University of Jyväskylä information systems usage policy

The university provides a diverse range of information systems for students and staff. Their use is an essential part of study and research. The rules established by the university dictate how the university's information systems are used and maintained.

The rules for using the information systems are outlined in the "Information Systems usage policy". It specifies what activities are allowed and what is prohibited. The "Consequences of Misuse of Information Systems" policy outlines the consequences of misuse and how access rights can be restricted.

The use of email by students and staff at the university is guided by the "Email policy". This policy details the responsibilities when using the university's email. It particularly guides the use of email for work and administrative purposes.

The "Information systems maintenance policy" describes what administrators can and cannot do when maintaining systems. Administrators must respect user privacy and are bound by confidentiality and non-exploitation clauses regarding the information they encounter in their work.

Implementation and updates of the rules

These university information systems usage rules come into effect on December 1, 2019, and replace the previous corresponding rules.

The rules are updated as necessary to ensure they align with the provided services and legislation. Changes are handled through the co-determination procedure. The need for changes is monitored by the university's chief digital officer.

Terms used in the rules

  • Access right: The right granted to a person to use a specific service.
  • User account: An identifier used to uniquely identify a person when using an information system.
  • Information system: In these rules, this refers to an individual ICT device or hardware owned by the university or connected to its systems, the university's communication network, the software and services operating on the aforementioned, and the data contained therein.
  • Owner of the information system: The owner is the university unit for whose activities and data processing the system has been acquired and who determines those authorized to use the system.
  • IT policy violation: The use of an information system in violation of the rules governing its use or in violation of the law.

These usage rules apply to everyone who uses the university's self-produced information systems or externally acquired services, as well as the university's devices and connections. Users include the university's students, teachers, researchers, and other staff, as well as others who use the services with the university's permission.

The university provides reliable and secure information systems for university members to use for studying, research, and other work. Users of these systems must commit to using the services responsibly in accordance with these and other rules issued by the university. Violations of these and other rules governing the use of information systems will result in consequences in accordance with the university's information systems sanction policy. Compliance with the rules is monitored by the responsible persons of the information systems and the heads of units.

User rights and responsibilities

The university strives to keep the information systems it provides accessible and ensures their security to the best of its ability. While backups of information systems are made to protect against hardware failures, users are responsible for archiving their own data.

The university maintains and uses information systems while respecting privacy.

Compliance with rules

The university's information systems are intended as tools for tasks related to studying, teaching, research, or administration within the university. Limited personal use of the systems is allowed as long as it does not interfere with other uses or violate the rules governing the use of services. To ensure privacy protection, personal material must be kept clearly separate from work-related material.

The user is responsible for all use of the university's information systems made with their access rights or devices. Users must protect their usernames from unauthorized use. The user's responsibility for misuse of their account ends once they have reported the theft of their credentials.

Shared resources must be used in such a way that all authorized users have the opportunity for reasonable and proper use. Systems or the communication network must not be overloaded, and services must not be unnecessarily reserved.

Personal devices can be connected to the university's communication network if the connection is made in designated network areas and in accordance with the university's instructions. Detailed procedures for connecting personal devices to the network can be found in the digital services guidelines.

Setting up a service visible on the communication network on a workstation, server, or other similar device always requires the permission of the information system owner. Decisions on services needed for teaching and research are made by the relevant faculty.

Users are obligated to maintain confidentiality regarding the content of the systems, their usage methods, security level, and features when the purpose of the information systems, the regulations, instructions, or applicable rules require it.

Prohibited Use

The use of university information systems for illegal or unauthorized activities is prohibited. This includes activities such as searching for security vulnerabilities, unauthorized decryption, copying or altering communications, or attempting to penetrate information systems. Exceptions to this are activities related to teaching and research, provided they are conducted in accordance with the unit's plans.

Personal network devices, services, or other systems may not be connected to the university's general network without explicit permission from the digital services. It is prohibited to use technical methods or devices that can redirect data or communication traffic or cause disruption to the normal functioning of the infrastructure. For example, the use of personal DHCP services or routers is prohibited.

Parts or features of the information systems that are not explicitly made available for general use may not be used. This includes tools intended for maintenance or functions that are restricted by system settings.

The use of information system services for political activities (such as election campaigning) is prohibited. Exceptions are university elections, activities of student organizations related to the student union, and staff trade unions.

Commercial activities or advertising are not acceptable uses of information systems for personal purposes. However, the university may grant exceptions to this rule.

Copyright-protected software may not be used or copied in violation of license terms.

Information systems access rights

Obtaining access rights to the university's information systems is based on belonging to the university community. The owner of the information system may grant access rights for special reasons to individuals not belonging to the university community. The information system owner decides what access rights the user receives for the system. Access rights are granted by providing a username or making the service available.

The university may offer services that anyone can register to use. Registered users are subject to the same usage rules as other users. The service provider is responsible for terminating access rights when the justification for access ends.

A prerequisite for obtaining access rights is that the user commits to complying with these rules and other related instructions and regulations. The user must familiarize themselves with the usage instructions and rules related to the system in advance.

Access rights may not be transferred to others. If there is reason to believe that a password or other identifier has been disclosed or compromised, the password must be changed or the identifier usage must be immediately blocked.

Access rights are temporary and end when:

  • the person's student or employment relationship or other agreement ends,
  • the granted temporary access rights expire,
  • the person's role changes in such a way that there is no longer a justification for access to the information system service.

Access rights may be restricted if there is a justified suspicion of misuse or if their use has compromised security.

The user must remove personal emails and files before the access rights to the information system expire. The university will delete files and the mailbox after a notice period determined by the university following the end of the account use or access rights. An employee must transfer work-related messages and files to a person agreed upon with their supervisor. This also applies to students who have participated in, for example, research groups.

The user must delete software licensed for home use as an employee or student benefit upon the termination of the employment or student status.

User Accounts

Access to the information system is most often verified with a username and password. Usernames are personal, and the university strives to ensure that the same username can be used for all information systems.

Usernames must not be shared with others. The user is responsible for all activities conducted under their username.

Usernames must be protected with a strong password or as otherwise instructed. If a password or other identifier is suspected to have been compromised, the password must be changed or the identifier usage must be immediately blocked.

Digital Services can issue group accounts for use by multiple people for specific purposes, such as for course use in computer labs.

  • The applicant for the group account is responsible for ensuring that the account is used only for the intended purpose. 
  • Each user of the group account is responsible for their use of the group account. 

Consequences of information system misuse

Information technology violations include the use of university information systems in violation of the rules or regulations governing their use or in violation of Finnish law.

This policy describes the actions taken against individuals when an information technology violation is detected or reasonably suspected. The actions are divided into restrictions on access rights during the investigation of the violation and potential defined consequences for the violation.

The primary purpose of this policy is to describe the actions and consequences that may result from the misuse of information systems. Potential consequences are handled by the university in accordance with information security principles, applying case-by-case consideration. If the university deems the information technology violation to also constitute a crime, the matter may be referred to the authorities, whereupon any consequences will ultimately be decided by a competent court.

Restriction of access rights during investigation

Restrictions are decided when an information technology violation is detected or suspected. Access rights are restricted whenever there is reasonable suspicion that the user has committed a violation and it is possible that the access rights could hinder the investigation or the minimization of damages. If necessary, the user will be called for a hearing, and the user always has the right to be heard in the matter.

The decision to restrict access rights is made by the director of the unit that owns the information system or a person designated by them. The restriction is implemented by the service administrator.

In urgent cases, the administrator can independently restrict access rights for up to three working days, and must immediately notify the owner of the information system or the university's Chief Information Security Officer.

If necessary, the user's workstation or other device can be disconnected from the network.

Restrictions can be lifted after the investigation is concluded, provided that restoring access rights does not pose an apparent risk.

Sanctions imposed on the user can be appealed to the supervisor of the person who decided on the sanction.

Consequences

In minor cases, the user will be reprimanded for inappropriate conduct.

As a consequence of an information technology violation, the user may be held liable for the misuse of resources (such as servers or networks), immediate damages, and the costs incurred from investigating the misuse.

The severity of the consequences is influenced not only by the seriousness of the violation but also by the degree of intent behind the action.

Consequences for students

Consequences for students may include a reprimand by the unit director, monitoring of activities based on the user account, restriction of access rights, administrative actions by the university (written warning, temporary suspension), and filing a criminal report (for acts defined as punishable by law).

The decision to issue a written warning to a student is made by the university's rector, and the decision for temporary suspension is made by the university's board. The individual's access rights are revoked during the suspension period.

The decision to file a criminal report is made by the Chief Digital Officer, based on the preparation by the university's legal counsel.

Consequences for staff 

Consequences for staff may include the university's employment-related actions (written warning, termination, dismissal) and filing a criminal report (for acts defined as punishable by law).

Access rights to individual systems may be temporarily or permanently revoked due to misuse. Decisions regarding access rights are made by the Chief Digital Officer or the director of the unit that owns the service. Employment-related actions for staff are decided by the rector. The decision to file a criminal report is made by the Chief Digital Officer, based on the preparation by the university's legal counsel.

Consequences for other users

Consequences for users who are not part of the university staff or degree students may include the removal or restriction of access rights and filing a criminal report (for acts defined as punishable by law).

Access rights to individual systems may be temporarily or permanently revoked due to misuse. Decisions regarding access rights are made by the Chief Digital Officer or the director of the unit that owns the service. The decision to file a criminal report is made by the Chief Digital Officer, based on the preparation by the university's legal counsel.

Table of consequences for violations of usage rules

The table below presents possible consequences for actions that violate the usage rules. It is not an absolute rule but provides a basis for considering the appropriate consequences.

In all cases, the loss of access rights to individual systems due to misuse can be considered, either temporarily or permanently.

Degree of deliberateness A: ignorance, incompetence, mistake, accident, negligence. Degree of deliberateness B: carelessness, intentionality, recurrence.

| Severity of violation | A: Students | A: Staff | B: Students | B: Staff |
| --- | --- | --- | --- | --- |
| Severe violation (an act punishable as an offense or crime according to the law) | Reprimand, restriction of access rights | Restriction of access rights, written warning | File a criminal report, temporary suspension, restriction of access rights | File a criminal report, initiate termination of employment process |
| Violation (severe misuse or endangerment of security) | Reprimand and guidance | Reprimand and guidance | Consider filing a criminal report, written warning, restriction of access rights | Consider filing a criminal report, written warning, consider initiating termination of employment process |
| Minor violation (inappropriate conduct or misuse) | Discussion and guidance | Discussion and guidance | Reprimand, activity monitoring | Reprimand, written warning |

Examples of severe violations include the unauthorized handling and disclosure of confidential information, hacking and intrusion into information systems, and malicious activities such as disrupting communication networks or spreading malware.

Examples of violations include the improper use of hardware contrary to guidelines, sharing user credentials by, for instance, disclosing a password to another person, compromising the confidentiality of information by, for example, unlawfully disclosing personal data, unauthorized copying or distribution of copyrighted material, and unauthorized installation of devices or software that control network traffic.

Examples of minor violations include neglecting personal cybersecurity/privacy, such as careless use of a username, leaving a password visible, leaving confidential documents exposed, unauthorized commercial or political activities like using email for personal marketing, and violating access control guidelines, such as giving keys to another person.

Email policy

Scope of the rules 

The email rules apply to the use of all email services provided by the university. In these rules, "staff" refers to all employees and other individuals in a contractual relationship with the university (e.g., researchers working with grants and emeritus/emerita professors) as well as university units.

Email addresses 

Email addresses are categorized as organizational addresses, personal addresses, or mailing list addresses. Personal addresses are further divided into work addresses or study addresses.

  • Work addresses are used for personal job-related tasks. 
  • Organizational addresses are used for transaction services and communication that emphasizes the organization's role. An organizational address must have a responsible person. Clients are instructed to always contact through the appropriate organizational address. The use of an organizational address for personal communication is prohibited. 
  • Communication between the university and the student is conducted through the study address provided by the student to the university. If the student is also employed by the university, they must use their work address or organizational address for job-related tasks. The university provides an address for the student if no other address is used. 
  • Mailing lists are used for group communication. Each list must have a responsible person whose duties include possible moderation, regular maintenance, and removal of unnecessary lists. 

An organizational address should be used solely for organizational matters.

The university determines the email addresses and their format.

The university may publish email addresses outside the university.

  • A student may prohibit the publication of their email address outside the university. A staff member may request to block the publication of their work email address outside the university only for a justified reason. 
  • An email address will not be published if the person has been granted a security ban.

Confidentiality of emails

The university treats emails sent to and from personal addresses as private, respecting confidentiality. However, emails sent to and from work addresses may have confidentiality exceptions as described in section 4.9.

If a person receives an email intended for someone else, they are obligated to maintain confidentiality and must not use or disclose the content or the existence of the email.

  • The rules for handling incorrectly addressed work emails are in section 4.4. 
  • All other emails sent to the wrong address should, if possible, be returned to the sender and deleted from the recipient's mailbox. 

The obligations to forward and return emails do not apply to malware messages or spam.

Email use policy

Duty to ensure security and privacy 

Email users must consider the suitability of email for transmitting different types of information. Unencrypted email is comparable to a postcard in terms of security. Users should also consider what kind of information to store and to what extent email can be used for storage. Protecting personal data is especially important when dealing with confidential or sensitive personal information, such as health information of students or staff. Unprotected email is not suitable for handling such information. Although a social security number is not confidential, transmitting it via unprotected email is not recommended.

Responsibility for monitoring email quota 

Email users must monitor the sufficiency of the space allocated to their mailbox. A full mailbox can prevent the reception of new emails.

Responsibility for ensuring message delivery 

If the delivery of a message is particularly important, it should be sent well in advance of any deadline, and the sender should request the recipient to acknowledge receipt of the message.

Mass emailing requires permission 

Mass emailing that is justified for the university's operations (e.g., research, marketing of university services) is possible, but its implementation must be agreed upon in advance with the university's digital services.

Handling email when access rights expire 

Email access rights are temporary. Users must save any needed messages and attachments before their access rights expire. Once access rights end, the email address will be removed from mailing lists.

When access rights expire due to the end of an employment relationship, the employee must manage their email as described in section 4.7.

Use of work and organizational email

Regulations governing email handling

The handling of work-related email at the university is governed by Finnish legislation, the university's archival formation plan, and other university-issued guidelines on information handling.

Forwarding prohibition

To ensure information security, privacy, and information management, the forwarding or automatic redirection of organizational or work emails outside the university is prohibited and may violate, for example, the Personal Data Act. Permission to forward or redirect emails to a specified service may be granted for a justified reason (see the section on deviations from email rules for more detailed instructions).

External email services not approved by the university must not be used for university-related work tasks.

The use of external email services from the university network can be technically restricted for compelling reasons, such as if the security risk posed to the university becomes too high.

Acknowledgment requirement

If the message involves digital correspondence, the recipient must promptly send an acknowledgment to the sender. Digital correspondence includes the initiation and completion of a matter, its processing (including decision-making), and notifying the decision.

Forwarding obligation under the administrative procedure act

An email mistakenly sent to the university or its employees that does not fall within their authority must be forwarded to the competent authority or entity in accordance with Section 21 of the Administrative Procedure Act (434/2003), and the sender must be notified of the transfer. If forwarding is not possible, the email should be returned to the sender.

The obligations to forward and return emails do not apply to malware messages or spam.

Handling email during absences

Personal email addresses must be managed during absences. An automatic out-of-office reply can be used to inform about the duration of the absence and the contact person handling tasks during the absence. It is recommended to use the unit's organizational address as the contact point. Emails can also be directly forwarded to the person handling tasks during the absence.

Handling email when employment ends

When employment ends, the employee must save any needed private messages and messages belonging to the employee under copyright, and arrange with their supervisor for the transfer of work-related messages to the university. If the employee ceases to perform their duties before the end of the employment, either the employee or their supervisor may request to immediately block the reception of emails.

Handling organizational email addresses

The responsible person must ensure the regular and proper handling of emails sent to the organizational address and comply with the archival formation plan, even during their absences.

  • Emails sent to an organizational address belong to the employer. 
  • Received emails must be responded to promptly. 
  • The response must indicate that it is a reply to an email sent to the organizational address. 

Use of work email for personal communication

It is recommended to use an email address other than the university's work address for personal communication. If a work address is used for personal communication, the restrictions of the information systems usage rules and the following guidelines must be observed.

  • The employee can protect their privacy by clearly separating personal emails from work emails. This applies to both incoming and outgoing messages. 
  • If a person is both a student and an employee, communication related to these roles should be conducted using the email address associated with the respective role.

University's right to access work email

The university may access and open an employee's email in cases and in the manner defined in Chapter 6 of the Act on the Protection of Privacy in Working Life. The university strives to avoid the need to access and open an employee's emails. Employees have the following options available:

  • Primarily use the organizational address for work-related communication. 
  • Set up an automatic out-of-office reply that provides the name and address of the person handling tasks during the absence. 
  • The employee can consent to another employee receiving their emails during absences. 

Use of encryption 

Encrypted email traffic should be stored in a clear text format in a secure location or, if necessary, re-encrypted so that it is accessible to all parties handling the matter.

If sending separately encrypted attachments, the passwords or keys required to open them should be delivered to the recipient via another communication method, such as a text message to a verified phone number.

The transmission of confidential information via email should be avoided. If it is necessary, such information must be sent encrypted. Detailed instructions on data classification and handling are provided separately.

Service production and maintenance

Maintenance can intervene in email traffic

The reason for intervention may be to ensure the service level or security of the email system. Intervention and usage monitoring are guided separately in the information systems maintenance regulations.

Emails received by the university-controlled email service are filtered

All email traffic is checked using automatic content analysis, and

  • messages and attachments containing malware are automatically deleted,
  • attachments containing executable code are automatically deleted,
  • the transmission of harmful, large, or numerous attachments may be restricted.

Additionally, emails may be marked or deleted without notice if they

  • come from known spam-relaying servers, or
  • are classified as spam based on automatic content analysis.

External email service providers used by the university follow their own filtering practices to secure email communication.

Receiving email ceases when access rights end

The university does not accept messages sent to the individual's email address but automatically informs the sender of the address's inactivity. At the same time, all possible message redirections linked to the email address cease to function.

Other directives

Deviation from email rules

Permission to deviate from email rules can only be granted based on a written application and for a justified reason. The Chief Digital Officer can grant permission for deviations. The permission may include conditions, restrictions, and additional responsibilities.

Monitoring

The monitoring of email rules is the responsibility of IT management and supervisors, each within their respective areas.

In cases of violations of these rules, the procedures outlined in the University of Jyväskylä's consequences for the misuse of information systems will be followed.

Admin rights and responsibilities 

In these rules, maintenance refers to keeping information systems operational and secure, making necessary changes or repairs to the information systems, managing user accounts and access rights, and monitoring and logging the performance and use of information systems.

In these rules, an information system or system refers to an individual ICT device or hardware owned by the university or connected to its systems, the university's communication network, the software and services operating on the aforementioned, and the data contained therein.

The owner of a university information system is the university unit for whose activities and data processing the system was acquired, and who determines who has the right to use the system. The owner of the material may also be the creator, according to copyright law. The system owner's duties include managing and maintaining the system. The system owner can arrange for the maintenance of the system with another entity, such as the university's digital services.

An administrator refers to all individuals responsible for the technical maintenance of the university's information systems and other IT support staff who, along with them, are responsible for maintenance-related activities and user support and guidance. Broadly speaking, an administrator refers to any person with superuser rights to the system.

Admin rights

Administrators have comprehensive rights to inspect the state of information systems to ensure their functionality and, if necessary, intervene in the operation of the systems, the use of the information systems by an individual user, and the user's data within the information systems.

To combat security breaches and eliminate security incidents, administrators have the right to take necessary actions to ensure security. Security incidents are handled according to the security incident management guidelines.

To ensure that the special rights of administrators do not conflict with the legal protection of system users, the use of special rights by administrators is regulated by guidelines and regulations, primarily based on Finnish legislation and the University of Jyväskylä's information systems usage policy. Security principles concerning administrators are recorded in the university's security policy and information security principles.

These rules bind all university administrators, including students if they maintain an information system connected to the university network. The student union sets the maintenance rules for the Kortepohja student village network.

Admin responsibilities 

The unit must document the information systems or system entities it owns, classify them by importance, and designate their administrators and maintainers. The owner is responsible for creating descriptions in accordance with the data protection regulation.

The system owner and ultimately the unit director are responsible for ensuring that the system complies with the law, good maintenance practices, and the university's current rules and policies. The system owner is responsible for maintaining the information system. Maintenance tasks are distributed among several individuals with different access rights whenever possible. Necessary log data is collected for administrator actions as well.

The system owner is not responsible for the content of users' personal materials; the user is responsible for the legality of their materials and protects them according to the university's guidelines. However, the system owner has a legal right and obligation to intervene in the user's materials if there is a justified suspicion of security threats or legal violations.

If an administrator is suspected or found to have misused their special rights, the unit director is contacted and decides on further and protective actions together with the Chief Digital Officer, in accordance with the "Consequences of Misuse of Information Systems" policy.

Administration of outsourced information systems

If an information system used by the university is maintained by an external entity, the actions of administrators are regulated by an agreement between the provider and the system owner. The aim is to agree with the provider that the principles outlined here are followed in the maintenance of the system. The goal of the agreement is to ensure that the maintenance of the system is at least at the same level as that of a system maintained by the university itself.

Operating principles

Good maintenance practices 

Information systems must be maintained in accordance with good maintenance practices. Good maintenance of information systems involves planned, responsible, and professional maintenance that considers the good information management practices stipulated in the Act on Information Management in Public Administration.

Respect for privacy 

The administration of the university's information systems takes into account the rights of users and their communication partners to privacy and confidentiality of communications. However, the university, while respecting these fundamental rights, has the right to determine the content and purpose of its own information systems. This also applies to traffic on the communication network owned by the university. The purpose of use is further regulated in the university's information systems usage rules or system-specific rules.

When a user requests an administrator to handle their email or other files, the administrator must verify the user's identity in an appropriate manner, such as through a valid ID, unless they are familiar with the user. It is not necessary to verify the user's identity when addressing general technical or similar issues related to operations, as long as no message or data content is disclosed to the user.

When an administrator needs to contact a user, they can do so via the phone number or email address found in the personnel and student information systems. However, if there is reason to believe that the user account is compromised, email should not be used.

Confidentiality obligation 

Administrators are bound by confidentiality and must not exploit information they become aware of in the course of their duties if it is unrelated to their work tasks. Non-public work-related matters may only be discussed with individuals or authorities who are subject to the same confidentiality obligation and whose work tasks are related to the matter at hand.

Administrators may be required to sign a confidentiality agreement if the systems they maintain require it.

Operating practices 

Identities and passwords

An administrator does not need a user's password to perform their duties and should not request it from the user.

If troubleshooting requires the temporary use of a user's identity, either the user must be present to enter their password into the authentication service, or the administrator must use their special privileges to access the user's identity. The latter must be reported to the user as soon as possible. The identity must not be used for longer than necessary to resolve the issue.

In these situations, the administrator must verify the user's identity in an appropriate manner.

Superuser rights should only be used when necessary for maintenance tasks.

Restriction of access rights 

The restriction of access rights during an investigation procedure is defined in the "Consequences of Misuse of Information Systems" policy.

Email handling

The secrecy of personal letters, phone calls, and other confidential messages is inviolable according to the Finnish Constitution, unless otherwise provided by law. Email is comparable to a letter in this regard. Email is confidential unless it is intended to be received by the general public.

The normal handling principles of email are regulated in the email handling rules.

An administrator may need to open files containing users' emails in the following situations:

  • At the user's request. The request can be made, for example, in a situation where the email inbox does not open with the programs available to the user. The permission applies only to that specific instance. If the user requests information about the contents of the mailbox, the administrator must absolutely verify the identity of the requester.
  • When the email system is unable to deliver the message due to incomplete or corrupted structure. In this case, the administrator is allowed to examine and correct the technical header information of the message, but should, as much as possible, avoid reading the text content intended for the recipient.

The administrator also has the right to remove from the email queue messages that endanger the operation of the email system or that are evidently unnecessary due to a technical error.

Handling other files

The administrator does not have the general right to read or otherwise handle the content of files owned by users.

However, the administrator has the right to handle files in the following situations:

  • When the user has given permission to do so to resolve an issue.
  • With a specific written request (e.g., if the performance of university duties is in danger of being impeded due to an absence, files owned by an absent employee/student that are protected from others may need to be handled. The unit supervisor, or equivalent, can authorize the administrator to grant access to the necessary files to a designated person).
  • If the user account holds programs or configuration files that disrupt the operation, security, or privacy of other users of the system. In this case, the administrator can check the content of the program files and, if necessary, prevent their operation.
  • If there is a justified reason to suspect that the user account has been compromised and that it holds files or programs that pose a threat or danger to the university's functionality or security.
  • If the administrator suspects that the account is in the wrong hands, the administrator has the right to temporarily disable the account. The general principle is to try to contact the user before taking action, but protective and corrective measures may need to be taken immediately before contact.
  • If there is a justified reason to suspect that the account holder has engaged in misuse and it can be assumed that certain files owned by the user contain evidence of misuse.
  • The administrator has the right to temporarily disable the account in the case of misuse. The user's misuse is handled according to the university's information systems usage rules and the consequences for IT violations policy.
  • The administrator has the right to block access to web pages that are against the law or the university's information systems usage rules.
  • When the protection of the files otherwise allows it.

The administrator must inform the owner of deleted or modified files and web pages.

In addition to the above, the administrator always has the right to:

  • Read and modify initialization files, mail forwarding or sorting files, and other files affecting the system's operation located in users' home directories, if they are found to threaten the system's operation, security, or user privacy. If the necessary change cannot be made without losing the user's own modifications, the old version created by the user is renamed, and the user is informed of the change.
  • Ensure that there are no illegal or system-threatening files on shared disk areas. Such files include malware, copyright-infringing recordings, or materials deemed illegal by the Criminal Code.
  • Destroy files intended for temporary storage on disk areas manually or automatically according to predefined principles. The deletion principles must be available for users to view, but there is no need to inform users of deletions made according to these principles.

Monitoring directories and file listings

Processing directory structures, file names, modification dates, sizes, protection levels, and other file-related information is part of normal maintenance, performed according to good maintenance practices.

If it is found that the protection of a file or directory is too weak given its nature, the administrator has the right to change the protection to an appropriate level.

The administrator is bound by confidentiality. In performing maintenance tasks, efforts are made to avoid unnecessarily displaying the names of files and the like.

Monitoring programs and processes

The administrator, together with the system owner, defines which software is available in the system. Programs can be prohibited or disabled if their use is not necessary for university operations and they pose a threat to service level or security. The decision is made by the system owner.

The administrator monitors the programs running on the information systems as part of normal maintenance.

The administrator may change the execution priority of a running process if it consumes system resources unreasonably.

The administrator may terminate a process if:

  • The process operation is clearly disrupted,
  • The process hampers the operation of the system with excessive load and is not justified by the system's intended use, or
  • The process is associated with software whose use is against the system usage guidelines and regulations. In this case, the user is informed about the termination of the process and the related regulations.

Monitoring the communication network

The administrator of the university's communication network monitors traffic within the university network and external connections using network monitoring programs and log data. This is done to ensure a reasonable service level and security, as well as to manage the cost-effective use of external connections.

When monitoring traffic, the focus is on the volume and methods of communication, not the content. Monitoring of source and destination machines is statistical and does not target individual users. However, traffic can be more closely monitored for a specific system when investigating anomalies, such as those causing particularly high loads. Automatic intrusion detection systems may analyze all traffic.

The administrator may contact the responsible person for a machine causing a high volume of traffic or other anomalies to investigate potential disruptions or misuse.

The communication network administrator is authorized to block network connections or the use of a specific service to a machine or part of the network,

  • that generates traffic threatening the service level or security of network traffic,
  • if there is a justified reason to suspect that the machine or machines are in the wrong hands or infected with malware,
  • that violates the information systems usage rules, or
  • that is not properly maintained, particularly with regard to security.

In all cases, the responsible administrator of the machine or network segment must be contacted immediately after traffic has been blocked.

Technical analysis of information systems, services, and devices

Digital services can use analysis tools to investigate the security status of a service or device, the visibility of services, or other technical details related to system operation. Analysis can be targeted at systems within the university network or those outside the university network but under the university's responsibility. Actions may include vulnerability scans.

Handling of log data

The university's information systems record log data to document system operations, investigate potential disruptions or misuse, and collect billing information. At the university, log data is normally used only for technical tasks by administrators bound by confidentiality and to facilitate billing.

Data storage

As part of maintenance, the provider of information system services must ensure the backup of their systems. Backups must be stored appropriately, and the administrator must ensure the readability of the backups. Data on backups should be handled with the same principles as the corresponding data in information systems. The destruction of backups must be carried out in a manner that does not compromise the confidentiality of the data contained within them.

Monitoring the maintenance rules

The monitoring of these rules is the responsibility of the university's IT management and the owners of the information systems of other relevant university units. Violations of the rules are handled according to the "Consequences of Misuse of Information Systems" policy.

See also