Rules for the use of College IT Services

James Hargrave
James Hargrave
  • Updated

Council Policy SJC-ITS-6 IT Acceptable Use Policy - Revised June 2025

1. Introduction

This IT Acceptable Use Policy sets out the responsibilities and required behaviour of users of the College’s information systems, networks, and computers.

The College network is provided to support the academic, research and administrative needs of the college together with reasonable domestic use by resident and non-resident members of the college community.

Our network is part of the Cambridge University Data Network (CUDN) which itself is part of the wider UK academic network (JANET). 

As such in addition to this policy all users must abide by the University of Cambridge Acceptable Use policy, this can be found at: https://help.uis.cam.ac.uk/policies

There is a useful summary of the policy and key actions for users available at:

https://help.uis.cam.ac.uk/policies/acceptable-use-policy

Users must also abide by the JANET acceptable use policy

2. Scope

All staff and members of the College (Fellows, staff, Junior Members, and associates), members of other institutions who have been granted access to use the College’s facilities, together with any others who may have been granted permission to use the College’s information and communication technology facilities are subject to this policy. 

3. Policy

3.1 User Identification and Authentication

College Members may be provided with accounts on both the University and the College systems. This policy will cover the Colleges responsibilities with regards to:

  • University CRSid Accounts
  • Accounts required for College business

University Department accounts (if different from CRSid) are subject to the Departments acceptable use policy. 

3.1.1 User Accounts

The College uses University issued user accounts (called CRSids) to authenticate access to both college and University systems. Some users are also issued legacy college accounts for access to certain systems.

The College’s IT department act as “gatekeepers” to University CRSid’s. The IT Department will assist with password resets, account creation and termination. The IT Department controls University account access to College systems & information and can assist with any issues accessing University systems.

Undergraduate CRSid’s are created before you arrive so that you can have access to your @cam email and can log in to access reading lists and any other information your College or Departments shares with you before you arrive. You will receive an email from the Student Registry in late August, giving you instructions for completing the student registration process before going on to get your CRSid, email account and set up your own University account password.

Postgraduates will be contacted by their department about how to collect their IT Accounts, including you CRSid.

Fellows will usually have accounts created by their University department 

Staff accounts will be requested by IT and Digital Services.

For further guidance on University accounts please see the University CRSid Web pages https://help.uis.cam.ac.uk/crsid

Each member will be assigned a unique username for their individual use. This username may not be used by anyone other than the individual user to whom it has been issued. 

Each member will be assigned an associated account password which must not be divulged to anyone, for any reason. This password must not be used as the password for any other services, including for College accounts providing privileged access (such as administrative accounts for finance or HR systems), or any external services. Individual members are expected to remember their password or to use approved password management software and to change a password if there is any suspicion that it may have been compromised. 

College members must use multi-factor authentication (MFA) if available as a requirement to authenticate to university and College systems. 

In addition to a password, authentication methods may include use of an authentication app on a mobile phone or tablet, a one-time code sent to a phone or a phone call.

All administrative or highly privileged accounts must have multi-factor authentication enabled where available. 

Each member will also be assigned a unique email address for their individual use and some members may also be given authorisation to use one or more generic (role based) email addresses. Members must not use the College email address assigned to anyone else. 

3.2. Personal devices

Personal devices may be connected to the College network subject to the following:

  • Users are responsible for ensuring that their machines are secure, and that software is kept patched and up to date – this includes both the operating system and applications
  • Users must abide by all instructions issued by IT and Digital Services and disconnect any device from the network if told to do so
  • Devices must not use a disproportionate or unreasonable amount of network resources (particularly bandwidth) – the IT Department will contact any users who are doing so, and they must reduce usage, or their devices will be disconnected from the network

College members may connect a reasonable number of devices to the College network for their academic, administrative, research and domestic needs. In general, we would regard reasonable as:

  • One desktop computer or workstation (but not any kind of server or network attached storage)
  • A laptop computer (or two laptops if the user does not have a desktop machine)
  • Phones and tablets
  • One gaming console
  • Smart TV or streaming device

IT and Digital Services reserves the right to ask users to disconnect and remove devices if in the judgement of the Director of IT and Digital Services the number of devices is unreasonable.

Users must not connect any routers, switches, or wireless access points to the College network. IT and Digital Services may disconnect all your devices from the network if you do. 

3.3. Public facilities

Users must treat the public computing facilities with respect and ensure that they are available for other members of the college. In particular:

  • Users must not attempt to install any software on public machines
  • Users must not attempt to circumvent the mechanism by which charges are applied to the use of some facilities, for example printing.
  • All faults with College computer equipment should be reported to the IT Helpdesk. Members of the College should never attempt repairs themselves.
  • Cables must not be disconnected from public machines for example to allow you to plug in your own devices

Users of computer equipment must additionally observe any rules relating to the location in which it is installed. In particular, users of the equipment installed in the Library must observe the Library rules.

3.4. Commercial Use

The College Network must not be used for commercial purposes or private financial gain without the permission of the Director of IT and Digital Services. Depending on the circumstances further approval might be required from the University.

3.5. Unattended Equipment

Computers and other equipment used to access University or College facilities must not be left unattended with the device logged in and unlocked. Members must ensure that their computers and other devices are locked before being left unattended. Care should be taken to ensure that no restricted information is left on display on the computer or other device when it is left unattended.

3.6. Misuse

The JANET Acceptable Use Policy states that JANET may not be used for any of the following activities – this applies to the CUDN and the College network:

  • the creation or transmission (other than for properly supervised and lawful research purposes) of any offensive, obscene, or indecent images, data or other material, or any data capable of being resolved into indecent images or material;
  • the creation or transmission of material which is designed or likely to cause annoyance, inconvenience, or needless anxiety;
  • the creation or transmission of defamatory material;
  • the transmission of material such that this infringes the copyright of another person;
  • the transmission of unsolicited commercial or advertising material;
  • deliberate unauthorized access to facilities or services locally or on other networks;
  • deliberate activities with any of the following characteristics:
    wasting staff effort or networked resources, including time on end systems accessible locally or via other networks and staff effort involved in the support of such systems;
  • corrupting or destroying another user's data;
  • violating the privacy of other users;
  • disrupting the work of other users;
  • using the network in a way that denies service to other users (for example, deliberate or reckless overloading of access links or of switching equipment);
  • continuing to use an item of networking software or hardware after being asked to stop doing so because it is causing disruption;
  • other misuse of networks or networked resources, such as the introduction of viruses.

Port scanning (the scanning of another machine to determine which services are running) is regarded as a hostile action; it is commonly used by malicious hackers attempting to find vulnerable systems. Port scanning therefore causes unnecessary worry and is prohibited, whether the target machine is on the CUDN or elsewhere, unless specifically authorized by the Director of IT and Digital Services.

3.7. Breach of rules

Infringement of any of these rules constitutes a disciplinary offence and appropriate action may be taken. For students serious or repeated breaches will be reported to the Dean. For staff disciplinary action may be taken

Sanctions may include temporary or permanent deprivation of access of computer facilities. Access may be withdrawn during investigation of an alleged offence.

4. IT Security Rules

4.1 Devices

College staff and college officers must use provided university managed devices for college business.

Where fellows, affiliates and others use devices provided by the University, but which are not university managed devices, usage must comply with Rule 4.2 – this applies to devices that might be managed by a Faculty or Department

Users may also use devices that are personally owned but such usage must comply with Rule 4.2

The Director of IT and Digital Services may by exception authorise in writing exceptions for a particular individual user/device which may be subject to conditions.

Legacy desktops and laptops (non-University managed devices owned and provided by the College) must not be used. They must be returned to IT and Digital Services and either re-issued as University managed devices or disposed of.

4.2 Personally owned or unmanaged devices

When using any device other than a University Managed device users must:

  • Transact college business only using web applications and Microsoft Office 365 applications
  • Not synchronise or permanently save college files to the device
  • Remove any college data from the device on the request of IT and Digital Services and when you leave the college
  • Stop using any device immediately for college business if told to do so by IT and Digital Services
  • Keep any such devices and applications patched up to date
  • Ensure the device requires authentication to access and is locked when not in use
  • Not use any devices that cannot receive security updates
  • Connect such devices only to WiFi or to network sockets provided for fellows (such devices may not be connected to the staff network)

4.3 Storage of Files

All college documents must be stored on Office 365 or on services and applications provided and approved by IT and Digital Services.

No college documents or data may be stored on Google Drive, Dropbox, Outlook or other cloud services without the approval in writing of the Director of IT and Digital Services. Such approval will state the names of authorised users, the service(s) authorised for use and the time period the authorisation is for.

4.4 Email

All college business transacted by email must use accounts on the University managed Office 365 service using cam.ac.uk email addresses. 

4.5 Loan Devices

All devices provided for loan to staff, students, fellows and visitors for use in college meeting rooms or for other purposes must be provided and managed by IT and Digital Services and require users to authenticate using a CRSid and password. 

Any devices currently managed by departments for this purpose must be returned to IT and Digital Services.

Change Log

2.0

Changed Section 1 to link to new University acceptable use policy

Changed Section 3 to reflect change to use University Office 365 tenancy by the College

Added additional section 4 “IT Security Rules” to ensure security compliance after migration to Office 365 and new university managed devices 

Changed department name and job tiles to reflect new IT and Digital Services department


Version 2.0
Approved by Council 19 June 2025

James Hargrave
Director of IT and Digital Services

Related articles