- User accounts are only created for people entitled to use resources or facilities belonging to your organisation or to which they subscribe. Personal accounts must not be created for shared use.
- User accounts are only to be used in connection with the normal activities of your organisation.
- Reasonable steps are taken to ensure that user accounts are only used to access or use resources or facilities to which your organisation subscribes and for no other purpose.
- Usernames, passwords and personal information are kept confidential and all relevant data protection and privacy legislation is properly observed at all times.
- All information concerning users and administrators required by OpenAthens to provide the service is accurate, complete and kept up to date.
- Industry best practice and guidelines issued by OpenAthens concerning usernames, passwords and security are complied with.
- No person shall attempt to violate or circumvent any security measures put in place by OpenAthens or any service provider, or any supplier of resources or facilities to which your organisation subscribes. Administrators shall report any infringements to OpenAthens as soon as they become aware of them.
- Any IP allow lists for Access, Self-Registration or Administration accounts are as restrictive as reasonably possible
- Any kind of testing, security or otherwise, against the OpenAthens service is agreed with the OpenAthens Service Manager before it begins (any unauthorised testing will be identified as an attack and treated accordingly)
- Any vulnerabilities discovered during the use of OpenAthens are reported to the OpenAthens Service Desk immediately and not disclosed to any other party.
- Monitoring or link checking is less frequent than 1 check per minute
- User access is promptly removed when their entitlement to the resource or facility expires, for example when they leave your organisation.
- User access is promptly removed upon the reasonable request of OpenAthens or the supplier of the resource or facility.
- Administrators should periodically check for compliance with all of the foregoing requirements and will co-operate with reasonable requests from OpenAthens or suppliers to verify compliance or to investigate where any breach is suspected.