ICT regulations

1. Objective

The University of South-Eastern Norway’s ICT regulations are intended to ensure that use of USN’s ICT resources complies with Norwegian legislation and the activities of USN. These ICT regulations are intended to promote data and operational security, and thus support students and employees in their work.

2. Scope

These ICT regulations apply to all students, employees and other users who are granted access to USN’s ICT resources.

They apply to all use of USN’s ICT resources. ICT resources are defined as all physical components (computer networks consisting of wiring and network electronics, as well as general or special computers), software acquired or used by USN and cloud services that are incorporated in USN’s IT services. This also includes private equipment that is connected to USN’s ICT resources, as well as software licensed by USN that is installed on private equipment.

3. Users' rights

USN shall protect users’ privacy in line with the Norwegian Personal Data Act and ensure that the personal information and data of users are not misused. USN shall not disclose information about individual users or data belonging to users unless such is expressly called for by Norwegian regulations.

4. Use of USN’s ICT resources

These ICT regulations shall be read and accepted before any work is carried out or any user accounts are used. The execution of work or use of any accounts is contingent on acceptance of the guidelines.

4.1 User IDs and passwords

  • Any passwords used for logging on to USN's IT services are personal and secret. Passwords and user IDs shall not be disclosed or lent to anyone else.
  • If you suspect that your password has been compromised, you should change it and inform IT Support as soon as possible. Passwords can be changed on konto.usn.no.
  • In order to prevent access by any unauthorised persons, screen lock shall be activated when users leave the workplace. When handing over a machine to someone else, the user shall log out of his/her own user ID.

4.2 Use of equipment

  • USN’s PCs are normally configured by the IT Department. The basic set-up must not be changed by users.
  • Employees must ensure that they save documents on USN’s IT storage services in order to ensure that data is backed up. USN’s IT storage services are all drives (such as M: and V: drives) that are automatically loaded when you log on.
  • Laptops (work PCs) that are used as clients on USN’s network may be used for work when travelling or at home. Work PCs should only be used for work-related tasks.
  • Employees must update operating systems, applications and anti-virus software when such are automatically made available by the IT Department.
  • Employees must never leave laptops or other portable equipment unattended.
  • If you need to recover data that has been deleted, please contact IT Support. Only data saved to USN’s IT services (e.g. M: and V: drives) can be restored.
  • Data which has been deleted from cloud services, such as Office365, cannot be recovered by the IT Department. Please refer to the individual cloud service agreement for information about backing up and recovering deleted files.

4.3 The Internet

  • Be careful using online information and offers, opening web pages, attachments and links in email and instant messaging, etc.
  • Downloading material in violation of the law and other rights, etc. is not permitted. File-sharing services are not permitted due to the security risks involved.
  • Resource-heavy services, such as digital radio and TV/video streaming, web servers and game servers, etc., should be limited to ensure they do not adversely affect work-related traffic in the network.
  • Attempts to bypass security mechanisms, e.g. by concealing unauthorised services in other services, are not permitted.

5. The USN’s logging entitlement

USN logs information which is needed in order to secure information and operation of USN’s ICT resources. Such logs are used for system monitoring at aggregate level.

If any security breaches or illegal activities are detected by logging, the users shall be informed that such will be checked in order to identify the user responsible, and that all such activities shall cease immediately. If the activities in question do not stop, USN will identify whoever is responsible without the consent of the users. Illegal activities will be reported.

6. Access

The USN has limited rights of access to e-mail or personal storage areas, cf. Chapter 9 of the Norwegian Personal Data Regulations. Users shall collate personal e-mail and data in separate folders called “Personal” in order to further protect such data from access.

The USN shall only be entitled to search, open or read users’ e-mails

  • when such is necessary in order to protect daily operations or other justified college interests
  • when justified suspicions exist about security breaches or the illegal use of e-mails or personal storage

Whenever possible, users shall be notified of any reasons for such in writing and they shall have the opportunity to explain themselves before USN gains access to such. When providing such notification, the HSN shall justify why it believes the conditions for gaining access apply. The user in question shall be entitled to be present during such access and to be able to receive the help of an employees’ or other representative.

If access is gained without providing prior notice, the user concerned shall be provided with a written report as soon as such access has occurred. In addition to providing information about why USN believes that the conditions for gaining access apply, such reports shall contain information about the method of access employed, which e-mails or other documents were checked and the results of the inspection, cf. Section 2-16 of the Norwegian Personal Data Act.

Access must be carried out in such a way as to ensure, as far as possible, that the data is not altered and that the information obtained can be inspected.

Applications for access shall be submitted by the senior manager of a unit (institute, faculty or department in the Central Administration of Department). Decisions relating to access shall be adopted by the Rector.

USN may allow the public authorities to access information, logs and backups when such is legally permissible and in response to a court decision.

7. Hacking

It is forbidden to search for and acquire other people's passwords or other security devices, or to attempt to gain unauthorised access to other people's data. This applies irrespective of whether or not the data in question is protected.

Unauthorised access or attempting to break into other people’s machines, sites or systems via USN’s network is prohibited. Users are not permitted to listen to online data traffic.

8. Reporting and non-conformance

Any errors or suspected breaches, viruses/worms/Trojan horses or incidents that could have an impact on security, or any errors in the information system (both hardware and software) on USN’s equipment shall be reported to IT Support as soon as possible.

Only the Rector, or his/her authorised representative, shall have the authority to comment to the press or media in connection with matters relating to IT security, security breaches or major incidents.

Any non-conformance with USN’s ICT regulations/these instructions shall be handled in accordance with the procedures for non-conformance and shall be reported to the person responsible for information security without delay. Notification can also be provided via IT Support, who will inform the person responsible for information security about such non-conformance.

If students or employees have project-specific needs that differ from these instructions, they shall submit such requests to IT Support via their departmental manager.

9. Sanctions

Breaches of the provisions contained in the ICT regulations could result in the user concerned being denied access to all or part of USN’s ICT resources. Furthermore, sanctions may be imposed in line with other rules, such as disciplinary reactions pursuant to the Norwegian Act relating to Civil Servants, etc. (the Civil Servants Act), liability in damages and criminal liability, etc.

Temporary exclusion is decided by a senior manager at the unit in question following consultation with the system owner. The Personnel and Organisation Department shall be notified if exclusion applies to an employee.

Temporary exclusion may be initiated when there is justified suspicion that:

  • the user is guilty of serious infringements, or
  • the user or the user’s ICT equipment constitutes a major threat to information security

When assessing the situation, emphasis shall be placed on the seriousness of the infringement, whether or not the user has previously violated the regulations and the consequences of exclusion for the user and the situation in general.

Appeals against decisions adopted pursuant to the Norwegian Civil Servants Act and the Norwegian Public Administration Act shall be in accordance with the rules relating to appeals contained in these pieces of legislation.

10. Termination of student and employee contracts

When disposing of memory sticks, equipment containing hard disks and other storage materials, employees must hand over such equipment to IT Support for secure disposal.