Conditions governing use of remote connection tools to access computers

Remote connection tools are available to IT support staff, for the purpose of maintaining and supporting the operation of computer systems for members of the University. Such tools can only be used in accordance with the following conditions.

User Support

Remote support tools have been configured so that a user has to give permission for a remote support session to take place. When a support session is initiated by Remote Control Support Staff, the system will ask for the respective user’s permission to proceed. This authorisation gives our users the ability to control the support session and ensure that their privacy is being respected.

Remote control sessions may be recorded for training and quality control purposes. Such recordings will be held securely, with access to them restricted to limited members of IT staff. Under normal circumstances recordings will be deleted after 90 days. However, recordings may be retained for longer periods when they are required to demonstrate how to resolve unusual faults or problems.

IT Support staff who are granted use of the remote control facility are required to abide by the conditions of this Protocol. Any failure by them to do so could result in action being taken against them in accordance with University proceedings:

1. Remote connection privileges will only be granted to IT support staff who have been delegated as Remote Control Support Staff.

2. Remote control tools have been made available purely for the maintenance of IT systems and services. They must not be used to verify that users are adhering to policies that govern the use of those systems, and they will not be used to investigate alleged criminal activity or claims of misconduct.

3. Remote connections to a third party device will only be made by Remote Control Support Staff, and only in response to a recognised user's request for support, made through normal incident and service request procedures. Any Remote Control Support Staff who is unsure of their jurisdiction concerning any machine is to seek appropriate authorisation and advice before proceeding with remote access.

4. Before taking control of a device, the Remote Control Support Staff must contact the user.

5. The user must be advised to close any windows containing potentially sensitive material before their device is controlled remotely.

6. Remote Control Support Staff, who are granted remote access, undertake not to browse the systems that they access, or attempt to gain access to data or areas of computers that are not associated with an incident or service request.

7. On accessing a device remotely, any member of Remote Control Support Staff who stumbles across data that they consider to be confidential is to immediately advise the user of this and, if required, quit the session until the data has been closed.

8. Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, Remote Control Support Staff must not attempt to make the content readable without specific authorisation from the owner of the file.

9. Remote Control Support Staff must not, without the specific permission of the file owner, perform activities that could result in the loss or destruction of information.

10. Remote Control Support Staff will not deliberately alter or add any data on a third party device. If it is necessary to make changes to user files, this should be done in a way that preserves the information within the files. If a change is made to a user file or file store, then the affected user will be informed of the change and the reason for it as soon as possible after the event.

11. Remote Control Support Staff commit to maintain confidentiality, and undertake not to disclose to anyone any information that is viewed or accessed when performing Remote Control activities. All Remote Control Support Staff agree to follow the University’s Information Protection Policy.

12. The user must be told when the remote control session has been closed, and the outcome of the work performed.

13. Any user who participates in the remote control service, who believes that the Remote Control Support Staff has failed to abide by any aspect of this policy, should report the matter in the first instance to the University's IT Assurance Team.

14. Anyone who, having reported a failure of a Remote Control Support Staff to abide by this policy, feels that their complaint has not been satisfactorily addressed by the University's IT Assurance Team, should appeal in accordance with the University's grievance procedures.

15. It may also be necessary for Remote Control Support Staff to remotely access a machine without following the above process, when the machine in question is creating network problems, or is considered to be a risk to the remainder of the network, e.g. a virus outbreak or a compromised machine being used to attack other devices. In such circumstances, authority will first be obtained from the University IT Assurance Team.

Systems Maintenance

1. In addition to using remote control tools to assist the end-user with a problem, such tools may also be used by IT staff to perform system maintenance and remote security operations. In such circumstances, Remote Control Support Staff will be logged in to the device using a Systems Administrator account so no user data will be visible and as such no user permission is required.