ISPF_022 - IT Acceptable Use


ISPF_022 – Information Security Standard – IT Acceptable Use

Version: 1.1
Approved by: Information Governance Committee
Approval date: 1 March 2023
Effective date: 1 March 2023
Next review date: 1 March 2025

Standard Statement

Purpose

One of the challenges facing the Seventh-Day Adventist Church today is enabling employees to work productively while also ensuring the security of the IT network and, crucially, the data on it. Given that technology is continually changing, employees play a significant role in IT security. Information Communications Technology (ICT) resources are provided to improve and enhance the conduct of Church business and functions. Using information technology, accessing information, and communicating electronically can be cost-effective, timely and efficient.

 

All users of Church ICT resources are expected to exercise responsibility, use the resources ethically, respect the rights and privacy of others and operate within the laws of the State and Commonwealth, including anti-discrimination and sexual harassment laws, and the rules and policies of the Seventh-Day Adventist Church.

 

This standard sets out the minimum rules for acceptable use of the Seventh-Day Adventist Church information systems and services for individuals who have been authorised to use or access the Church information systems. It also expresses the commitment of the Church to providing and maintaining a secure, effective, and reliable IT infrastructure and services to support its operations.

Scope

This standard applies to all users of the Seventh-Day Adventist Church Information and Communication Technology resources including but not limited to staff (including casuals), consultants and contractors, third parties, volunteers, and visitors to the Church. This standard also applies to users connecting personally owned devices such as laptop computers, smartphones, and tablets to the Church network, and/or storing any Church data on such devices.

 

Standard

Controls

General Principles

 

The Seventh-Day Adventist Church’s ICT resources exist and are maintained to support the work of the Church. Improper use of the ICT resources through the Church’s network may compromise the confidentiality, integrity, and availability of information.

 

Users must take responsibility for using IT Facilities and Services in an ethical, respectful, secure, and legal manner, having regard for the objectives of the Church and the privacy, rights and sensitivities of other people.

 

Materials and data produced, stored, and destroyed using the Church’s ICT resources are to be managed subject to the relevant Church policies, including the Data Security and Intellectual Property Standards.

 

The Church accepts no responsibility for loss or damage, consequential loss or damage, or loss of data arising from the use of its ICT resources or the maintenance of its ICT resources.

 

General Conditions of Use

 

Users are authorised to use Church IT Facilities and Services when assigned a User Account subject to the conditions in this standard.

 

Users must take reasonable steps to ensure the security, confidentiality, integrity and availability of all Church related information and data stored or received, including measures to prevent loss of information and loss or leakage of account credentials.

 

Users should be aware that personal use of the Church’s ICT resources may result in the Church holding personal information about the user and/or others which may then be accessed and used by the Church to ensure compliance with this, and other policies.

 

All users must take care to access the Church’s ICT resources, including email, only from secure or trusted computers, and to lock computers or log out of sessions before leaving any computer unattended.

 

Many IT Facilities and Services require authentication in order to access. Access is often further controlled based on roles, which are linked with the username of a User Account.

 

Users must use IT Facilities and Services only in the manner intended for their role.

 

Users must not share their User Account or password or other authentication credential. Users must not use an account assigned to somebody else. This does not apply where authorised IT support staff are conducting their duties and the User has provided their credentials in the course of receiving support.

 

Users must set up the self-service password reset capability to enable themselves to reset a forgotten or expired password.

 

Restrictions on Use

 

Users must not use the Church’s ICT resources in a manner that is harassing, discriminatory, defamatory, vilifying, abusive, rude, insulting, threatening, obscene or otherwise inappropriate.

 

Users must not use the Church’s ICT resources in such a way as to cause embarrassment or loss of reputation to the Church.

 

Users must not use the Church’s ICT resources to collect, use, or disclose personal information in ways that breach the Church’s Privacy and Information Access Policy.

 

Users must not use the Church’s ICT resources for gambling or for accessing, storing, or transmitting pornographic material of any sort.

 

Users must not use the Church’s ICT resources for unauthorised profit making or commercial activities.

 

Users must not use the Church’s ICT resources to attempt to gain unauthorised access to any computer service. The use of another person's login, password or any other security device is not permitted.

 

Users must not exploit any vulnerabilities in systems (except authorised staff when checking security of systems as part of their duties) or use any technology designed to locate such vulnerabilities or circumvent security systems.

 

Users must not attempt to create or install any form of malicious software (for example worms, viruses, sniffers, malware, ransomware) which may affect computing or network equipment, software, or data as part of the Church’s ICT resources, or which seek or gain access to data or user accounts for which the user is not authorised.

 

Users must not facilitate or permit the use of the Church’s ICT resources by persons not authorised by the Church.

 

Users must not extend the Church network by introducing an unauthorised hub, switch, router, wireless access point, or any other service or device that permits more than one device to connect to the Church’s network.

 

Where access to an ICT resource of the Church is protected by a password, a user must not make their individually assigned password available to any other person.

 

Users must not change operating system configurations, upgrade existing operating systems, or install new operating systems on Church owned and managed devices.

 

Email and Internet Security

 

Each user is responsible for any digital content that they store on their Church devices or send over the Church e-mail or Internet services. No communications (including e-mail) may be sent which intentionally hide the identity of the sender, represent the sender as someone else, or claim authority to represent someone on their behalf, unless explicitly authorised.

 

You must contact the Adventist Technology IT Service Desk without delay if you receive digital information you are not authorised to receive, or if the information appears illegal or otherwise questionable.

 

You must not:

 

Create / send email under another’s name (forgery).

 

Create / send / forward: electronic chain letters, unsolicited broadcast emails (“Spam”), obscene, abusive, fraudulent, threatening, or repetitive messages.

 

Open web links or instructions provided by email, unless you are certain of their origin and function.

 

Send any messages that support illegal or unethical activities.

 

Download large files without permission (“hogging” bandwidth).

 

Send emails containing passwords in clear text.

 

It is acknowledged that despite the Church’s efforts to the contrary, ICT users may be subject to unendorsed content such as Phishing, Malware and/or other illicit/malicious links or files. Such content will often use social engineering methods to encourage users to unwittingly provide malicious actors with access to ICT resources or with information such as User Login IDs, Passwords and/or other Personally Identifiable Information, often via the use of fake or misleading websites.

 

Adventist Technology will endeavour to deploy appropriate security controls and procedures to protect users of ICT services from known Malware, Viruses, Phishing, or illicit/malicious content where feasible and deemed appropriate by Church policy.

 

Due to the rapidly changing nature of Malware, Viruses, Phishing or illicit/malicious content, the Seventh-Day Adventist Church cannot guarantee protection from all such content. Each user is responsible for applying due diligence and care in the use of ICT services. The Church will provide appropriate support and guidance and require the following:

 

You must:

 

Attend Security Awareness training (online or in person) and complete and keep current any associated assessment, as requested by the Church.

 

Seek advice if you have any IT Security questions or concerns. Specific contact information can be found on the Church Intranet. Alternatively, contact the Adventist Technology IT Service Desk.

 

Report a suspected malicious or suspicious email or Church web site as a security incident immediately to the Adventist Technology IT Service Desk.

 

You must not:

 

Open a suspicious email link. If you have a concern, report it.

 

Open a website or application claiming to belong to the Church if you are unsure of its authenticity (Phishing schemes often impersonate an official website to trick a user into revealing their login credentials). If you have a concern, report it.

 

Open a Seventh-Day Adventist Church website or application that does not have a Church domain name. If unsure, report it.

 

Open any link (website) that you receive in email and enter your username, password, credentials, or personal information into it, regardless of who the sender claims to be.

 

The Seventh-Day Adventist Church will never send links to forms requiring you to:

  • Change your password (e.g., Click email link to fix issue)

  • Validate your details (e.g., Confirm your Date of Birth)

  • Update User information (e.g., Provide your Home Address)

  • Log in to fix a full mailbox quota (e.g., Click email link to fix issue)

  • Log in to validate your email account (e.g., Click email link to fix issue)

  • Log in to fix a problem with email account (e.g., Click email link to fix issue)

It is also extremely unlikely that other organisations such as Banks, Motor Registry Authorities, Police, Post Office, Council, Utilities (such as Telecommunication, Gas, Electric, etc.) would ever send such a request. You are encouraged to distrust such requests and contact the Adventist Technology IT directly.

 

Users have a responsibility to be vigilant and know how to protect themselves and IT Facilities and Services. Users must undertake regular Cyber Security Awareness training when required and comply with ISPF_002 Cyber Security Standard.

 

Managed computers that are compromised will be reset to the standard image and software reinstalled by Adventist Technology IT support staff.

 

All software on devices must be kept up to date to ensure known security vulnerabilities are fixed.

 

The Church uses various network and device security controls to help protect against cyber-attacks. Occasionally these controls may interfere with user experience. Users must not subvert or attempt to subvert any security control.

 

Access to a User Account may be temporarily suspended if the account is suspected to be compromised and is posing an unacceptable risk.

 

Attackers use the web to target Users. Users must take care when browsing webpages. The following actions help protect against web attacks:

 

Browsers and all plugins must be kept up to date with security fixes.

 

Unnecessary browser plugins should be avoided.

 

Before authenticating to a website or entering private data, the security padlock and the legitimacy of the site address should be checked.

 

Software must not be installed if prompted. Software should only be installed if the User is authorised to do so and has deliberately downloaded the software from a trustworthy source.

 

Users must not give a third party the means to access IT Facilities and Services without approval from the Adventist Technology IT Team.

 

Personal Device Usage (including BYOD)

 

Personal device usage includes, but is not limited to, personally owned desktops, laptops, mobile devices, smartphones, tablet devices and any wearables. Users must ensure that usage of personal devices both on the Church network and when handling Church data meets all the applicable requirements of this Standard and the BYOD Procedure.

 

When using personal devices to connect to the Church network, Users shall ensure that these devices have up-to-date security patches and that anti-virus software is installed. Refer to ISPF_016 Remote Working & Bring Your Own Device Standard procedure for further details.

 

Monitoring Usage of ICT Resources

 

Subject to any law or written agreement to the contrary, the Church reserves the right to view, modify, copy, move, delete, or otherwise handle as it sees fit the data and information assets stored on and accessed through the Church’s ICT resources, irrespective of any ownership or other rights claimed over the data or information assets.

 

Consistent with generally accepted business practice, the Church may audit and monitor the use of its ICT resources. The Church may also look at and copy any information, data, or files (including non-Church material) created, sent, or received by users using, or while connected to, the Church’s ICT resources. Users are responsible for all activities originating from their account, including all information sent from, requested, solicited, or viewed from their account as well as publicly accessible information placed on a computer using their account.

 

In accordance with the Information Security Policy Framework guidelines, the Church will take reasonable precautions to protect the security and privacy of its users’ ICT accounts and ICT Resources. Consistent with these purposes, the Church will normally only access an employee’s records in the following circumstances:

 

When an employee is unexpectedly absent from work (for example, on sick leave or annual leave) and access is required for legitimate business purposes (for example, work continuity) or work health and safety reasons (for example, where there are reasonable concerns about the individual’s health and safety).

 

When the Church reasonably suspects that an individual(s) is not complying with this Standard, other Church policies or procedures (e.g. Code of Conduct), or legislation.

 

For use in legal proceedings or as required by law (e.g. to comply with a Notice to Produce or subpoena).

 

For IT security purposes (e.g. to protect networks or data stored on the network).

 

 

Consistent with this approach, access to an employee’s records will only be granted with the approval of the Chief Information Officer and/or the Director, Human Resources (or their nominee in circumstances of absence). Access to the records will be provided to an appropriately senior person nominated by the Chief Information Officer and Director, Human Resources.

For more information refer to the Seventh-Day Adventist Church Information and Communication Technology (ICT) Resources Policy and ISPF_008 Logging and Monitoring Standard.

 

Enforcement

 

All Users of the Church’s ICT Resources should be aware of this standard, their responsibilities and legal obligations. Non-compliance with the provisions of this standard may result in action under the Church’s policies, code of conduct or enterprise agreements, and may also result in referral to a statutory authority and/or agency. Sanctions may include warning, counselling, disciplinary or legal action.

 

The CIO (or delegate) is responsible for monitoring use of the Church’s ICT resources. If the CIO (or delegate) deems that an identified use of equipment or services is inconsistent with any terms specified in this Policy, such use may be investigated by the Church. The CIO (or delegate) may withdraw access to the Church’s ICT Resources commensurate with managing the risk of the activity while the investigation is in progress.

Control Exceptions

All exemption requests must be reviewed, assessed, and approved by the relevant business stakeholder.

References

 

  • ISO27001 Security Standard and the Principles of Australian Government Information Security Manual.

  • Data Classification Standard

  • Data Handling Guidelines

  • Information Security Guidelines – NSW

  • Privacy and Personal Information Protection Act 1998

 

Accountabilities

Responsible Officer: Information Governance and Cyber Security Manager

Contact Officer: governance@adventist.technology

 

Supporting Information

Parent Document Policy

 

Related Documents

 

Relevant Legislation

File Number
