removed four months after the expiration.
5. Maintenance of Information Systems
Each of the University of Applied Sciences' information systems has a named administrator (owner), who is responsible for the purpose of the system, its functions, contents and usage. The owner of the information system compiles the usage instructions and sees to it that the services and usage of the information system are in accordance with these policies. The Information Management Unit is in charge of the maintenance of the University of Applied Sciences' common information systems. Information systems governed by the University of Applied Sciences' units are the responsibility of the head of the unit or a person named by the head in writing.
A separate Policy of Information System Maintenance governs in more detail the maintenance of information systems, and the responsibilities and rights of an administrator to control the operation and usage of an information system and to take care of information security.
Operation and usage of information systems are logged for the following purposes:
- for service production and development and for taking care of its information security
- for privacy protection of information contained in the systems
- to detect and repair possible problems and technical defects
- to detect, prevent and investigate any misuse of the service, and to bring it to preliminary investigation.