Skip to content

Rules of use (UO)


Keywords: , , , , , , , , , , , , ,

The contents of this instruction:

Rules of IT service use

In brief

  • These binding rules concern all users. Including you.
  • These rules apply to the use of both universities, University of Oulu (UO) and Oulu University of Applied Sciences (Oamk), IT services, hardware, software and networks.
  • Universities authorise users to access its IT services by granting user IDs (user accounts) or making services available.
  • Every user is personally responsible for all use of the services with his/her user ID.
  • The provided IT services are intended for work- and study-related use.
  • They may also be used for personal purposes within reason and in keeping with laws and good practices.
  • Other users’ privacy and ownership of information must be respected at all times.
  • Use of the services for any commercial or propagandistic purposes is forbidden.
  • Unauthorised use is forbidden.
  • Use of services is monitored, and breach of these rules will be sanctioned.

Further specifications to these rules are provided below.

Rules of IT Service Use as a whole

The Rules of IT Service Use bind and obligate all members of the university community, users of IT services and systems, and all units of the universities.

These rules apply to all of university’s IT services and hardware, and the use thereof, also including services made available or authorised by the universities. Examples of such services are CSC’s services HAKA, Funet, etc. Some of the university services are cloud services and in addition to these rules and service provider’s own terms of use, Terms of cloud service (to read this, log in with your university account) apply to the use of them.

Usage authorisation

Usage authorisation is granted by issuing a user ID or making the service available

Authorised users are allowed to use the university’s IT services. Compliance with the Rules of IT Service Use is a prerequisite for authorisation.

  • The scope of usage authorisation depends on the user’s status and tasks (roles) at the universities
  • one person may have several roles.
Usage authorisation is granted for a fixed term

The authorisation expires when

  • the person is no longer a member of the university community
  • the granted fixed term user ID expires
  • the person’s role changes, and the new role does not make him/her eligible to use the IT services.

Usage authorisation can be restricted if there is justified reason to suspect that information security has been compromised or the services have been abused.

The user must remove all personal e-mails and files from the system before the expiry of his/her usage authorisation. The user account is automatically turned off 14 days after expiry of the usage authorisation and receiving email is blocked. The university will delete all files and mailbox contents when 12 months have passed since the expiry of the user ID or usage authorisation. University staff members, as well as students who have worked in research teams or participated in other such activities, must transfer all work-related messages and files to the person specified with the supervisor.

All users must uninstall any software based on employee or student licenses from their home computers when their employment or study right ends.

User ID

  • Users are identified (authenticated) with the user ID (user account)
  • every user must have an individual ID for all IT services that require authentication.
Group IDs can be granted upon request for special purposes

The use of group IDs can compromise the confidentiality of information. For example, in the case of using an administrator-level group ID in order to use special software in a computer lab.

  • The user who applies for a group ID is responsible for the distribution of the ID
  • group IDs may only be used for the purpose specified in the application and granted permit
  • every group ID user is responsible for his/her actions conducted using the ID.
Every user is personally responsible for his/her user IDs

User accounts must be protected using strong passwords and complying with other instructions. If there is reason to believe that a password or other account details have been compromised, the password must be changed or the use of the compromised element must be prevented immediately.

  • Never dispose or lend your username and password to other persons
  • each user is responsible for all actions conducted using his/her ID
  • users are financially and legally liable for any damage or loss caused using their ID
  • the use of another person’s ID is forbidden, even upon the user’s own request.

Users’ rights and responsibilities

The IT services are intended for work- and study-related use

The university’s IT services are intended to serve as tools in tasks related to studies, research, teaching or administration.

Small-scale private use is allowed

Small-scale private use refers to such actions as private e-mail conversations and online service use.
However, private use must never

  • disturb other use of the system
  • breach the rules and instructions of IT service use.
Commercial or propagandistic use is not allowed

Special permission for these purposes can, however, be applied from ICT Services.

  • Commercial use is only allowed in cases assigned by universities
  • use for pre-election campaigns or other political activities is only allowed in conjunction with
    the university’s elections and activities of the Student Union, student organisations or trade
    unions
  • all propagandistic use is forbidden
  • unnecessary consumption of resources is forbidden.
Laws must be observed
  •  Material that is illegal or against common manners must not be published or distributed.
Everyone is entitled to privacy

The right to privacy, however, does not cover all work-related material that is in an employee’s possession.

  • All materials that are in students’ possession are deemed to be private.
  • Staff members must clearly separate their private materials from work-related ones e.g. create a directory entitled “Private”. This rule also applies to students working for the university.
Information security is everyone’s responsibility

Any detected or suspected breaches or vulnerabilities in information security must be immediately reported to Campus ICT support service: ict (at) oulu.fi.

  • Personal passwords must never be disclosed to anyone
  • everyone is obligated to maintain the secrecy of any confidential information that may come to one’s knowledge
  • abuse, copying and distributing other users’ private information is forbidden.

As a precaution, the universities are entitled to restrict or revoke the right to use its IT services.

Setting up unauthorised services is forbidden

Only devices approved by the university may be connected to the IT network. Only services authorised by the university may be produced using the university’s IT networks.

Bypassing information security mechanisms is forbidden

Usage rights must never be used for any illegal or forbidden activities, such as searching for vulnerabilities in information security, unauthorised decryption of data, copying or modifying
network communications, or unauthorised access to IT systems.

Parts and features of IT systems that are not clearly made available for public use – such as system administration tools or functions prevented in system settings – must not be used.

Phishing for information and deceiving users is forbidden

Cheating and unauthorised acquisition of information is forbidden.

Other clauses

Validity

These Rules of IT Service Use become effective 20.11.2013 and replace the earlier version of corresponding rules. After the date specified above, all new IT services must be produced according to these rules.

Change management

These rules will be reviewed when needed to ensure that they comply with all valid services and laws. Any significant changes to these rules are addressed according to the co-operation procedure.

The information security officer makes decisions concerning change needs.

Information about changes is distributed using the regular communication channels, never personally.

Exceptions from the Rules of Use

Permission for exceptions from the Rules of Use can be granted for compelling reasons upon a written application. Exceptional permits are granted by the CIO. The permits may include additional
terms and conditions, restrictions and responsibilities.

Monitoring

Compliance with the Rules of Use is overseen by the ICT Services department, owners of services and IT services, as well as supervisors within their job descriptions. Breaches of the rules lead to sanctions
according to the Consenquences of IT Service Abuse.


E-mail rules

In brief

Every e-mail user has one or more roles

  • There are slightly different rules, for example, for staff members and students.

All rules must be obeyed

  • Use different passwords in the university services and in external services
  • apply thorough consideration before using the university e-mail address for private purposes
    (see Rules of IT Service Use)
  • if you mistakenly receive e-mail intended for someone else, forward the message to the correct
    recipient, and inform the sender of the mistake
  • remember that the privacy of correspondence also applies to e-mail
  • make sure you have enough free space in your mailbox
  • don’t distribute spam
  • don’t leave any private messages in the university mailbox when your user rights expire.

Staff members

  • Always use the university e-mail address for work-related correspondence
  • send confirmations to e-service messages without any delay
  • don’t transfer or automatically reroute work-related e-mail to external e-mail accounts
  • keep your private and work-related messages separated, also the sent ones
  • make sure your e-mail is monitored during your absence
  • if you use an out-of-office message, instruct recipients to use the organisation address
  • only use e-mail encryption methods supported by the university
  • if you are about to leave the university’s employ, transfer all e-mail messages that are relevant for the organisation to the correct persons responsible users before your user rights expire.

Students

  • Use primarily the university e-mail account for study-related purposes
  • for receiving university’s announcements to the correct email address always inform your address to the university’s services and information systems that you use
  • when you contact the university through email, remember always to inform your name and contact information in a message
  • all messages sent and received in the role of a student are private
  • if you have an employment contract with the university, you are also bound by the staff members’ rules; moreover, you must keep your work- and study related e-mail clearly separated.

Mailing list owner

  • Keep the list up to date (correct, valid addresses, brisk moderation)
  • request the deletion of your list when it is no longer in use.

Supervisor

  • Make sure that all relevant organisation addresses are available
  • make sure that the organisation addresses are used in your unit’s communications
  • appoint users responsible (with deputies) for monitoring the organisation addresses.

Organisation address owner

  • Establish procedures for message handling, back-up and informing other handlers
  • change the password of the organisation e-mail account regularly, and always after an e-mail handler (who knows the password) leaves the organisation.

Further specifications to these rules are provided below.

E-mail rules as a whole

These e-mail rules concern all e-mail systems users of both universities, University of Oulu (UO) and Oulu University of Applied Sciences (Oamk). The parts aimed at university staff members concern all of the university’s units, their employees and other users in corresponding positions (such as scholarship-funded researchers and emeritus/emerita professors). The rules also concern all users responsible for e-mail systems.

The e-mail rules comply with the currently valid laws and regulations.

The sender is responsible for making sure that the message delivery has been successful. Particularly crucial messages should be sent well before the deadline, and the recipient should be asked to confirm receipt.

Privacy of correspondence also applies to e-mail

If a user receives an e-mail message intended for another person, the unintended recipient is obligated to maintain the secrecy of the message and refrain from utilising its contents or the knowledge of its existence.

  • According to the Administrative Procedure Act (434/2003), Section 21, a document delivered by mistake and dealing with administrative matters beyond the recipient’s competence shall be transferred to the authority deemed to be competent, and the sender of the document shall be informed about the transfer; if such a transfer is not possible, the message shall be returned to the sender and deleted from the university’s e-mail system
  • all other received messages intended for another user must be returned to the sender.

The forwarding and returning obligation does not concern messages containing malware or spam.

E-mail addresses

The organisation address is an official e-mail address

The organisation address is used for official matters and service provision.

The organisation address is formed according to a certain formula, for example:

  • university-level: office@oulu.fi
  • unit-level: unit@oulu.fi
  • role-level: rector@oulu.fi
The work e-mail is a personal e-mail account provided for work-related use
  • Example: john.smith@oulu.fi, eric.jones@oamk.fi
  • Work e-mail messages are related to both the work e-mail account and the user’s job.
  • As default, the university considers e-mail messages received to the work e-mail account to
    be private messages.
  • In outgoing e-mail messages, the organisation address or the work e-mail address formed from
    the user’s name must be given as the sender’s address.
The study e-mail is a personal e-mail account provided by the University for its students
  • Example: john.smith@student.oulu.fi, eric.jones@students.oamk.fi.
  • The study e-mail account is primarily intended for study-related use.
  • The university considers students’ e-mail messages to be private messages.
  • The sender’s address in outgoing e-mail messages is the study e-mail address formed from the student’s name.
  • The student can forbid the publishing of his/her e-mail address outside the university.

Every e-mail service user is personally responsible for keeping his/her mailboxes clean and ensuring that the reserved space does not run out.

The university determines the e-mail addresses and their format

Various domain-based addresses related to certain roles are used at the university, for example:

  • organisation addresses could be of the format service@oulu.fi, service@oamk.fi
  • staff members’ addresses could be of the format john.smith@oulu.fi, john smith@oamk.fi
  • students’ addresses could be of the format brian.virta@student.oulu.fi, brian.virta@students.oamk.fi.
Staff and student e-mail addresses are formed from the user’s name

If another user with exactly the same name joins the university, the original user’s e-mail address may be changed. A person who first receives an address of the format forename.surname@(student.)oulu.fi/(students.)oamk.fi can keep it, and for the namesakes an address is of the format forename.middle name’s first letter.surname@(student.)oulu.fi/(students.)oamk.fi.

Use of e-mail and e-mail addresses

  • The name-based address must be used as the personal e-mail address
  • the organisation addresses are used in the university’s communications
  • the organisation address or work e-mail address must be used in work-related matters.

The handling and archiving of e-mail messages received to the organisation or work e-mail account are governed by the Act on the Openness of Government Activities and the university’s archive creation plan.

  • It is forbidden to transfer or automatically route e-mail messages from the organisation or work account outside the university; this is due to reasons related to information security, data protection and information management; in addition, it may constitute a breach of the Personal Data Act
  • if a received message contains a confirmation request or is part of an e-service (1), the message handler must send the confirmation immediately
  • only e-service systems are allowed to use automatic receipt confirmations.
Organisation addresses have owners

The owner must make sure that messages received in the organisation address are handled on a regular basis and according to the archive creation plan, even when the owner is absent.

  • E-mail messages received in the organisation account belong to the employer
  • the address owner must respond to any received messages immediately
  • the response must indicate that it is a reply to a message sent to an organisation address
  • organisation addresses must not be used for personal communications.
Messages related to work e-mail accounts are treated as private messages
  • The University can retrieve and open an employee’s e-mail messages in certain cases and certain ways as defined in separate guidelines: Retrieving and opening an employee’s e-mail
  • work-related e-mail messages sent by employees must, when applicable, clearly indicate whether they are official statements related to work or the employee’s personal opinions
  • when responding to applications or other such matters related to public administration, the response message’s reply address must be an organisation address
    • instead of changing the reply address, the sender can be advised to use the organisation address in the future
    • the original message and the response are transferred to the organisation address for archiving
    • if you are not aware of the suitable organization address you can check it from Campus ICT ict(at)oulu.fi.

The e-mail account provided by the university can be used for private purposes within the limitations set forth in the university’s Rules of IT Service Use.

  • Employees must clearly separate their personal and work-related e-mail messages, both those received and sent
  • if a user is both a student and a staff member, the e-mail messages related to each role must be clearly separated from each other.
External e-mail service must not be used for university-related tasks

Access to external e-mail services from the university network can be technically restricted, if such services are deemed to form a major data security risk.

Use personal auto replies with caution

Auto replies entail a risk of spam flow, but if one is nevertheless deemed necessary, it should advise the recipient to contact the relevant organisation address.

E-mail must be monitored even during absence

One option is to close the mailbox (for example, during long leaves of absence). The recommended practice is to instruct clients to use the respective organisation address for all contacts.

The e-mail account is fixed-term

Personal messages should not be left in the university mailbox when the usage right expires.

Employees must agree with their supervisor on the transfer of work-related messages to another user within the university organisation. If an employee resigns from his/her duties before the expiry of the employment contract, the employee, or his/her supervisor, can request the discontinuation of incoming e-mail immediately.

E-mail messages can be encrypted

All applications used for encrypting organisation- and work-related e-mail messages must be supported and implemented by the university.

  • If a received organisation- or work-related e-mail message is encrypted so that only the recipient can decrypt it, the message must be decrypted immediately after receipt; this rule does not apply to messages containing malware or spam
  • after decrypting, the message can be encrypted again so that all handlers can open it.

In terms of information security, non-encrypted e-mail can be compared to a postcard.

Mailing lists have owners

The owner must keep the list moderated, regularly check that it is up-to-date and remove any redundant addresses from the list.

  • The list owner is responsible for maintaining and removing joint mailing lists.
  • Personal mailing lists are each user’s own responsibility.

A mailing list forms a person register and, hence, it may be subject to confidentiality obligations and separate limitations of disclosure. If such rules apply, use the blind carbon copy (bcc) function in order to keep the list’s addresses hidden from recipients.

Mass mailing and sending/forwarding chain letters is forbidden

Exceptions to this rule can be made upon separate decisions.

Service provision and administration

System administration can intervene in e-mail traffic

in order to secure the service level or safety of the e-mail system. Such interventions, as well as email usage monitoring and log-keeping, are governed by separate instructions.

E-mail is checked and filtered

All e-mail traffic goes through an automatic content analysis, based on which

  • messages and attachments containing malware are automatically deleted
  • the delivery of harmful, oversized or numerous attachments can be restricted.

In addition, filtering and deletion without notification can be applied to messages

  • sent from known spam servers
  • classified as spam based on the automatic content analysis.
The e-mail address no longer works

The e-mail address no longer works when the usage authorisation has expired. Messages sent to a user whose e-mail account is no longer valid will not be delivered; longer valid will not be delivered; instead, an automatic message is sent to inform the sender about the expiry of the address. When an e-mail account expires, all its re-routing arrangements also become invalid.

Other clauses

Validity

These e-mail rules become effective 20.11.2013 and replace the earlier version of corresponding rules.

Change management

These rules will be reviewed when needed to ensure that they comply with all valid services and laws. Any significant personnel-related changes are addressed according to the co-operation procedure. The IT Director makes decisions concerning change needs.

Information about changes is distributed using the regular communication channels, never personally.

Deviations from the e-mail rules

Permission for exceptions from the e-mail rules can be granted for compelling reasons upon a written application. Exceptional permits are granted by the ICT Services Director. The permits may include additional terms and conditions, restrictions and responsibilities.

Monitoring

Compliance with the e-mail rules is overseen by the IT services. Breaches of the rules lead to sanctions according to the Consequences of IT service Abuse.


Use of wireless local area networks by University of Oulu (UO) and Oulu University of Applied Sciences (Oamk)

This rule applies to WLAN access points connected to the university’s telecommunications network and to those WLAN terminal devices that wish to be connected to the public or restricted services of the university’s data network via the above-mentioned access points. The rule aims to ensure the security of network connections.

A public panOULU network is also available in the premises of the higher education institution, which provides access to the internet and through it to the university’s services that the university has opened up to the internet. The panOULU consortium separately instructs on the use of the panOULU network (http://www.panoulu.net).

ICT Services are responsible for the construction and operation of telecommunications connections in both universities

ICT Services are responsible for the planning, implementation and maintenance of the construction of the telecommunications network of universities. ICT Services install the systems needed to build the backbone network, external connections, and unit networks (fixed and wireless connections), and monitor their operation and performance. When designing unit networks, the special needs of the unit are taken into account as far as possible.

The ICT Services alone has the right to install wireless network connections in the telecommunications network of universities. The connection to a telecommunications network of base stations that are not installed or approved by ICT Services is prohibited. ICT Services remove unauthorized access points from the university’s telecommunications network.

Access rights to the university’s WLAN connections

The wireless connections built in connection with the university’s telecommunications network are intended for use by a person working or studying at the university.
Users and machines that log in to the wireless local area network must be identifiable, so personal or machine-specific IDs are used to log in to the network. ID databases maintained or approved by ICT Services are used for logging in.

The user of the university’s WLAN connection can use the information services of the university’s network that the service provider has made available to the wireless network.

The use of strong encryption is required on the university’s WLAN networks, for which instructions are given in separate network user manuals (Wireless network connection (oulu.fi).

Safety of terminal equipment is the responsibility of the user

The WLAN terminal must have in place normal security protections in accordance with the terminal in question, e.g. in terms of operating system, application programs and malware prevention. The designated operator or end user of the terminal is responsible for the safety of the terminal. The policies and rules of the university’s information network also apply to the use of WLAN.

The policies and rules of the university network could be found in Patio: Information security rules and policies | Patio (oulu.fi).
 

« Back

This article was published in categories English version available, All instructions, Oamk , for Oamk staff, for Oamk students, for the University of Oulu staff, for the University of Oulu students, accessible content, UniOulu and tags , , , , , , , , , , , , , . Add the permalink to your favourites.