ISMS - IT Guidelines
§ 1 Scope of the guidelines
1.1 These guidelines apply to all IT equipment and all IT systems that are available at Conexus, this also includes private equipment and private systems used in the context of Conexus.
1.2 The guidelines must be available electronically. The latest version can be found at all times on the ISMS - Governing documents. They can also be obtained by contacting IT user support.
1.3 Every user is obliged to keep himself updated and informed about the applicable guidelines, any supplements and local additions.
1.4 Questions regarding the interpretation of the guidelines can be directed to IT user support.
1.5 Before each individual user gets access to and the opportunity to dispose of equipment and/or systems at Conexus, there must be confirmation that the person in question has familiarized himself with the applicable guidelines.
§ 2 Purpose and lawful use of IT equipment and systems
2.1 IT equipment and IT systems must only be used for the purpose for which they are intended. The equipment/systems must not be used commercially or for activities that are not connected to the business around Conexus. Nor should it be used for political or religious agitation.
2.2 The Conexus equipment/systems must not be used for anything that conflicts with Norwegian/international legislation and the rules and regulations that apply at Conexus.
2.3 Users must identify themselves with a username and password when logging in. Users must neither hide their identity nor pretend to be someone else.
2.4 Users are obliged to familiarize themselves with the user manuals, documentation etc. in a proper manner in order to reduce the risk that ignorance may create a risk of operational disruptions or loss of information (data), programs or equipment.
2.5 Users must not distribute or inform about their own or other people's login information. It is not permitted to use someone else's equipment/system without the consent of the person who disposes of it.
2.6 If a user becomes aware that their own or other people's information has gone astray, they must take measures to ensure that more information or data is not lost. Examples of this could be that someone has gained access to your or someone else's account, in which case you should contact IT-Brukerstøtte.
§ 3 Privacy and security
3.1 A user account is strictly personal, you must not let other people use your account.
3.2 Every user is responsible for his own account, files and equipment, and must himself take precautions to prevent others from using this without permission. Such precautions include, but shall not be limited to, judicious choice of passwords and limiting the sharing of information.
3.3 The user is obliged to prevent unauthorized access to, among other things, data, equipment or systems. This also includes that students or outsiders cannot be given access to employee information or equipment/systems.
3.4 The user must not use or attempt to gain unauthorized access to other people's information, data or other information without special permission. This also includes if other users with or without intention have made this available.
3.5 Data of value must be stored in places where backups are taken. IT user support can inform you at any time about which locations are included in the backup.
3.6 Users must not use equipment/systems in a way that may bother or appear offensive to others. This includes abusive obscene e-mails or discussion posts.
3.7 If you receive e-mail or are on websites or the like that may seem unsafe and share, download or retrieve information from, you must contact IT user support before continuing. You yourself are responsible for being aware of where you collect or share information and whether it is safe to collect/share the information.
3.8 Conexus allows the use of own/private equipment to run with the company systems. You yourself are responsible for ensuring that your own/private equipment is in order and that its use does not conflict with the guidelines laid down in this document.
3.9 You yourself are responsible for keeping malware such as viruses and the like out of the compaly systems with the equipment you dispose of or take with you and use with Conexus equipment/systems.
§ 4 Misuse
4.1 The company IT resources are limited and users must show consideration for each other.
4.2 Access to IT resources at the company is not a matter of course, in the event of misuse or unreasonable use this may lead to restrictions on access for all users. You have the right to say what you want to whomever you want, but Conexus is not obliged to offer you equipment/systems to do this. When using Conexus equipment/systems, for example e-mail or other things you use for publishing and communication, Conexus will automatically have some responsibility for the content or tone of the message. "be polite and brief" is a good rule of thumb for such messages.
4.3 Users shall not:
4.3.1 destroy IT equipment or IT systems. This also includes equipment in auditoriums, meeting rooms and common areas.
4.3.2 One must not destroy or change data belonging to other users.
4.3.3 One must not limit or prevent authorized use of equipment/systems, either with or without the use of knowledge of special passwords or loopholes in the system.
4.4 Users must not:
4.4.1 Using accounts of other users
4.4.2 Impersonate someone else.
4.4.3 Seek to discover or break other people's passwords or encryptions.
4.4.4 Attempt to gain access to additional resources or rights.
4.4.5 Accessing the system where the necessary authorization has not been granted.
4.4.6 Undermining access restrictions.
4.5 It is not permitted to change the system setup or remove the basic program without special permission from the system administrator.
§ 5 Respect for copyright matters
5.1 The user undertakes to respect copyright, i.e. the rights of others to copyright-protected material. It is not permitted to use Conexus equipment/systems to convey or store copyright-protected material in conflict with the copyright holder's interests.
5.2 Users who have gained access to licensed software are not allowed to share the software or the license key or anything else that may be affected by or contravene the provisions.
§ 6 Confidentiality
The Service Operations employees have a duty of confidentiality with regard to information about the user or the user's business that they acquire through the performance of their work. The exception is matters which may represent a breach of the regulations and which must be reported to superiors.