Undertaking & Acceptable Use Policy of VTC IT Resources

 

  1. Introduction

    1. Purpose
      The purpose of this "Undertaking & Acceptable Use Policy of VTC IT Resources" is to ensure that all use of the VTC IT resources is proper, secure, efficient and consistent with the objectives of VTC.

    2. Scope
      This document, together with all other prevailing policies, guidelines, best practices and standards as may be announced by Information Security Committee (Infosec Committee) or promulgated on VTC Information Security website from time to time (hereafter collectively referred to as the "Policy"), governs the use of VTC IT resources by staff, students, alumni, guests, and any other persons who have been given access to VTC IT resources (hereafter collectively referred to as the "users").

    3. Policy Statement
      The Policy might be reviewed and updated by VTC from time to time to incorporate changes as VTC might deem necessary or appropriate. Those changes are effective as and when they are announced or promulgated.

      Use of VTC IT resources constitutes acceptance of the Policy. Without prejudice to VTC's other rights and remedies against users who fail to comply with the Policy, VTC may suspend or terminate access to VTC IT resources temporarily or permanently without notice. VTC may take disciplinary action and report the case to the relevant authorities.

      The access to VTC resources is a privilege rather than a right which may be revoked at any time by VTC.

  2. Definitions

    VTC IT resources are provided by VTC to its users for performing activities which support the normal operation of VTC, including but not limited to academic, teaching and learning, research, consultation and administrative activities (hereafter collectively referred to as the "Authorized Purposes").

  3. Principles for Use of VTC IT Resources

    Users must abide by the principles below while using VTC IT resources. Non-compliance will be considered as improper use of VTC IT Resources.
    1. Users shall use VTC IT resources in an effective, ethical and lawful manner.
    2. Users shall use VTC IT resources solely for supporting Authorized Purposes. Users must not use them for any illegal or unauthorized purposes.
    3. User shall avoid violating any applicable laws or regulations.
    4. Users shall avoid interfering the normal operation of VTC IT resources and the work of other users of VTC IT resources.
    5. The right to access VTC IT resources do not imply the right to resell or transfer the rights to others. Users shall not:
      • Allow unauthorized users to access VTC's systems or network; and
      • Transfer VTC owned applications or data to unauthorized users.
    6. Users shall not provide false or misleading information in order to obtain access to VTC's IT Resources.
    7. Users shall not damage or attempt to damage VTC IT Resources.
    8. Users shall avoid any wasteful use of VTC IT resources.
    9. Users must not compromise the confidentiality, integrity and availability of VTC information and data.
    10. Users shall not participate in any unauthorized reading, altering, intercepting of, electronic eavesdropping on, any network communications over the network or data kept on systems on the network.

  4. User Rights and Responsibilities

    Users have the following rights and responsibilities:
    1. Users are responsible to follow the Policy, both in letter and in spirit. Users shall observe and adhere to relevant VTC IT Policies and applicable laws and regulations, including but not limited to the ordinance related to copyright, data privacy, and computer crimes. Offenders could be subjected to disciplinary actions and/or civil/criminal liabilities.
    2. Users are responsible for any activities initiated with VTC IT resources.
    3. Users are responsible for selecting a secure password/authentication and keeping the password secret at all circumstances.
    4. Users are responsible for protecting their own files and data from being read, written and/or recorded by other users. Users shall not download applications/data files, or open attachments from unknown sources.
    5. Users are responsible to report any system security violation, or suspected system security violation to Information Technology Services Division (ITSD) as soon as possible.
    6. Users are responsible to take adequate security measures to protect VTC IT resources from physical damage or loss.
    7. Users have the right not to be harassed while using VTC IT resources, no matter physical, verbal, electronic, or any other forms of abuse.

  5. Copyrights and Licenses

    1. The installation, modification and/or use of any software in the user's office computer without proper licensing are strictly prohibited.
    2. Copyrighted works, including copyrighted Internet resources, shall only be used for lawful purposes. Reproduction or public distribution of copyrighted works is strictly prohibited without the consent of the copyright owner or licensing body. Users are liable for legal consequences concerning infringement of copyright that may arise.
    3. Transmitting any material that may infringe the intellectual property rights or proprietary rights of others, e.g. trade mark, copyright, patent, right of publicity.

  6. Monitoring use of VTC IT Resources

    1. Purpose of Monitoring
      The use of VTC IT resources may be monitored for the following purposes:
      1. Transmitting any material that may infringe the intellectual property rights or proprietary rights of others, e.g. trade mark, copyright, patent, right of publicity.
      2. Provide necessary information for VTC management to ensure proper and effective use of VTC IT resources
      3. Identify and address threats to the VTC IT environment for continuous improvement
      4. Detect policy violations or weaknesses

    2. Scope of Monitoring
      VTC reserves the rights to log any user activities on VTC IT resources.


    3. Use of Information Gathered from Monitoring
      Logs and recorded information of VTC IT resources collected during monitoring process will be used for ensuring compliance with VTC policies. Log files will be kept for and be erased after a specific period of time (usually 1 year), unless further retention is necessary for legal processes, disciplinary actions, or investigation of suspected breaches of VTC policies. VTC reserves the right to access the logs and recorded information. Access to the logs and recorded information shall be restricted to authorized personnel on a need basis. The request to access the logs and recorded information shall be authorized by Heads of Operational Units.


  7. Enforcement

    Disciplinary actions according to the prevailing disciplinary rules may be taken against the users for improper use of VTC IT resources depending on the seriousness of the case. Any cases involving violation of the laws and regulations of Hong Kong will be referred to relevant authorities for further actions. The VTC may suspend or terminate the use of VTC IT resources where necessary.

  8. Relevant Laws and Regulations

    Users shall observe and strictly follow applicable laws and regulations, including but not limited to:

    1. Cap. 106 The Telecommunication Ordinance
      • Section 27A - Unauthorized access to computer by Telecommunications
    2. Cap.200 The Crime Ordinance
      • Section 59 and 60 - Interpretation on misuse of a computer
      • Section 161 - Access to computer with criminal or dishonest intent
    3. Cap. 210 The Theft Ordinance
      • Section 11 - Explanation on burglary to include unlawfully causing a computer to function other than as it has been established on behalf of its owner to function
    4. Cap. 486 The Personal Data (Privacy) Ordinance
    5. Cap. 528 Copyright Ordinance
    6. Cap. 593 Unsolicited Electronic Messages Ordinance

    Any breach of the law will be reported to relevant authorities and VTC will take appropriate actions as required by the relevant authorities.

  9. Interpretation of the Policy and Enquires

    This document is not exhaustive. The final authority for interpreting this Policy lies with Infosec Committee. It is the responsibility of users to contact Infosec Committee, in writing, regarding questions of interpretation. To err on the side of caution, questionable use of VTC IT resources should be considered as "not acceptable" and hence be avoided, unless and until Infosec Committee has approved of such use and made the corresponding changes to this Policy.

    For enquiries on the policy, please contact the Infosec Committee by infosec@vtc.edu.hk.



Appendix A: IT Facility or Service Specific Policy

Policy specific to some VTC IT resources are outlined. All users of the VTC IT resources are also governed by the policy shown as follows and shall be aware of it.

A.1 Computer and Network Account (CNA)

CNA is the key for users to access VTC IT resources. CNA users shall read this policy carefully before activating their CNA. By activating a CNA, it means that user have read, understood and agreed to observe the Policy.
  1. CNA is non-transferable and users are not allowed to permit other people use their accounts.
  2. CNA users shall immediately report any system security violation, or any suspected system security violation to their local technical support / representatives.


A.2 VTC Network Usage

VTC Network refers to the network (including wired and wireless network) in all VTC premises provided by VTC for users to perform activities related to the Authorized Purposes.
  1. Downloading, uploading or circulating multiple large files irrelevant to the Authorized Purposes is strictly prohibited.
  2. Experiments on the network which will lead to exhaustive flooding of its available bandwidth should be avoided. Networking experiment for Authorised Purposes should be done in an isolated environment to avoid impairing the healthy state of VTC Network.
  3. Installation of unauthorized Internet connection (e.g. dial-up, broadband Internet access), server (e.g. DHCP server), network equipment (e.g. modem, switch), remote access software (e.g. terminal service) and wireless access point introduces security holes to the VTC Network. If such activities are required for authorised teaching, learning, consultation or administrative purposes, they should be implemented at an environment isolated from the VTC Network.


A.3 Email Service

VTC Email is one of the official communication channels among staff and students. It must be used for the Authorized Purposes only. VTC email accounts shall not be used for other purposes such as:
  1. Register public websites, such as forum/discussion group, social networks, photo or video-sharing platforms, chat rooms or auction sites
  2. Conduct commercial activities, such as marketing or business transactions
  3. Send irrelevant or chain mails to a large number of recipients
  4. Broadcast messages which are likely to harass or offend others

User must apply their best efforts in making sure that his/her email and all the mail attachments are free of virus, Trojan horses, worms or any other harmful or deleterious contents. Users are advised to back up important messages and attachments, and delete outdated messages and attachments.
VTC reserves the right to access the content of emails held in a user's mailbox when there is reasonable suspicion of violation of the VTC's policies.

The request to access the content of emails shall be authorized by senior management not lower than DED level and execution of such access shall only be done by the personnel authorized by the Chairman of Information Security Committee.

    A.3.1 Broadcast Mail/Mass Mail

    The mass mailing/mailing list function is made available to facilitate authorized communications between users and not for any other purposes. Users must not abuse this function. As a guiding principle (the numerical references are solely for guidance and shall not prejudice VTC's discretion in deciding whether this Policy has been breached), a user shall be deemed (subject to contrary proof) to have abused this function/the VTC IT resources if he/she conduct any of the following:
    1. Send an email to more than 100 recipients in a single email
    2. Send an email under this function with email size (including attachments) exceeding 500 Kbytes
    3. Send an email to a recipient, who has indicated his/her objection to receiving the email, or fail to promptly remove/unsubscribe such a recipient from the massing mailing/mailing list.

    It shall be the sole responsibility of the sender to obtain the consent of the recipient before sending these emails and promptly honor the recipient's request to unsubscribe.


    A.3.2 Fake/Anonymous Mail

    Users should send emails with the email address assigned by VTC. Sending email in the name of other users (i.e. Fake email) and/or sending anonymous email shall be considered as an act of dishonesty and may result in disciplinary actions, subject to the circumstance and judgement of VTC.


    A.3.3 Indecent Mail

    1. Sending SPAM email (unsolicited bulk commercial email, whether internally or externally) wastes the VTC IT resources and may cause negative impact to VTC's image and such activity shall be strictly prohibited.
    2. Emails should be written with proper language and observe common courtesy. Senders should not harass the email recipients with bad language.
    3. Sending out chain letters, broadcasting/circulating messages, disseminating messages that contain statements of personal attack/criticisms or unverified incidents/rumors or any other forms of network communications that harass or offend other users of VTC network, and the use of false identities/ email addresses are considered irresponsible use and shall be avoided.


A.4 Video Conference, Messaging and Collaboration Services

  1. Users are advised to be aware of the security implications of virtual meetings and their responsibilities when using video conferencing technologies so as to keep the communication secure.
  2. Collaboration devices should be separated from VTC internal network. If connection to VTC internal network is necessary, the collaboration devices should be managed according to all established VTC information security policies.
  3. Users shall observe and follow the best practices on using collaboration services (e.g. OneDrive, SharePoint, Office Online, etc.) and avoid uploading confidential and/or indecent materials to the online workspace.


A.5 Printing Service

  1. The printing service provided by VTC are not intended for users' personal use or any other non-work/academic related printing or copying.
  2. Users are advised to pick up their printer output promptly to avoid theft or unnecessary disposal.


Last updated: 3 August 2020