Security Regulations
Rules for the Safe Use of IT Equipment, Drives, and Software
- In the event that a user processing personal data, hereinafter referred to as the "user," utilizes IT equipment, they are obliged to secure it against destruction or damage. IT equipment is understood as: desktop computers, monitors, printers, scanners, photocopiers, laptops, tablets, smartphones, and other electronic equipment used for official purposes.
- The user is obliged to report any loss, misplacement, or destruction of IT equipment entrusted to them on each occasion.
- Unauthorized installation, uninstallation, opening, or dismantling of IT equipment, installation of additional devices (e.g., hard drives, memory modules), or connection of any unapproved devices to the IT system is prohibited.
- The user is obliged to prevent unauthorized persons (e.g., visitors, clients, employees of other departments) from viewing data displayed on computer monitors – the so-called "Clean Screen Policy."
- Before temporarily leaving the workstation, the user is obliged to activate a password-protected screensaver (Windows key + L) or log out of the system or program. If the user fails to do so, the system will automatically activate the screensaver after 5 minutes.
- Upon completion of work, the user is obliged to: 1) log out of the IT system and, if required, subsequently switch off the computer equipment; 2) secure the workstation, in particular all magnetic and optical media on which personal data are stored.
- The user is obliged to delete files from media or drives that are accessible to other users who are not authorized to access those files (e.g., when computers are shared).
- If the user is authorized to destroy media, they should PERMANENTLY destroy the medium itself or permanently delete data therefrom (e.g., by destroying DVD discs in a shredder or destroying a hard drive/USB flash drive, e.g., with a hammer).
- Users of portable computers on which personal data are stored or which have access to personal data via the Internet are obliged to comply with these security regulations.
Permissions Management – Procedure for Commencing, Suspending, and Terminating Work
- Every user (e.g., of a desktop computer, laptop, network drive, programs in which the user works, electronic mail) must have their own individual identifier (login) to log in.
- The creation of user accounts along with permissions (e.g., for a desktop computer, laptop, network drive, programs in which the user works, electronic mail) is performed at the instruction of superiors and carried out by IT specialists – administrators.
- The user may not independently change their permissions (e.g., become an administrator on their computer).
- Every user has their own individual identifier. Allowing other persons to work on another user's account is prohibited.
- The use of a shared account by multiple users is prohibited.
- The user (e.g., of a desktop computer, laptop, network drive, programs in which the user works, electronic mail) commences work using an identifier and password.
- The user is obliged to notify IT specialists – administrators of any attempts by an unauthorized person to log into the system, if the system signals such an attempt.
- If the user's account becomes blocked during a login attempt, they are obliged to notify IT specialists – administrators thereof.
- Launching any application or program at the request of another person is prohibited, unless that person has been verified as an employee of the IT Centre. This applies in particular to programs sent via electronic mail or indicated in the form of an internet link.
Password Policy
- Passwords should consist of a minimum of 12 characters.
- Passwords should contain uppercase letters, lowercase letters, and digits or special characters.
- Passwords must not be easy to guess. They should not be commonly used words. In particular, the following should not be used as passwords: dates, names and surnames of close persons, names of pets, popular dates, popular words, typical sequences, e.g., "123456", "qwerty".
- Passwords should not be disclosed to other persons. Passwords should not be: written down on pieces of paper or in notebooks, affixed to the computer monitor, kept under the keyboard or in a drawer – in places accessible to unauthorized persons.
- In the event of password disclosure – it must be changed immediately.
- Passwords should be changed every 90 days.
- If the system does not enforce password changes, the user is obliged to change the password independently.
- The system user may change their password while working in the application.
- The user undertakes to keep the password confidential, even after it has expired.
- Using the same or similar passwords on internet services as in the University's IT system is prohibited.
- Using the same password as a security measure for access to different systems is prohibited.
- Defining passwords in which one part remains unchanged and the other changes according to a predictable pattern (e.g., "Anna001", "Anna002", "Anna003", etc.) is prohibited. Passwords in which any part constitutes a name, designation, month number, or other guessable key should also not be used.
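As an added illustration (not part of the regulations text), the following Python script applies the password rules listed above to a candidate password: minimum length of 12, mixed character classes, no common sequences such as "123456" or "qwerty", no word-plus-counter passwords such as "Anna001", and no password that differs from the previous one only by a predictable suffix. The word lists and the "stem" comparison used to detect predictable variations are assumptions made for this example; a real deployment would use much larger dictionary and breached-password lists.

```python
import re
from typing import List, Optional

MIN_LENGTH = 12

# Constructed lists for this example (assumption): a real deployment would load a
# full dictionary / breached-password list instead of these few entries.
COMMON_SEQUENCES = ("123456", "qwerty", "password", "abcdef", "asdfgh", "111111")
GUESSABLE_WORDS = ("anna", "january", "december", "university", "summer")


def has_required_classes(password: str) -> bool:
    """Uppercase + lowercase + (digit or special character), as the policy requires."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in password)
    return has_upper and has_lower and has_digit_or_special


def contains_common_sequence(password: str) -> bool:
    """True if a typical keyboard/number sequence appears anywhere in the password."""
    lowered = password.lower()
    return any(seq in lowered for seq in COMMON_SEQUENCES)


def contains_guessable_word(password: str) -> bool:
    """True if a name, month or other guessable word appears in the password."""
    lowered = password.lower()
    return any(word in lowered for word in GUESSABLE_WORDS)


def stem(password: str) -> str:
    """Strip trailing digits and symbols, e.g. 'Anna001!' -> 'anna'.

    Two passwords with the same stem differ only by a counter or suffix, which is
    the "Anna001", "Anna002", "Anna003" pattern the policy forbids.
    """
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def is_counter_pattern(password: str) -> bool:
    """A single word followed by a short run of digits/symbols (e.g. 'Anna001')."""
    return re.fullmatch(r"[A-Za-z]+[\d\W_]{1,6}", password) is not None


def is_predictable_variation(password: str, previous: Optional[str]) -> bool:
    """New password keeps the previous password's stem and only changes the suffix."""
    if previous is None:
        return False
    new_stem = stem(password)
    return new_stem != "" and new_stem == stem(previous)


def check_password(password: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not has_required_classes(password):
        violations.append("missing uppercase, lowercase, or digit/special character")
    if contains_common_sequence(password):
        violations.append("contains a common sequence (e.g. '123456', 'qwerty')")
    if contains_guessable_word(password):
        violations.append("contains a name, month, or other guessable word")
    if is_counter_pattern(password):
        violations.append("is a word plus a counter (e.g. 'Anna001')")
    if is_predictable_variation(password, previous):
        violations.append("differs from the previous password only by a predictable suffix")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates; the last pair models a user rotating a counter.
    for candidate, old in [("Vz9#plq-Wt4mKe", None),
                           ("Anna001", None),
                           ("Project2024!", "Project2023!")]:
        problems = check_password(candidate, old)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The checker only reports violations; it never stores or logs the candidate password, and it is meant to run at the point where the system enforces the change (the policy's 90-day rotation), not as a stand-alone audit of existing passwords.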
Rules for Taking Media Containing Personal Data Outside the University Premises
- Users may not take removable electronic information media with recorded personal data outside the University premises without the consent of the employer/contracting entity. Such media include, e.g., removable hard drives, USB flash drives, CD or DVD discs, Flash memory devices.
- Personal data taken outside the University premises must be encrypted (e.g., encrypted drives, password-protected files).
- Secure transportation of paper documentation must be ensured, e.g., in backpacks, briefcases, or bags.
- Reputable courier companies should be used.
- In the event that documents are transported by an employee/contractor, they are obliged to secure the transported documents against loss, theft, or any damage.
- When transferring media containing personal data outside the University area, the following security rules shall apply:
  - the addressee should be notified of the shipment;
  - personal data should be encrypted before sending, and the password provided to the addressee by other means;
  - secure deposit envelopes should be used;
  - the shipment should be sent via courier.
Internet Usage Rules
- The user is obliged to use the Internet for official purposes.
- Saving any illegal programs or files downloaded from unknown sources to the computer's hard drive and launching them is prohibited. Such files should only be saved with the prior consent of a person authorized to administer the IT infrastructure (e.g., IT Systems Administrator - ISA) and only in justified cases.
- The user bears responsibility for damage caused by software installed from the Internet.
- Accessing websites that present information of a criminal, hacking, pornographic, or other nature prohibited by applicable law is forbidden (most websites of this type have malicious software installed that automatically infects the computer's operating system with malware).
- The form autofill and password saving options in internet browser settings should not be enabled.
- When using an encrypted connection via an internet browser, attention should be paid to the appearance of the appropriate icon (padlock) and a web address beginning with "https:". For certainty, click on the padlock icon and check that the certificate has been issued to the organization you expect to be communicating with.
- Particular caution should be exercised in the event of a suspicious request or demand to log in to a website (e.g., a bank's website, social networking portal, e-shop, email service) or to provide logins, passwords, PINs, or payment card numbers via the Internet. This particularly applies to requests for such information allegedly from a bank.
- Unauthorized connection of modems, mobile phones, and other access devices to computers is prohibited. Connecting to the Internet using such devices when the user's computer is connected to the University network is also prohibited.
- Any problems related to the IT infrastructure should be reported to authorized persons from the IT Centre.
Electronic Mail Usage Rules
- Sending personal data via email outside the University may only be carried out by persons authorized to do so.
- When sending personal data outside the University, files should be sent encrypted/compressed (e.g., using the 7-Zip program) and password-protected, where the password should be communicated to the recipient by telephone, SMS, or in another appropriate form.
- If files are password-protected, the password must be a minimum of 12 characters and contain uppercase and lowercase letters, and digits or special characters.
- Users should always pay particular attention to the correctness of the recipient's address for the document.
- It is recommended that when sending personal data by email, the user includes in the message a request for confirmation of receipt and acknowledgement of the information by the addressee.
- Users should not send "non-professional" emails in the form of "chain letters," e.g., holiday greetings addressed to 230 people.
- When sending emails to multiple external recipients simultaneously, the "Blind Carbon Copy - BCC" method must be used. Sending emails in such a situation using the "Carbon Copy - CC" or "To" option constitutes a breach of personal data protection rules.
- Users should periodically delete unnecessary emails.
- Official email accounts are separate from private email.
- Official email is intended for the performance of official duties and is the property of the employer/contracting entity, who may use monitoring tools in this regard.
- Sending official correspondence to the private mailboxes of employees or other persons is prohibited, except for the performance of official duties.
- Users have the right to use email for private purposes only occasionally and this should be limited to the necessary minimum – in justified cases.
- The use of email for private purposes may not affect the quality and quantity of work performed by the user, nor the proper and diligent performance of their official duties.
- Users of electronic mail are prohibited from configuring their email accounts to automatically forward messages to a private address.
- When using email, users are obliged to respect industrial property rights and copyright.
- Users do not have the right to use email for the purpose of disseminating content of an offensive, immoral, or inappropriate nature with regard to generally accepted rules of conduct.
- Without the consent of the employer/contracting entity, the user does not have the right to send messages containing personal data concerning the employer/contracting entity, its employees, visitors, clients, suppliers, or contractors via the Internet, including using a private electronic mailbox.
Antivirus Protection
- Users are obliged to scan files introduced from external media with an antivirus program, if the antivirus system has such a function.
- Disabling the antivirus system while the IT system processing personal data is operating is prohibited.
- In the event that system infection is detected or messages appear such as: "Your system is infected!", "install antivirus software," the user is obliged to immediately inform an authorized person from the IT Centre of this fact.
Sharing Data on Google Drive
- Sending personal data using Google Drive outside the University may only be carried out by persons authorized to do so.
- When sending personal data outside the University, files should be sent encrypted/compressed (e.g., using the 7-Zip program) and password-protected, where the password should be communicated to the recipient by telephone, SMS, or in another appropriate form.
- If files are password-protected, the password must be a minimum of 12 characters and contain uppercase and lowercase letters, and digits or special characters.
- Users should always pay particular attention to the correctness of the recipient's address for the document.
- When using file sharing, users are obliged to respect industrial property rights and copyright.
- Users do not have the right to use Google Drive for the purpose of disseminating content of an offensive, immoral, or inappropriate nature with regard to generally accepted rules of conduct.