IT Acceptable Use Procedure

1. The purpose of our procedure

This procedure supports the IT Acceptable Use Policy by outlining how Adelaide University manages access to, and use of, its IT systems and services. It promotes secure, ethical, and lawful user behaviour.

Please read this procedure in conjunction with our IT Acceptable Use Policy.

2. Who our procedure applies to

This procedure applies to all members of the Adelaide University community.

This procedure authorises the Chief Information Officer (CIO) to maintain associated protocols.

For cyber security controls and incident processes, refer to the Cyber Security Policy and Cyber Security Procedure.

3. Our IT acceptable use procedure

This procedure sets out user obligations and operational requirements to ensure the acceptable, secure, and lawful use of IT facilities at Adelaide University. Each section below is supported by detailed protocols, supporting plans, and reference materials that guide implementation.

3.1 Acceptable and unacceptable use of IT

3.1.1 All users of University IT are required to:

  • use IT facilities only for authorised University purposes and approved incidental personal use
  • avoid any behaviour that may bring the University into disrepute, expose it to legal liability, incur costs, or compromise security
  • immediately report any misuse or suspicious activity via the Adelaide University IT Services Hub or designated security contact.

3.1.2 The following activities are prohibited. Examples include, but are not limited to:

  • Downloading or distributing pirated software or copyrighted material.
  • Using IT systems for intimidation, discrimination, harassment, victimisation, bullying, gender-based violence and sexual harm, hate speech or illegal activities.
  • Hosting unauthorised websites or platforms using University resources.
  • Running crypto-mining or unauthorised commercial operations.

3.1.3 Users must not use unapproved or non-University-endorsed cloud platforms, artificial intelligence tools, or external applications to store, process, transmit, or analyse any University research data that includes personal, sensitive, health, cultural, or confidential information.

3.2 Security of devices and credentials

All users are responsible for protecting their devices and login credentials.

Refer to the Cyber Security Policy and Cyber Security Procedure for specific security control and incident management requirements.

3.3 BYOD and personal device access

All users connecting personal devices to Adelaide University systems must meet the following minimum standards:

3.3.1 Devices must be patched with current software and security updates.

3.3.2 Anti-malware must be active and up to date.

3.3.3 Any local or removable storage media containing Adelaide University data must be encrypted.

3.3.4 Devices must not be used to store or transmit unprotected sensitive Adelaide University data.

3.3.5 Users must disconnect any personal device upon notification from the Cyber SecOps Team for non-compliance.

3.3.6 By connecting a personal device, users consent to Adelaide University taking limited actions necessary to protect University information. This includes verifying compliance posture while connected and removing Adelaide University data from the device if required.

The Information Technology Function may block any device that is compromised or does not meet minimum security standards, and access will only be restored once the issue is remediated. Adelaide University will only access or act on information on personal devices to the extent required to protect University systems and data, consistent with privacy obligations.

3.4 Communication tools and email use

All users of Adelaide University communication systems are required to use these services in a secure, professional and legally compliant manner that reflects the University’s standards and responsibilities. This includes, but is not limited to, email, Microsoft Teams, Zoom, and other messaging or collaboration platforms.

The following user groups must use approved university communication channels as follows:

3.4.1 Staff must use their Adelaide University-managed communication channels for all official communications with students, colleagues, and external stakeholders.

3.4.2 Students must use their Adelaide University-provided accounts and platforms when engaging in academic or administrative communications.

3.4.3 Third party users and contractors with system access must follow the same communication integrity and confidentiality standards.

3.4.4 Transmission of confidential or sensitive data must comply with the Information Classification and Handling Standard.

3.5 Obligations and governance

Communications must support appropriate identity verification, information security, and auditability.

Only Adelaide University-issued email accounts must be used for all University-related communications involving student, staff, research, or administrative matters. Contractors or consultants who don’t have a University-issued email account may request an account if communication is to be issued on behalf of the University. All Adelaide University communication platforms must be used in accordance with the Information Governance Policy and other applicable University policies and should reflect professionalism, respect, and purpose-specific usage.

Sending confidential or sensitive data must involve encryption or use of secure Adelaide University-approved tools (for example, OneDrive with permissions, and encrypted email attachments).

Adelaide University email addresses must not be used to register for personal services, platforms, or subscriptions unrelated to work (for example, utility bills, eBay, Netflix, etc.).

Users must not engage in misuse of any communication tools. Examples include, but are not limited to:

  • impersonation or identity misuse
  • harassment or discriminatory content
  • mass unsolicited messaging
  • transmission of offensive or unlawful content.

3.6 Cyber awareness training requirements

3.6.1 Managers, supervisors, and system owners must ensure that:

  • staff, affiliates, and third-party users complete Cyber Training and Awareness during onboarding and annually
  • students requiring elevated system access (for example, research tools, admin dashboards) complete training before activation
  • completion records are maintained by People and Culture (staff), Student Services (students), or Vendor Management (third parties). Where third-party engagements have not been coordinated through IT, vendor management is the business unit’s responsibility.

3.6.2 All users subject to this requirement must:

  • complete the assigned training module(s) via Adelaide University's learning management system
  • stay informed about updated cyber security threats and user responsibilities
  • acknowledge that system access may be restricted for non-compliance
  • complete additional role-specific training where required, including for high-risk users such as research data custodians, system administrators, and distributed IT staff, as directed by IT Security.

3.7 Breach reporting and enforcement

All members of the Adelaide University community are required to report any actual or suspected IT security breach as set out in the Information Breach Procedure and the Privacy Policy.

3.7.1 Adelaide University upholds a zero-tolerance stance on non-compliance, with the following actions considered breaches of IT security:

  • Unauthorised access to Adelaide University systems, accounts or data.
  • Loss or theft of devices storing sensitive Adelaide University information.
  • Malware infections, phishing attacks, or compromised credentials.
  • Deliberate misuse of IT facilities, such as impersonation or harassment.
  • Failure to comply with acceptable use obligations, including use of prohibited platforms or applications.
  • Improper sharing or disclosure of confidential data.

3.7.2 Users (staff, students, contractors) are obliged to immediately report suspected or known breaches to:

3.7.3 IT custodians must escalate all breach reports to the University’s Incident Response Team.

3.7.4 IT Services must triage, log, investigate, and respond to all IT security incidents in accordance with internal Cyber Security and Incident Management protocols.

3.7.5 Depending on the severity and intent of the breach, any of the following enforcement actions may be taken:

  • Temporary or permanent revocation of IT access privileges.
  • Requirement to complete mandatory retraining (such as Cyber Training and Awareness).
  • Internal disciplinary procedures under relevant HR, student conduct, or contractor frameworks.
  • Referral to legal, regulatory, or law enforcement authorities where required (for example, under the Notifiable Data Breaches (NDB) Scheme or State Records Act 1997 (SA)).

4. Distributed IT management

IT assets outside central IT management or control are known as Distributed IT and are subject to cyber security risk management protocols. Adelaide University takes a risk-based, standardised approach aligned with the Risk Management and Legal Compliance Policy to ensure that Distributed IT assets meet the same security and compliance standards as centrally managed systems.

Refer to the Information Breach Procedure and Cyber Security Procedure for detailed steps and escalation pathways.

4.1 Breach reporting and enforcement

The following actions address management of cybersecurity for distributed IT:

  • The Cyber Security GRC Team must produce and maintain the [Distributed IT Management Framework] and Distributed IT custodians must comply with it.
  • A threat and risk assessment must be completed for each Distributed IT environment.
  • Distributed IT custodians must ensure Distributed IT assets follow baseline cyber controls equivalent to centrally managed IT.

4.2 Responsibilities and accountability

Distributed IT assets are subject to the same cyber security policies, procedures, and standards as centrally managed systems. Leaders must:

4.3 Compliance declaration and spot checks

4.3.1 Business areas with Distributed IT must:

  • submit an annual declaration of compliance via the approved online form
  • undergo periodic audits and spot checks conducted by the Cyber Security and Risk teams.

4.3.2 Audits may include technical testing (for example, penetration testing, vulnerability scanning), documentation reviews and physical inspections of Distributed IT assets.

4.4 Risk register monitoring

The Distributed IT custodian must:

  • Confirm each Distributed IT area completes a threat and risk assessment.
  • Track Distributed IT risks in the [University Risk Register] using the DIT- prefix.
  • Escalate high or extreme risks to the Chief Risk Officer, in coordination with the CIO.
  • Recommend centralisation of Distributed IT assets where security risks are excessive or controls cannot be met.

4.5 Compliance and monitoring

The Distributed IT Working Group will:

  • Track compliance-declaration submissions.
  • Maintain statistics on Distributed IT asset categories.
  • Report compliance and risk trends to the Chief Technology and Security Officer (CTSO), the [Cyber Governance Committee] and the Audit and Risk Committee.
  • Issue reminders and provide compliance support as needed.
  • Ensure annual compliance declarations and audits reference the IT Custodian role for Distributed IT.

5. Who holds a responsibility within this procedure

Refer to the Delegation Policy for all delegations at Adelaide University.

5.1 The CIO is required to:

  • Oversee IT Acceptable Use strategy and ensure appropriate resources and governance are in place.

5.2 The Chief Technology and Security Officer (CTSO) is required to:

  • Oversee the IT Acceptable Use program, standards, monitoring, and incidents.
  • Respond, with the authority to set minimum controls and require remediation.

5.3 Managers and IT custodians approving user access are responsible for:

  • Ensuring a formal request and approval process is followed for each third-party use.
  • Ensuring external access is time-bound, limited to authorised systems, and logged appropriately.
  • Confirming that contractors, vendors, and external collaborators sign an [IT Conditions of Use Agreement].
  • Ensuring third-party access is revoked once the engagement ends or no longer requires system access.
  • Confirming privileged and administrative accounts are reviewed at least quarterly to verify ongoing need and appropriateness of access.
  • Ensuring periodic access reviews (at least annually) are conducted for third-party accounts.
  • Ensuring revocation at the end of engagement for third-party users.
  • Confirming third-party access is recorded and notified to central IT for oversight and compliance tracking, even where the engagement is not coordinated through IT procurement.
  • Contractors and vendors are subject to the same acceptable use and cyber controls as staff.

5.4 Central IT is responsible for:

  • Ensuring that development of new IT, including new acquisitions, conforms with architectural requirements, does not duplicate existing University IT and, where applicable, complies with the Procurement Procedure (login required).
  • Ensuring contracts for new acquisitions comply with the Legal Services Policy and the Contracts and Agreements Procedure (login required).
  • Administering the provision and de-provision of University user IDs and associated IT access in line with business rules developed with People and Culture and the Deputy Vice Chancellor - Academic, ensuring access aligns with employment, enrolment or affiliation status and enables timely access to University IT systems for learning, research, and administrative functions.
  • Applying system-level safeguards, including user quotas (e.g., mailbox, storage or printing), and security controls such as multi-factor authentication and approved remote access methods. Unauthorised personal remote access, including unapproved desktop remote connections, is prohibited.
  • Monitoring University IT systems as part of standard operations and maintenance, including logging activity and analysing usage data to protect system integrity, meet legal obligations and investigate potential breaches.
  • Taking immediate action to safeguard the University network, including suspending user accounts, blocking traffic, or disconnecting devices if any actual or suspected threat to IT security arises.

5.5 The [IT Security Office] and authorised monitoring agents are responsible for:

  • Conducting lawful monitoring of IT systems to ensure security, compliance, and performance.
  • Maintaining audit logs of activity across systems, networks, and accounts.
  • Notifying users via onboarding, system banners, and awareness campaigns that monitoring occurs.
  • Ensuring all monitoring complies with applicable privacy obligations, the Freedom of Information Act 1997 (SA), the State Records Act 1997 (SA), and University internal audit protocols. Monitoring may be performed with or without prior notice to the user.

6. Definitions used in our procedure 

Please refer to our Adelaide University glossary for a full list of our definitions. 

Adelaide University community refers to a broad range of stakeholders who engage with Adelaide University and includes (but is not limited to) all students, staff, and non-staff members of Adelaide University including alumni, honorary title holders, adjuncts, visiting academics, guest lecturers, volunteers, suppliers and partners who are engaging with and contributing to the work of Adelaide University.

Acceptable use (IT) means the responsible, lawful, and appropriate use of university IT facilities for teaching, learning, research, administrative, or approved incidental personal purposes, in accordance with this policy.

BYOD (Bring Your Own Device) means the use of personally owned devices such as smartphones, tablets, or laptops to access university systems, services, or networks.

Cyber security means the protection of information systems and digital infrastructure from unauthorised access, disruption, modification, or destruction to ensure the confidentiality, integrity, and availability of information.

Declaration of compliance means the formal annual submission by area managers confirming their business area's adherence to the requirements of this procedure.

Distributed IT means any IT asset, system, or software acquired, managed, or operated outside the central IT unit, including research devices, cloud-hosted services, and Internet-of-Things (IoT) components.

IT custodian means the individual or function responsible for implementing, maintaining and operating the technical aspects of a system in line with Adelaide University’s security and compliance standards. For centrally managed systems, the IT custodian is the Chief Information Officer. For distributed IT environments, each area must nominate a distributed IT custodian.

IT facilities means all information technology assets, infrastructure, devices, networks, platforms, and software systems that are owned, operated, or supported by Adelaide University.

Monitoring (IT) means the authorised observation, logging, or analysis of user activity and system performance to ensure compliance, security, operational integrity, and legal obligations.

Personal use (IT) means limited, non-commercial use of university IT facilities that does not interfere with university operations or violate this or any other university policy.

Third-party use (IT) means temporary or ongoing access granted to non-university personnel for the purpose of fulfilling university-related tasks.

Unacceptable use (IT) means any use of IT facilities that breaches law, university policies, contracts, or expected standards of conduct. This includes harassment, illegal activity, unauthorised access, misuse of credentials, or use for personal profit.

7. How our procedure is governed

This procedure is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.

Parent policy: IT Acceptable Use Policy

Policy category: Corporate

Policy owner: Chief Information Officer

Approving authority: Vice Chancellor and President

Procedure owner: Chief Information Officer

Responsible officer: Chief Technology and Security Officer

Effective from: 19 December 2025

Review date: 1 year after date this version is approved

Enquiries: Interim Central Policy Unit/[Central Policy Unit], staff.policy.enquiries@adelaideuni.edu.au

Replaced documents: None

8. History of changes

Date approved

To section/clauses

Description of change

18 December 2025

IPD1320PRO

N/A

New procedure

At the time of writing, some organisational details within Adelaide University are still evolving. Square brackets [ ] are used to indicate placeholders or areas where information may be refined, clarified or confirmed. These will be updated as the University's arrangements are finalised.