Consequences of IT Service Abuse
Consequences of IT service abuse in brief
The University's IT service rules bind and obligate all users of IT services and systems. Including you.
The term 'IT service abuse' refers to service use in a manner that is against the IT service rules or applicable laws. All detected cases of abuse must be reported to the Chief Information Security Officer.
In case of suspected abuse, the University can restrict the user's access to services for the duration of the related investigation. Depending on the severity and intentionality of the act, service abuse can lead to consequences within the University or be reported to the police.
The Chief Information Security Officer may restrict access to IT systems during the investigation of a security violation.
Consequences of IT service abuse
IT service abuse means activities that are against the University's IT service rules or Finnish laws.
This document outlines the measures applied to the suspected party when a case of IT service abuse has been detected or there is justified reason to suspect such abuse. The measures range from restricting access rights during the investigation of a suspected abuse case to implementing actual consequences after the abuse has been confirmed.
The University can restrict access to IT services during abuse investigation
When a breach of IT service rules has been detected or there is reason to suspect one, the University can decide to restrict the access rights of the user in question. Access rights are restricted whenever there is justified reason to suspect that a user has abused the services and that the continued use of his/her rights would harm the investigation of the case or hinder damage control. When necessary, the user is invited to a hearing.
The decision to restrict access rights is made by the ICT Manager or the Chief Information Security Officer. The restrictions are implemented by the service's system administrator.
In urgent cases, the system administrator can independently set access restrictions for a maximum of three days, and this must be immediately reported to the Chief Information Security Officer.
When necessary, a user's workstation can be disconnected from the network.
The access restrictions can be removed once the investigation is completed, if the restoration of the user's rights does not pose an evident risk.
Consequences
In minor cases of abuse, the user receives a notice of improper activity.
A user found guilty of IT system abuse can be deemed liable to pay compensation for the abused resources (e.g. servers or network), direct damages and the costs of investigating the abuse.
Consequences to students
Consequences applicable to students include a temporary loss or restriction of usage authorisation, administrative actions by the University (written notice, temporary suspension), or reporting the case to the police (if the act is punishable under a law).
Consequences concerning usage authorisation are determined by the ICT Manager or the Chief Information Security Officer. The term of restricted authorisation does not include the time spent investigating the case. Written notices are issued upon the decision of the University Rector, and suspension decisions are made by the University Board. If a student is suspended, his/her IT system usage authorisation is revoked for the duration of the suspension.
Consequences to staff members
Consequences applicable to university staff members include labour-law actions (written notice, dismissal, termination of employment contract) or reporting the case to the police (if the act is punishable under a law).
The user's access to certain systems can be temporarily or permanently denied due to the lack of confidence caused by the abuse. Consequences concerning usage authorisation are determined by the ICT Manager or the Chief Information Security Officer.
Consequences to other users
Consequences applicable to users with roles other than degree student or staff member include the cancellation or restriction of usage authorisation or reporting the case to the police (if the act is punishable under a law).
The user's access to certain systems can be temporarily or permanently denied due to the lack of confidence caused by the abuse. Consequences concerning usage authorisation are determined by the ICT Manager or the Chief Information Security Officer.
Examples of IT service abuse
- Unauthorised handling of material subject to the Criminal Code and Copyright Act.
  - Material subject to the Criminal Code includes, for example, child porn, zoophilia, extreme violence, racist material and agitation.
  - Handling includes the possession and distribution of such material.
  - Material subject to the Copyright Act includes music, videos, comic strips, movies, games and software.
- Handing over user IDs includes
  - revealing your password to another user
  - leaving the workstation session open so that another user can continue using it under your ID.
- Compromising the confidentiality of information includes
  - disclosing information that is classified as secret or otherwise protected by law to an unauthorised person (for example, handing over server user data)
  - neglecting the information security of confidential information (passive negligence)
  - intentional breaches of confidentiality (active offence)
  - breaching the Personal Data Act.
- Negligence of personal information security includes
  - leaving your password in plain sight
  - neglecting to use the University's back-up copy procedures.