Instructions for Use of IT Systems
These instructions describe the guidelines for using IT systems at organizations where KulturIT AS is responsible for the operation and delivery of IT services. These organizations and locations are hereafter referred to as “the employer”.
KulturIT AS represents the IT department on behalf of the employer, and all users of KulturIT AS are bound by security and privacy legislation.
The instructions apply to all users, consultants, and temporary workers, and must be read and signed before access to IT systems is granted. The signed document must be submitted to the administration of the employer for safekeeping.
When using online resources and the employer’s services, you are a representative of the employer’s organization, and your actions may be regarded as actions by the employer. You are therefore responsible for acting in a manner aligned with the employer's cultural values. Remember that information sent via email or posted online can be misused by others, so exercise caution when sending or sharing sensitive information.
1.1 The IT systems are intended for work-related purposes. Limited private use, such as email and internet access, is permitted if it does not interfere with work tasks. Any private emails should preferably be stored in a separate folder labeled “Private,” and private calendar entries in Outlook should be marked as private. This helps the employer distinguish between work-related and personal content if access to your account is necessary.
1.2 It is strictly prohibited to use your email account to forward or store pornographic, racist, or other illegal or offensive material. If you receive such content, contact the employer so they can consider blocking the sender. It is also not allowed to browse websites or download content of this nature.
1.3 All work-related information must be stored in the centralized data store, e.g. OneDrive, file server or other central systems.
1.4 Your home directory and OneDrive should primarily be used for personal, work-related information that you want to keep. These areas should not be used to store non-work-related data.
1.5 Printouts must be retrieved from the printer as soon as the job is complete and, where applicable and possible, password protection should be used for sensitive printouts.
1.6 Immediate supervisors are responsible for ensuring that access to information follows the principle of need-to-know and should notify the authorized orderer within the organization about new, changed, or removed access.
2. Access to Email and Other Electronically Stored Material
In certain situations, the employer may access the user’s email inbox and personal/home directories. These rules are outlined in the Norwegian Working Environment Act, LOV-2005-06-17-62, Chapter 9. Employer access to users’ email and other electronic material is further regulated in FOR-2018-07-02-1108.
Conditions for such access are:
If access is conducted without prior notice, the user must be informed in writing afterward, including the reason, method used, accessed content, and findings.
You must receive necessary training before using the information systems. If you believe you have not received adequate training, inform your immediate supervisor.
4. Username, Password, and Screensaver
4.1 You will receive a username and initial password from KulturIT AS.
4.2 Login passwords are strictly personal and must not be shared. This is a personal responsibility.
4.3 Be especially cautious of “social engineering,” where outsiders attempt to gain access to passwords by contacting you with a fake need. Never give out your password over the phone.
4.4 Passwords must contain uppercase, lowercase, numbers, and symbols, and be at least 12 characters long. The last 10 passwords must not be reused.
4.5 If you suspect a compromise, change the password immediately and report the incident to your supervisor and KulturIT AS.
4.6 A password-protected screensaver must be used when leaving your workstation briefly. The system activates the screensaver after 15 minutes of inactivity, but you are advised to actively lock your workstation.
4.7 Always log out before leaving the machine to others or finishing work for the day.
4.8 Be cautious using “Remember password/username” features in browsers, as this information may be accessed by others using the same PC.
4.9 The IT department and employer will never ask for your password. Do not send passwords via email. If necessary, share passwords via SMS or other secure company-approved services.
4.10 KulturIT AS strongly recommends using two-factor authentication (2FA) on all available services, including third-party services used for work purposes.
5. Antivirus and Operating System Updates
5.1 Antivirus software is updated automatically.
5.2 Critical security updates for the operating system are installed automatically.
6.1 Users are allowed to access the internet and send/receive email from work-issued PCs.
6.2 It is prohibited to download pornographic or copyrighted material (e.g., images, music, films, software) or any content that violates the law.
6.3 Always be cautious when downloading content from unknown websites or providing personal information on web pages. This can be misused and lead to increased spam. You have no guarantee that a person or website is who/what they claim to be.
6.4 File sharing services (e.g., Dropbox) other than those installed or approved by the employer and KulturIT AS are not permitted due to associated security risks.
6.5 High-bandwidth services, such as internet radio, TV, or video streaming, should be limited to avoid impacting work-related network traffic.
6.6 KulturIT AS may log internet and email traffic to ensure regular operations and for tracking in the event of security breaches.
6.7 It is not permitted to attempt to bypass security mechanisms, e.g., by disguising unauthorized services through other services.
7.1 All email (incoming and outgoing) must go through services provided by KulturIT AS. It is not permitted to store or fetch work-related email via external services. Private email accounts must not be used for work purposes.
7.2 If you receive a suspicious email from an unknown sender with attachments, do not open the attachments. Contact the employer or KulturIT AS for help to assess the risk.
7.3 All emails must be archived according to the employer’s routines.
7.4 Attachments should be saved on file servers or other central systems as described in internal procedures.
7.5 For planned absences (e.g., vacation, leave), users must set up an automatic out-of-office reply in Outlook indicating the duration of the absence and a contact person.
7.6 Employer email must only be used for work-related purposes. Be especially cautious if you have roles in other companies, associations, or clubs. Do not use your employer's email address for these purposes.
8. Connecting to Wireless Networks
Wireless networks carry certain security risks. You can take precautions to minimize these risks.
8.1 Evaluate the wireless network before connecting. If possible, only connect to networks that require a security key or other protection mechanisms. If unsure about the network’s security, KulturIT AS recommends using mobile internet sharing instead.
8.2 On attacker-controlled networks, the attacker could monitor, log and alter the content you access, as well as extract data from your connected devices.
9. Laptops, Mobile Phones, and Portable Devices
9.1 Laptops are configured by KulturIT AS and must not be altered by users.
9.2 Confidential information should only be temporarily stored on laptops, phones, or portable devices.
9.3 Laptops used within KulturIT AS’ network may be used during travel or at home in accordance with employer guidelines. Work laptops must only be used for work-related tasks.
9.4 Screen lock or password protection must be used on all portable devices.
9.5 Never leave laptops, mobile phones, or other storage devices visible and unattended.
9.6 If a managed laptop or phone is lost, KulturIT AS must be contacted as soon as possible, to remotely secure, track and wipe the device.
9.7 Before discarding or selling mobile phones, they must be factory reset, and all user data deleted.
10.1 To ensure data is backed up, all work-related information must be stored on the employer-managed servers or services.
10.2 Save files/documents when created and regularly during work to avoid data loss.
10.3 For PCs used for travel or remote work, sync with the employer's servers regularly, especially if others depend on the information. Ensure your PC is connected to the internet and the home office solution to sync files.
10.4 Data restoration is only performed in special cases where recovery isn’t otherwise feasible. This must be assessed by the user in consultation with their supervisor and KulturIT AS.
10.5 USB sticks and external drives no longer in use must be returned to the employer for secure disposal.
11. Software and Hardware Installation
11.1 Only software that complies with licensing agreements may be used. Additional software must be approved by the employer and KulturIT AS.
11.2 All software must be approved by the employer and KulturIT AS. Users may not install any software themselves, except for pre-approved software available in the “Software Center.”
11.3 For additional software, contact KulturIT AS for assessment and pricing. Costs must be approved by an authorized representative.
11.4 Execution of unauthorized software directly from portable devices is prohibited.
12. Web-Based Solutions/Cloud Services (SaaS)
If there is a need to use external SaaS services, contact KulturIT AS for evaluation together with the authorized representative of the employer. This applies to both free and paid services requiring account registration.
13.1 The employer must provide the necessary work PC.
13.2 Private PCs must not be used for work purposes.
13.3 Work-related information must not be stored on private PCs. It must be stored on services and central stores managed/authorized by the employer.
14. Repairs, Service, and Maintenance
14.1 All faults or suspected faults (hardware or software) must be reported to KulturIT AS immediately.
14.2 Only KulturIT AS is authorized to perform IT system maintenance. External vendors must coordinate with KulturIT AS.
15. Moving Networked Hardware
15.1 Network ports in the office are typically locked to a specific device.
15.2 If a device needs to be moved to a different network port, notify KulturIT AS well in advance so they can make the necessary changes during regular hours.
Disks, devices with hard drives, and other storage media (e.g., memory cards, backup tapes) must be returned to KulturIT AS for secure destruction.
17. Termination of Employment
17.1 Upon resignation, the user must clean up their email and arrange message forwarding or handover with their supervisor.
17.2 If the user is unable to review personal areas (email or storage), the employer will assess the need for access.
17.3 After termination, the email account will be deleted. Backups and other related data will also be removed.
18. Use of Artificial Intelligence (AI)
18.1 Users must be cautious when using AI. Do not enter sensitive, confidential, or business-critical information into AI tools unless the tools are owned or explicitly approved by the client.
18.2 Users must verify sources and validate content before using AI-generated information.
18.3 When using open AI platforms, do not share information you wouldn’t share publicly (e.g., in meetings, newsletters, or on websites).
19.1 Stored Personal Data: Personal data (e.g., name, address, employee ID, national ID number, bank account, phone, email) will be stored to manage employment obligations or the client's collections. Login and access logs may also be stored briefly to protect the client's data and assets.
19.2 Archiving Personal Data: Some professional systems require long-term storage of names to ensure provenance of museum objects, fulfilling the client's societal mission.
19.3 Deletion of Personal Data: Personal data required for bookkeeping will be stored for up to 5 years. Other data will be deleted within 3 months after termination, except for systems that manage objects and collections.
Security Instructions
Users, employees, consultants, and temporary hires must comply with these IT usage instructions and sign the document.
Consequences of Violations
Violations of these rules will be evaluated by the employer on a case-by-case basis and may, in serious cases, lead to loss of access, termination or dismissal.
Reporting Security Incidents
Report any security breaches or suspicious activity immediately to: support@kulturit.no