New College Information Security Policy

1. Introduction


After people, information is the lifeblood of the College and everyone has a part to play in ensuring the safety of this fundamental asset.

The College recognises that information and information systems are valuable assets which play a major role in supporting the College’s strategic objectives. Information Security is important to the protection of the College’s reputation and the success of academic and administrative activities.

This policy provides management direction and support, and documents how Information Security is managed throughout the College; it outlines the measures through which the College will facilitate the secure and reliable flow of information, both within the College and externally. It sets out the principles and an overarching framework for Information Security and identifies the specific supporting policies and guidelines which address particular aspects of security.

The approach being adopted is based upon the International Standard ISO/IEC 17799:2005 (BS 7799), the Code of Practice for Information Security Management (since renumbered as ISO/IEC 27002).

This policy has been ratified by the College and forms part of its policies and procedures.

2. Purpose


New and more advanced Information Systems provide the ability for the College to become more efficient and to supply better customer service. Greater reliance on them brings with it the likelihood of more damaging consequences should they fail. We need to pay attention to safeguarding the trust which our stakeholders place in us.

The purpose of this policy is:

  • To provide an overarching framework and state the responsibilities of both the College and IT Technical Services for managing information security: safeguarding the resources provided, protecting information against unauthorised access, maintaining the confidentiality, integrity and availability of the information held, and ensuring that legislative and regulatory requirements are met.
  • To optimise the management of risks, by preventing and minimising the impact of information security incidents, so maintaining and enhancing the reputation of the College.

3. Scope


Information takes many forms, e.g. stored on computers, transmitted across networks, printed, or spoken. This Information Security Policy applies to recorded information in all its forms, i.e. hard copy on paper, electronic storage, or film, microfiche and other media. It includes text, pictures, audio and video, and covers the transmission of information by post, by electronic means and by verbal communication through the telephone and voicemail. It applies throughout the information lifecycle, from creation through use and storage to disposal.

The College holds and processes information about staff, students and other data subjects for academic, administrative and commercial purposes. When handling such information, the College and all staff or others who process or use any personal data must comply with the principles set out in the Data Protection Act 1998.
Responsibilities under the Data Protection Act are detailed in the College's Data Protection Policy.
Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and of statutory, regulatory or contractual obligations.

The College is committed to protecting the security of information through the preservation of three aspects of information:

  • Confidentiality: ensuring that information is not accessible to those who are not authorised to have access.
  • Integrity: safeguarding the accuracy and completeness of information and processing methods.
  • Availability: ensuring that authorised users have access to information and associated assets when required.

This policy applies to all existing and proposed systems within the College, both IT systems and hard-copy systems, and is effective from the date of issue.

In terms of IT systems, the policy covers all areas, i.e. systems, hardware, software, data, networks and environmental controls, and supports the Network Security & Connection and Acceptable Use of ICT Facilities policies.

Everyone who uses New College Swindon’s information resources is responsible for protecting information assets, systems and infrastructure.

The policy applies to all staff and students of the College and to other authorised users (including Third Parties) of the College information resources.

Information security is to be implemented through an appropriate set of best practice methods and controls. In practice these will be a combination of policies, procedures, organisational structures and physical or hardware/software measures.

4. Responsible Authorities


This policy is issued under the authority of the ICT Manager, who is responsible for enforcing sanctions where necessary to safeguard the College and its members.

The IT Infrastructure is managed by the ICT Manager who is responsible for the prevention and detection of ICT misuse.

This policy is managed by the ICT Manager who is responsible for investigating incidents of ICT misuse.
Through IT Technical Services the College ensures that effective security measures are in place to protect both the continuity of these systems and the information they process. All users have an individual and collective responsibility to guard against unauthorised access, disclosure, loss, theft or damage to any part of the College's equipment, data and information.

The ICT Manager is responsible for defining information security policy and standards.

The Data Protection Officer is responsible for promulgating advice and guidance relating to compliance with the Data Protection Act 1998.

4.1 Management Responsibilities


SMT and College Managers are responsible for ensuring that the Information Security Policy is followed within their respective area and for overseeing compliance by people under their direction, control or supervision.

4.2 System Administrators


System administrators are responsible for maintaining the integrity of the College computer systems and the data held on them, and for ensuring the systems are not misused.
System administrators are provided with privileged access to computer systems in order to carry out these responsibilities. They have a duty to use such privilege at all times in a professional manner and only for the purpose for which it was granted.

4.3 User Responsibilities


All users, including authorised Third Parties, have an obligation to use information and the College's IT Systems responsibly. The responsibilities of users of the College's IT Systems are defined in the "ICT Usage Policy", the "ICT Software Policy" and the "Hardware Installation / Depreciation procedure", all of which can be found on the ICT Support Website.

All individuals acting on behalf of the College have a responsibility to observe the Data Protection Act. See the “Data Protection Policy” located on the Staff Portal for more information.

All users must comply with the Copyright Designs & Patents Act 1988 under which it is an offence to copy copyrighted material without the permission of the copyright owner or an appropriate licence.

In terms of software, the College will carry out periodic reviews to ensure that only authorised products are in use. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary action and could lead to legal proceedings.

5. Compliance with legal and contractual requirements


The College must comply with relevant UK and European Community legislation and with its contractual requirements, including (but not exclusively):

  • The Data Protection Act 1998
  • The Human Rights Act 1998
  • The Computer Misuse Act 1990
  • The Copyright, Designs and Patents Act 1988
  • The Freedom of Information Act 2000
  • The Regulation of Investigatory Powers Act 2000
  • The Electronic Communications Act 2000
  • The Privacy and Electronic Communications Regulations 2003

Use of the computing and networking facilities is permitted by the College on the condition that all users comply with the conditions stated in the College ICT Usage Policy and the JANET Acceptable Use Policy (AUP).
Users should note that the College's access to the Internet is solely through the JANET network and that violations of the JANET AUP could lead to this access being withdrawn.

All users of the College network are required to comply with the approved College Policies, Standards, relevant legislation and contractual requirements and should seek appropriate advice when in doubt.

6. Policy Statements

6.1 General


The College's information systems are provided to support the College's activities, including learning, teaching, research, administration and approved business activities. Only staff, students and other persons authorised by IT Technical Services, or by those otherwise responsible for such systems, are entitled to use the College's information systems.
All users have an obligation to use information and information systems responsibly. This obligation is defined in the College ICT Usage Policy.

This Information Security policy is provided:

  • To ensure that all of the College's information, and the systems used to manage that information, are given protection appropriate to the nature of the information.
  • To ensure that all of the College's ICT facilities, data, network and equipment are adequately protected against loss, misuse or abuse.
  • To ensure that all users have a proper awareness of, and concern for, the security of ICT facilities and systems and an adequate appreciation of their own responsibility for information security.
  • To ensure that all users are aware of their accountability under this policy.
  • To ensure that contractors and consultants have a proper awareness of, and concern for, the security of College information.
  • To ensure that all users are aware of, and fully comply with, the relevant UK legislation.
  • To provide a framework and guidance for the establishment of standards, procedures and guidelines in respect of information security.
  • To instil awareness across the College that appropriate security measures must be implemented as part of its normal, effective operation.

6.2 Information Sharing


Information is an organisational asset and should be shared and exploited as widely as possible across the College unless it is of a sensitive nature, e.g. personal or commercially-sensitive information.

6.3 Monitoring Electronic Communications


The College respects the privacy of its users but, through IT Technical Services, exercises its right to intercept and monitor electronic communications passing over the data network and infrastructure, within the guidelines set down by the Regulation of Investigatory Powers Act 2000 (RIPA). Such monitoring covers, but is not limited to, detection of criminal or unauthorised use, viruses, and threats to College systems such as hacking or denial of service attacks.

Full details can be found in the "Access to Staff and Student IT Accounts and IT Equipment" policy, which can be found on the IT Technical Services website.

6.4 Information Security Education and Awareness


All users will receive training on how to:

  • Protect the information for which they are responsible
  • Operate the technology and information systems provided
  • Understand the security risks to their information and systems
  • Use the security features provided within their information systems
  • Select, manage and safeguard passwords
  • Prevent the spread of malicious software and data, e.g. computer viruses, hoax and chain e-mails
  • Identify and safeguard important records from loss, destruction and falsification
  • Identify and report information security incidents
  • Ensure the physical security of their information assets, PC and other information management equipment.

6.5 Virus Protection and Management


The College will maintain detection and prevention controls to protect against malicious software and unauthorised external access to the College network and systems. All users of the College network will comply with the College Virus Protection and Management policy which can be found on the IT Technical Services Website.

6.6 Software Protection


To ensure that all software and licensed products used within the College comply with the Copyright, Designs and Patents Act 1988, the College may carry out checks from time to time to ensure that only authorised software products are being used.

Only IT Technical Services are allowed to install software on College-owned resources. Unauthorised copying of software, or use of unauthorised products, by staff or students may be grounds for disciplinary action and, where appropriate, legal proceedings.

Full details can be found in the “ICT Software Policy” which can be found on the IT Technical Services website.

6.7 Incident Response and Business Continuity


Like all organisations, the College is susceptible to a number of threats which could result in the loss of, or unauthorised access to, its information. While many of these relate specifically to electronic information and the systems used to manage it, threats to physical information can be just as damaging to the College and must also be planned for, mitigated and managed.

The College is particularly exposed to malicious software given its open access arrangements and its many connections to external systems such as the Internet. All users are required to take special care, to use the protective measures in place to prevent such attacks, and to report any actual or suspected malware infection or theft of computer assets.

Any breach of security or security incident could lead to the loss of personal information. This would be an infringement of the Data Protection Act 1998 and could lead to civil or criminal proceedings. It is vital that all users of the College ICT facilities and systems comply not only with this policy, but also with the College’s Data Protection Policy and other supporting policies.

The College will investigate all security incidents involving the potential compromise of information security.
Reports of actual or suspected information security incidents are to be made by e-mail to the ICT Manager.
Appropriate processes and procedures will be implemented to initiate, record, manage and, where necessary, escalate the response to an incident.

6.8 Compliance with Information Security Policy and Standards


The ICT Manager will establish an appropriate programme of reviews and audits to ensure that the College's information, systems and supporting infrastructure are being managed in accordance with the College Information Security policy and standards and with any other relevant legal and contractual requirements.

IT Technical Services monitors the data network and infrastructure within the guidelines set down by the Regulation of Investigatory Powers Act 2000 (RIPA).

6.9 Design of Information Systems


Appropriate information security controls must be implemented to protect information assets from internal and external security threats, whether intentional or accidental. Controls must be consistent with College policies and standards. A statement of applicability should be drawn up, recording the controls that will be implemented, as well as those that have been excluded, together with an indication of the reason for inclusion or exclusion.

A security requirements analysis will be carried out at an early stage by the System Proposer in each major IT development project to identify any exceptional security risks and to define the relevant security standards and features that need to be designed into the system.

6.10 Physical Security


Computer systems and networks will be protected by suitable physical, technical, procedural and environmental security controls which will be implemented as appropriate to prevent access to, interference with or damage to information assets.

File servers and machines that hold or process highly critical or sensitive data will be located in physically secured areas. Access to these areas will be strictly controlled.

6.11 Retention and Disposal of Information and ICT Equipment


All staff have a responsibility to consider security when using and disposing of information and ICT equipment in the course of their work. The College will determine retention periods for information and departments should establish procedures appropriate to the information held and processed by them. ICT Equipment shall only be disposed of in accordance with the agreed College procedures.

  • All information must be removed from ICT equipment scheduled for disposal.
  • All removable digital media must be reformatted, de-gaussed or physically destroyed at the time of disposal.
  • All confidential or sensitive information which does not form part of the College’s records and which is held in non digital form must be shredded.

6.12 Breaches of Security


Any breach of security which could lead to the loss or compromise of personal information would be an infringement of the Data Protection Act 1998 and could lead to civil or criminal proceedings. It is vital, therefore, that users of the College's information, information management systems and ICT facilities comply not only with this and other Information Security related policies, but also with the College's Data Protection Policy.

7. Sanctions


The College has in place sanctions for staff and students who compromise the security of information or information management systems and disciplinary proceedings may be invoked for any member of the College who breaches this or other information security related policies.

IT Technical Services, on behalf of the College, may disconnect, block traffic to or from, impound, or log information regarding any machine or PC on the data network which is misused or compromised. Under the College disciplinary procedures and the "Access to Staff and Student IT Accounts and IT Equipment" policy, IT Technical Services are authorised to initiate investigations of users who breach this policy.

An investigation may result in IT Technical Services disabling a user's access to the network without prior notice, pending resolution of the incident.

8. E-Safety


The New College Swindon ICT eSafety Policy addresses the challenge of supporting and delivering high quality, flexible teaching and learning while at the same time enabling both young people and vulnerable adults to keep safe in a rapidly changing digital world.

Please see the E-safety Policy for further information.

9. References


The supporting policies associated with this policy are listed below and are published on the IT Technical Services website. All staff, students and any third parties authorised to access and use the College network, systems and facilities are required to familiarise themselves with them and to work in accordance with them.

ICT Usage Policy – http://ictsupport.newcollege.ac.uk/?page_id=3
ICT Software Policy – http://ictsupport.newcollege.ac.uk/?page_id=4
Access to Staff and Student IT Accounts and IT Equipment – http://ictsupport.newcollege.ac.uk/?page_id=336
Laptop Loan Agreement – http://ictsupport.newcollege.ac.uk/?page_id=188
Hardware Installation / Depreciation procedure. – http://ictsupport.newcollege.ac.uk/?page_id=202
Mobile ICT Equipment Agreement – http://ictsupport.newcollege.ac.uk/?page_id=326
Data Protection Policy (Staff Portal)
Virus Management & Protection Policy (IT Technical Services website)
College Guidance on Social Networking
JANET Acceptable Use Policy. URL: http://www.ja.net/services/publications/policy/aup.pdf
JANET Security Policy. URL: http://www.ja.net/services/publications/policy/security-policy.pdf
