Standards and Guidelines for all users of University Computing and Network Facilities

Version 1.0

Conditions of Use of Computing and Networking Facilities.
Code of Practice in the Use of Computing & Network Facilities.
Appropriate Use of Electronic Mail.
Guidelines on Passwords.
Student Laboratory & Network Code of Practice.
Internet Conditions, Standards, and Guidelines.
OECD Information Privacy Principles.

1. Conditions of Use of Computing and Networking Facilities.

It is the policy of the University that its computing and networking facilities are intended for use for teaching, learning, research and administration in support of the University's mission. Although recognizing the increasing importance of these facilities to the activities of staff and students, the University reserves the right to limit, restrict, or extend access to them.
All persons using the computing and networking facilities shall be responsible for the appropriate use of the facilities provided as specified by the "Codes of Practice" of this policy, and shall observe conditions and times of usage as published by the Administrator of the system.
It is the policy of the University that its computing and associated network facilities are not to be used for commercial purposes or non-University-related activities without written authorization from the University. In any dispute as to whether work carried out on the computing and networking facilities is internal work, the decision of the Vice-Chancellor or his delegate shall be final.
The user will not record or process information which knowingly infringes any patent or breach any copyright.
The University will endeavour to protect the confidentiality of information and material furnished by the user and will instruct all computing personnel to protect the confidentiality of such information and material, but the University shall be under no liability in the event of any improper disclosure.
The University will endeavour to safeguard the possibility of loss of information within the University's computing and networking facilities but will not be liable to the user in the event of any such loss. The user must take all reasonable measures to further safeguard against any loss of information within the University's computing and networking facilities.
If a loss of information within the system can be shown to be due to negligence on the part of the computing or network personnel employed by the university, or to any hardware or software failure which is beyond the user's means to avoid or control, then the Information Technology Services will endeavour to help restore the information and will not charge the user for computer time spent in such restoration.
The use of the computing and networking facilities is permitted by the University on the condition that it will not involve the infringement of any patent or the breach of any copyright and the user agrees to indemnify and keep indemnified the University and each member and every member of its staff against all actions, claims, and demands for infringement of patent and or breach of copyright which may be brought or made against the University or any member of its staff arising out of or in connection with the use of the computing and networking facilities.
Users of the computing and networking facilities recognize that when they cease to be formally associated with the University (e.g. no longer an employee, enrolled student or visitor to the University), their information may be removed from University computing and networking facilities without notice. Users must remove their information or make arrangements for its retention prior to leaving the University.
The University reserves the right to limit permanently or restrict any user's usage of the computing and networking facilities; to copy, remove, or otherwise alter any information or system that may undermine the authorized use of the computing and networking facilities; and to do so with or without notice to the user in order to protect the integrity of the computing and networking facilities against unauthorized or improper use, and to protect authorized users from the effects of unauthorized or improper usage.
The University, through authorized individuals, reserves the right to periodically check and monitor the computing and networking facilities, and reserves any other rights necessary to protect them.
The University disclaims responsibility and will not be responsible for loss or disclosure of user information or interference with user information resulting from its efforts to maintain the privacy, security and integrity of the computing and networking facilities and information.
The University reserves the right to take emergency action to safeguard the integrity and security of the computing and networking facilities. This includes but is not limited to the termination of a program, job, or on-line session, or the temporary alteration of user account names and passwords. The taking of emergency action does not waive the rights of the University to take additional actions under this policy.
Users of the computing and networking facilities do so subject to applicable laws and University policies. Murdoch University disclaims any responsibility and/or warranties for information and materials residing on non-university computer systems or available over publicly accessible networks, except where such responsibility is formally expressed. Such materials do not necessarily reflect the attitudes, opinions, or values of Murdoch University, its staff, or students.
The Director of the IT Services Unit may suspend any person from using the computing and networking facilities for a period not exceeding 28 days (and may recommend additional penalties to the Vice-Chancellor) if after appropriate investigation that person is found to be:-

responsible for willful physical damage to any of the computing and networking facilities;
in possession of confidential information obtained improperly;
responsible for willful destruction of information;
responsible for deliberate interruption of normal services provided by the Computing Centre;
responsible for the infringement of any patent or the breach of any copyright;
gaining or attempting to gain unauthorized access to accounts and passwords;
gaining or attempting to gain access to restricted areas without the permission of the Director;
responsible for inappropriate use of the facilities.

External work or use of the computing and networking facilities shall not be undertaken which would prevent University users from having their usual access to the facilities.
External users of the University's computing and networking facilities must adhere to the AVCC's policy on access to the Internet which prohibits direct connectivity to the Internet to individuals and organizations outside of the University.

2. Code of Practice in the Use of Computing & Network Facilities.

1. Introduction

Standards for the use of the University's computing and networking facilities derive directly from standards of common sense and common decency that apply to the use of any shared resource. The University community depends on a spirit of mutual respect and cooperation to resolve differences and resolve problems that arise from time to time. This code of practice is published in that spirit. Its purpose is to specify user responsibilities and to promote the appropriate use of IT for the protection of all members of the University community.

2. Appropriate and Reasonable Use.

Appropriate and responsible use of the Murdoch computing and networking facilities is defined as use that is consistent with the teaching, learning, research and administrative objectives of the University and with the specific objectives of the project or task for which such use was authorized. All uses inconsistent with these objectives are considered to be inappropriate use.

3. Responsibilities.

Users of the Murdoch computing and networking facilities accept the following specific responsibilities:

Security:
- To safeguard their data, personal information, passwords and authorization codes, and confidential data;
- To take full advantage of file security mechanisms built into the computing systems;
- To choose their passwords wisely and to change them periodically;
- To follow the security policies and procedures established to control access to and use of administrative data.
Confidentiality:

To respect the privacy of other users; for example, not to intentionally seek information on, obtain copies of, or modify files, tapes, or passwords belonging to other users or the University;
Not to represent others, unless authorized to do so explicitly by those users;
Not to divulge sensitive personal data to which they have access concerning staff or students without explicit authorization to do so.

To respect the rights of other users; for example, to comply with all University policies regarding sexual, racial, and other forms of harassment. Murdoch University is committed to being a racially, ethnically, and religiously heterogeneous community.
To respect the legal protection provided by copyright and licensing of programs and data; for example, not to make copies of a licensed computer program to avoid paying additional license fees or to share with other users.
To respect the intended usage of resources; for example, to use only the account name and password, funds, transactions, data, and processes assigned by service providers, unit heads, or project directors for the purposes specified, and not to access or use other account names and passwords, funds, transactions, data, or processes unless explicitly authorized to do so by the appropriate authority.
To respect the intended usage of systems for electronic exchange (such as e-mail, Usenet News, World Wide Web, etc.); for example, not to send forged electronic mail, mail that will intimidate or harass other users, chain messages that can interfere with the efficiency of the system, or promotional mail for profit-making purposes. Also, not to break into another user's electronic mailbox or read someone else's electronic mail without their permission.
To respect the integrity of the computing and networking facilities; for example, not to intentionally develop or use programs, transactions, data, or processes that harass other users or infiltrate the system or damage or alter the software or data components of a system. Alterations to any system or network software or data component are to be made only under specific instructions from authorized academic staff, unit heads, project directors, or management staff.
To respect the financial structure of the computing and networking facilities; for example, not to intentionally develop or use any unauthorized mechanisms to alter or avoid charges levied by the University for computing, network, and data processing services.
To adhere to all general University policies and procedures including, but not limited to, policies on proper use of information resources and computing and networking facilities; the acquisition, use, and disposal of University-owned computer equipment; use of telecommunications equipment; legal use of software; and legal use of administrative data.
To report any information concerning instances in which the University IT Security Policy or any of its standards and codes of practice has been or is being violated. In general, reports about violations should be directed initially to the administration of the school, area or unit where the violation has occurred whereupon it will be passed on to the Custodian of the system. If it is not clear where to report the problem, it may be sent to the Information Technology Services Unit Help Desk which will redirect the incident to the appropriate person(s) for action or will handle it directly.

4. Code of Practice for Specific Activities.

The following apply to specific activities.

1. Illegal activity.

In general, it is inappropriate use to store and/or give access to Information on the University computing and networking facilities that could result in legal action against the University.

2. Objectionable material.

The University's computing and networking facilities must not be used for the transmission, obtaining possession, demonstration, advertisement or requesting the transmission of objectionable material knowing it to be objectionable material as defined by the WA Censorship Act 1996, namely:

A film classified RC (refused classification), a computer game classified RC (refused classification), or a refused publication;
Child pornography;
An article that promotes crime or violence, or incites or instructs in matters of crime or violence; or
An article that describes or depicts, in a manner that is likely to cause offense to a reasonable adult e.g.
- The use of violence or coercion to compel any person to participate in, or submit to, sexual conduct;
- Sexual conduct with or upon the body of a dead person;
- The use of urine or excrement in association with degrading or dehumanizing conduct or sexual conduct;
- Bestiality;
- Acts of torture or the infliction of extreme violence or extreme cruelty.

Users of the facilities should be aware that there are severe penalties under the Act for such activities; that the police or a person authorized for the purposes of the Act may without a warrant, at any reasonable time, enter any place where the operating of a computer service is carried on and inspect any articles and records kept on the premises and may seize any thing that the member reasonably suspects is connected with an offense against the Act that is found on or in the place. In addition there are penalties for delaying, obstructing or otherwise hindering the police or authorized person in the performance of their functions under the Act and for giving false or misleading statements including statements which are misleading through the omission of information.

It should be noted that the Act allows that it is a defense to a charge of an offense against this section to prove that the article concerned is:

An article of recognized literary, artistic or scientific merit; or
A bona fide medical article,

and that transmitting, obtaining possession of, demonstrating, advertising, or requesting the transmission of, the article is justified as being for the public good.

3. Restricted Material

The University's computing and networking facilities must not be used to transmit or make available restricted material to a minor, restricted material being defined by the WA Censorship Act 1996 as an article that a reasonable adult, by reason of the nature of the article, or the nature or extent of references in the article, to matters of sex, drug misuse or addiction, crime, cruelty, violence or revolting or abhorrent phenomena, would regard as unsuitable for a minor to see, read or hear.

It should be noted that the Act allows that it is a defense to a charge to prove that:

The defendant complied with a code of practice;
The defendant took all reasonable steps in the circumstances to avoid a contravention of the Act; or
The defendant believed on reasonable grounds that:
- The person to whom the defendant transmitted the restricted material was not a minor; or
- The restricted material would not be made available to a minor.

4. Restricted Software and Hardware.

Users should not knowingly possess, give to another person, install on any of the computing and networking facilities, or run, programs or other Information which could result in the violation of any University policy or the violation of any applicable license or contract. This is directed towards but not limited to software known as viruses, Trojan horses, worms, password breakers, and packet observers. Authorization to possess and use Trojan horses, worms, viruses and password breakers for legitimate research or diagnostic purposes can be obtained from the Director of the Information Technology Services.

The unauthorized physical connection of monitoring devices to the computing and networking facilities which could result in the violation of University policy or applicable licenses or contracts is inappropriate use. This includes but is not limited to the attachment of any electronic device to the computing and networking facilities for the purpose of monitoring data, packets, signals or other information. Authorization to possess and use such hardware for legitimate diagnostic purposes must be obtained from the Director of the Information Technology Services Unit.

5. Copying and Copyrights.

Users of the computing and networking facilities must abide by the Murdoch University Copyright Policy, which covers copyright issues pertaining to University faculty, staff and students as well as commissioned works of non-employees.
Respect for intellectual labour and creativity is essential to academic discourse. This tenet applies to works of all authors and publishers in all media. It includes respect for the right to acknowledgment and right to determine the form, manner, and terms of publication and distribution. If copyright exists, as in most situations, it includes the right to determine whether the work may be reproduced at all. Because electronic information is volatile and easily reproduced or altered, respect for the work and personal expression of others is especially critical in computing and networking environments. Viewing, listening to or using another person's information without authorization is inappropriate use of the facilities. Standards of practice apply even when this information is left unprotected.
In particular, users should be aware of and abide by the University Policy on Copying and Using Computer Software. Most software that resides on the computing and networking facilities is owned by the University or third parties, and is protected by copyright and other laws, together with licenses and other contractual agreements. Users are required to respect and abide by the terms and conditions of software use and redistribution licenses. Such restrictions may include prohibitions against copying programs or data for use on the computing and networking facilities or for distribution outside the University; against the resale of data or programs, or the use of them for non-educational purposes or for financial gain; and against public disclosure of information about programs (e.g., source code) without the owner's authorization. University employees who develop new packages that include components subject to use, copying, or redistribution restrictions have the responsibility to make any such restrictions known to the users of those packages.
With a greater emphasis on computer based assignments, students need to be especially cognizant of the appropriate use of computing and networking facilities. In particular, academic dishonesty or plagiarism in a student assignment may be suspected if the assignment calling for independent work results in two or more solutions so similar that one can be converted to another by a mechanical transformation. Academic dishonesty in an assignment may also be suspected if a student who was to complete an assignment independently cannot explain both the intricacies of the solution and the techniques used to generate that solution. Suspected occurrences of academic dishonesty are referred to the Head of the student's school.

6. Harassment.

University policy prohibits sexual and discriminatory harassment. Murdoch's computing and networking facilities are not to be used to libel, slander, or harass any other person. The following constitute examples of Computer Harassment:
Intentionally using the computer to annoy, harass, terrify, intimidate, threaten, offend or bother another person by conveying obscene language, pictures, or other materials or threats of bodily harm to the recipient or the recipient's immediate family;
Intentionally using the computer to contact another person repeatedly with the intent to annoy, harass, or bother, whether or not any actual message is communicated, and/or where no purpose of legitimate communication exists, and where the recipient has expressed a desire for the communication to cease;
Intentionally using the computer to contact another person repeatedly regarding a matter for which one does not have a legal right to communicate, once the recipient has provided reasonable notice that he or she desires such communication to cease (such as debt collection);
Intentionally using the computer to disrupt or damage the academic, research, administrative, or related pursuits of another;
Intentionally using the computer to invade the privacy, academic or otherwise, of another or the threatened invasion of the privacy of another.
The display of offensive material in any publicly accessible area is likely to violate University harassment policy. There are materials available on the Internet and elsewhere that some members of the University community will find offensive. One example is sexually explicit graphics. The University cannot restrict the availability of such material, but it considers its display in a publicly accessible area to be inappropriate. Public display includes, but is not limited to, publicly accessible computer screens and printers.

7. Wasting Resources

It is inappropriate use to deliberately perform any act which will impair the operation of any part of the computing and networking facilities or deny access by legitimate users to any part of them. This includes but is not limited to wasting resources, tampering with components or reducing the operational readiness of the facilities.
The willful wasting of computing and networking facilities resources is inappropriate use. Wastefulness includes but is not limited to passing chain letters, willful generation of large volumes of unnecessary printed output or disk space, willful creation of unnecessary multiple jobs or processes, or willful creation of heavy network traffic. In particular, the practice of willfully using the University's computing and networking facilities for the establishment of frivolous and unnecessary chains of communication connections is an inappropriate waste of resources.
The sending of random mailings ("junk mail") is discouraged but generally permitted in so far as such activities do not violate the other guidelines set out in this document. It is poor etiquette at best, and harassment at worst, to deliberately send unwanted mail messages to strangers. Recipients who find such junk mail objectionable should contact the sender of the mail, and request to be removed from the mailing list. If the junk mail continues, the recipient should contact the appropriate local support person.

8. Game Playing.

Limited recreational game playing, that is not part of an authorized and assigned research or instructional activity, is tolerated (within the parameters of each department's rules). University computing and network services are not to be used for extensive or competitive recreational game playing. Recreational game players occupying a seat in a public computing facility must give up that computing position when others who need to use the facility for academic or research purposes are waiting.

9. Commercial Use

University computing and network facilities are provided by the University for the support of its mission. It is inappropriate to use the computing and networking facilities for:

Commercial gain or placing a third party in a position of commercial advantage
Any non-university related activity, including non-university related communications
Commercial advertising or sponsorship except where such advertising or sponsorship is clearly related to or supports the mission of the University or the service being provided.

This paragraph is not intended to restrict free speech or to restrict the University from setting up Information servers or other services specifically designated for the purpose of fostering an "electronic community" with the wider community the University serves. These designated Information servers should normally conform to the university IT Security Policy of which this Code of Practice is a part.

10. Use for Personal Business.

University computing and network facilities may not be used in connection with compensated outside work nor for the benefit of organizations not related to Murdoch University, except in connection with scholarly pursuits (such as academic publishing activities), in accordance with the University Consulting Policy or in a purely incidental way. This and any other incidental use (such as electronic communications or storing data on single-user machines) must not interfere with other users' access to resources (computer cycles, network bandwidth, disk space, printers, etc.) and must not be excessive.

11. Additional Guidelines at Local Sites.

The University computing and network facilities are composed of many "sites." Each site may have local rules and regulations which govern the use of computing and network facilities at that site. Each site has operators, consultants, and/or supervisors who have been given the responsibility to supervise the use of that site. Each site has an administrator (Custodian) with overall policy responsibility for the site. Users are expected to cooperate with these individuals and comply with University and local site policies. Site policies may be more restrictive than University policy. It is the intention that the University IT Security Policy represent a minimum standard. Local administrators may impose more restrictive policies, which become their responsibility to administer.

12. Connection to the Campus-Wide Data Network.

Most campus buildings are included in the Campus Network. To maintain the integrity of the University computing and network facilities, connections to the campus network are made only by specialized personnel under the direction of the Information Technology Services Unit. Users are encouraged to attach appropriate equipment only at existing user-connection points. All requests for additional Network connections or for the relocation of a connection should be directed to Network Services at the Computing.

13. Use of Desktop Systems.

Users are responsible for the security and integrity of University information stored on their personal desktop system from wherever they are working. This responsibility includes making regular disk backups, controlling physical and network access to the machine, and installing required operating system patches and using appropriate virus protection software. Users should avoid storing passwords or other information that can be used to gain access to other campus computing resources. Users should not store University passwords or any other confidential data or information on their laptop or home PC or associated floppy disks or CD's. All such information should be secured after any dialup connection to the University network.

14. Use of External Services.

Networks and telecommunications services and administrative systems and services to which Murdoch University maintains connections (e.g. AARNet) have established acceptable use standards. It is the user's responsibility to adhere to the standards of such networks. The University cannot and will not extend any protection to users should they violate the policies of an external network.

15. Printouts.

Users are responsible for the security and privacy of printouts of University information.

3. Appropriate Use of Electronic Mail.

1. Preamble.

Electronic mail and communications facilities provided by Murdoch University are intended for teaching, research, outreach and administrative purposes. Their use is governed by University rules and policies, applicable laws, and acceptable use policy of the provider.

Electronic mail may be used for personal communications within appropriate limits.

2. Scope.

These Standards of Use cover all electronic mail systems used by members of the University community, from the University�s network or connecting to the University�s network or while acting in an official University capacity.

3. Appropriate Use and Responsibility of Users.

Electronic mail can be both informal like a phone call and yet irrevocable like an official memorandum. Because of this, users should explicitly recognize their responsibility for the content, dissemination and management of the messages they send. This responsibility means ensuring that messages:

Do not contain information that is harmful to the University or members of the University community;
Are courteous and polite;
Are consistent with University policies;
Protect others� right to privacy and confidentiality;
Do not contain obscene, offensive or slanderous material;
Are not used for purposes that conflict with the University�s interests;
Contain an accurate, appropriate and informative signature;
Do not unnecessarily or frivolously overload the email system (e.g. spamming and junk mail is not allowed);
Are not for commercial purposes unless authorized by the University.

Users should cover periods of absence by adopting an appropriate functional account, forward, or vacation message strategy.

Electronic mail containing a formal approval, authorization, delegation or handing over of responsibility must be copied to paper and filed appropriately for purposes of evidence and accountability.

Users must ensure that personal information in the custody of the University is protected in accordance with the University�s Intellectual Property Policy, the Privacy Act 1988, and Information Privacy Principles.

4. Data Backups.

Although IT Services does everything possible to back up data stored on central server areas, it is the responsibility of the individual user to backup their own data from their computers, safely onto tape, diskette, or other media. It is the responsibility of the individual to store all information that is of value to the University on a recommended University supplied server.

5. Confidentiality and Security.

Electronic mail is inherently NOT SECURE.
As University networks and computers are the property of the University, the University retains the right to allow authorized University officers to monitor and examine the information stored within.
It is recommended that personal confidential material not be stored on or sent through University equipment.
Users must ensure the integrity of their password and abide by University policy on password security (see the relevant section on password security).
Sensitive confidential material should NOT be sent through the electronic mail system unless it is encrypted.
Confidential information should be redirected only where there is a need and with the permission of the originator, where possible.
Users should be aware that a message is not deleted from the system until all recipients of the message and of any forwarded or attached copies have deleted their copies.
Electronic mail messages can be forged in the same way as faxes and memoranda. If a message is suspect, users should verify its authenticity via telephone or fax.

6. User Indemnity.

Users agree to indemnify the University for any loss or damage arising out of improper use.

7. Limited Warranty.

The University takes no responsibility and provides no warranty against the non-delivery or loss of any files, messages or data nor does it accept any liability for consequential loss in the event of improper use or any other circumstances. In the event of data or message loss, the remedy shall be limited to the refund of any relevant fees or charges relating to the period in question.

4. Guidelines on Passwords.

1. Password Management.

1. Passwords should be memorized - never written down.

2. Passwords belong to individuals and must never be shared with anyone else.

3. Passwords should be changed every 3 to 6 months, or immediately if compromised.

2. Password Administration.

1. System Custodians should regularly run password cracking software against their password files to identity weak passwords.

2. New or changed passwords must be given in writing only to the identified user - never over the telephone or via email.

3. All Unix computers should run at least C2 level security operating system.

3. Password Construction.

Password security isn't just a matter of thinking up a nice word and keeping it to yourself. You must choose a password which will be difficult for someone else to guess or crack.

We often have a tendency to forget passwords, so we choose something that has particular relevance to ourselves: the name of a loved one, our favorite car, sport, or ice cream, etc. Anyone knowing a little about us can make a list of these words and easily crack the password. All-digit passwords usually fall into this category - birth dates, phone numbers.

Observe the following guidelines when choosing your password:

1. A password should be at least 6 characters long.

2. NEVER make your password a name or something familiar, like your pet, your children, or partner. Favorite authors and foods are also guessable.

3. NEVER, under any circumstances, should your password be the same as your username or your real name.

4. DON'T use words that can be associated with you

5. Do not have a password consisting of a word from a dictionary. Most basic cracking programs contain over 80000 words, and plenty of variations.

6. Try to have a password with a number or mixed case letters. Simple substitutions like a '1' for an 'i', and '0' for an 'O' are easily guessed. Add a '%' or '$' to the middle of the password.

7. Choose something you can remember, that can be typed quickly and accurately and includes characters other than lowercase letters.

Examples:

Made-up "words" - chok-bel (can be "pronounced", has a punctuation character)
Personal acronyms - ihc,alt (I Hate Coffee, And Love Tea)
Invert syllables - sick.sea (instead of 'seasick')

5. Student Laboratory & Network Code of Practice.

1. General.

Your access to the Student Network is provided by the University for administrative, academic, research or study purposes only. The Student Network is a valuable but limited resource which must be shared with others. It is your obligation to use the facilities in an efficient, ethical, legal and responsible manner, in accordance with the University�s "Code of Practice in the Use of Computing and Network Facilities", "Appropriate Use of Electronic Mail", and the code of conduct specified below. Grossly improper behaviour may be grounds for termination of your access or be subject to other penalties which may apply.

2. Account Management.

1. Your Student Network account is provided by the University in your name for your use only.

2. You must not share your account with family, friends or make your password available to any other person.

3. You should change your password at least every 30 days.

4. You may not use the account of any other person. If you inadvertently gain such access to any unauthorized information, you should advise Helpdesk staff immediately.

5. In certain circumstances you may share an account with others where shared duties apply. Such accounts will be specifically authorized by the Director ITS or delegate. In such cases all sharers are jointly responsible for the account but may not share with others outside the group.

6. You MUST NOT attempt to find the password of another user or access their account in an unauthorized username.

3. Identification.

Computing Labs are provided for Murdoch students only. You must carry a University Photo ID at all times while using the labs. Security and Helpdesk staff have the right to deny access to the Labs to anyone without proper identification.

4. Appropriate Electronic Behaviour.

Users of Internet, PARNet and AARNet are asked to comply with guidelines of network etiquette (netiquette). Netiquette is based on the use of good manners and common sense. Some are:

1. Always acknowledge electronic mail.

2. Limit your email to a single screen of text where possible.

3. Do not send large files as email attachments.

4. Do not use offensive language.

5. Be polite to other users of the Internet.

5. Appropriate Use.

Avoid wasting network resources:

FTP should be used for academic and study purposes only.

Participating in multi-user Internet applications (e.g. MUDS, MOO�s) is NOT acceptable use unless authorized by your lecturer as being an essential component of your studies and Computer Services has been notified prior to its use.

The use of TALK wastes bandwidth and is discouraged. Limit use to 5-10 minute sessions only. Use of email is preferred. Do not attempt to talk to someone without obtaining their prior permission via email or similar.

6. Illegal Activities.

1. Do not download or copy software without appropriate authority or license.

2. It is an offense to knowingly inject viruses into any system or engage in any other form of hacking.

3. It is an offense to transmit material which is offensive, obscene, harassing, slanderous, damaging to the files or programs of others, or which violate any applicable law. Do not download or copy software without appropriate authority.

7. Laboratory Etiquette.

1.No food, drink or cigarettes are to be consumed in the laboratories.

2. Avoid excessive noise. It annoys other uses.

3. The number of workstations is limited. Please limit your sessions to 30 minutes, especially if there are queues. Automatic termination of services may apply.

4. Please be courteous to staff and fellow users.

5. Game-playing is not desirable. It is forbidden when there are queues unless authorized in writing by your lecturer as part of your course.

6. You are required to comply with any instruction by a University staff member or security officer.

6. Internet Conditions, Standards, and Guidelines.

1. Scope.

The new resources, new services, and inter-connectivity available via the Internet all introduce new opportunities and new risks. In response to the risks, this statement describes Murdoch University official policy regarding Internet security. It applies to all University employees, students, contractors, and temporaries who use the Internet with University computing or networking resources, as well as those who represent themselves as being connected with Murdoch University.

2. Transmission of Information.

1. Downloading.

All software downloaded from non-University sources via the Internet must be screened with virus detection software prior to being invoked. Whenever the provider of the software is not trusted, down-loaded software should be tested on a stand-alone non-production machine. If this software contains a virus, worm, or Trojan horse, then the damage will be restricted to the involved machine.

2. Suspect Information.

All information taken off the Internet should be considered suspect until confirmed by separate information from another source. There is no quality control process on the Internet, and a considerable amount of its information is outdated or inaccurate.

3. Contacts.

Contacts made over the Internet should not be trusted with University information unless reasonable steps have been taken to ensure the legitimacy of the contacts. This applies to the release of any internal University information.

4. Information Security.

Wiretapping and message interception is straightforward and frequently encountered on the Internet. Accordingly, University, proprietary, or private information must not be sent over the Internet unless it has first been encrypted by approved methods. Credit card numbers, log-in passwords, and other parameters that can be used to gain access to University systems, networks and services, must not be sent over the Internet in readable form.

3. Software Security.

University computer software, documentation, and all other types of internal information must not be sold or otherwise transferred to any non-university party for any purposes other than University purposes expressly authorized by Faculty Deans or DSOU Heads.

Exchanges of software and/or data between University and any third party may not proceed unless a written agreement has first been signed. Such an agreement must specify the terms of the exchange, as well as the ways in which the software and/or data is to be handled and protected. Regular business practices--such as shipment of software in response to a customer purchase order--need not involve such a specific agreement since the terms are implied.

The University strongly supports strict adherence to software vendors' license agreements. Adherence to these agreements is subject to random audits by these vendors. When University computing or networking resources are employed, copying of software in a manner that is not consistent with the vendor's license is strictly forbidden.

4. Personnel Security.

1. Privacy.

Staff using University information systems and/or the Internet should realize that their communications are not automatically protected from viewing by third parties. Unless encryption is used, workers should not send information over the Internet if they consider it to be private. Any doubts regarding the privacy of information should be resolved by contacting the system�s custodian, the organization�s ITLO, or ITS.

2. Right to Examine.

At any time and without prior notice, University management reserves the right to examine e-mail, personal file directories, and other information stored on University computers. This examination assures compliance with internal policies, supports the performance of internal investigations, and assists with the management of University information systems.

3. Resource Usage.

Murdoch University encourages staff to explore the Internet, but if this exploration is for personal purposes, it should be done on personal, not University time. Likewise, games, news groups, and other non-University activities must be performed on personal, not University time. Use of University computing resources for these personal purposes is permissible so long as the incremental cost of the usage is negligible, and so long as no University activity is pre-empted by personal use.

4. Public Representations.

Staff may indicate their affiliation with the University in bulletin board discussions and other offerings on the Internet. This may be done by explicitly adding certain words, or it may be implied, for instance via an e-mail address. In either case, whenever staff provide an affiliation, they must also clearly indicate the opinions expressed are their own, and not necessarily those of Murdoch University. All external representations on behalf of the University must first be cleared with the Faculty Dean or Divisional Director. Additionally, to avoid libel problems, whenever any affiliation with the University is included with an Internet message or posting, "flaming" or similar written attacks are strictly prohibited.

All staff must not publicly disclose internal University information via the Internet that may adversely affect the University's relations or public image.

Care must be taken to properly structure comments and questions posted to mailing lists, public news groups, and related public postings on the Internet. If a user is working on a research and/or development project, or related University matters, all related postings must be cleared with Faculty Deans and Directors prior to being placed in a public spot on the Internet.

5. Access Control.

All users wishing to establish a connection with University computers via the Internet must authenticate themselves at a firewall before gaining access to University internal network.

Unless the prior approval of the Director of ITS has been obtained, staff may not establish modems, Internet or other external network connections that could allow non-University users to gain access to University systems and/or networks and University information

Likewise, unless the Director, ITS has approved in advance, users are prohibited from using new or existing Internet connections to establish new communication channels. These channels include electronic data interchange (EDI) arrangements, electronic malls with on-line shopping, on-line database services.

6. Reporting Security Problems.

ITS must be notified immediately when:

1. Sensitive University information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties.

2. Unauthorized use of University information systems has taken place, or is suspected of taking place.

3. Passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed.

4. There is any unusual systems behaviour, such as missing files, frequent system crashes, misrouted messages.

Security problems should not be discussed widely but should instead be shared on a need-to-know basis.

Users must not attempt to probe computer security mechanisms at Murdoch University campuses or other Internet sites. If users probe security mechanisms, alarms will be triggered and University resources will needlessly be spent tracking the activity.

Unless prior written authority has been obtained from the Director of IT Services, files containing hacking tools or other suspicious material may be taken as prima facie evidence of unauthorized hacking activity and may expose the user to disciplinary procedures.

7. Penalties.

Violations of these computer security policies can lead to withdrawal and/or suspension of system and network privileges and/or disciplinary action.

7. OECD Information Privacy Principles.

The following OECD Information Privacy Principles are presented as guidelines for all members of Murdoch University.

1. Collection Limitation Principle.

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle.

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle.

The purposes for which personal data is collected should be specified not later than at the time of collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change or purpose.

4. Use Limitation Principle.

Personal data should not be disclosed, made available or otherwise used, for purposes other than those specified in accordance with Principle 7.3 except with the consent of the data subject; or by the authority of law.

5.Openness Principle.

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purpose of their use, as well as the identity and usual residence of the data controller.

6. Individual Participation Principle.

An individual should have the right:

1. To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to that person;

2.To have communicated to the person, data relating to that person:

within a reasonable time;
at a charge (if any) that is not excessive;
in a reasonable manner; and
in a form that is readily intelligible;

3. To be given reasons if such request is denied, and to be able to challenge such denial; and

4. To challenge data relating to the person and if the challenge is successful, to have the data erased, rectified, completed or amended.

7. Accountability Principle.

A data controller should be accountable for complying with measures which give effect to the principles stated above.