ICT acceptable usage policy


1. Purpose

Sustainability Victoria (SV) is highly reliant on the information that is gathered, processed and stored on its information and communications technology ("ICT") systems. The purpose of this policy is to give a clear statement to all ICT users of their responsibilities in maintaining an effective, secure and available ICT environment. Use of SV ICT systems is deemed as acceptance of this policy.

2. Scope

This policy applies to all users including permanent and fixed term staff, casuals, agency staff, contractors, consultants, board members, trainees and students on work experience, and any other people who have been granted access to SV ICT systems unless indicated otherwise (Users).

The policy applies to all devices that can be connected to the SV network, including but not limited to:

  • All computers including laptops and desktops
  • Mobile phones including smartphones
  • Tablets that have been provided by SV
  • Personally-owned portable devices connected to SV ICT resources such as USB drives and external hard disk drives and any other devices that store data
  • Network resources including email and SV approved cloud storage systems.

This document will be reviewed every 12 months and any approved changes that are made will be reflected in the document change control section. Changes may also be made in the event that there are significant changes in SV ICT that require usage procedures and/or guidelines.

3. Background

This policy is issued by the SV Business Information Technology Systems (BITS) team with the agreement of the Information Systems Steering Group (ISSG) and Executive Leadership Team (ELT). All Users of the SV ICT systems are required to comply with its requirements.

4. Definitions

| Term | Definition |
| --- | --- |
| Systems | Active Directory (AD), Bring Your Own Device (BYOD), cloud storage, customer relationship management (CRM), database applications, Direct Access, document management, email, finance software and applications, Helpdesk, internet, Intranet, InTune, operating systems on Smartphones and Tablet devices and any other that is specified from time to time, Outlook Web Access, Printing, Project Management Tools, Remote Desktop (RDS), SharePoint, Telephony |
| SV network | Local Area Network (LAN), Wireless Local Area Network (WLAN) and any other that is specified from time to time |

5. Legislation

We are bound by the:

6. Policy statement

Through this policy, SV seeks to provide its staff with secure and timely access to the information and communications technology resources necessary for undertaking their duties. Unacceptable use of ICT resources may have an adverse impact on this goal.

It is the responsibility of all Users to comply with this policy. Directors and Line Managers are responsible for ensuring that all visitors, contractors and consultants have read and understood this policy. Users should notify the BITS Team if they are aware of any breaches of this policy being committed by other persons.

It is a condition of use of the SV ICT network that Users agree to familiarise themselves and comply with this policy. Any use of the ICT network is deemed acceptance of this Policy.

7. Procedure

Acceptable use, we are bound by the VPS code of conduct

7.1 SV's ICT systems are tools to be used for the purpose of work-related activities.

7.2 Notwithstanding Point 1, SV accepts the use of its ICT systems for personal use provided that the use is not excessive and does not result in a breach of this Policy. It should be noted that this is a privilege and not a right, and SV reserves the right to remove this privilege without notice.

7.3 Users of SV ICT environment and systems must not create, send, store, access, use, solicit, publish or link to:

  1. Offensive, obscene, profane or indecent images or material including gambling or pornography (other than for properly authorised, supervised and lawful business or research purposes)
  2. Material likely to cause annoyance, inconvenience or distress to some individuals or cultures
  3. Discriminating or sexually harassing material or messages that create an intimidating or hostile work environment for others
  4. Defamatory material or material that makes misrepresentations or could be otherwise construed as misleading
  5. Material that infringes on the intellectual property (including copyright) of another person or organisation
  6. Malicious software such as viruses, worms, or data harvesting software

7.4 SV's ICT systems must not be used in the conduct of a personal business or unauthorised commercial activities. Limited personal commercial activities may be allowed if prior authorisation is gained from BITS.

7.5 SV's ICT systems must not be used for any illegal activity such as creating, accessing or sending chain letters, pyramid schemes, spam, or attacking other computer systems.

7.6 Any file sharing software (e.g. BitTorrent) is not permitted.

7.7 SV ICT systems are not permitted for downloading or storage of music or video content except where it is deemed for the purpose of work-related activities.

7.8 All intellectual property in all material created by Users using SV's ICT systems is immediately assigned to SV on creation.

7.9 Users must not deliberately corrupt or destroy ICT facilities.

7.10 Users must not install or connect unapproved hardware to SV's network.

7.11 Use of ICT facilities is subject to the full range of laws that apply to other communications. Users must not:

  1. Infringe copyright laws - such as convert a CD to another format; download a film, music or software from the internet; upload audio or video files, software or commercial photographs to SV website and make these available to the public; store copyright material on SV computers or servers or SV ICT facilities; send copyright material to others using SV email (without the express permission of the legal owner).
  2. Violate software licensing agreements;
  3. Copy trademarks or logos belonging to another party without their express written permission;
  4. Impersonate another individual or engage in misleading or deceptive conduct
  5. Publish statements that could harm another person/s or entity/s reputation. Photographs and cartoons can be considered defamatory if they hold someone up to ridicule or contempt;
  6. Disclose private or confidential information.

7.12 Staff are to be aware that any intellectual property (IP) generated from any pieces of information created using SV systems belongs solely to SV unless otherwise specified.

7.13 Staff are not to use SV systems to commit an IP infringement.

Access and accounts

7.14 All individuals who require access to SV's ICT systems must be properly identified by means of a unique account and verified by an authentication process using their network login credentials. All SV staff will be issued with a username and password for the network and a telephone extension number and PIN code.

7.15 A User account will be locked out if 3 invalid login attempts have been made and will be unlocked on request by calling the SV Helpdesk.

7.16 Ongoing Users are required to change their passwords every 60 days. A pop-up notification will automatically be generated 5 days before the password expiry date. Users should follow the prompts to change their password before the expiry date to prevent the account being locked out.

7.17 Users are expected to keep their account details private and secure. Sharing of passwords or making passwords visible may be considered a breach of this Policy.

7.18 Users will access SV's ICT systems at a level appropriate to their position and role within the organisation as authorised by Managers. Users will maintain the confidentiality of information they have access to.

7.19 The appropriate classification and storage location for electronic documents is a matter of judgement by staff and Managers.

7.20 All visitors, contractors and consultants are entitled to access SV's ICT systems to a level that is required for them to fulfil their duties. Visitor, contractor and consultant access to the systems must be prearranged with the BITS Helpdesk.

7.21 Users may have their access suspended immediately where there is a suspected breach of SV policy (this Policy, or any other).

7.22 Staff working in the BITS area must not use their access to the ICT environment or its systems to gain access to restricted/privileged information or to manipulate data or systems without prior authorisation.

7.23 All electronic data is subject to the same record management and freedom of information requirements as paper-based equivalents and must be treated as such.

7.24 All SV staff laptops have Direct Access installed which will enable full connectivity to the SV systems when being used externally, provided an internet connection is available. Applicable data charges apply based on the user's connection as determined by their respective Internet Service Provider (ISP).

7.25 SV staff can connect to SV systems externally, using non-SV computers, via Citrix access authenticating via their network login credentials. Applicable data charges apply based on the user's connection as determined by their respective Internet Service Provider (ISP).

7.26 When Users no longer have a relationship with SV, their account will be disabled for a period of 30 days prior to being permanently deleted. Any extension to this period must be expressed in writing by the authorised manager to BITS.

7.27 Exiting staff are advised to create an Automatic Reply, in Microsoft Outlook, informing of their departure from SV and alternative contact details (where applicable).

7.28 If the exiting staff member's mailbox is required for a period longer than 30 days from their exit date, the current manager must request this in the Exit Checklist provided by People & Culture.

7.29 All exiting staff and current managers must ensure that any IT equipment is returned to BITS by close of business on the staff member's exit date from SV. If the equipment is to be retained for any period beyond the exit date, the manager must request this in the Exit Checklist provided by People & Culture.

Wireless access

7.30 SV has multiple wireless services available for Users to enable connectivity to the SV network internally and externally.

7.31 All staff laptops have been enabled to automatically access the SV wireless network when not docked at their desks in the office.

7.32 Staff working off-site temporarily may borrow wireless USB broadband air cards, to connect to the internet, for the duration of their time away from the office. These need to be booked as a resource via Microsoft Outlook. The USB broadband air cards are also available for work use off-site when using a non-SV computer.

7.33 SV staff members are responsible for the wireless broadband dongles in their possession and should ensure that use is strictly for business related access.

7.34 Appropriate measures should be taken to prevent loss, theft and/or misuse of the wireless broadband dongles.

7.35 Contractors and visitors to the SV office have the ability to access the internet through the SV Guest wireless network. Access needs to be requested by a staff member, at least 24 hours prior to the required time, via a Helpdesk request. The requestor will receive instructions to pass on to the visitor that will assist with connecting their equipment to the SV Guest wireless network.

7.36 Staff are responsible for ensuring that any of their visitors using SV wireless access acknowledge that their internet use is strictly for business related access and that the privilege is not abused.

Equipment and storage

7.37 SV provides a server hosted document management system (SharePoint) with appropriate levels of security measures to ensure data security and file management. It is expected that all SV sensitive data is stored on SharePoint in the first instance to prevent loss.

7.38 It is the user's responsibility to store files in SharePoint in a manner that is relevant to their security requirements by ensuring that only intended parties have appropriate access enabled.

7.39 To preserve SV's standard operating environment (SOE), and ensure compliance with licensing obligations, Users may not modify the standard configuration of their allocated IT equipment without the explicit permission of the BITS Team. This includes, but is not limited to, the installation of software, connection of unapproved electronic devices such as music players, mobile phones or networking devices.

7.40 Personal portable devices such as mobile phones, smart phones, tablet PCs and PDAs can only be connected to the SV wireless environment (BYOD).

7.41 The use of approved personal equipment such as USB drives and external hard disk drives on SV's ICT systems is undertaken at the User's own risk. It is not recommended that corporate data be stored on portable devices to minimise the impact of risk to the data.

7.42 The usage of cloud-based storage solutions such as Dropbox and Google Drive to store or transmit company sensitive information or data is not permitted. Exceptions can be made with the express approval of BITS and this must be obtained in writing.

7.43 All staff have cloud storage on Microsoft's OneDrive for Business for SV staff. It is the user's responsibility to ensure that company sensitive information or data is not stored unnecessarily in the cloud.

Internet activities

7.44 Use of SV internet resources for personal purposes (e.g. internet banking) is undertaken at the User's own risk.

7.45 Users must not use SV Internet resources to download entertainment software, videos, music or games, or to play games over the Internet.

7.46 Users may not upload any software licensed to SV or data owned or licensed by SV to the Internet without prior explicit authorisation from BITS. 

7.47 Use of User IDs and passwords may be required to access specific websites; these User IDs and passwords are not to be distributed outside SV.

7.48 Users are to be aware of email limits that are enforced on the size of messages transmitted. 

7.49 All inbound and outbound emails will be "parked" if the total size exceeds 25Mb. The email will be released during non-business hours to prevent network congestion.

7.50 SV's email system will not transmit inbound or outbound messages that exceed 25Mb. (Please speak to BITS regarding alternative approved file sharing options)

7.51 Communication intensive operations such as large file transfers, video streaming and large group emails should be minimised to ensure the performance of SV's ICT systems for other Users is not adversely affected. Wherever possible, Users should schedule communications-intensive operations for out of core business hours.

7.52 Any extraneous streaming of media (audio or video) such as Internet radio or television stations is not permitted, except when specifically authorised for business purposes such as viewing sessions of Parliament.


7.53 SV uses Microsoft Skype for Business as its telephony solution within the office. Staff members are issued with a Skype for Business profile that is integrated with their telephone extension numbers and uses their network login credentials to authenticate. 

7.54 All staff members are supplied with Skype for Business optimised headsets to enable the making and receiving of calls within Skype for Business.

7.55 Meeting rooms and Quiet rooms have designated Skype for Business handsets for telephony. Each room has a Skype for Business profile associated with it. 

7.56 Staff may log onto the handsets to use their Skype for Business profiles and authenticate through their extension numbers and PIN codes.

7.57 Microsoft Skype for Business also provides staff access to instant messaging, presence, video conferencing and collaboration.

7.58 Staff may use Skype for Business to host teleconferences or video conferences with external users. The attendees have the option to join the meeting via Skype for Business (for full video and audio) or by dialling into the conference for the audio part only.


7.59 SV will take reasonable steps to protect its ICT environment and data from unauthorised and unacceptable use and ensure that accurate and complete information is accessible only to authorised Users. Reasonable steps include the configuration of computers and laptops to have a password enabled screensaver that activates after a set period of User inactivity.

7.60 Users are expected to take reasonable steps to help protect SV's ICT environment.

7.61 Users must either log off or leave the computer locked when leaving their workstations unattended.

7.62 Users must not allow another person to utilise their Username and Password combination.

7.63 Similarly, a User must not attempt to initiate or operate a computer session by using another person's Username and Password.

7.64 Username and password combinations are considered as a User's identity, much the same as a PIN or internet banking password. As such these should be protected against identity theft.

7.65 Users must ensure that material is classified and stored appropriately based on the confidentiality of its contents to ensure that it may only be accessed by relevant Users.

7.66 Users are responsible for reducing the possibility of theft, loss or damage to ICT facilities and equipment (including laptops, ICT portable devices, data storage facilities and loan pool equipment) and SV data (stored on personal portable devices, in hard copy or otherwise) when away from the office (note that out of office use of SV ICT facilities is not covered by SV insurance) as follows:

7.67 All information, including files and software, held on SV computers or any ICT facilities is considered the property of Sustainability Victoria and must be treated with confidentiality. Private or confidential information must not be placed where it may be accessible to people who do not have authority to access that information. Out-dated information is to be appropriately archived.

7.68 Users are responsible for ensuring that all SV data is stored in the electronic Document Management System (SharePoint) or the appropriate network drive (not on the laptop) so that the data is backed up through the automatic backup procedure.


7.69 The use of SV's ICT systems is regularly monitored by the BITS staff to check for compliance with this policy. Degradation of system performance may result in a detailed examination of system logs and reports to identify and resolve issues.

7.70 SV reserves the right to inspect any and all files stored in SV's ICT systems, including individual computer hard drives, email accounts and personally-owned portable devices to ensure compliance with this Policy.

7.71 Degradation of system performance caused by inappropriate use of SV ICT systems by individuals will be referred to the Director of Corporate Services and Manager of People & Culture for further action.

8. Breach of policy

Depending on the nature of the inappropriate use of SV ICT systems, non-compliance with this Policy may result in disciplinary action, or termination of employment or contract.