1. General

1.1. HSRC information resources are provided for the express purpose of conducting the business and mission of the Council.

1.2. HSRC information resources must not be used to engage in acts against the mission and purposes of the Council, intimidate or harass, degrade performance, deprive access to a Council resource, obtain extra resources beyond those allocated or to circumvent computer security measures.

1.3. Information resources must not be used to conduct a personal business or used for the exclusive benefit of individuals or organizations that are not part of the HSRC.

1.4. Obscene materials must not be intentionally accessed, created, stored or transmitted other than in the course of academic research where this aspect of the research has the explicit written approval of an Executive Director (ED) of the HSRC.

1.5. Management, staff, researchers, interns, contractors, guests or other users (Collectively called “users”) must:

1.5.1. not copy or reproduce any licensed software except as expressly permitted by the software license,

1.5.2. not use unauthorized software copies on HSRC-owned computers or

1.5.3. use software known to cause problems on HSRC-owned computers.

2. Information Services (IS) Privacy

1. Users, shall have no expectation of privacy regarding any data residing on HSRC computers, servers or other information resources owned or held on behalf of the HSRC regardless of whether the data was generated as the result of acceptable (including Incidental use as described below) or unacceptable use of the HSRC ’s information resources.

2. All files, documents and messages in any format and other data residing on HSRC computing resources or held on behalf of HSRC are owned by the Council in accordance with the abovementioned Regulations and are subject to access by the institution without notice in order to comply with public information requests, court orders, subpoenas or litigation; or for any other purpose consistent with the duties of the Council. Users should have no expectation of privacy in any such data.

3. Data Protection

1. Data shall be accessed in order to comply with one’s duties at the HSRC on a need to know basis. Users of Council information systems must not attempt to access data or programs contained on systems for which they do not have authorization.

2. All critical Council data (electronic files) must be saved on network servers to ensure backup of the data. All data, including research data, should be backed up for disaster recovery reasons.

3. All records (electronic or paper) must be maintained in accordance with the HSRC Records Retention Policy and any applicable legislation that may be in force in the Republic of South Africa.

4. Virus Protection

1. All computers connecting to the HSRC network must run current (updated) and authorized virus protection software. Virus protection software must not be disabled or bypassed.

2. Computers found to be infected with a virus or other malicious code shall be disconnected from the HSRC network until deemed safe by an authorized member of the HSRC IT Department.

5. Electronic Mail (e-mail)

1. Delivery of e-mail is not guaranteed.

2. The following electronic mail (e-mail) activities are prohibited by HSRC policy:

2.1. Using email for purposes of political lobbying or campaigning except as permitted by the abovementioned Regulations.

2.2. Posing as anyone other than oneself when sending e-mail, except when authorized to do so by the owner of the e-mail account.

2.3. Reading another user’s e-mail unless authorized to do so by the owner of the email account, or as authorized by policy for investigation, or as necessary to maintain services.

2.4. Use of e-mail software that poses a significant security risk to other users on the HSRC network.

2.5. Sending or forwarding “chain” letters.

2.6. Sending unsolicited messages to large groups except as required to conduct HSRC business.

2.7. Sending excessively large messages or attachments unless in performance of official HSRC business.

2.8. Sending or forwarding email that is likely to contain computer viruses.

6. Confidential or Protected Information

1. Users shall not disclose confidential information except to authorized parties as required to accomplish authorized business functions in support of institutional objectives.All personal information shall be dealt with in terms of the Protection of Personal Information Act, Act 4 of 2013.

2. All confidential or protected information transmitted over external networks or saved on HSRC servers must be encrypted in accordance with the HSRC Encryption Policy Guidelines.

3. This information must not be sent or forwarded through non- HSRC e-mail accounts provided by other Internet Service Providers, and must not be knowingly transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols and security techniques are utilized.

7. Incidental Use of Information Resources

1. Incidental personal use of e- mail, Internet access and other information resources by an employee is permitted by HSRC policy but is restricted to employees (it does not extend to family members or other acquaintances).

2. It must not interfere with normal performance of an employee’s duties, must not result in direct costs to HSRC and must not expose the Council to security risks.

3. Storage of any non- work related e-mail messages; voice messages, files and documents within the HSRC e-mail system must be nominal (less than 10% of a User’s allocated mailbox space).

4. Non- work related information must not be stored on network file servers.

8. Internet Use

1. Software for browsing the Internet is provided to authorized users for business, education or research.

2. Due to network maintenance and performance monitoring and to ensure compliance with applicable laws and policies, user activity may be subject to logging and review.

3. E-mail or postings by users of the HSRC network resources to news groups, “blogs”, “chat rooms” or “social networks” must not give the impression that they are representing, giving opinions or making statements on behalf of the HSRC unless authorized.

4. Users should use a disclaimer stating that the opinions expressed are their own and not necessarily those of the HSRC.

5. Personal commercial advertising must not be posted on the HSRC web sites.

9. Portable and Remote Computing

1. All computers and portable-computing devices using HSRC information resources must be password protected using the “strong” password standard adopted by HSRC to prevent access by unauthorized parties. At a minimum, such passwords are to be changed at least four times a year, or immediately if there is suspicion that the password has been compromised.

2. Employees accessing the HSRC network from a remote computer must adhere to all policies that apply to access from within the local area network.

3. Remote computers are subject to the same rules and security related requirements that apply to LAN connected computers.

4. Unattended portable computing devices must be physically secured.

5. HSRC travelling staff using HSRC portable devices must ensure the security of these devices at all times. Areas of note are:

5.1. always lock your portable devices in the boot of car or out of sight,

5.2. never carry a backup device in the same bag as portable computer,

5.3. never squeeze carry-on bag in the overhead bin of an airplane as computer screen may be broken.

6. If it is determined that required security related software is not installed on a remote computer or that a remote computer has a virus, is party to a cyber-attack or in some way endangers the security of the HSRC, the account and/or network connection will be disabled. Access will be re-established once the computer or device is determined to be safe by an IT Department representative.

7. Users must not divulge HSRC, remote connection parameters anyone.

8. If critical HSRC data is stored on portable computing devices it must be backed up to a network server for recovery in the event of a disaster or loss of information.

9. Special care should be taken to protect information stored on laptops and other devices, and in protecting such devices from theft.

10. Passwords

1. In order to preserve the security of HSRC information resources and data, every HSRC computer/network account, password, any personal identification number (PIN), digital certificate, security token (e.g. Smartcard, key generator, etc.), or any other similar information or device used for identification and authorization purposes must not be shared.

2. Each user of HSRC resources is responsible for all activities conducted using his or her user account(s).

3. Digital certificate passwords used for digital signatures must never be divulged to anyone.

4. Users must not circumvent password entry through use of auto logon, application “remember password” features, embedded scripts or hard-coded passwords in client software. Exceptions may be made for specific applications (like automated backup) with the approval of the HSRC IT Department. Any exception situation must include a procedure to change the passwords and must adhere to security policies for password construction. (For more information, see the HSRC Password Policy and Guidelines.)

11. Security

1. Security programs or utilities that reveal or exploit weaknesses in the security of a system or that reveal data by circumventing established authorization procedures and systems should not be downloaded and/or used, except as authorized by HSRC IT Department. For example, password cracking programs, packet sniffers, or port scanners on HSRC information resources shall not be used.

2. Users must report any identified weaknesses in HSRC computer security and any incidents of possible misuse or violation of this agreement to an immediate supervisor, department head, or the IT Help Desk.

3. Where technically feasible, all PC’s, laptops, portable devices and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 15 minutes or less to prevent unauthorized access to the device.

User Acknowledgment

I acknowledge that I have received and read the HSRC I nformation Resources Acceptable Use Policy (AUP). I understand that I must comply with the Policy when accessing and using HSRC Information Resources and my failure to comply with the Policy may result in appropriate disciplinary action and/or action by law enforcement authorities.