Security policy is an essential measure to help protect college information systems from compromise, whether accidental or deliberate, which could have adverse consequences for the college, its management, its staff and its students. This document addresses the risks of using the Internet (except email, which is covered separately), the policies required to manage those risks to an acceptable level and the responsibilities within the college for achieving this.
The structure of this document is described in the table below.

| Section | Content |
|---|---|
| Background to Risk | Examples of Internet risks, including recently publicised cases |
| The User Policy | Describes the policies that all Internet users must follow |
| Management Responsibilities | Describes management's role in supporting the policy |
| Technical Support Responsibilities | Describes IT's role in supporting the policy |
Related policies include:
- Standards and Guidelines for all users of College Computing and Network Facilities
- Email Acceptable Use
- Virus Protection Policy
- Data Protection and Monitoring
- Personnel Security
Background to Risks
Use of the Internet is an essential tool of college life, allowing access to a large volume of research and reference material, business-to-business commerce and the general information required in day-to-day business. Accidental or deliberate misuse of the Internet can have a number of serious impacts upon the college. Several potential risks are described below, with examples drawn from cases that have been publicised:
Download of Malicious Software
With a click of the mouse a user can accidentally download and install software that may impact the operation and integrity of the workstation, install spyware that leaks confidential information out to the Internet, or install software "zombies" which mount a denial of service attack on another Internet website. College operations could be badly disrupted by malicious code, the college could be embarrassed and it may even be sued by third-party organisations in the event that their systems are damaged.
An apparently normal banner or pop-up advertisement may attempt to install executable software on the user's PC. Depending on the browser's security settings, the software will either download transparently without any user action or present an install prompt window. Uninformed users may choose 'Yes', thinking the browser is asking to download a legitimate plugin, which is a common part of the Internet experience.
Access to Offensive Content
Access to websites leaves a trail that can be used to identify the individual or organisation concerned. Inappropriate access to offensive websites, such as those containing racist or pornographic content, can badly damage the college's reputation. Some websites host illegal content, and the college could find itself involved in a criminal enquiry that draws in significant resources, may require forensic access to computer equipment and ultimately interrupts normal college life. Download of offensive content could lead to loss of productivity among staff and students, distress and even harassment claims.
Excessive Personal Browsing
Whilst not as serious as accessing websites with offensive content, members of staff or students who spend long periods of time surfing websites for personal reasons do have an impact on the college. There is a large volume of music and video content available, including from reputable broadcasting and news organisations that now publish news in these new media formats. However, excessive time on these sites uses up considerable bandwidth and reduces staff and student productivity.
Website Spoofs and Scams
Websites can be used to impart incorrect information, such as false market information, or to elicit information from users, such as user IDs and passwords. Such events can result in incorrect business decisions being made and confidential information being disclosed. The college's reputation could be affected.
Copyright Infringement
Software executables that are downloaded may result in an infringement of copyright rules. This could result in embarrassment to Rose Bruford College and large fines.
Management Responsibilities
In relation to the Internet, the college Principal is responsible for ensuring the college's compliance with all current legislation and corporate governance. The Principal has a responsibility to governors, staff and students to safeguard college assets and viability and to preserve the college's integrity and reputation.
Management are responsible for:
- Implementing this Internet policy, monitoring its effectiveness and maintaining it
- Ensuring that staff and students are made aware of the policy contents and confirm their understanding by appropriate means
- Handling individual exceptions to the rules, e.g. for business or technical reasons
- Adhering to the User Policy principles and thereby setting the correct example
- Ensuring that breaches of policy are treated even-handedly, whatever the level of staff involved
- Applying discipline as defined in the Student Handbook / Staff Handbook
- Ensuring that any request by an individual to gain access to another's email account, e.g. during extended leave or sickness, is approved and documented
The effectiveness of the policy will be monitored by carrying out the following activities:
- Formal information security awareness / training;
- Reviewing content management reports;
- Gaining feedback from email users;
- Monitoring web content in accordance with the UK Privacy Directive, i.e. only where it is justified and a breach of security is deemed to have occurred.
The User Policy
The following two sections detail the user Internet policy principles that must be followed by all users. Users who are not clear about any policy principle should seek clarification from the IT Manager.
Main Policy Principles
These are the essential principles of the Internet security policy, which must be followed by all Internet users, whether staff or students:
- Rose Bruford College Internet facilities are intended for college and educational use. A limited amount of personal use is allowed, subject to management agreement
- Software must not be downloaded from the Internet unless specifically required by management and with the express approval of the ICT Manager (see guideline on downloading)
- Do not subscribe to any services or place any orders on the Internet unless this has been explicitly authorised
- Do not attempt to visit websites whose content is offensive, e.g. of a racial, sexual, religious, ethnic or any other nature not permitted, unless the content is directly related to research or educational course work
- The authenticity of websites relied upon for critical business information should be verified
- Users are accountable for the use of their desktop machine for connection to the Internet and for the websites they visit
- Users should not transmit any information identifying the college to any website without express permission
- Users should not breach copyright restrictions in force on any website or document downloaded
- Failure to comply with any of the above policy principles may result in disciplinary action
Monitoring of Internet Access
The college reserves the right, at its discretion, to intercept, read and store details of any Internet usage on its systems or in transmission over its network in the UK. All interceptions will be carried out in accordance with current legislation.
IT Support Responsibilities
The ICT personnel supporting the Internet service have the following responsibilities:
- Complying with the policy principles as users
- Creating unique Internet accounts for individuals only. Generic or shared accounts must only be created if justified by business or technical requirements, approved by management and documented
- Giving access to Internet accounts and resetting passwords in line with the separate policy. Access in the event of absence should be granted by extending permissions where possible, in preference to divulging passwords
- Removing the ability to log on to Internet accounts once users have left the organisation
- Making sure that IT support staff are familiar with the relevant Privacy Directive legislation and do not read personal email (so marked)
The monitoring of communications by unauthorised individuals is prohibited and may be illegal. Interception and monitoring may only take place with explicit written authority and must be justified and fully documented.
Legal Notice to Users
This computer system and network is the property of Rose Bruford College.
It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to any authorized law enforcement agency, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of Rose Bruford College. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning or if you are not authorised to access this network (you do not have a valid username and password), or you are not using your own username and password.