Guidelines to Use Unsupported Software

Before you start using any new third party based software or services for University business, please consider these guidelines to ensure that University information will be secure and appropriately managed.

What is Supported Software?

For a software to be considered Supported, there are a number of things to consider such as: licensing, terms and conditions, security and privacy settings, support agreements, compatibility with the ITS supported operating systems, to mention some. If ITS can verify or test that the software will not pose a risk on any of the above criteria, we will consider the software Supported. Please note that ITS does not maintain an exhaustive list of Supported software, therefore, the Software that we haven’t tested, used or supported previously might be deemed Unsupported.

What is Unsupported Software?

There are different circumstances for a software to be considered Unsupported, the most common ones are: (1) that the software has not been tested, used or supported previously by ITS, or (2) that ITS have concerns with regards to the software licensing, terms and conditions, security and privacy settings, support agreements, compatibility with the ITS supported operating systems or other concerns. Please note that Unsupported software does not always mean insecure software, but often there is no confidence that the software will be secure or compatible with the ITS supported workstations.

Steps to follow if you need to use Unsupported Software

If you need to use Unsupported Software, please follow these steps. The ITS team might ask you to confirm that you have read and understand this information before proceeding to install the requested software in your computer.

Step 1  - Find out if it is Supported or Unsupported Software

If you need to use any third party software in your University workstation, whether the software is licensed, open source, free, freemium or anything in between, the first recommendation is to check with the ITS Service Desk whether we support the software you require.

Step 2 – Where possible, the ITS Service Desk will offer Supported Software as an alternative

When you contact the ITS Service Desk to check if the software you need to use is Supported or Unsupported, we will do our best to offer an alternative software that we consider Supported. If the Supported Software meets your needs, we will go ahead and install this for you. Often this is the simplest option.

Step 3 –Consider the risks of using Unsupported Software

Data Privacy
Foreign software does not always adhere to best practices and sometimes do not comply with ‘common sense’ cyber security or ‘common sense’ based on the ordinary practices for companies that operate in NZ or bounced by Privacy legislation (eg Commonwealth nations, GDPR zone, etc).

Did you know? According to section 10 of the NZ Privacy act, if data is transferred outside New Zealand, the destination country should have comparable privacy laws to ours. (This includes personal data held on back-ups and anyone accessing personal data remotely). If the service\software provider is not able to guarantee this, you should not use their cloud service.

Data breach
In addition to Data Privacy, and if good Data Privacy practices are not followed by the issuers of Unsupported Software, another common risk is the possibility of a Data Breach. This could happen when a third party gets access and uses or releases private and confidential information to an unsecured environment. In this context, this doesn’t necessarily means that the software issuer will release information obtained from your computer, but this could happen because the software issuer could be victim of a cyber-attack, especially if their security practices are not up to international standards (which will be one of the reasons why the University of Waikato does not support such software). The information involved in a data breach, generally is:

• Data that can identify particular individuals, known as personally identifiable information (PII)
• Research details or intellectual property (IP)
• Confidential, sensitive or private information that could pose a reputational damage to the University or people.

Step 4 – Consider the actions to manage some of the risks of using Unsupported Software

Data Privacy
This is what you can do to manage or mitigate the risk of exposing data to unauthorised parties – we understand these recommendations might not be practical in some circumstances.

• Use  an isolated machine (not connected to your network or without personal files on them)
• Do not save any sensitive\confidential data onto the computer where you run third party products.

Data Breach
To manage or mitigate the risk of a data breach, please consider the following:

Privacy Policy, Terms & Conditions

• Remember that as end user, you have the decision whether you accept or not the terms and conditions once you’ve read and understand them.
• Things to look out for in Privacy Policy and Terms & Conditions are the following practices explained below: data collection, data security and data retention.

Data Collection

• The security best practice is for third parties collecting data to disclose what data is collected, for what purpose and how it is managed.
• Do you know what data is collected by the software or service?
• Are you able to opt-out from allowing the software or service to collect your data?

Data Security

• The security best practice is to encrypt all data in transit, and at rest (stored). Does the software issuers offer an appropriate level of security to process, store or transfer data? If the answer is no or unsure, then consider adding that protection yourself (where possible), for example, if you must transfer information that is deemed confidential or sensitive, you can encrypt the file yourself using free tools like 7zip or Winzip, and share the encryption key (password) securely (via text message or phone call) with the recipient.
• A suggestion on how to determine what level of protection is required is to ask to yourself what would be the impact on the University or the data subjects if the data was lost, stolen or exposed.
• If the impact will be high, consider not exposing the data, or if you must, proceed with caution and at your own risk.
• If you have any concerns about the security of your data at any point, get in touch with ITS via Kuhukuhu or call the Service Desk to discuss your concerns.

Data retention 

• The security best practice is for third parties collecting and retaining data to disclose what data is collected, for what purpose and how it is managed, including how and when it is disposed or destroyed.
• Does the software issuer allow you to control the data retention? i.e, would you be able to delete the data once you decided to stop using the service?
• Does the service provider remove data from their systems upon your request?
• If you have any concerns about the security of your data at any point, get in touch with ITS via Kuhukuhu or call the Service Desk to discuss your concerns.

Step 5 – If Unsupported Software must be used, proceed with caution

Once again, we understand that these recommendations might not be practical in some circumstances and if you must use unsupported software, we advise caution. Although the support we could provide might be limited, if you have any question, comment or concern, please contact us via Kuhukuhu.