Undertaking & Acceptable Use Policy of VTC IT Resources

 

The Policy

This document, together with all other prevailing policies, rules, best practices and standards as may be announced by Information Security Committee (Infosec Committee) or promulgated on VTC Information Security website from time to time (together the "Policy"), governs the use of VTC IT resources by VTC staff and students.

The Policy might be reviewed and updated by VTC from time to time to incorporate changes as VTC might deem necessary or appropriate. Those changes are effective as and when they are announced or promulgated.

Using VTC IT resources means acceptance of the Policy. Without prejudice to VTC's other rights and remedies against the staff or student who fails to comply with the Policy (including taking disciplinary action and reporting the case to the relevant authorities), VTC may suspend or terminate use of VTC IT resources temporarily or permanently without notice.


Purpose of VTC IT Resources


VTC IT resources (including but not limited to the VTC Network, the Computer and Network Account, VTC email system) are the property of VTC, and are managed and operated by Information Technology Services Division (ITSD) to provide, quality, equitable, and cost-effective information and communication service to VTC staff and students. Use of VTC IT resources are only for the purposes of carrying out the official functions of VTC and for other authorised purposes stated in this Policy. All users of VTC IT resources must abide by the overriding principles to: (1) use VTC IT resources in an effective, ethical and lawful manner (2) follow the Policy, both in letter and in spirit. The provision of VTC IT resources is a privilege (which may be revoked at any time by VTC) rather than a right.



The VTC Network


VTC Network is a high-speed network which connects all VTC campuses to the central network equipment in Headquarters.


Authorization to use VTC Network:  Use of VTC Network is open to authorised VTC staff and students only, for purposes stated in this Policy. To be authorized, a staff or student should follow steps listed below:

1.      A staff or student must have a valid Computer and Network Account (CNA) before using any VTC IT resources.

2.     Staff should apply CNA for using VTC IT resources. Student CNA will be created automatically according to information from Student Records System (SRS) or information from SHAPE Admission Offices.

3. All equipment connecting Internet/VTC network must be registered first by submitting Internet Access Application Form, which can be downloaded from ITSD Intranet Page https://cnatools.vtc.edu.hk/CNAPortalFAQ/pdf/InternetAccessForm.pdf (For staff only).



The Computer and Network Account (CNA)


CNA is the key for individual to access VTC IT resources. CNA users should read this policy carefully before activating their CNA. By activating a CNA, it means that user have read, understood and agreed to observe the Policy.



Acceptable Use Policy of VTC IT resources


Use of VTC IT resources shall conform to the following principles:

a.     Be consistent with the authorised purposes of VTC IT resources,

b.     Avoid interfering with the work of other users of the VTC IT resources,

c.     Avoid disrupting the network host systems (nodes) in VTC IT resources,

d.     Avoid disrupting network services,

e.     Avoid violating any laws or regulations which govern access of VTC IT resources and/or any other computer system, network or the Internet



Acceptable Use Policy of CNA


1.     CNA is non-transferable and a user is not allowed to let other people use his/her account. Password of his/her account shall be kept confidential at anytime.

2.     CNA users shall immediately report any system security violation, or any suspected system security violation to their local technical support / representatives.

3.     Irresponsible use of VTC IT resources like abuse VTC’s electronic mail system is prohibited. CNA user must make sure that his/her email and all the mail attachments are free of virus, Trojan horses, worms or any other harmful or deleterious contents.

4.     For each CNA, an appropriate amount of storage is allocated for storing e-mail messages and attachments. Therefore, CNA user is advised to back up important messages and attachments, and delete outdated messages and attachments. They are also advised to empty the trash folder frequently.

5.     Departing staff's CNA will be deleted on the following day after his/her last service day according to the information from HRMIS, he/she should transfer the ownership of mailing list and/or department account to other colleagues before leaving.

6.     Student CNA will be automatically deleted by the time he/she is no longer an active student. VTC will not be responsible to users for the deleted contents.



Good Practices - Using VTC IT resources


The following are good practices with examples to help users to understand and follow the rules.  However the list is not exhaustive and therefore precaution should be taken.

1.      VTC IT resources are provided only for carrying out the official functions of VTC, including the support of teaching, learning, consultation and administration purposes. It is not to be used for commercial purposes, such as marketing, advertising or business transactions between commercial organisations. Example :

a.       Setting up websites that are irrelevant to the teaching, learning, consultation or administrative purposes is strictly prohibited.

b.      Commercial advertising is forbidden. But discussion of a product's relative advantages and disadvantages by users of the product for the authorised purposes is allowed and encouraged. Vendors may respond publicly to questions about their products as long as the responses are not in the nature of advertising.

2.      Any user is not allowed to transfer, resell or make available to others the VTC IT resources, which has been personally allocated to him/her, in various possible forms, such as network bandwidth and connection time, access rights, computer budget, etc.
Example: Sharing accounts and passwords between users may result in security breaches and should be prohibited.

3.      Activities which will interfere in the proper use, cause congestion or impair the healthy state of the VTC Network are unacceptable and prohibited. Research and experimentation on network should be carried out with great caution. Negligence in the conduct which will lead to the contrary of the aforementioned best practices is irresponsible and unacceptable. Example:

a.       Downloading or uploading or circulating multiple large files (e.g. entertainment files, software or games) irrelevant to the teaching, learning, consultation or administrative purposes is strictly prohibited.

b.      Experiments on the network which will lead to exhaustive flooding of its available bandwidth should be avoided. Networking experiment for teaching purposes should be done in an isolated environment to avoid impairing the healthy state of VTC Network.

4.      Any waste of VTC IT resources is unacceptable. Example:

a.       Repetitive retrieval of copies of the same files by a user who does not keep a copy on his/her own system is considered a waste of network resources and should be avoided.

b.      Sending SPAM email (unsolicited bulk commercial email, whether internally or externally) wastes the VTC IT resources and may cause negative impact to VTC’s image. Such activity is strictly prohibited.

5.      Any use of VTC IT resources which violates applicable laws and regulations, including but not limited to those related to copyright, data privacy, defamation and transmission of obscene and indecent materials, is not allowed. Offenders may be subject to disciplinary actions and/or incur civil/criminal liabilities. Examples:

a.       The installation, modification and/or use of any software in the user's office computer without proper licensing are strictly prohibited. Software licensed only for the user's personal use cannot be installed in his/her office computer.

b.      Copyrighted materials, including those downloaded from the Internet, should not be stored in the VTC IT system or disseminated to others without the prior permission of the copyright owners.

c.       Transmitting any material that may infringe the intellectual property rights or proprietary rights of others, e.g. trade mark, copyright, patent, right of publicity.

d.      Misuse or disclosure of others’ personal data without their consent for purposes beyond the original purposes of collection, e.g. sending unsolicited and irrelevant communications to staff whose personal data are accessible on VTC IT resources for official contact/enquiry purposes.

6.      Users must not compromise the confidentiality and privacy of other users of VTC IT resources and the confidentiality/integrity of data and information mounted on or transmitted through the VTC Network. A breach of these principles may attract civil and/or criminal liabilities.
Example:

a.    Unauthorised reading, altering, intercepting of, electronic eavesdropping on, any network communications over the network or data kept on systems on the network are examples of violation of these principles.

b.    Unauthorised disclosure of confidential information owned by VTC.

7.      Irresponsible use of VTC email to harass, defame or offend others users of the network are prohibited and may lead to suspension/ cancellation of the CNA, other disciplinary actions as appropriate and/or even lead to civil or criminal consequences. Users should observe good conduct and common courtesy to respect other users.
Example: Sending out chain letters, broadcasting/ circulating messages, disseminating messages that contain statements of personal attack/criticisms or unverified incidents/rumors or any other forms of network communications that harass or offend other users of the network, and the use of false identities/ email addresses are considered irresponsible use.

8.      The mass mailing/mailing list function is made available to facilitate authorised communications between users and not for any other purposes. Users must not abuse this function. As a guiding principle (the numerical references are solely for guidance and shall not prejudice VTC’s discretion in deciding whether this Policy has been breached), a user shall be deemed (subject to contrary proof) to have abused this function/the VTC IT resources if he/she (i) sends an email to more than 100 recipients in a single email; (ii) sends an email under this function with email size (including attachments) exceeding 500 kbytes; or (iii) sends an email to a recipient who has indicated his/her objection to receiving the email, or fails to promptly remove/unsubscribe such a recipient from the massing mailing/mailing list. It shall be the sole responsibility of the sender to obtain the consent of the recipient before sending these emails and promptly honour the recipient’s request to unsubscribe.

9.      VTC email is an official communication channel among staff and students. It must be used for the authorised purposes only, e.g.  learning and teaching purpose. VTC email accounts shall not be used for other purposes such as:

a.       Register public websites, such as forum/discussion group, social networks, photo or video-sharing platforms, chat rooms or auction sites

b.      Conduct commercial activities, such as marketing or business transactions

c.       Send irrelevant or chain mails to a large number of recipients

d.      Broadcast messages which are likely to harass or offend others

10.  Users are responsible for taking adequate security measures to protect the VTC's IT resources from physical damage or loss, and guard against unauthorised access to the VTC IT resources.
Example: Installation of unauthorized Internet connection (e.g. dial-up, broadband Internet access), server (e.g. DHCP server), network equipment (e.g. modem, switch), remote access software (e.g. pcAnywhere, terminal service) and wireless access point introduces security holes to the VTC Network. If such activities are required for authorised teaching, learning, consultation or administrative purposes, they should be implemented at an environment isolated from the VTC Network.

11.  Users are responsible for taking adequate security measures to protect the VTC IT resources from unauthorised access and/or modification.
Example: If users are using systems that are developed or acquired by their own to handle the VTC's information, adequate security measures must be implemented according to VTC’s Information Security Policy. Users must make sure that his/her email and all the mail attachments are free of virus, Trojan horses, worms or any other harmful or deleterious contents.



Monitoring use of VTC IT Resources


Purpose of monitoring

VTC adopts various measures to log and monitor use of VTC IT resources for the following purposes:

1.      to maintain a stable IT environment for academic and business activities in VTC

2.      to provide necessary information for VTC management to ensure proper and effective use of VTC IT resources

3.      to ensure the integrity and security of confidential or proprietary academic and business information

4.      to monitor compliance of this Policy


Scope of monitoring

VTC reserves the rights to log any user activities on VTC IT resources. The log may contain (but not limited to) CNA ID, date, time, email recipient address, email header, URL of website, etc. For email services, VTC reserves the right to access the content of emails held in a staff/student mailbox when there is reasonable suspicion of violation of the VTC’s policies.


Use of information gathered from monitoring

Logs and recorded information of emails collected during monitoring process will be used for ensuring compliance with VTC’s policies. Log files will be kept for and be erased after a specific period of time (usually 1 year), unless further retention is necessary for legal processes, disciplinary actions, or investigation of suspected breaches of VTC’s policies. VTC reserves the right to access content of logs and recorded information. Authorization to access the logs and recorded information is restricted to authorized staff of the ITSD or Computer Centres at operational units. Access to contents of emails requires the authorization of the Chairman of Infosec Committee or senior management.



Right of Authorized ITSD/Computer Centre Staff


Users are expected to take reasonable measures themselves to ensure their use of the VTC IT resources are conformed to the above best practices and Regulations. That being said, Infosec Committe is responsible for overseeing this Policy and acting on complaints of breaches of this Policy.

Without prejudice to the provisions under the Personal Data (Privacy) Ordinance, in case of suspected violation of this Policy, authorised staff of ITSD or Computer Centres at operational units shall have the right to access, use or disclose the personal data of the user concerned, suspend his/her use of VTC IT resources for investigation purposes, and/or where the circumstances warrant, to report the case to relevant authorities and to take appropriate actions as required by relevant authorities.


 

Interpretation of the Policy and Enquires


This document is not exhaustive. The final authority for interpreting this Policy lies with Infosec Committee. It is the responsibility of users to contact Infosec Committee, in writing, regarding questions of interpretation. To err on the side of caution, questionable use of VTC IT resources should be considered as "not acceptable" and hence be avoided, unless and untial Infosec Committee has approved of such use and made the corresponding changes to this Policy.

For enquiries on the policy, please contact the Infosec Committee by infosec@vtc.edu.hk

 

 

Last updated: 2014-May-2