Acceptable Use Policy

Acceptable Use Policy of the University of Groningen for University Computer Systems

DISCLAIMER: The current document is a translation of the corresponding and official Dutch version (called ''Gebruiksregels Universitaire Computersystemen''), which was endorsed by the board of the University of
Groningen. The current document is provided solely as a service to non-Dutch speaking members of the University. In all situations where the meaning of the current document is unclear or ambiguous, the Dutch document should be used for purposes of disambiguation.

Author: University of Groningen
Established: by the Board Sep. 29, 2009
Version: 1.2
 
This document contains the general rules for using the computersystems of the University of Groningen, the ``Acceptable Use Policy'' (AUP) of the University of Groningen.

The current document was derived from existing AUPs as used by various other universities. For the construction of the current document the following AUPs were consulted:
 

  • Boston University Information Technology: Conditions of Use and Policy on Computing Ethics,  September 1, 1988;
  • University of California at Los Angeles (UCLA): SEASnet General Information (23 oktober 1990);
  • Oregon State University: Policy on Acceptable use of University Computing Facilities, January 25, 1991;
  • Princeton University: 1992-1993 Guidelines for use of Campus and Network Computing Resources.

The above mentioned documents can be requested from the Security Manager of the Center for Information Technology. In particular UCLA's Acceptable Use Policy was used as a basis for the current document.

This document contains the generic usage policy; both for internal and external users (students, personnel, guests) as well as systems managers. For these target groups more specific acceptable use policies, derived from the current policy, are available as well.

This document uses the following terminology:
 

  • Computersystems: ICT (information and communication technology) systems in general. Not only computers, but also peripherals such as printers or specialized systems such as routers.
  • Terminal: a generic term for any `ICT apparatus'.

Responsibilities of the User and of Systems Security Personnel

User Responsibilities

Users of the university computer systems should realize they are not the only users of these computers. Many computers are multi-user systems, and the users of these computers belong to a community. Therefore, the ground-rule on which this AUP is based is similar to the ground-rule on which traffic is based: the users of the university computer systems may not endanger these systems, nor may they hinder other users.

Some implications of this ground-rule are that users are not allowed to send unsollicited email or try to obtain or use other users' passwords; neither occasionally, nor `for fun'.

Privacy of accounts:

Access to university computer systems is only granted to individuals. Using other people's accounts or access-rights will result in  the discontinuation of one's account.

Any unauthorized use of an account should be reported immediately to the security manager of the Center of Information Technology.

Copying  software:

Software made available on the university computer systems may be used subject to applicable licenses and copyrights. Any software stored on the university computer systems may not be copied for use elsewhere, unless explicit and written permission was granted by proper authorities. Conversely, using illegally obtained software is not allowed on university computer systems.

Using the  university computer systems:

Using the university computer systems, including hardware, software and
computer network facilities is only allowed in accordance with the nature of the provided account. Any use of the university computer systems is always restricted to research or education. Any commercial use of the university computer systems is not allowed, unless  explicit and written permission was granted by proper authorities.

Access information security:

By obtaining access information (e.g., usernames, passwords) third parties may gain access to the university computer systems. Even in this case the registered user of an account is liable for any access or abuse of the university computer systems. In order to minimize the probability that unauthorized parties obtain
your password, adhere to the following rules of thumb:
     

  • Keep your access information secret: don't hand this information over to friends or acquaintances.
  • Don't type your  password when somebody watches you type.
  • Change your password every now and then. Opinions differ about the optimal interval for password changes, but everyone working in the field of security advocates to change passwords every once in a while. Changing ones
    password very often isn't necessary, but a password should be changed at least once a year.
  • Do not use personal data about yourself, your friends or relatives when constructing your password.
  • Do not use existing words or abbreviations (like rcrug of ppsw).
  • Use lower- as well as uppercase letters, use digits and punctuation characters when constructing your password.
  • Some examples of hard to guess, but easy to remember passwords (well, up to now, as they are now listed in this document):
               o  1irC&D `it is raining cats and dogs'.
               o  6^twT.  `barking up the wrong tree'.                    

Report holes in security:

All multi-user systems are vulnerable to security breaches. If you find a flaw in a system's security setup you should report this to the security manager. It is not allowed to exploit the discovered weakness in the security setup of university computer systems. By informing the security manager of any weakness you have found, you effectively help to optimize the reliability of the university computer systems, while preventing misunderstandings at the same time (do you exhibit intellectual curiosity or are you purposely exploiting a security hole?)

Using games:

On various university computer systems games were made available. Enjoy them in a responsible way. If you notice that somebody is waiting for your terminal it is very impolite to keep using your terminal for playing games. Terminate your session without being asked, and let others use your terminal. Prevent the situation that the other person has to ask you to leave your terminal.

The abuse of facilities and privileges

Abuse of facilities and privileges is illustrated by, but not restricted to, the following examples. Users of the university computer systems are expected to prevent and fight any abuse of the university computer systems in the spirit of this AUP. The examples provided below should be interpreted as illustrations, not as an exhaustive list.

It is not allowed:
 

  • To modify or to remove hard- or software without having obtained prior permission from proper authorities;
  • To use university computer systems, or to use any software or stored data without having obtained prior permission from proper authorities;
  • To send any email using other people's names and/or addresses, or to read or distribute other people's mail without having obtained their consent in advance;
  • To alter IP-addresses or other identifying data of university computer systems (e.g., by using spoofing);
  • To violate software and/or copyright licenses that are applicable to the software and/or data that are stored on the university computer systems;
  • To harrass or hinder other users of the university computer systems;
  • To gain access to, or to distribute any information stored in the university computer systems without having obtained prior permission of the owner of such software or data;
  • To hamper or to deny access to the university computer systems by sending extremely large bodies of email, either to local destinations or to destinations outside of the university. Analogously, it is not allowed to abuse university computer systems by, e.g., submitting extremely large print-jobs, storing extremely large amounts of data, or executing programs using grossly inefficient algorithms or requiring excessively large resources;
  • To distribute or to make available any information, irrespective of its form, owned by the university, without having obtained written permission by the owner in advance;
  • To distribute or to make available obscene, aggressive, discriminating or threatening information.

When there are clear indications that an account is being abused, systems managers may be ordered to inspect the contents of information stored in, going to or leaving that account (cf. section `Responsibilities of systems managers', below).

Responsibilities of systems managers

Systems managers have the same rights and duties as other users of the university computer systems. However, the sensitive nature of their positions naturally leads to additional security related requirements.


  • Systems managers should ensure that the users of their systems have access to the software and hardware they require for their normal work at the university. Requests for the installation of software should always be considered conditional to the assigned nature of the particular university computer systems. E.g., a systems manager of a computer not intended to serve up webpages cannot rightfully be asked to install a webserver on that particular computer.
  • The systems manager is responsible for the security of the system itself, and will take care of, in cooperation with the security manager, the installation and maintenance of the required and available software.
  • In order to uphold and maintain the integrity of `RUGnet' in- and outbound traffic is constantly monitored. All information about this traffic is  using automatic means.
  • All information collected to analyze in- and outbound traffic is destroyed after at most six months except in cases where a legal obligation exists to retain the information for a longer period. In those cases the University of Groningen applies the legally acceptable minimum storage period.
  • All information obtained about in- and outboud traffic is also analyzed using automated means and is aimed at the analysis of malware like viruses, trojan horses and worms.
  • Except for the exceptional situation described below (abuse of an account) systems managers will not perform any content-analysis of the information within RUGnet.
  • The systems manager will consider any information about the system, as well as any information stored in the system as confidential.
  • In special situations the systems manager can be required to submit specific information (data, software) for further investigation, in order to solve any problems that were encountered while using the data or software. These requirements may involve security scans. Such scans are only performed subsequent to an authenticated request made by the relevant department or user of the system(s) involved.

When there are clear indications that an account is being abused, systems managers may be ordered to inspect the contents of information stored in, going to or leaving that account. Content-inspection is only allowed when the
following conditions hold true:
 

  • There must be a clear and verifiable indication that the account is abused. For example, a complaint was received from a trusted CSIRT-team, or a complaint has reached the university through normal legal procedures.
  • The responsible systems manager must have received an authenticated order to start a content inspection from both the Head of the Juridical Department (ABJZ) and the director of the Center of Information Technology. An
    authenticated order is either a written and signed letter or an electronic message bearing a verifiable signature (e.g., a GPG signed electronic mail).  

Consequences of abusing the University computer systems

Abusing university computer systems may result in disciplinary action.

If there are strong indications that university computer systems are or have been abused, and if the abuse can be traced down to a person who is associated with the university (the suspect), then at last one of the following steps should be taken to ensure the safety and integrity if the university computer systems:
 

  • The board of the faculty or department responsible for the suspect is informed of the situation;
  • The access rights of the suspect may be restricted or suspended, awaiting the results of the investigation. The suspect may file an objection to this restriction or suspension with the chair of his/her department;
      o  Data files and media of the suspect are investigated;
      o  The board of the University and the board of the applicable faculty or the director of the department responsible for the suspect is informed about the (suspected) abuse.

Legal articles to this AUP (in Dutch)

  • Artikel 7.57 h WHW (artikel 7.57a (oud) WHW)
  • Huisregels en Ordermaatregelen Rijksuniversiteit Groningen.

Last modified:February 14, 2014 15:38
Also available in: