Conditions of Use of Computer Services

Updated: February 2002

By using Departmental computer services, you agree to abide by the conditions of use as outlined in the following pages and as otherwise determined by the policies of the Department.

Failure to comply with the conditions of use may result in disciplinary action and can result in significant penalties, including dismissal.

Acceptable use of Computer Services

The Department of Human Service's computer services are provided for the conduct of the business of the Department. They must not be used for any purpose that breaches any law, infringes the civil rights of any person or that breaches the Victorian Public Service Code of Conduct. They may be used for reasonable communication between employees and/or their industrial representatives and for limited and occasional non-business use as defined in these 'Conditions of Use'.

It is prohibited to use the Department's computer services for:

• Accessing computer systems, applications, databases or files that the user is not authorised to use.
• Accessing, storing or sending material that is defamatory, obscene, indecent, offensive, discriminatory or harassing, including pornography and other sexually explicit material.
• Unauthorised distribution of confidential, personal or private information.
• Downloading or storing unauthorised computer software (including games) or any material that breaches copyright law.
• Knowingly interfering with or damaging the computer services of the Department or any other person, including creating, downloading, opening or sending a virus or other malicious code.
• Obtaining personal profit or gain, including the conduct of outside business activity.

Acceptable Security Practices

Staff are required to take reasonable steps to protect the Department's computer systems and the information they contain.

Acceptable information security practices include:

• Passwords should not be shared. They should not be based on personal names or recognised words or recycled and they should be kept confidential.
• Staff should use clear desk and clear screen practices appropriate to the sensitivity of the information they handle. Screen savers and screen locks should always be used to prevent unauthorised viewing or access.
• Sensitive or private information must not be sent by email unless it is protected appropriately according to the sensitivity of the information.
• Sensitive information must not be stored on the hard disk of a PC or notebook unless it is appropriately protected as it may be accessible to other users and is not recoverable following hardware failure or theft.
• Staff should take care to protect remote access PCs, notebook computers and hand-held appliances, such as Palm Pilots, from theft or unauthorised access.
• Staff should effectively manage computer storage that is under their control including the timely archiving and disposal of files.
• Staff should take care when disposing of information. Electronic memory devices such as diskettes, CDRom and hard disks must be erased or destroyed before disposal.

Acceptable Use of the Internet

Additional rules regarding the use of internet services are:

• Web based applications must not be used to share private or confidential information unless approved secure transmission and storage arrangements are implemented.
• Purchasing via the Internet is only permitted by staff authorised to undertake this function using approved e-procurement procedures on approved sites and using approved purchasing applications. The use of Corporate Card through these applications is subject to the terms and conditions of Corporate Card use as ratified and acknowledged by each cardholder.
• Computer software must not be downloaded from the internet unless authorised by the Director, Information Services.
• Internet services should not be used for streaming (eg radio or television type transmissions) or other resource intensive activity unless authorised by the Director, Information Services.
• Downloading, storing or distributing computer hacking or password cracking tools is prohibited.
• Internet services must not be used to download any product that may place the user or the Department in breach of copyright law. This includes music, images and software that are copyright protected. Internet services must not be used for any purpose that may bring the Department into disrepute or that may convey a personal opinion as representing the views of the Department.
• Non-business use of the internet is restricted to limited and occasional browsing and minor transactional activity such as banking and bill paying, and:
  
  • Should not exceed 15 minutes in any day or a total of 60 minutes in any week and should occur in the person's own time, at times acceptable to the person's line manager.
  • Must comply with general standards of use as expressed in these Conditions of Use or other Departmental policy.
  • Must not include personal 'for profit activity' including the conduct of a personal business and may not be used to advertise personal property for sale other than through a corporately sponsored 'Trading Post'.
  • Must not be used for on-line gambling.
  • Only material that is directly related to the business of the Department may be saved on the Department's network.
  • Downloading computer software, games, videos and music for personal use is specifically prohibited. This includes software plug-ins where these are required to enable personal transactions such as banking or bill paying.
  • Participation in personal chat rooms or internet discussion groups is prohibited.

Acceptable Use of Email

Additional rules regarding the use of email are:

• Email must not be used for any purpose that may bring the Department into disrepute.
• Email must not be used to send confidential or private information to users outside the Department's secure network unless the information is protected as appropriate to the sensitivity of the information.
• Email must not be used to send or pass-on pyramid or chain mail or to knowingly distribute hoaxes.
• Email sent and received in the course of business activity should be treated as a public record and included in Departmental record keeping systems as required by Departmental policy and law.
• To prevent mail-storms (continuously bounced mail), users should not set message forwarding to an email account that is external to the Department's network.
• Inappropriate messages received unsolicited from another person should be reported to the IT Service Centre. Such material must not be retained or stored on the Department's computer systems.
• Non-business use of email should be restricted to 'limited and occasional' use and:
  • Should occur in the person's own time at times acceptable to the person's line manager.
  • Should be short (not exceeding a single page of plain text).
  • Should only be addressed to a small number of recipients (not more than 10).
  • Must not include attachments such as games, music, video or executables.

Installation of Software and Hardware

The installation of inappropriate software and hardware poses serious risks to the Department's network.

Hardware

• Servers and network switching equipment must not be connected to HSNet unless specifically authorised by the Director, Information Services.
• Modems must not be connected to an HSNet connected workstation unless specifically authorised by the Director, Information Services.
• All other computer hardware connected to HSNet:
  • Must be approved by the applicable Information Services Manager, and,
  • Must meet product and version standards as established by the Director, Information Services.

Software

• All software installed on Departmental workstations or network appliances should meet product and version standards as established by the Director, Information Services, where these apply.
• All software installed on Departmental workstations must be for the conduct of the business of the Department.
• Hacking and password cracking tools are prohibited unless specifically authorised by the Director, Information Services.
• All software must be installed in accordance with the software licence agreement. Licences and agreements are to be kept by the Manager responsible for the installation. Software for which a licence agreement cannot be substantiated should be removed.

Monitoring of Computer Services

• The Department respects the privacy of staff and will endeavour to ensure that routine monitoring and systems maintenance activities intrude as little as possible on their privacy. Only suspicious activity, likely to contravene the policies of the Department, will invite closer scrutiny.
• Routine monitoring and screening of computer services is conducted to identify security risks such as unauthorised access, viruses and prohibited or otherwise suspicious activity.
• Back-up tapes are taken to enable restoration of services and activity logs kept for the purpose of systems management, these may be used to investigate alleged misuse of computer services.
• Computer systems administrators will not access data stored by other users without good reason, will limit access to the minimum necessary for proper administration and will not share or disclose any data discovered other than as permitted under the policies of the Department.

Reporting of Information Security Incidents

• Information security incidents should be reported to the local Information Systems Manager (ISM) or to the IT Service Centre on 131765, at the earliest opportunity.

Investigating Misuse

• Employees who breach the Department's information security policies may have network privileges terminated and may be subject to a discipline investigation as per the Department's Discipline Policies. The serious misuse of computer services may result in warning counselling or dismissal.

Exemption from Conditions of Use

The Director, Information Services may provide an exemption to the Conditions of Use of Computer Services for a compelling business need. Applications for exemption must be approved in writing prior to the conduct of any prohibited activity.

Limitation on the Conditions of Use

No part of the Conditions of Use of Computer Services shall be taken to restrict the rights of any staff member as provided for by law or industrial agreement.

Authorisation and Updating

The Conditions of Use of Computer Services are authorised by the Director, Information Services and apply to all persons using the computer services of the Department of Human Services. The Conditions of Use are reviewed twice yearly. The date of the last update is displayed on the front page. Any change affecting the meaning of the Conditions of Use will be displayed in blue until the next scheduled update.

Further Information

Information about the Department's security policy and practice is available on KnowledgNet or from the Information Security Manager on (03) 9637 4536.

Conditions of Use for Secure ID Tokens

The SecureID Token that has been issued to you is a security device and must be protected. Your PIN (personal identification number) and the periodically changing code displayed on the token, are used in conjunction with your username & password to provide a higher level of user identification for certain systems you will access.

The Department of Human Services (DHS) expects that you will take proper care and protection of your SecureID Token and associated PIN, and your eBusiness Username and associated Password.

By accepting the SecureID Token and PIN, you agree to abide by the following Conditions of Use:

• Your eBusiness Username, Password and PIN number must be kept confidential, must not be shared, and must not be stored with or on your SecureID Token.
• Your SecureID Token is to be stored in a secure location.
• You must immediately inform the IT Service Centre (13 17 65) if you believe your SecureID Token is lost or stolen, or the confidentiality of your PIN has been compromised.
• You must follow the standard log-off procedure when each session of use is complete.

In addition, you agree to the:

• “Conditions of Use” of the Department’s computer systems and “Monitoring of Computer Services” as published during login to eBusiness; and or
• “Conditions of use for RSA Enabled Computers”, for users of RSA services.