Regulations for the use of IT for employees and individuals with access agreements at Nord University

This page outlines guidelines for the responsible use of Nord University's IT equipment.

    All questions regarding the interpretation of these principles should be directed to IT Helpdesk.

    • IT equipment provided to employees should be used for private purposes only to a limited extent, and the university is not responsible for any personal data stored on the device.
    • IT equipment and resources must not be used for commercial purposes or for activities unrelated to the university's operations.
    • The use of shared hardware and access to shared information entails a responsibility to use the systems and information legally and to always act responsibly. It is expected that everyone at the university respects the rights of others and uses IT equipment thoughtfully.
  • There are several information channels from the IT department to users (intranet, email, notices, user support tips, etc.). It is assumed that all users familiarise themselves with the information provided through these channels.

  • All employees at all levels are responsible for staying informed about the university's procedures and guidelines for information security and data protection, and must adhere to the confidentiality obligations outlined in the "Declaration and Confidentiality Agreement" applicable to Nord University.

    All employees are also responsible for ensuring that sensitive information is not disclosed to unauthorised individuals.

    Employees are also required to complete information security training, which is regularly made available by the employer.

  • Before using IT equipment (such as computers, printers, and software), each individual must familiarise themselves with the use of the relevant equipment and ensure that they have the necessary access and competence.

    It is not allowed to process material that may be offensive or provocative to others – for example, defamatory statements or pornographic material.

    The network/Internet should not be used to transmit information that is not work-related.

    It is not allowed to attempt to gain access to computer systems that one is not authorised to access.

  • Snooping or unauthorised access to the employer's IT systems is not allowed. Searches and queries may only be made where there is a work-related need to perform these searches.

  • All use of IT systems at Nord will leave electronic traces, which are stored for a period to effectively manage, maintain, and troubleshoot the systems.

    This logging may result in the detection of unintended activity/snooping in systems. This is part of the IT department's work routines and control measures to ensure the secure and stable operation of the network and IT systems.

  • Access and sanctions

    1. The use of Nord University's IT resources that results in a violation of Norwegian law may lead to actions from the police and prosecuting authorities, in addition to independent sanctions from Nord University.
    2. Serious violations of security regulations and these guidelines, as well as misuse, may result in criminal liability under Norwegian law. This also applies to misuse that causes the university financial loss or liability (such as illegal copying, internet use, etc.).
    3. IT operations personnel may take necessary actions to ensure the availability, functionality, and integrity of Nord University's IT resources. If such actions affect the user's use of the IT resources, the user should, if possible, be notified in advance and in any case without undue delay and as soon as practically possible.
    4. In the event of death, the applicable Nord University routine "Procedure when an employee dies" should be followed. It describes who should be granted access, and how, if applicable.
    5. The university disclaims responsibility for the loss of data not stored on the university's IT servers.
    6. Requests for access to an employee's email inbox should be submitted by the highest leader at the unit (at the department, faculty, or central administration division) in consultation with the head of the finance and HR department and the system owner. The decision regarding access is made by the head of the finance and HR department.

    If you are unsure whether your use of the resources aligns with good practice and usage, ask the IT department.

    Disclosure of information

    Introductory Comments:

    The use of information technology generates many traces and data, some of which are stored in Nord University's systems because they are needed to operate IT systems. This may be for detecting errors or issues, measuring resource usage, or improving performance. In any case, Nord University retains certain log information.
    The logs are created for one purpose: to support the operation of Nord University's IT systems.

    Other purposes, such as monitoring user behavior or proving whether they have committed criminal actions, are irrelevant to Nord University and are generally not a justification for the existence of these logs.

    Their handling should follow the principle of purpose limitation, meaning they should generally not be used for purposes other than the original one. Applied to a question of disclosure, this would strongly favor a negative response.

    The police and prosecuting authorities have the right to identify who used a given IP address at a specific time.

    Secondly, there are more extensive rules that give them the right to secure logs, meaning they can order Nord University to retain specifically designated logs (but not disclose them), typically while awaiting a court ruling.

    Nord/employer may grant access to information, logs, and backups to third parties when this is authorised by law or regulation, as well as upon presentation of a legal decision.

  • IT and network resources are limited. All users are responsible for using these resources efficiently, ethically, and legally.

    It is not allowed for individuals to install programmes or make other changes to the IT systems without the approval of the IT department.

    All use of computer resources and processing of personal data must comply with Norwegian law.

  • All employees must adhere to the guidelines governing the use of software and data processing. This applies to both licensed and unlicensed software, as well as data protected by copyright.

    If there is a need for software, this should be clarified with the IT department, which has agreements in place and an overview of what is available at the university.

    If software has been provided for home use as part of employment, it must be deleted from the home computer if the employment ends or the right to home use from the supplier ceases (e.g., Microsoft 365).

  • All equipment (e.g., personal PCs, USB drives, external hard drives) used in connection with the university's systems must at all times be checked for viruses and other malware.

  • All users are assigned a personal user account with an associated password. The password should be kept confidential, chosen carefully, and treated in the same way as passwords for, for example, online banking.

    Nord has activated two-factor authentication on all employee accounts in Microsoft 365.

    If you suspect that someone else knows your password, it should be changed as soon as possible. It is not allowed to act anonymously, impersonate someone else, or use a false identity.

  • Employees must handle information in accordance with the university's guidelines for classification.

  • Information classified as yellow, red, or black must be secured in such a way that it does not come into the hands of unauthorised individuals.

    The information must not be stored on media that you do not have control over and must comply with the classification guidelines and storage guide for Nord University.

  • If working from home computers with Microsoft 365 or the intranet and associated services, you must be diligent about logging off the systems when you have finished your work.

    The same applies if you are working on the university's equipment from home: you should ensure the machine is locked when not in use to prevent unauthorised access. Use WIN+L to lock the machine.

  • Emails sent should only be addressed to recipients who can be expected to have an interest in receiving them from you. The Nord University email account should not be used for personal purposes.

    Information classified as Yellow and Red should not be sent via email without being secured/classified. Black information should not be sent by email. Group emails should be used with caution.

    If emails are read on a phone or tablet, these devices must be secured with a password (PIN code, biometric) to prevent unauthorised access. Such devices should not be lent out. If the device is lost, it must be reported immediately to the IT department.

    Be cautious when opening links and attachments from people you don't typically communicate with. Always check the link's address before clicking; if it seems suspicious, verify with the sender.

    REMEMBER: STOP – THINK – CLICK

  • Storage of work-related information should be done in accordance with the storage guide for Nord University.

  • The IT department may, if necessary, perform reinstallation/formatting of any computer owned by the university without being responsible for the content stored locally on the machine, i.e., anything outside of OneDrive, Teams, etc.

  • Mobile devices must always be supervised or stored securely. Special caution is advised when traveling with the equipment or commuting to and from the workplace.

    Never leave the equipment unattended in public spaces or in places where it could be easily accessed for theft.

    Mobile phones containing information from Nord University, such as data files and emails, must be secured with a password/code. If the phone is lost, it should be reported as soon as possible to the IT department, which can assist in removing/deleting the device and its content.

    Electronic/technical equipment such as portable hard drives, flash drives, and other portable storage media should be stored securely and kept under supervision when outside the workplace.

    Electronic/technical mobile equipment deployed and used in the field and common areas, including shared IT equipment, must be secured against theft and vandalism in accordance with a risk assessment.

    Electronic/technical equipment that is shipped or transported must be secured against transport damage and loss in accordance with a risk assessment.

    If you plan to take IT equipment to a country outside the EU/EEA, this must be cleared in advance with the IT Helpdesk.

  • Nord University may respond to inappropriate behavior by imposing various disciplinary measures. This includes revocation of access to the university's data equipment and network, suspension, or expulsion.

    The university reserves the right, without notice, to:

    • Restrict users' access to data equipment and the network.
    • Inspect, copy, remove, or otherwise modify any data file or system resource that undermines the authorised use of the equipment and may cause issues for the university.
    • The university also reserves the right to periodically check any system and perform necessary controls to protect the data equipment. The university disclaims responsibility for any data loss that is not stored in the university's designated storage areas.

    Serious violations of security regulations and these guidelines, as well as misuse, may result in criminal liability under Norwegian law.

    This also applies to misuse that causes the university financial loss or liability (such as illegal copying, internet use, etc.).

    If you're unsure whether your use of resources aligns with good practices, ask the IT Helpdesk.

  • When the employment relationship ends at Nord University, access to all data systems is deactivated on the termination date, and the account is deleted after 30 days.

    If the employee has had access to a computer during their employment, backups of their email and OneDrive data have been made. These data will be available in the backup solution for 365 days.

    If you have not had access to a computer, your data will be deleted 30 days after the end date.