The contents of this instruction:
Rules of IT service use
In brief
- These binding rules concern all users. Including you.
- These rules apply to the use of all of the university’s IT services, hardware, software and networks.
- The university authorises users to access its IT services by granting user IDs (user accounts) or making services available.
- Every user is personally responsible for all use of the services with his/her user ID.
- The provided IT services are intended for work- and study-related use.
- They may also be used for personal purposes within reason and in keeping with laws and good practices.
- Other users’ privacy and ownership of information must be respected at all times.
- Use of the services for any commercial or propagandistic purposes is forbidden.
- Unauthorised use is forbidden.
- Use of services is monitored, and breach of these rules will be sanctioned.
Further specifications to these rules are provided below.
Rules of IT Service Use as a whole
The Rules of IT Service Use bind and obligate all members of the university community, users of IT
services and systems, and all units of the University.
These rules apply to all of the University’s IT services and hardware, and the use thereof, also
including services made available or authorised by the University. Examples of such services are
CSC’s services HAKA, Funet, etc. Some of the University’s services are cloud services and in addition to these rules and service provider’s own terms of use, Terms of cloud service (to read this, log in with your university account) apply to the use of them.
Usage authorisation
Usage authorisation is granted by issuing a user ID or making the service available
Authorised users are allowed to use the university’s IT services. Compliance with the Rules of IT
Service Use is a prerequisite for authorisation.
- The scope of usage authorisation depends on the user’s status and tasks (roles) at the
University - one person may have several roles.
Usage authorisation is granted for a fixed term
The authorisation expires when
- the person is no longer a member of the university community
- the granted fixed term user ID expires
- the person’s role changes, and the new role does not make him/her eligible to use the IT
services.
Usage authorisation can be restricted if there is justified reason to suspect that information security
has been compromised or the services have been abused.
The user must remove all personal e-mails and files from the system before the expiry of his/her
usage authorisation. The user account is automatically turned off 14 days after expiry of the usage
authorisation and receiving email is blocked. The University will delete all files and mailbox contents
when 12 months have passed since the expiry of the user ID or usage authorisation. University staff
members, as well as students who have worked in research teams or participated in other such
activities, must transfer all work-related messages and files to the person specified with the
supervisor.
All users must uninstall any software based on employee or student licenses from their home
computers when their employment or study right ends.
User ID
- Users are identified (authenticated) with the user ID (user account)
- every user must have an individual ID for all IT services that require authentication.
Group IDs can be granted upon request for special purposes
The use of group IDs can compromise the confidentiality of information. For example, in the case of
using an administrator-level group ID in order to use special software in a computer lab.
- The user who applies for a group ID is responsible for the distribution of the ID
- group IDs may only be used for the purpose specified in the application and granted permit
- every group ID user is responsible for his/her actions conducted using the ID.
Every user is personally responsible for his/her user IDs
User accounts must be protected using strong passwords and complying with other instructions. If
there is reason to believe that a password or other account details have been compromised, the
password must be changed or the use of the compromised element must be prevented immediately.
- Never dispose or lend your username and password to other persons
- each user is responsible for all actions conducted using his/her ID
- users are financially and legally liable for any damage or loss caused using their ID
- the use of another person’s ID is forbidden, even upon the user’s own request.
Users’ rights and responsibilities
The IT services are intended for work- and study-related use
The University’s IT services are intended to serve as tools in tasks related to studies, research,
teaching or administration.
Small-scale private use is allowed
Small-scale private use refers to such actions as private e-mail conversations and online service use.
However, private use must never
- disturb other use of the system
- breach the rules and instructions of IT service use.
Commercial or propagandistic use is not allowed
Special permission for these purposes can, however, be applied from IT Management.
- Commercial use is only allowed in cases assigned by the University
- use for pre-election campaigns or other political activities is only allowed in conjunction with
the University’s elections and activities of the Student Union, student organisations or trade
unions - all propagandistic use is forbidden
- unnecessary consumption of resources is forbidden.
Laws must be observed
- Material that is illegal or against common manners must not be published or distributed.
Everyone is entitled to privacy
The right to privacy, however, does not cover all work-related material that is in an employee’s
possession.
- All materials that are in students’ possession are deemed to be private.
- Staff members must clearly separate their private materials from work-related ones e.g. create a directory entitled “Private”. This rule also applies to students working for the University.
Information security is everyone’s responsibility
Any detected or suspected breaches or vulnerabilities in information security must be immediately
reported to Campus ICT support service: ict (at) oulu.fi.
- Personal passwords must never be disclosed to anyone
- everyone is obligated to maintain the secrecy of any confidential information that may come
to one’s knowledge - abuse, copying and distributing other users’ private information is forbidden.
As a precaution, the University is entitled to restrict or revoke the right to use its IT services.
Setting up unauthorised services is forbidden
Only devices approved by the University may be connected to the IT network. Only services
authorised by the University may be produced using the university’s IT networks.
Bypassing information security mechanisms is forbidden
Usage rights must never be used for any illegal or forbidden activities, such as searching for
vulnerabilities in information security, unauthorised decryption of data, copying or modifying
network communications, or unauthorised access to IT systems.
Parts and features of IT systems that are not clearly made available for public use – such as system
administration tools or functions prevented in system settings – must not be used.
Phishing for information and deceiving users is forbidden
Cheating and unauthorised acquisition of information is forbidden.
Other clauses
Validity
These Rules of IT Service Use become effective 20.11.2013 and replace the earlier version of
corresponding rules. After the date specified above, all new IT services must be produced according
to these rules.
Change management
These rules will be reviewed when needed to ensure that they comply with all valid services and
laws. Any significant changes to these rules are addressed according to the co-operation procedure.
The information security officer makes decisions concerning change needs.
Information about changes is distributed using the regular communication channels, never
personally.
Exceptions from the Rules of Use
Permission for exceptions from the Rules of Use can be granted for compelling reasons upon a
written application. Exceptional permits are granted by the CIO. The permits may include additional
terms and conditions, restrictions and responsibilities.
Monitoring
Compliance with the Rules of Use is overseen by the IT department, owners of services and IT
services, as well as supervisors within their job descriptions. Breaches of the rules lead to sanctions
according to the Consenquences of IT Service Abuse.
E-mail rules
In brief
Every e-mail user has one or more roles
- There are slightly different rules, for example, for staff members and students.
All rules must be obeyed
- Use different passwords in the university services and in external services
- apply thorough consideration before using the university e-mail address for private purposes
(see Rules of IT Service Use) - if you mistakenly receive e-mail intended for someone else, forward the message to the correct
recipient, and inform the sender of the mistake - remember that the privacy of correspondence also applies to e-mail
- make sure you have enough free space in your mailbox
- don’t distribute spam
- don’t leave any private messages in the university mailbox when your user rights expire.
Staff members
- Always use the university e-mail address for work-related correspondence
- send confirmations to e-service messages without any delay
- don’t transfer or automatically reroute workrelated e-mail to external e-mail accounts
- keep your private and work-related messages separated, also the sent ones
- make sure your e-mail is monitored during your absence
- if you use an out-of-office message, instruct recipients to use the organisation address
- only use e-mail encryption methods supported by the University
- if you are about to leave the University’s employ, transfer all e-mail messages that are relevant for the organisation to the correct persons responsible users before your user rights expire.
Students
- Use primarily the university e-mail account for study-related purposes
- for receiving university’s announcements to the correct email address always inform your address to
the university’s services and information systems that you use - when you contact university through email, remember always to inform your name and contact information in a message
- all messages sent and received in the role of a student are private
- if you have an employment contract with the University, you are also bound by the staff members’ rules; moreover, you must keep your work- and studyrelated e-mail clearly separated.
Mailing list owner
- Keep the list up to date (correct, valid addresses, brisk moderation)
- request the deletion of your list when it is no longer in use.
Supervisor
- Make sure that all relevant organisation addresses are available
- make sure that the organisation addresses are used in your unit’s communications
- appoint users responsible (with deputies) for monitoring the organisation addresses.
Organisation address owner
- Establish procedures for message handling, back-up and informing other handlers
- change the password of the organisation e-mail account regularly, and always after an e-mail
handler (who knows the password) leaves the organisation.
Further specifications to these rules are provided below.
E-mail rules as a whole
These e-mail rules concern all users of the university’s e-mail systems. The parts aimed at university staff members concern all of the University’s units, their employees and other users in corresponding positions (such as scholarship-funded researchers and emeritus/emerita professors). The rules also concern all users responsible for e-mail systems.
The e-mail rules comply with the currently valid laws and regulations.
The sender is responsible for making sure that the message delivery has been successful. Particularly crucial messages should be sent well before the deadline, and the recipient should be asked to confirm receipt.
Privacy of correspondence also applies to e-mail
If a user receives an e-mail message intended for another person, the unintended recipient is obligated to maintain the secrecy of the message and refrain from utilising its contents or the knowledge of its existence.
- According to the Administrative Procedure Act (434/2003), Section 21, a document delivered
by mistake and dealing with administrative matters beyond the recipient’s competence shall
be transferred to the authority deemed to be competent, and the sender of the document
shall be informed about the transfer; if such a transfer is not possible, the message shall be
returned to the sender and deleted from the university’s e-mail system - all other received messages intended for another user must be returned to the sender.
The forwarding and returning obligation does not concern messages containing malware or spam.
E-mail addresses
The organisation address is an official e-mail address
The organisation address is used for official matters and service provision.
The organisation address is formed according to a certain formula, for example:
- university-level: office@oulu.fi
- unit-level: unit@oulu.fi
- role-level: rector@oulu.fi
The work e-mail is a personal e-mail account provided for work-related use
- Example: john.smith@oulu.fi
- Work e-mail messages are related to both the work e-mail account and the user’s job.
- As default, the University considers e-mail messages received to the work e-mail account to
be private messages. - In outgoing e-mail messages, the organisation address or the work e-mail address formed from
the user’s name must be given as the sender’s address.
The study e-mail is a personal e-mail account provided by the University for its students
- Example: john.smith@student.oulu.fi
- The study e-mail account is primarily intended for study-related use.
- The University considers students’ e-mail messages to be private messages.
- The sender’s address in outgoing e-mail messages is the study e-mail address formed from the student’s name.
- The student can forbid the publishing of his/her e-mail address outside the University.
Every e-mail service user is personally responsible for keeping his/her mailboxes clean and ensuring that the reserved space does not run out.
The University determines the e-mail addresses and their format
Various domain-based addresses related to certain roles are used at the University of Oulu, for
example:
- organisation addresses could be of the format service@oulu.fi
- staff members’ addresses could be of the format john.smith@oulu.fi
- students’ addresses could be of the format brian.virta@student.oulu.fi
Staff and student e-mail addresses are formed from the user’s name
If another user with exactly the same name joins the University, the original user’s e-mail address
may be changed. A person who first receives an address of the format
forename.surname@(student.)oulu.fi can keep it, and for the namesakes an address is of the format
forename.middle name’s first letter.surname@(student.)oulu.fi.
Use of e-mail and e-mail addresses
- The name-based address must be used as the personal e-mail address
- the organisation addresses are used in the university’s communications
- the organisation address or work e-mail address must be used in work-related matters.
The handling and archiving of e-mail messages received to the organisation or work e-mail account
are governed by the Act on the Openness of Government Activities and the university’s archive
creation plan.
- It is forbidden to transfer or automatically route e-mail messages from the organisation or
work account outside the University; this is due to reasons related to information security,
data protection and information management; in addition, it may constitute a breach of the
Personal Data Act - if a received message contains a confirmation request or is part of an e-service (1), the
message handler must send the confirmation immediately - only e-service systems are allowed to use automatic receipt confirmations.
Organisation addresses have owners
The owner must make sure that messages received in the organisation address are handled on a
regular basis and according to the archive creation plan, even when the owner is absent.
- E-mail messages received in the organisation account belong to the employer
- the address owner must respond to any received messages immediately
- the response must indicate that it is a reply to a message sent to an organisation address
- organisation addresses must not be used for personal communications.
Messages related to work e-mail accounts are treated as private messages
- The University can retrieve and open an employee’s e-mail messages in certain cases and
certain ways as defined in separate guidelines: Retrieving and opening an employee’s e-mail - work-related e-mail messages sent by employees must, when applicable, clearly indicate
whether they are official statements related to work or the employee’s personal opinions - when responding to applications or other such matters related to public administration, the
response message’s reply address must be an organisation address- instead of changing the reply address, the sender can be advised to use the
organisation address in the future - the original message and the response are transferred to the organisation address
for archiving - If you are not aware of the suitable organization address you can check it from
Campus ICT ict(at)oulu.fi
- instead of changing the reply address, the sender can be advised to use the
The e-mail account provided by the University can be used for private purposes within the
limitations set forth in the university’s Rules of IT Service Use.
- Employees must clearly separate their personal and work-related e-mail messages, both
those received and sent - if a user is both a student and a staff member, the e-mail messages related to each role must
be clearly separated from each other.
External e-mail service must not be used for university-related tasks
Access to external e-mail services from the university network can be technically restricted, if such
services are deemed to form a major data security risk.
Use personal auto replies with caution
Auto replies entail a risk of spam flow, but if one is nevertheless deemed necessary, it should advise
the recipient to contact the relevant organisation address.
E-mail must be monitored even during absence
One option is to close the mailbox (for example, during long leaves of absence). The recommended
practice is to instruct clients to use the respective organisation address for all contacts.
The e-mail account is fixed-term
Personal messages should not be left in the university mailbox when the usage right expires.
Employees must agree with their supervisor on the transfer of work-related messages to another
user within the university organisation. If an employee resigns from his/her duties before the expiry
of the employment contract, the employee, or his/her supervisor, can request the discontinuation of
incoming e-mail immediately.
E-mail messages can be encrypted
All applications used for encrypting organisation- and work-related e-mail messages must be
supported and implemented by the University.
- If a received organisation- or work-related e-mail message is encrypted so that only the
recipient can decrypt it, the message must be decrypted immediately after receipt; this rule
does not apply to messages containing malware or spam - after decrypting, the message can be encrypted again so that all handlers can open it.
In terms of information security, non-encrypted e-mail can be compared to a postcard.
Mailing lists have owners
The owner must keep the list moderated, regularly check that it is up-to-date and remove any
redundant addresses from the list.
- The list owner is responsible for maintaining and removing joint mailing lists.
- Personal mailing lists are each user’s own responsibility.
A mailing list forms a person register and, hence, it may be subject to confidentiality obligations and
separate limitations of disclosure. If such rules apply, use the blind carbon copy (bcc) function in
order to keep the list’s addresses hidden from recipients.
Mass mailing and sending/forwarding chain letters is forbidden
Exceptions to this rule can be made upon separate decisions.
Service provision and administration
System administration can intervene in e-mail traffic
in order to secure the service level or safety of the e-mail system. Such interventions, as well as email usage monitoring and log-keeping, are governed by separate instructions.
E-mail is checked and filtered
All e-mail traffic goes through an automatic content analysis, based on which
- messages and attachments containing malware are automatically deleted
- the delivery of harmful, oversized or numerous attachments can be restricted.
In addition, filtering and deletion without notification can be applied to messages
- sent from known spam servers
- classified as spam based on the automatic content analysis.
The e-mail address no longer works
The e-mail address no longer works when the usage authorisation has expired. Messages sent to a user whose e-mail account is no
longer valid will not be delivered; longer valid will not be delivered; instead, an automatic message is sent to inform the sender about
the expiry of the address. When an e-mail account expires, all its re-routing arrangements also
become invalid.
Other clauses
Validity
These e-mail rules become effective 20.11.2013 and replace the earlier version of corresponding
rules.
Change management
These rules will be reviewed when needed to ensure that they comply with all valid services and
laws. Any significant personnel-related changes are addressed according to the co-operation
procedure. The IT Director makes decisions concerning change needs.
Information about changes is distributed using the regular communication channels, never
personally.
Deviations from the e-mail rules
Permission for exceptions from the e-mail rules can be granted for compelling reasons upon a
written application. Exceptional permits are granted by [the IT Director]. The permits may include
additional terms and conditions, restrictions and responsibilities.
Monitoring
Compliance with the e-mail rules is overseen by the IT services. Breaches of the rules lead to
sanctions according to the Consequences of IT service Abuse.
Rules of wlan use in brief
The wlan connections that have been built in the connection of the network of the university have been meant for the on the university working or studying persons’ use. The use rule of the wireless local area networks of the University of Oulu applies to the use wlan with the cordless data terminal equipment (for example a smart phone, tablet, laptop).