
Aims

The aim of this document is to establish clear procedures relating to information security.

All users of college IT facilities, whether staff, students or associates, are to comply with the Regulations for the Acceptable Use of RBC Information Technology (“the AUP”), the Information Security Policy and these Procedures.

It is college policy that all users of computing facilities at the RBC carry out their work in accordance with these procedures.

Where appropriate, compliance with the procedures will be monitored, and failure to comply may be subject to disciplinary action.

Acceptable behaviour

The AUP gives examples of acceptable and unacceptable behaviour in the use of IT facilities.

All users must be aware of what is acceptable, and take individual responsibility for their actions.

Passwords

Appropriate usernames and passwords will be issued to all users. These will allow general access to IT facilities as well as individual access to specific business systems where required. Each user has individual responsibility for the security of their password and it is forbidden to give a password to another person. IT staff will never ask an individual to reveal their password.

Should the security of a password be compromised it is the responsibility of the individual user to change it and to establish that no breach of confidentiality has occurred. If there is a suspected breach of confidentiality this is to be reported immediately to the Help Desk.

Passwords chosen must be of sufficient complexity that they are not easy for another person to deduce. For example, individuals should avoid choosing passwords that feature their name, partner's name, car registration, pet or anything else that might be guessed or obtained by a third party.

Where technically possible, all information systems will enforce the following:

  • The minimum password length is eight characters.
  • Passwords must be ‘complex’, that is, consist of character(s) from at least THREE of the following FOUR sets:
    • Lowercase letters [a…z]
    • Uppercase letters [A…Z]
    • Digits [0…9]
    • Special characters [`!"£$%^&*()-_=+[]{};'#:@~\|,./<>?]
  • Passwords will expire at intervals of less than 91 days.
  • Previously used passwords cannot be re-used.
  • Three logon attempts with incorrect passwords within 24 hours will lock an account.
  • Locked accounts will remain locked until either:

a)    reset by the Help Desk. The Help Desk will require adequate proof of identity prior to unlocking an account;

b)    unlocked by the user via a secure self-service system; or

c)    after 24 hours, when the account will automatically unlock.

If it is necessary to record a password it must be kept securely, disguised in some form.

In all cases, whether forced or not, passwords must be changed regularly – at least every 3 months.

In order to maintain user account security certain restrictions are in place to help prevent unauthorised access.
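As an added illustration (not the college's own code or any system it runs), the checker below encodes the password rules above exactly as written: eight-character minimum, at least three of the four character sets using the policy's own special-character list, no re-use of previous passwords, expiry before 91 days, and a lockout after three failed logons within 24 hours that clears by Help Desk reset, self-service unlock, or automatically after 24 hours. The usernames and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# The four character sets named in the policy; SPECIAL is the policy's list.
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
SPECIAL = set("`!\"£$%^&*()-_=+[]{};'#:@~\\|,./<>?")

MIN_LENGTH = 8
MIN_SETS = 3                            # three of the four sets
MAX_AGE = timedelta(days=90)            # expiry "at intervals less than 91 days"
LOCKOUT_THRESHOLD = 3                   # three incorrect passwords ...
LOCKOUT_WINDOW = timedelta(hours=24)    # ... within 24 hours
AUTO_UNLOCK_AFTER = timedelta(hours=24) # option c): automatic unlock


def complexity_violations(password: str, previous: List[str]) -> List[str]:
    """Return the rules a candidate password breaks (empty list = acceptable).
    Characters outside all four sets are allowed but count towards no set."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    chars = set(password)
    sets_used = sum(1 for s in (LOWER, UPPER, DIGITS, SPECIAL) if chars & s)
    if sets_used < MIN_SETS:
        problems.append(f"uses only {sets_used} of the 4 character sets")
    if password in previous:
        problems.append("re-uses a previous password")
    return problems


@dataclass
class Account:
    username: str
    password_set_at: datetime
    failures: List[datetime] = field(default_factory=list)
    locked_at: Optional[datetime] = None

    def record_failed_logon(self, now: datetime) -> bool:
        """Record an incorrect password; return True if this failure locks the account."""
        # Only failures inside the rolling 24-hour window count towards the threshold.
        self.failures = [t for t in self.failures if now - t < LOCKOUT_WINDOW]
        self.failures.append(now)
        if self.locked_at is None and len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked_at = now
            return True
        return False

    def is_locked(self, now: datetime) -> bool:
        """Locked until a) Help Desk reset, b) self-service unlock, or c) 24 hours pass."""
        if self.locked_at is None:
            return False
        if now - self.locked_at >= AUTO_UNLOCK_AFTER:
            self.unlock()                      # option c)
            return False
        return True

    def unlock(self) -> None:
        """Options a) and b): reset after proof of identity, or self-service unlock."""
        self.locked_at = None
        self.failures = []

    def password_expired(self, now: datetime) -> bool:
        """Forced change: a password 90 days old has reached its expiry interval."""
        return now - self.password_set_at >= MAX_AGE


def lockout_scenario() -> List[bool]:
    """Constructed sequence: three failures in two hours lock 'jsmith', the lock
    clears automatically 24 hours later, and the 95-day-old password has expired."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("jsmith", password_set_at=t0 - timedelta(days=10))
    return [
        acct.record_failed_logon(t0),                        # False: 1 of 3
        acct.record_failed_logon(t0 + timedelta(hours=1)),   # False: 2 of 3
        acct.record_failed_logon(t0 + timedelta(hours=2)),   # True: locked now
        acct.is_locked(t0 + timedelta(hours=3)),             # True: within 24 h
        acct.is_locked(t0 + timedelta(hours=27)),            # False: auto-unlocked
        acct.password_expired(t0 + timedelta(days=85)),      # True: 95 days old
    ]


if __name__ == "__main__":
    print(complexity_violations("password", []))
    print(lockout_scenario())
```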

Training

All staff, students and associates will be offered appropriate training in the use of relevant IT facilities.

All users must take individual responsibility for ensuring they are able to use correctly any information system to which they have been given access.

The college reserves the right to withdraw access to any system if an individual places the security of the college’s systems or information at significant risk.

Information Security Officer

The college shall designate an individual as Information Security Officer, who shall be responsible for ensuring appropriate procedures, systems and guidelines are in place and implemented.

Data Ownership

The Principal has overall ownership of all college information, but delegates this responsibility to specific individuals (‘information owners’) responsible for identifying the use of that information.

Individuals who create information will normally be deemed the owner of their own information or information that they have acquired. For information that applies to the corporate work of the college, this owner will normally be a manager.

All information held on college systems, including that held on ‘shared areas’ and in email is owned by the college. All members of staff will have agreed to this when accepting employment at the college. Where there are concerns relating to intellectual property rights the individual must ensure the issue is specifically addressed in the employment contract.

Personal use

While the college does not provide data storage for personal use, it is accepted that limited personal use is allowed, as detailed in the AUP. However, college systems (including email), should not be generally used to store personal information.

Any personal information stored on your ‘shared area’ or in email is stored at the individual’s risk.

This data remains the property of the college. All data is regularly backed up and retained for at least one year, in order to protect the college from business loss in the event of systems failure.

Confidentiality

All corporate information should be kept confidential, with computer screens password-protected and away from public view.

Individuals must always log out of a user session (or use the CTRL, ALT & DELETE keys to lock the screen when leaving a work station) and never leave a machine with a live connection to an information system.

Certain information is particularly confidential (e.g. exam scripts, marks, personal and medical data), and particular care must be taken with these. All users must be familiar with the college's Data Protection Policy.

Legitimate use

Any use of college information must be lawful, honest and decent, and must pay attention to the rights and sensitivities of the people concerned.

The use of college information or data for obscene, illegal or intimidatory purposes, or with the intent of annoying or offending somebody else, is strictly forbidden. College information and data may not be used for commercial gain.

Retention

Information must be kept only for as long as it is required, especially personal data. Certain categories of information must be legally retained for specified periods. All users must be aware of the retention periods detailed in the college's Records Retention policy and ensure that they have processes in place to meet these.

All IT equipment must be disposed of in line with the WEEE regulations. In particular, any equipment or storage media which could contain any information or data must be disposed of in a secure manner. In general, all equipment should only be disposed of by or via the college's Estates department. CDs should be shredded.

Storage

Every member of the college is supplied with a networked default ‘documents’ and ‘desktop’ store. This is the usual place for storage of individual data. No information should be stored on local hard drives (C: drive). Where this is unavoidable (e.g. on a laptop being used remotely) information must be copied to networked storage as soon as possible.

Departments and teams are also provided with shared networked 'cloud' data storage. These areas should be used for all information which may be needed by more than one individual.

For portable temporary storage the use of USB memory sticks is recommended, but again, any information that is important must be copied to college network storage. Particular care must be taken to ensure the security of memory sticks.

Data may be copied for use on a home computer, but the ownership will remain with the college. Any information modified on a home computer must be copied to networked storage as soon as possible. Data on home computers must be deleted as soon as it is no longer needed.

Any data relating to an identifiable living individual (and as such subject to the Data Protection Act) must not be stored on a laptop or removable memory or storage unless it is encrypted or otherwise secured (for instance through password protection). Where this is absolutely necessary, it should be stored for as short a period as necessary.

All college storage systems will have quotas in place, to prevent any individual abusing the system. These quotas will be as generous as possible, within current system constraints.

Access by others

Data stored in individual storage areas will not normally be accessed or made available to anyone else. However, this may be done in certain circumstances, either with or without the permission of the individual.

Access with your permission

Those who need to delegate responsibility for checking email to a colleague or assistant may do so through the "delegates" facility within Outlook. Having added the appropriate username as a delegate, various levels of permissions can be set for all aspects of Outlook including managing of both calendar functions and sending and checking of email.

More extensive delegation can be provided but this requires the account holder to apply by email to the help desk with details of to whom the account holder wishes to give full control of their email account (this can only be done for a member of staff).

Data, documents and files required by others should be saved to a departmental share drive – this will enable your team or department to share access to files. An individual may not grant access to their personal documents to anyone else.

Absence during employment

In the event of unplanned absence by a member of staff where access is required to information held only by that person, the staff member will in the first instance be contacted and consent sought.

If consent is not or cannot be obtained, then a business case may be made by Human Resources to gain access to specific data on the documents drive or email. If the case is accepted, the user's password will be reset, allowing an authorised independent third party to search the absent member of staff’s data or email for the specific information required, which will then be passed to the Head of Department. Due to the administrative cost of this procedure, genuine business need must be proved.

Access without your knowledge/permission

The privacy of an individual’s data and emails will normally be respected; however, there are a number of situations in which access to data may be made:

  • Where a request is made under the provisions of relevant legislation in relation to the prevention or detection of crime, authorised staff may be requested to make an individual’s data available
  • At the request of the data owner (the Principal) or one of his named representatives
  • By IT Staff in connection with the maintenance of the systems
  • Where an allegation or evidence of breach of the Regulations needs to be investigated, which will be carried out in accordance with the IT Investigation Policy.

After employment has ceased

Line managers are responsible for ensuring they have access to all necessary data before an employee leaves the college. It is necessary for an employee to make this data available by moving files to a shared drive or portable media device, on or before their last day at work; advice can be sought from the Help Desk.

Where an individual requires assistance by IT, written permission for data to be transferred to the network drive of a colleague or line manager must be given. These arrangements should normally be made at least one week before leaving the college.

An example of the permission document required is below:

“I hereby give permission for <named person> to have access to data on my documents and email after my departure from the college on <state date>. I understand that it is my responsibility to remove all personal data from both accounts before my departure, and that by arranging for this data to be passed to <named person> I am revoking any intellectual property rights.

I understand that after this data has been passed to <named person> both my network and email account will be deleted.

Signed <your signature>,

Name: <your name in full>,

Username: <your college username>”

Permission requests must be signed written originals; photocopies, faxes, or emails are not acceptable, nor is a letter signed as ‘pp’ acceptable for this purpose.

This permission will only refer to data available on the date of departure. It will not authorise the named person to access data previously deleted and stored on backup. Similarly, it will not be possible to automatically redirect any future email to colleagues.

After departure, a vacation message can be requested on the email account to inform people that you have left the college and to provide an alternative address for contacts. This allows the sender to use the appropriate address, and will be displayed until the email account is deleted. During this time the email account will remain closed.

If you are concerned that you are the only contact for any business-related email then as soon as you are aware you will be leaving or moving jobs you should arrange for a business account or alias to be created by contacting the Help Desk, and inform all your contacts that this is the appropriate address to use.

System management

All of the college's systems are to be managed by suitably trained and qualified staff, who oversee their day-to-day running and preserve security and integrity in collaboration with nominated individual system owners.

All IT staff shall be given relevant training in information security issues.

Change Control

The implementation of new or upgraded software must be carefully planned and managed, to ensure that increased information security risks associated with any changes are mitigated.

There will be formal change control procedures, with audit trails for all changes to systems.

Access

Access to all information services shall use a secure logon process, and access to high value systems may have further limitations as appropriate (2FA). Access will always be granted on the basis of role and need, not seniority of post.

Access controls shall be maintained at appropriate levels for all systems by ongoing proactive management and any changes of access permissions must be authorised by the manager of the system or application. A record of access permissions granted must be maintained.

Access to IT systems is to be logged and monitored to identify potential misuse of systems or information.

Privileged Access

Certain members of staff will have elevated permissions on some or all systems. Some of these permissions are only granted when required but others will be granted implicitly by membership of certain domain groups.

A full charter expanding on these responsibilities is contained as Appendix A to this document.

With these elevated privileges comes increased responsibility, and all staff with elevated permissions will undergo training in their responsibilities. Abuse of privileged status will be regarded as a serious disciplinary matter.

If these staff leave the college, or are no longer a member of one or more of the membership groups, either through secondment or a permanent change in job role, these permissions will be revoked.

The college will regularly audit the status of all members of staff and accounts with increased privilege and confirm that this is still required and at the correct level.

Clocks

All system clocks will be regularly synchronised to the same time signal via automated processes such as NTP.

Capacity

Capacity demands of business systems shall be monitored, and actions taken to ensure increased demands are met. Users must be aware that disk storage and capacity is limited, and take reasonable care not to overload any system.

Any known or planned requirements for large amounts of storage or processing power must be notified to and agreed by the AUP Designated Authority well in advance.

Business Continuity

All business information systems and IT facilities will have a defined disaster recovery process in place. Systems designated as critical will have some level of resilience as long as this is technically possible and cost effective.

Planning to continue operating without any IT facility is the responsibility of individual Heads of Department. Full details are in the Business Continuity and Disaster Recovery Policy.

New information systems

The procurement or development of all new information systems must be discussed with the Head of IT and approved by SMC.

Before introducing any new business data system, a risk assessment will include an assessment of any legal obligations that may potentially arise from the use of the system. The Head of IT oversees this risk assessment.

Misuse

If any member of the college knows of or suspects any misuse of IT facilities, they must report it either to their Head of Department or, if this is not appropriate, to the Head of IT.

If the suspected misuse is by the Head of IT, the matter must be reported to the Principal. In the case of reported or suspected misuse of computers or breach of the AUP by a student, then whatever the degree of reported or suspected misuse, the first response will be to disable the user's network and/or email account immediately. The purpose of this is to prevent any further misuse. At this time, the student's account history file will be checked to see if there is any record of a previous offence.

In accordance with the college’s Student Disciplinary Procedures, IT will in all cases refer the matter immediately to the Registrar, with the relevant details. The Registrar may meet with the Head of IT or nominee to discuss the incident.

As stated in the AUP, a breach of regulations may result in access to IT facilities being withdrawn, regardless of academic consequences.

In the case of reported or suspected misuse of computers or breach of the AUP by a member of college staff, the college Staff Disciplinary Procedures will be followed. Access to IT may be withdrawn if appropriate.

In the case of reported or suspected misuse of IT or breach of the AUP by guests or associates, computing access may be withdrawn pending investigation, and further action may include reporting the matter to the visitor's host department and/or home institution if appropriate.

Appendix A – Privileged User Charter

Introduction

System and network administrators, as part of their daily work, need to perform actions which may result in the disclosure of information held by other users in their files, or sent by users over communications networks. For these reasons they will have elevated and privileged permissions. This charter sets out the actions of this kind which authorised administrators may expect to perform on a routine basis, and the responsibilities which they bear to protect information belonging to others.

On occasion, administrators may need to take actions beyond those described in this charter. Some of these situations are noted in the charter itself. In all cases they must seek individual authorisation from the appropriate person in their organisation for the specific action they need to take. Such activities may well have legal implications for both the individual and the organisation, for example under the Data Protection and Human Rights Acts.

System and network administrators must always be aware that the privileges they are granted place them in a position of considerable trust. Any breach of that trust, by misusing privileges or failing to maintain a high professional standard, not only makes their suitability for the system administration role doubtful, but is likely to be considered by their employers as gross misconduct. Administrators must always work within the college's information security and data protection policies, and should seek at all times to follow professional codes of behaviour.

Authorisation and Authority

System and network administrators require formal authorisation from the "owners" of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". In the college this right is delegated by the Principal to the Head of IT. This document will use the term "Designated Authority" which could refer to this post, or other nominee, as is most appropriate.

If any administrator is ever unsure about the authority they are working under, then they should stop and seek advice immediately, as otherwise there is a risk that their actions may be in breach of the law.

Permitted Activities

The duties of system administrators can be divided into two areas.

The first duty of an administrator is to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. Here the administrator is acting to protect the operation of the systems for which they are responsible. For example, investigating a denial of service attack or a defaced web server is an operational activity, as is the investigation of crime.

Many administrators also play a part in monitoring compliance with policies which apply to the systems. For example, some organisations may prohibit the sending or viewing of particular types of material; or may restrict access to certain external sites, or ban certain services from local systems or networks. The JANET Acceptable Use Policy prohibits certain uses of the network. In all of these cases the administrator is acting in support of policies, rather than protecting the operation of the system.

The law differentiates between operational and policy actions, for example in section 3(3) of the Regulation of Investigatory Powers Act 2000, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.

Operational activities

Where necessary to ensure the proper operation of networks or computer systems for which they are responsible, authorised administrators may:

  • monitor and record traffic on those networks or display it in an appropriate form
  • examine any relevant files on those computers
  • rename any relevant files on those computers or change their access permissions
  • create relevant new files on those computers

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from the Designated Authority or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user file store, then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

Policy activities

Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and the policies to which it will apply. If this has not been done through a general notice to all users, then before a file is examined, or a network communication monitored, individual permission must be obtained from all the owner(s) of files or all the parties involved in a network communication.

Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they are responsible:

  • monitor and record traffic on those networks or display it in an appropriate form
  • examine any relevant files on those computers
  • rename any relevant files on those computers or change their access permissions or ownership (see Modification of Data below)
  • create relevant new files on those computers

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it or by marking it as personal, the administrator must not examine or attempt to make the content readable without specific authorisation from the Designated Authority or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user file store, then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

Disclosure of information

System and network administrators are required to respect the secrecy of files and correspondence.

During the course of their activities, administrators are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential - it must neither be acted upon, nor disclosed to any other person unless this is required as part of a specific investigation:

  • Information relating to the current investigation may be passed to managers or others involved in the investigation
  • Information that does not relate to the current investigation must only be disclosed if it is thought to indicate an operational problem, or a breach of local policy or the law, and then only to the Designated Authority (or, if this is not appropriate, to a senior manager of the organisation) for them to decide whether further investigation is necessary.

Administrators must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 1998) that is stored on their systems.

Such data may become known to authorised administrators during the course of their investigations.

Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant data controller.

Intentional Modification of Data

For both operational and policy reasons, it may be necessary for administrators to make changes to user files on computers for which they are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:

  • rename or move files, if necessary to a secure off-line archive, rather than deleting them
  • instead of editing a file, move it to a different location and create a new file in its place
  • remove information from public view by changing permissions (and if necessary ownership)

Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations where this is not possible. In every case the user must be informed as soon as possible what change has been made and the reason for it.

The administrator may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.

Unintentional Modification of Data

Administrators must be aware of the unintended changes that their activities will make to systems and files. For example, listing the contents of a directory may well change the last accessed time of the directory and all the files it contains; other activities may well generate records in log files. This may destroy or at best confuse evidence that may be needed later in the investigation.

Where an investigation may result in disciplinary charges or legal action, great care must be taken to limit such unintended modifications as far as possible and to account for them. In such cases a detailed record should be kept of every command typed and action taken. If a case is likely to result in legal or disciplinary action, the evidence should first be preserved using accepted forensic techniques and any investigation performed on a second copy of this evidence.