Use of the Institutional Data
1. PURPOSE AND SCOPE
The purpose of this document is to establish the guidelines for using Information Technology (IT) resources provided by Sabancı University such as computers, software, websites and digital documents, information and databases. In this document, Sabancı University will be referred to as “University” and all users of IT resources, regardless of their access methods and locations, will be referred to as “Users”.
1.1. Institutional Data and Authorization
Unless specified to the contrary, all information, reports, software, software codes, database records and documents that are created in the academic and administrative processes of the University, are made available by various means and methods, cannot be disclosed without permission, and may result in material or reputational damage to the University if disclosed or lost are considered “Institutional Data”. Included are all personal data of students and employees, software codes, financial information, official documents, agreements, guidelines, procedures and project documents. Users who have a need to know and need to share are specifically designated on the relevant systems, computers and networks. Authorized users are required to comply with the provisions of University guidelines, procedures and regulations when working on Institutional Data.
1.2. Inappropriate Use
Users are expected to utilize IT resources in accordance with University principles and goals. Although the authorized use of the resources is not actively monitored, users will be responsible for the consequences of inappropriate use as defined below. Inappropriate uses fall in two categories according to their occurrences and impact.
a) Persistent or deliberate violations that directly impact the technology infrastructure: Including spreading viruses, exploiting security gaps, sabotaging, preventing access, information theft, etc.
b) Violation of University rules and/or the law by utilizing resources operated and provided by the University: Including disparaging, harassing or insulting a person or institution via email, using the information network to harm a third party, etc.
1.3. IT Department
The IT Department plans, operates, supports and ensures the security of University IT resources. You may contact the IT Helpdesk at (216) 483 9200.
1.4. Related Regulations and Laws
The University regulations and laws to be referred to with respect to the subject matter herein include, but are not limited to, the following:
· IT – IT Resource Use Procedure
· IT – Access Management Procedure
· Law numbered 5651 on Internet Publications and the Prevention of Crimes Committed by Internet Publications
· The Employment Law numbered 4857
· The Turkish Criminal Code numbered 5237
2. RESPONSIBILITIES OF THE UNIVERSITY
The University maintains security, disaster recovery and business continuity measures (antivirus, backups, firewalls, etc.) on user computers, servers and the network, and notifies users of these measures.The University is required by law to disclose all activities on its network to public authorities upon requests to be made by the related authority. Access rights of users are not restricted or monitored, but all access records are kept to be used as evidence when necessary.
3. RESPONSIBILITIES OF THE USER
3.1. Safekeeping Institutional Data and Sharing When Required
Information exchange within the University must be restricted with users that have a need to know. Institutional Data must be kept on File Servers, File Management Systems, Institutional Applications and Databases, which are maintained and operated by the university and are monitored for security. To the extent possible, Institutional Data must not be reproduced on offline media (DVDs, portable memories and disks, e-mails, printed documents, etc.) and taken outside the University. If the need arises, the data should be crypted properly all measures to prevent unauthorized access to the portable device and the disclosure of the Institutional Data, and said material must be destroyed after use to prevent further access. Users are responsible for taking measures to prevent the unauthorized use of sensitive data and their exclusive access rights by third parties when they leave their computers unattended (for example, computer passwords must not be shared, password-protected screensavers must be used and doors must be kept locked).
3.2. Remote Access to the University Network
Computers provided by the University should be the preferred method of remote access to the University network. To the extent possible, shared computers or networks (cybercafés, other institution networks, public computers, etc.) must not be used to access the network. If the need arises, the connection must be checked for security, encryption (SSL) methods should be used and passwords must not be stored. In case of suspicious events, immediately change all University passwords and contact the IT Helpdesk.
3.3. Sabotage, Information Theft, Unauthorized Actions, Negligence
The University has the right to take measures to prevent any deliberate actions or negligent damages against its information systems, user and institutional information (information theft, deletion, defacement, etc.), and seek legal action and recourse against such attacks if and when they occur. Access records stored on University systems will be considered evidence in legal procedures.
3.4. Configuration and Security Definitions
Even when technically practicable, users should not reduce the security levels of default software and computers delivered with default security configurations. These include MS Internet Explorer and MS Outlook security zone settings, antivirus settings, operating system updates, personal firewalls, BIOS settings and other hardware and software settings. Software that facilitate access to institutional and personal data and make computers more vulnerable to security attacks (including MSN, torrent software, file sharing protocols, etc.) must not be installed on University computers.
3.5. Reporting Security Incidents and Vulnerabilities
Users are expected to be sensitive to security incidents and vulnerabilities. Users are responsible for reporting any security vulnerabilities or the loss or theft of any critical institutional data, documents and equipment in their possession to the IT Helpdesk as soon as possible.
4. RESOLVING INCIDENTS OF INAPPROPRIATE USE
In case of direct attacks on University IT resources (hacking attempts, service interruption, data theft, etc.), the IT department will take emergency measures to prevent additional loss and to resolve the issue. This may result in the suspension of access rights for related users until the issue is investigated and resolved. Upon investigation, the user may be issued a warning or disciplinary action may be initiated pursuant to University rules and regulations in order to compensate for damages and prevent reoccurrence. In cases of mostly content-related inappropriate use arising out of the inappropriate use of University IT resources, access records that evidence such misuse will be given to the related authorities
upon the request of public authorities.
I have read and understood the foregoing.