Policy on Consequences for IT Offences
Acting against the rules and regulations concerning university information systems, or using the information systems in violation of Finnish law, is treated as an IT offence.
This document outlines the actions taken against a person when an IT offence has been discovered or there is reason to believe that an offence has occurred. The actions fall into two groups: restrictions of user permissions on the one hand, and the consequences that may be imposed for the offence on the other.
The document concentrates primarily on degree seeking students and staff at the university.
User accounts at university systems may also have been given to
- members of interest groups
- students in continuing studies and at the university
Because these groups are heterogeneous, decisions concerning them require more case-by-case consideration.
All IT offences and actions taken because of them must be reported to the Chief Information Security Officer.
1. Restricting user permissions pending investigation
User permissions can be restricted for the duration of the investigation either by disabling all or some of a person's user accounts, or by otherwise preventing the use of an information system (e.g. by removing the modify permission):
- a student's user accounts are as a rule disabled, and the student is called to a discussion with the Chief Information Security Officer or the person in charge of the system
- a staff member's user permissions are restricted as needed. In a network violation incident, restricting user permissions may also involve disconnecting the user's workstation from the network.
User permissions must be restricted whenever there are reasonable grounds to believe that the user has misused university IT resources and it is possible that the user's actions would impede the investigation or the containment of damage.
The decision to restrict user permissions is made by the owner of the information system in question, the head of the unit, or someone else appointed to the task. The restrictions are carried out by the administrator. In an urgent situation, the administrator may independently restrict user permissions for a maximum of three days, and must immediately report this to the person in charge of restrictions.
2. Consequences of IT offences
In minor offences, the user is admonished for improper action.
The person committing an IT offence is liable for the costs incurred from the use of resources (e.g. computer time) as well as for the costs of the investigation.
A student may be subject to the following consequences: restriction of user permissions (disabling of user accounts) (General Policy on the Use of Information Systems), the university's internal administrative actions (a written warning, a temporary dismissal) (Polytechnics Act 14.11.2014/932), and reporting a crime (for actions punishable by law).
The decision to disable a user account is made by the university's President or someone else appointed by the President. The restriction period does not include the time during which the account was disabled pending investigation.
The decision to give a written warning is made by the university's President. The decision on a temporary dismissal is made by the Board of Management.
A staff member may be subject to the following consequences: the actions available to the university under labour law (a written warning, dismissal, termination of the contract of employment) (Employment Contracts Act, Chapter 7, Section 2 and Chapter 8, Section 1) and reporting a crime (for actions punishable by law). A warning is given by the head of the unit or the director of administration. Access to specific information systems can be disabled temporarily or permanently on the grounds of a loss of trust resulting from misuse. When determining the consequences, the intent and the seriousness of the offence are taken into account.
3. Examples of offences
Distributing material subject to criminal law such as:
- cruel violence, racist material and incitement to crime.
Unlawful distribution of material subject to copyright law such as:
- music, videos, cartoons, games and software.
Giving one's login credentials to someone else, such as:
- giving one's password to another user, or leaving a session open so that someone else can use the credentials unsupervised.
Risking data integrity or confidentiality, such as:
- handing over information classified as non-public to a person who is not authorized to have it, e.g. handing over server user data
- neglecting the information security of information classified as non-public, e.g. insufficient protection of an information system
- breach of confidentiality
- violating the Data Protection Act
- neglecting personal information security, e.g. leaving one's password in the open