Acceptable Use of Information Technology

1.   Overview

1.1      At a glance

This policy defines the acceptable way Sydney Water's Information Technology is to be used by You. 

A breach of this policy may lead to disciplinary action in accordance with Sydney Water's Disciplinary Policy.

1.2      Scope

This policy applies to all users (including staff, agency hires, consultants and contractors) of Sydney Water's Information Technology.

1.3      Objective

To manage and protect Sydney Water's information assets and to support and enable the use of Sydney Water's Information Technology.

Any use of Information Technology is subject to audit and monitoring; personal use is not considered private. Monitoring will be conducted in accordance with the Workplace Surveillance Act (NSW) and relevant Sydney Water policies (Section 4.3).

1.4      Personal Accountabilities 

  • You must not use Sydney Water's digital systems or technology to access, send or store any material of an offensive, obscene, pornographic, threatening, abusive, unlawful or defamatory nature, including the use or sharing of illegal or copyright content (defined as 'Inappropriate Content', 'Inappropriate Internet Sites' and 'Inappropriate Purposes').
  • You must adequately secure digital assets when they are left unattended (e.g. lock your screen or when offsite keep it out of sight). 
  • You must protect Sydney Water's and Sydney Water's Partners' information and information systems. This includes information: held on computers, mobiles, cloud services, non-Sydney Water devices, transmitted over the Internet, published to the web or released to third parties. 
  • You must ensure that portable storage media (e.g. tablets, laptops, PDAs, mobiles, removable hard drives, etc.) that contain Sydney Water information are secured. This may be via password protection or encryption of the information or the device.
  • You will not connect non-Sydney Water technology (including phones, tablets, laptops) to our communications network (wired or wireless) when in the office. The public Sydney Water network (iSONAR) is an exception. 
  • You must not use business systems or applications for personal use. For instance, looking up anyone in a business system such as a billing or customer service system for no business reason (e.g. out of curiosity) is strictly prohibited.
  • You must not attempt to circumvent, disable, bypass, exploit or misuse any information and communications technology controls, unless authorised to do so. 
  • You must always identify yourself clearly as the sender of any electronic message and you are not to misrepresent yourself as someone else using Sydney Water Information Technology resources. 
  • You must never send or receive or allow someone to send or receive Sydney Water business emails or conduct Sydney Water business via your private email account (e.g. Gmail, Yahoo, Live). 
  • You are not permitted to auto forward Sydney Water corporate email to non-Sydney Water email accounts.
  • You must never set up, create, upload or download Sydney Water information assets to a non-authorised system (e.g. Dropbox, Google Drive, cloud-based services, removable storage device (e.g. USB), etc.). 
  • You must not subscribe to or sign up to unapproved cloud services or applications (e.g. Slack, GoToMeeting, Salesforce.com, Adobe Creative Cloud, ServiceNow, etc.).
  • You may only use an electronic image copy of a person's written signature with their prior permission for the specific business purpose for which it is authorised.
  • You may only use Social Media in accordance with the Media and Social Media Policy.
  • You are not permitted to add a non-Sydney Water email address into the Sydney Water email service.

 

2.        Policy in detail

2.1      User ID and Password

  • You must not disclose or share your password.  
  • You must not use your Sydney Water password on any Internet sites.  
  • You must not use another person's login, password or any other security device.  
  • You must not allow another person to use your ID or to use a computer session that you have initiated, except if the use is under your full supervision.
  • You must not use a generic user ID unless authorised to do so.

2.2      Spam, Viruses and Vulnerability Management

  • You must not open any files or attachments from unknown, suspicious or untrustworthy sources (e.g. email attachments).
  • You must ensure your Sydney Water device is regularly rebooted (turned off and then back on again) so that it can receive system and application updates. 
  • You must not deliberately or recklessly introduce any form of computer virus (e.g. via email, Internet browsing or USB device).

2.3      Information Security Incident

You must report an information security event immediately to your Manager and then Sydney Water Digital Business if you know or suspect any: 

  • user not abiding by Sydney Water security policies
  • unauthorised access or disclosure
  • misuse of information assets
  • falsification of information (e.g. unauthorised change)
  • theft, damage, or destruction of information assets
  • inappropriate use of Sydney Water digital assets 
  • observed security weakness
  • loss of digital assets (such as laptops, authentication tokens, mobile phones)
  • suspect material such as emails, macros, USB devices, etc. 

2.4      Personal Use of Sydney Water Technology Resources

You may use Sydney Water information and communication technology for occasional personal use (e.g. Internet banking) if this use: 

  • does not generate security risks to Sydney Water 
  • complies with all relevant laws and standards 
  • does not create the appearance of impropriety 
  • does not put at risk, violate or infringe on the rights and property of Sydney Water or others 
  • does not consume excessive time or resources, or impede normal use of the service 
  • does not interfere with individual productivity 
  • does not impede any business activity
  • is not for the access, storage or transmission of inappropriate content 
  • is not to forge or alter the data.  
  • is not for subscribing to electronic mailing lists or Internet services using your Sydney Water email address, unless it is business related. 

2.5      Software or Mobile Applications

  • You are not permitted to use unauthorised mobile Apps to store, transfer or communicate Sydney Water data or information.
  • You are permitted to use a Sydney Water supplied mobile phone to download applications from the approved mobile App stores (Google Play and Apple App store) only, but you are not permitted to use the mobile app to store, transfer or communicate Sydney Water data or information unless it has been approved for that purpose.
  • You are not to download, install or use any unauthorised or unapproved software on any Sydney Water computer, laptop or tablet. 
  • You are not permitted to develop or use your own Software or mobile Apps on a Sydney Water device without Digital Business approval.
  • You must adhere to the Sydney Water Delegations manual for purchase of any mobile App or software.
  • You are responsible for the data and contacts on the Sydney Water mobile (including photos). 

2.6      You Acknowledge

  • All Sydney Water information or information held or processed by a Sydney Water digital asset is subject to legislation, including information requests under the NSW Government Information (Public Access) Act 2009 (GIPA Act) and the ICAC Act, and is admissible in court (including emails).
  • All information generated by or processed by Sydney Water ICT assets and services, including backup copies is the property of Sydney Water, subject to applicable laws, regulations or contracts. 
  • Connecting a Sydney Water computer, laptop or tablet to another device or network (e.g., tethering, hot spotting or Wi-Fi) is allowed where it is for work purposes and a Sydney Water network is unavailable.  
  • You will not connect a Sydney Water device to another device or network where the purpose of doing so is to circumvent Sydney Water security.
  • You will not attempt to read other persons' email without their express permission or authorisation and must not engage in unauthorised use or forging of email header information.
  • When using Sydney Water's voice or conferencing (including landline telephones, mobile devices such as mobile phones and smart phones, associated services such as voicemail and short message service (SMS), video conference facilities or other meeting and conferencing services), you must adhere to professional standards of behaviour and business communication etiquette.
  • Sydney Water may impose quotas including print, file storage, email and Internet download.  
  • All equipment supplied by Sydney Water remains the property of Sydney Water. 
  • All public mobile Apps are unsupported by Sydney Water.
  • Sydney Water will not back up data stored locally on any of your Sydney Water issued devices.

2.7      End User Computing

  • Digital Business will select, fund, and procure one (1) End User Computing (EUC) device for each Sydney Water staff and agency hire. Contractors, at the discretion of Sydney Water, may be provided an EUC device. 
  • You must promptly return your Sydney Water ICT devices (e.g. EUC, Mobile Phone, etc.) to your Manager on termination of your employment or contract with Sydney Water. 
  • Additional standard EUC devices can be procured by Digital Business on behalf of any business group which has the need and required funding.
  • Standard and non-Standard EUC devices must be approved in accordance with the Delegations Manual and procured by Digital Business.
  • Non-standard devices require a business-related need that is beyond the capability of a standard device.
  • Purchase, replacement and lifecycle management costs for non-standard devices or devices replaced during lifecycle shall be incurred at the point of purchase by the relevant business group including operational costs for device management. 

2.8      Mobile Phone Provisioning

You may be provided a Sydney Water mobile phone where: 

  • You are required to be available via phone contact in or out of normal working hours (e.g. on call, work at multiple Sydney Water locations) or for safety reasons. 
  • You are a contractor, approved at the discretion of Sydney Water. 
  • You have been provided a mobile device at the discretion of your manager.  You are not eligible if you require phone or network contact on an occasional basis.

2.9      Mobile Phones and SIM provision

  • All standard Sydney Water mobile phones are registered on Sydney Water's mobile device management service.
  • You are responsible for the mobile phone and/or SIM and all use and activity associated with the device (e.g. data and voice usage).
  • At a minimum, mobile devices must be protected by a password or PIN. Information stored on these devices should be kept to the minimum required to allow efficient out-of-office working.
  • A Sydney Water supplied mobile phone and/or SIM is to be used for work purposes only.
  • Limited reasonable personal use of the device and/or SIM is allowed. Usage is monitored, and any excessive use or abuse of the service may lead to Disciplinary Action.
  • International roaming is turned off and requires authority to have it turned on. 
  • In the event of a loss, theft, breach of policy or user exit, Sydney Water will delete data from the device. 

2.10   Bring Your Own Device (mobile phones and tablets only)

  • BYOD is only supported on mobile platforms: iOS, Android mobile or Windows mobile. 
  • All device, voice, data and support costs associated with BYOD services are the responsibility of the user, including any loss or damage incurred.
  • All BYOD will be registered with Sydney Water's mobile device management service.
  • In the event of a loss, theft, breach of policy, virus or malicious activity or user exit, Sydney Water may delete data from the device. This means the contents of your personal phone can be wiped.
  • Sydney Water is not responsible for the loss of personal data on BYOD devices.

2.11   Remote Access

Sydney Water provides a remote access service to employees that work remotely from a Sydney Water office. Where you have Remote Access privileges you are responsible for:

  • all device, voice and data costs associated with remote access
  • any costs associated with using a non-Sydney Water device for remote access, including support costs or cost for loss or damage to your non-Sydney Water equipment
  • the device's operating system being kept up to date
  • all actions performed (in a remote access session) with your user ID
  • the security and care of the remote access token
  • ending the remote session
  • deleting all copies of Sydney Water files on a non-Sydney Water device at the end of a Remote Access session. 

2.12   Information Handling, Confidentiality, Classification, Privacy and Records

  • You must adhere to Sydney Water's Information and Records Management Policy and Sydney Water's Privacy Policy.
  • Emails should not be used to send highly sensitive and confidential information unless appropriate security measures, including password protection, are in place. If you are in doubt about whether you need to do this, ask your Manager or contact Business Connect.

2.13   Exceptions

To request an exception to this policy, a Risk Action Plan indicating how and when compliance with the policy will be achieved, or a Risk Assessment, reviewed, reassessed and approved, must be developed. This must be developed in accordance with the Sydney Water Risk Management Framework.

If you have any questions or require confirmation on any of these policy statements, please contact your Manager or Business Connect.

 

3.        Definitions

 

Term

Definition

You

Includes: permanent staff, fixed term, casual agency hires, contractors, alliances and to anyone else working for or on behalf of Sydney Water.

Inappropriate Content 

Includes: the use of an IT asset to access, upload, download, use, retain, distribute or disseminate any images, text, materials or software which:

a)     are or might reasonably be considered to be offensive, abusive, racist, discriminatory, sexually explicit, pornographic or generally distasteful

b)     encourage or promote activities which make unproductive use of Company time

c)     might affect or have the potential to affect the performance of, damage or overload the IT facilities in any way

d)     might be defamatory or incur liability on the part of Sydney Water or the individual, or adversely impact on the reputation of Sydney Water

e)     breach copyright or other intellectual property protections (for example, copying copyrighted material such as software, photographs, books, magazines, music and videos, without proper authority), and breach an employee's employment contract, the Code of Business Conduct, any policy of Sydney Water, or the law.

Inappropriate Internet Sites

The Internet facilitates efficient internal and external communication and access to a broad range of information that may assist you in performing your duties. You should take care when accessing, using and transmitting information through the Internet, and be aware of the risks involved in accessing insecure websites. 

You must not access Internet sites concerning:

a)     adult / sexually explicit / pornographic or otherwise tasteless and offensive material

b)     criminal activity, including illegal drugs and violence

c)     intolerance and hate

d)     gambling and games

e)     ringtones and mobile phone downloads

f)      peer-to-peer, personals and dating

g)     hacking, spam URLs, spyware, phishing and fraud

h)     soliciting or conducting business other than the business of the Company, and using, storing and/or transmitting any confidential or sensitive client or internal information via an external website, internet file sharing program or cloud service application without appropriate security controls in place.

Inappropriate Purposes

Telephones, conference phone and mobile phones must not be used for inappropriate purposes, including:

a)     unlawful activities or otherwise acting wrongfully

b)     commercial purposes which are not related to, or for the benefit of, Sydney Water

c)     calling or using services that are not appropriate to Sydney Water's business, such as gambling, entertainment and chat lines, and

d)     capturing and storing of inappropriate content via camera phone.

ICT

Information and Communications Technology: a general term for all kinds of technologies which enable users to create, access and manipulate information.

Partners

A third party (individual or company) who has some degree of involvement with Sydney Water's business dealings. 

Specific context, where Sydney Water uses, transmits or stores their digital data / information.  

Business systems or applications 

Any interface that a user interacts with on a digital device. Generally, it's a digital program designed to perform a specific function directly for the user. 

Examples of applications include word processors, database programs, Web browsers, development tools, drawing, paint, image editing programs, information systems and communication programs.

Mobile Apps

Any application that is downloaded from an online store or mobile application repository. This includes applications downloaded onto mobile phones, tablets or via Windows App store onto an EUC device.

Lock your screen 

Windows allows you to lock your screen so that others cannot access your computer without entering your password. Lock your computer by using the Ctrl + Alt + Delete keyboard combination and then selecting Lock screen. You can also lock your screen by holding down the Microsoft Windows and 'L' keys on your keyboard.

Non-Sydney Water Device

Your personally purchased and owned devices. Not provided by Sydney Water.

EUC Device

End User Computing device. An EUC device is a Laptop, Desktop or Tablet device provided by Digital Business to an individual in accordance with the terms of this policy.  

Stored Locally 

Data/Information is only available on an individual device, not located on a server or backed up. Stored locally includes data in: Desktop, My Documents, C:\ and D:\ of any device.  

 

4.        Context

4.1      Accountabilities

| Position | Accountabilities |
|---|---|
| Head of Assurance and Compliance | Ownership of this policy and oversight of risk acceptances. Monitoring compliance with this policy. |
| Cyber Security Steering Committee | Governance signoff that the policy has followed appropriate process and received appropriate stakeholder signoffs. |
| Chief Information Officer | Accountable for information security within Sydney Water and final signoff on this policy. |
| General Managers | Ensuring their Group complies with this policy. |
| Staff Managers | Ensuring their staff and contractors comply with this policy. |
| Staff, Contractors, Vendors and Users | Comply with this policy. |

 

4.2      Training and competencies

| Position | Training or competency |
|---|---|
| All Staff | Information security awareness |
| | Privacy awareness |

 

4.3      References

| Document type | Title |
|---|---|
| Legislation | Government Information (Public Access) Act 2009 (NSW) (GIPA Act) |
| | State Records Act 1998 (NSW) |
| | Privacy Act 1988 (Cth) |
| | Spam Act 2003 (Cth) |
| | Government (Public Access) Act 2009 No 52 (NSW) |
| | Privacy and Personal Information Protection Act 1998 (NSW) |
| | Workplace Surveillance Act 2005 (NSW) |
| | Surveillance Devices Act 2007 (NSW) |
| | Independent Commission Against Corruption Act 1988 (NSW) |
| | Telecommunications (Interception and Access) Act 1979 (Cth) |
| Policies and procedures | Information Security Policy |
| | Business Ethics Guide |
| | Privacy Policy |
| | Information and Records Management Policy |
| | Copyright Management Policy |
| | Intellectual Property and Commercialisation Policy |
| | Disciplinary Policy |
| | Media and Social Media Policy |
| | Sydney Water Information Security Classification Framework |
| | Sydney Water Risk Management Framework |
| | Sydney Water Delegations Manual |

 

5.        Ownership

| Role | Title |
|---|---|
| Group | Digital Business |
| Owner | Geoff Wilson, Manager, Information Security |
| Author | Geoff Wilson, Manager, Information Security |

 

5.1      Change history

| Version | Issue Date | Changes by | Approved by | Brief description of change |
|---|---|---|---|---|
| 3 | 1/10/2009 | | ISSC | New document |
| 2 | 1/12/2013 | | Stephen Wilson | Updated |
| 3 | 26/03/2018 | | George Hunt | Updated |
| 4 | 15/02/2019 | Geoff Wilson | George Hunt | Updates and improvements. Links removed. |
| 5 | 31/07/2019 | Geoff Wilson | Trevor Smee | Updates and improvements. |