Policy Title: I.T. Security Policy
Author: Rose Kane
Updated November 2012
Due for Review November 2013

COLLEGE I.T. SERVICES

I.T. Security Policy.

User-group: Executive Directors, Corporation – Audit Committee, Auditors, College Managers, I.T. Services Staff, Personnel, Staff Development, Registry.

Category: Information Technology

Last Modified: November, 2012
Review Date: November, 2013

Approved By: Executive
Commissioning Author: Rose Kane, I.T. Services Manager
Contact Person: Rose Kane, I.T. Services Manager, 01274 433062

Person Responsible: Andy Welsh, Director of Corporate Services: Directorate.

College Mission Statement: “To help students from the region, nationally and internationally, achieve their potential, and make a rewarding contribution to their own communities.”


EXECUTIVE SUMMARY:

The I.T. Security Policy summarises the actions that Bradford College takes to secure its IT provision and ensure safe access for its users – and outlines associated management responsibility. As recommended by the BS7711 guidelines for I.T. security it acts as an index to the suite of policies and associated procedures published for users and additionally outlines the specialist procedures relevant to I.T. specialists.


I.T. SECURITY POLICY

Contents:
Scope 4
Compliance 4
Publishing Controls 5
Web Publishing 5
Email Controls 5
Data Protection Compliance 6
Copyright Controls 8
Procurement 9
Physical Security Controls 10
Change Control 11
User Access Controls 12
Account Password Security 15
Individual System Access Rights 16
Security against Internal/External Sabotage 16
Telephony Controls 19
Emergency Communication 20
Breach of Policy – Investigation Framework 21
Recovery Controls 22

Appendices
Summary of Legal Requirements 23


POLICY TITLE: I.T. Security Policy

Scope
This policy suite outlines how Bradford College manages and secures its Information Technology (I.T.) provision. The policy describes the management, regulations and procedural processes that underpin procurement, change control, compliance and acceptable use, outlining the enforcement that Bradford College applies to ensure the quality of its services for its users.

This Policy is reviewed annually by the I.T. Services Manager, who will make recommendations to the College Leadership Group. Any necessary and approved revisions will be approved by that group.

1. Conditions of Use

Students will agree to comply with the College policies and will have access to full copies of them when they sign their Student Learning Agreement.

Staff will sign to agree compliance with the College policies and will have access to full copies of them when they accept their contract of employment with the College.

Staff and students of the College who act in breach of the I.T. Acceptable Use Policy will be subject to the College’s disciplinary procedures.

Members of subsidiary organizations who use College I.T. Services will be subject to the disciplinary procedures of their own organization.

Infringement of civil or criminal law will be referred to the external agencies concerned. The instigator/owner of the material may be subject to a legal penalty, in addition to disciplinary action.

2. Compliance

This Security Policy outlines the framework in which the College I.T. and Telephony Acceptable Use Policy and related policies will operate and the procedures which I.T. professional staff and College Managers will follow to ensure compliance with College regulations, third party contractual policies and our legal obligations.

2.1 Contractual Compliance

Joint Academic Network (JANET)

The College uses JANET for all connections to the Internet. All users of the College network will comply with the JANET Acceptable Use Policy.

Combined Higher Education Software Team (CHEST)

All users of the College network will comply with the CHEST Code of Conduct for the use of Software or Datasets.

2.2 College Regulations Compliance
Existing College rules and policies apply equally to the use of all electronic services.

This I.T. Security Policy underpins the College I.T. Acceptable Use Policy, the College WEB Publishing Policy, the College I.T. Disaster Recovery & Business Continuity Plan and procedures in place to underpin and enforce those policies.


3. Publishing Procedures

3.1 Publishing Procedures and Whistle Blowing Compliance
Opportunity for the e-publishing of promotional as well as controversial and damaging information is freely available via Web Pages, Email, Chat Rooms, Bulletin Boards and Social Network areas. More recent popularity of online diaries (Weblogs or “Blogs”) hosted within public Web space encourages Internet users to share and publish opinion and research.

Within its corporate owned websites the College delegates the responsibility for local content update to local authors within its departments whilst the Marketing Department are responsible both for the content of corporate pages and the acceptability of local content. To ensure compliance with brand and accessibility guidelines and to ensure quality of the overall online product, the College Marketing Team will exercise the editorial right to reject or withdraw content that is not compliant or acceptable.

4. The Web Publishing Policy and its associated procedure outlines the College rules that govern the publication of corporate, departmental, personal and internet content that relates to the College.

5. E-mail Controls

5.1 Email – Appropriate Use and Protection of Users
Bradford College provides email for staff as a messaging platform and not as the primary data storage platform. College staff must use College email as a professional business messaging tool, transferring any received attached data to secure data filestore and taking personal responsibility for the backup of any additional personal facilities they choose to use, such as online diaries, address books and calendars.

The College strives to protect its internal users from Internet abuse and to provide relevant and responsive contacts for its external clients. This policy outlines the technical controls that underpin that process.

Student use of Live@Edu email is bound by the policy for Acceptable Use of a College facility and is also bound to the regulations issued by Microsoft and JANET.

The I.T. & Telephony Acceptable Use Policy and its associated procedure outlines the rules for staff and student access and use of I.T. systems provided by the College.

5.2 E-mail Disclaimer
The College publishes its professional intent in a disclaimer and any staff email that is sent from the College system to any external address will automatically have the disclaimer attached.

5.3 E-mail Filestore Thresholds
Staff Email filestore that approaches thresholds will automatically send a message to the user to request a data cull.

5.4 Global Internal Staff E-mail Restrictions


Staff email to “all internal users” is restricted to managers and key communicators.

5.5 Protection Against Spam Address Harvesting
External, individual staff email addresses are externally available via a search that demands prior knowledge of the user’s name. Results to searches will display a limited number of emails, to discourage persons who might obtain them for unauthorised reasons. To prevent harvest of emails for Spam lists, the search will never display a clickable email address.

5.7 User Location Anonymity
No physical location of any user will be displayed to external users.

5.8 Advertised Contact Address – Approvals and Format
Key College contact generic email addresses and contact details will be advertised externally as required and agreed by the College and will normally be “functional” email addresses. Managers who are responsible for generic functional emails will ensure that staff are designated to administer the email addresses and that I.T. Services are informed should such staff delegates leave the organisation. Individual leaver account access is monitored through the starter and leaver process and is the over-arching control for this process.

6. Data Protection Compliance

Changes in the law governing Data Protection as well as changes in technology have outlined new areas of risk – particularly where remote work is undertaken, where increasingly portable appliances are used, where portable College equipment is removed from the campus for reasons of travel or where accesses take place in public areas of the campus. This section of the I.T. Security Policy summarises the controls that Bradford College exerts to protect its data.

The I.T. and Telephony Acceptable Use Policy outlines the rules for staff and students who may use College portable devices and may work remotely.

6.1 Data Protection - Remote Working
The College allows external access to personal data stored on internal systems, only by approval and only by VPN. All personal data must be accessed and stored on College server systems and not on local devices or removable media. Access to email, intranet and individual data store is via web access only, and a personal username and password.

It is a breach of policy to remove screen-dumps or output files that contain personal data from the College – whether by transmission e.g. email or file transfer, or by portable storage device e.g. PDAs, Zip drives, CDs, Floppy disks or USB sticks. Users who do so will be disciplined.


6.2 Visibility of Personal Data within College Premises
All users must logout from or lock workstations before leaving their desk. In addition the EBS Student Records System will auto-logout after a period of inactivity of more than one minute, removing data display from the monitor.

6.3 Remote Working - other non-personal College Data
Users frequently work from home, access emails out of hours and frequently require access to personal files in order to update lesson plans and materials or update policy, planning and strategic information. The College allows remote working within the confines of its policy to protect personal data from exiting its premises and to protect non-personal data from extracting viruses or falling into the wrong hands whilst offsite.

6.4 Authorization for Remote Working
It is a requirement of this policy that any work on College data that is to take place away from College premises should be approved by Programme Managers or Sector Managers and that on seeking such approval, staff should be reminded of their responsibilities and provided with adequate resources to complete the work securely.

6.5 Remote Working and Offsite Equipment Rules
Data that falls into the category of “other College Business Data” e.g. planning data or lesson planning data that is College intellectual property but is not sensitive personal data, should be primarily stored on a College server area and accessed there. It is accepted that this data may be transported on a College laptop from time to time for offline working, but College business Data should never be loaded or stored on personal home computers or laptops or accessed by any device that is not protected by the College anti-virus system.

Students may use their own devices for their learning material storage and may use these devices on the wireless secure network only. Students are advised to save prime copies of their data on their College allocated area at Live@Edu and are advised that the College is not responsible for that data in any other storage location (e.g. when saved to local College or home drives).

6.6 Portability of College Data
College personal data must not be ported between College and remote location on USB memory sticks, PDAs, removable media, discs or laptops that are small enough to be easily lost or stolen, and must not be uploaded to PCs/laptops that are not owned by the College.

6.7 Enforcement - User Training
Users are instructed in I.T. staff induction of their responsibilities for securing other College Data and personal filestore and of the disciplinary procedure should the policy be breached.

6.8 Enforcement - Management Controls
Programme Managers and Central Service Managers (Budget Holders) are required to use their consumable I.T. budget responsibly and must give advice to users before portable devices are agreed, purchased and distributed e.g. USB memory sticks, PDAs.


7. Copyright Controls

I.T. Services does not have a campus remit for copyright but many of our activities require vigilance and the controls that we exert are outlined within this section.

7.1 The I.T. and Telephony Acceptable Use Policy outlines the rules for Internet access and use.

7.2 Licensing Compliance & Software Asset Management (SAM)
The I.T. Services is responsible for campus software licensing compliance for staff and students and this section of the policy outlines the controls in place.

Administrative Records are retained, recording when licenses are due for renewal, which licenses are site-wide, how many single or concurrent licenses are held/deployed. The campus has purchased Keyserve and the Phoenix Dashboard, a robust licensing auditing tool that manages concurrency, software controls, audit and monitoring.

The Software Licensing Policy and its associated Procedures outlines the controls and rules governing software procurement, deployment and regulation.

7.3 Software Copyright
Software auditing detects unauthorised software download patterns and reports will instigate an investigation where it is found that students or staff are downloading unauthorised software or bringing in software that is not authorised for business use.

7.4 Staff & Student Deals are pursued to allow the purchase of software and subject to the regulations of the provider, staff and students may then use software that is the same as that in use at College. Business licenses are not available for use on home premises, other than on a College provided laptop or PC.

7.5 Anti-Plagiarism Software
We have site licensed the JISC Turnitin Software which is both an educational, annotative and anti-plagiarism checking tool to assist both staff and students in understanding what plagiarism is, what is correct referencing and allowing an online check of submitted work.


8. Procurement Process

The College supplies an extensive Local area and Wide area infrastructure and backbone server deployment on which its business and teaching systems are dependent for their smooth operation. The acquisition of new systems, new technologies and new software applications invariably changes the balance of the backbone provision and requires review to assure feasibility, accessibility, relevant communication provision, adequate security processes, resourcing and the provision of an implementation and training programme for users. New software, hardware and related technology acquisition is part of a development cycle to which the College applies the following strategic process to ensure:

Fitness for purpose; Compatibility; Accessibility; Feasibility; Value for Money; Future Proofing.

The acquisition cycle and authorization is subject to the following procedures:

8.1 Concept and Proposal
The concept may arise in user groups, functional strategic management processes or from users or providers. Major planning is encouraged during the spring term when outline pro-forma are submitted to College managers and the results, along with College strategic needs, form the basis of the budget forecast for the forthcoming academic year. It is accepted that minor change control will be required during the year, particularly as curriculum development requires, and Change Control Request Forms for individual revenue and small capital expenditure are available on the Intranet. These forms may be viewed in the procedural sections of the Hardware Policy and Software Licensing Policy.

8.1.2 Technical Consultation
Minor proposals and approved developments are examined weekly by the I.T. Services Manager and Procurement Manager and purchases are authorised or further examined as required.

Major new proposals are taken to the ILT Board who will assess technical feasibility, compatibility and strategic fit as well as budget availability and project management requirements.

8.1.3 Cost
The budget forecast is provided by the Central budget holder – the I.T. Services Manager in liaison with other IT strands that hold planning responsibility – specifically E-Learning Resources.

8.1.4 College Consultation
For major implementation, change or capital expenditure outside the remit of the published I.T. Strategy, the concept, technical proposal and associated costs and timescales will be submitted to the College Directorate for approval and additional funding.


8.1.5 Procurement
I.T. procurement methodologies are subject to the College Financial Regulations.

8.1.6 Communication and Preparation
The development is communicated to key users and marketed to all proposed users. A project team comprising I.T. trainers, project managers, developers and lead specialists is set up and an implementation, training and support plan prepared with the stakeholders. Implementation and Training takes place.

The system is supported and cascaded to further users. The system provision and quality is reviewed and reported to the Directorate. Development is agreed and taken into the next phase of the procurement cycle.

8.1.7 Enforcement
The College executive directors may approve a concept for exploration, but College managers must be aware that no system, technology or major refurbishment or software acquisition will be approved for purchase by the College Directorate until the necessary stages of I.T. feasibility, cost and available budget are available and agreed by ILT Board.

9. Physical Security Controls

Protection of Sensitive Areas
Access to network hub areas and server areas is restricted to a small number of named I.T., Estates, Security and supervised contractor personnel. Keys will not be released to any other persons. The I.T. Services Manager, Estates Manager and Security Manager will supply the Security Department with the names of staff leavers from their sections. Key Site Hubs and resilient back-up Hub areas are adequately maintained and secured with additional environmental and fire alarm equipment as described in detail in the Disaster Recovery and Business Continuity Plan.


10. Change Control - Software

10.1 Version Control
Operating System and Application System version directly affect what the end user sees and how they interact with systems. The College strives to supply “state of the art” systems that are relevant to what its students will see when they take up employment. The College agrees update of its operating and application platforms via a strategic process, managed by I.T. Services that:
a) Ensures coherence across the installed base;
b) Ensures that teaching staff and students use systems that might maximize on the potential of pre-prepared teaching aids and learning materials;
c) Supplies a platform that is compatible with and has been tested to support key College business applications and backbone systems;
d) Simulates the typical systems that students will encounter in employment.

Timing and preparedness that involves the replacement of many teaching materials and the re-training of staff is the key to a smooth implementation and it is College policy that no individual College section changes the operating system base or the application system base without authorization of the I.T. Services Section who supply the College strategic technical plan and licensed software provision.

10.2. Stages of process:

10.2.1 Proposal for Software Upgrade
The proposal may arise in user groups, functional strategic management processes or from tutors, users or providers. All proposals must be agreed by the ILT Board.

10.2.2 Technical Consultation & Acceptance Testing
The proposal is examined by the College I.T. Technical Services Team who will examine technical feasibility, compatibility, the need for technical change, test results of the version proposed and assess the impact of the process and whether a partial process will be feasible.

10.2.3 Cost and Licensing Cover
Our licensing status and whether there are any costs associated with the proposal will be examined by the Central budget holder – the I.T. Services Manager and Compliance Manager.

10.2.4 College Consultation
For major implementation or change – i.e. site-wide proposals, the proposal and technical authorization is approved by the College Directorate, following ILT Board recommendation.

10.2.5 Software Procurement
If necessary, the software is procured subject to the College Financial Regulations.


10.2.6 Communication and Preparation
The development is communicated to key users and marketed to all proposed users. A project team is set up and an implementation, training and support plan prepared.

10.2.7 Implementation and Training takes place.

10.2.8 The system is supported and cascaded to further users.

10.2.9 The system provision and quality is reviewed and reported to the Directorate.

Enforcement
No system, technology or software acquisition is approved by the College Directorate until the previous stages of examination are signed off.

10.3 Technical Communication Control – Code Word
I.T. Services occasionally issues instructions, warnings or advice to the College and sometimes requires College users to take emergency preventative action e.g. allow an automatic script to proceed across all PCs to instigate an emergency Sophos patch due to a new virus.

To ensure that our messages are never confused with “chain mail messages” that issue pseudo instructions or Spam emails that urge users to take action and email other users, I.T. Services issues a rotating code word to staff. This code word precedes our communications in capitals and assures staff of its authenticity.

10.4 Technical Controls
Documented specific procedure for technical control of patches, service pack, anti-virus software and other operating system and firmware management may be found in the I.T. Services Backbone Server Documentation Set, retained by the College Server Team and not available for general publication.

11. User Access Controls

11.1 New Staff Users
Personnel must notify I.T. Services of appointed new staff, via an online form. The form is submitted to IT Customer Services who generate a unique PIN identifier that will be known to the new user. Copies of the notification will be sent to Staff Development who will pre-book induction for the new member of staff.

This section of the policy describes the process.

The associated forms and their fields may be viewed in the I.T. and Telephony Acceptable Use Policy – Procedures for New Staff/Students and for Staff/Student Leavers.


Personnel will complete the online form when new staff are appointed. The form is submitted to IT Customer Services (with a copy to Staff Development who will pre-book induction).

New staff login accounts are advance supplied and secured with a password known only to I.T. Services staff. Authentication PIN numbers, identified by a small red envelope, are sent for the personal attention of new staff, via their managers. Mandatory induction is advance booked by the Staff Development team who notify the new member of staff, by letter to their home address, of course dates.

New staff contact I.T. Services, Customer Services by telephone once they have their Security ID card on their first day of employment, giving their unique PIN identifier as authentication of their identity.

I.T. Services, Customer Services will ensure that a new, personal secure password is chosen and successfully set. The PC will be remotely configured to allow the new member of staff to use College email and Web links to the policy and the Staff Development system will be posted to the new user’s email.

Mandatory I.T. Induction sessions will run each month to reinforce access rules and begin the process of staff development and assessment regarding access to systems for which training is required. The names of staff who do not attend will be notified to Staff Development for follow-up action.

11.2. Staff Leavers
The Personnel Department will advance notify I.T. Services, Customer Services of full time and part-time staff leavers via an online form which will carry the leave date.

I.T. Services Support team leaders will liaise with College sections to ensure that arrangements are in place for the move and caretaking of any data or incoming email.

Accounts and emails of staff leavers will be de-activated after 4.30pm on the leave date and group memberships updated.

Area managers are responsible for the voice mail of all staff leavers and must replace it with a generic College welcome message and appropriately diverted extensions.

Personnel will supply a monthly list for reconciliation of records, which is carried out by IT Customer Services Staff.

11.3 New Student Users
New student details are updated from EBS Records System in real time, to the access systems, print system and Live@Edu email system and filestore systems. All enrolled students have signed the Student Learning Agreement to agree compliance with College policies.

Students are pre-notified of a one-time only single use password format for initial access. Their ID is always their unique student enrolment number. This password includes elements of the student name and date of birth. On first use of this access, the student is forced to personalise the password for later use and also to set authentication options for forgotten password. The student password is a minimum 6 alpha-numeric characters and is subject to enforced change to a unique password every term.

A generic student login and password is available on a building basis to allowfor essential assessments prior to course module choice and enrolment. Thispassword allows workstation access – but does not allow network filestoreaccess. The password changes every month.

11.3.1 Student LeaversStudent College withdrawals from College are supplied by the EBS StudentRecords Manager as soon as withdrawal status is agreed as complete, so thatstudent accounts may be disabled.

11.4 Staff and Students Suspensions and DismissalsSuspensions and dismissals are notified by telephone to the CustomerServices Emergency Line by the Directorate at the time of suspension ordismissal. Accounts and emails are deactivated or suspended immediately thenotification is received.Area managers are responsible for the resetting of staff voice mail.

11.5 Third Party Support AccountsThird party organizations are contracted to support specific systems within theCollege.

Third parties will access the College internal systems by a preferred VPN(Virtual Private Network) and will be supplied a VPN access key and anaccount from their premises to the specific system required.

Organizations that use a legacy modem to access a specific system willrequest access in advance of the modem being connected and will advise ofclose of session to enable the modem to be disconnected.

11.6 Visitor and Guest Accounts – Staff Internal Systems

The College does not supply Guest accounts to its staff internal systems and does not allow the use of non-College owned equipment to connect to College wired networks on its premises. Access to the secure, web-only wireless VLAN is allowed, via an authorised personal username and password.

Each visitor – company, inspector, associate organization – will be required to apply for access in advance via their staff hosts, who will collect requirements to ensure security for the College and a professional service for the visitors.

Requirements will include the hire of College equipment, the use of own equipment, anti-virus software and own-equipment acceptability, requirements for network access, requirements for system access, requirements for test run and support, and the dates/times that access will be required.


I.T. Services staff will work with visitor organizations to provide services within the guidelines of College policies and to secure the area after use.

Enforcement

The process is communicated to managers, who are responsible for ensuring that visitors take advantage of the service, and is regularly utilized for College Inspection and some audit requirements.

Visitors (and College managers who do not use the advance notification process) may not be assured of access or timely support and will be refused access if any aspect of the proposed use is considered by technical staff to be a threat to the security of College systems.

College Managers will support the process.

12. Account Password Security

Bradford College implements controls to quality assure secure access and authentication to its systems. The I.T. Security Policy – Procedure for Password Controls details the specific rules and procedures in place.

The following is enforced:

- Personal identity and enforced password change;
- Personal and shared filestore with enforced authentication;
- Mandatory induction training;
- Staff and Student ID/secure password pair that is initially set and personalized as described in Section 3.2.1 and Section 3.2.3;
- Rigorous control of generic accounts;
- Controls of legacy modem and preferred VPN routes for third party access.


13. Individual System Access Rights

13.1 Initial Login – Default Accesses

Access to business systems (staff) and the VLE and related learning systems (students) is dependent upon the login and password pair. Change of password is enforced every 30 days (staff) and every term (learners), and user account deletion and suspension follows the process described in section 6 for staff and students.

Staff default accesses are:

- Personal Filestore;
- Print Services;
- College E-mail;
- Staff and Student Intranet;
- Internet Access;
- Web Systems – Staff Development Booking, Internal Service Booking;
- VLE access (teaching staff).

Student default accesses are:

- Personal Filestore at Live@Edu;
- Print Services;
- Live@Edu E-mail account;
- Student Intranet;
- Internet Access;
- Web Systems – Learning Resource Place booking;
- VLE access;
- Library access.

13.2 Additional System Access Authorization

Programme Managers and Service Managers determine individual system access requirements and submit these on a Staff System Access Form that is circulated to individual Systems Managers in advance of the start date.

System Managers will authorise access to:

- EBS Web Client;
- *VLE Course Design;
- *Finance System;
- *Proachieve;
- *Admissions System;
- *Exams System;
- *EBS Enrolment Full Client

and will notify users of usernames and passwords.

All systems tagged with a * are dependent upon user training, which is added to induction training.


14. Security of Service from Internal/External Sabotage

14.1 Protection of Users

The College strives to provide its users with reliable, relevant services that support and inspire learning and underpin efficient business and communication processes. We are conscious of the need to balance a degree of academic freedom for HE (Higher Education) users and staff research with our responsibility to FE (Further Education) students, many of whom are minors.

We are aware that a large population of young users, formerly restricted by tighter Internet filtering within schools, could be a potential risk to the College reputation – particularly in view of the messages they might send, the data they might access and store, and the publications they might create on our equipment, from our site and in our name. A number of rules and tools exist to ensure the safe operation of our business and our users, and also to assist us in identifying user actions that are in breach of policy.

14.2 Internet Access – Website Filtering

We do not provide our own Internet “Allowed” and “Barred” subset views, popular with many schools – and do allow full Internet access via SuperJANET from our site. However, to protect our users from an unregulated Internet, we do operate a “barred” list of known Websites that contain unacceptable content or represent unacceptable activity. Squidguard, running on Redhat Linux, supplies the list and is automatically updated on a monthly basis.

Teaching staff may request a barred site to be allowed, should the tool be found to prevent access to a required element for a course – and this would be processed following investigation of the site and agreement of the College.

14.3 Enforced Access Paths

All users on College premises are required to access the public Internet via a firewall, a College supplied PC and an authorised College network address and infrastructure port.

14.4 Network Monitoring and Reporting

Monitoring of network traffic will detect unusual traffic patterns and internal sabotage attempts.

The introduction of unauthorised user equipment, tampering with College equipment, unauthorised changes to network settings, introduction of unauthorised software, and provision of electronic, wiring or wireless devices that will introduce, change, bridge or route network access paths is a serious breach of the Acceptable Use Policy.


14.5 Enforcement – Disciplinary Action

Unauthorised actions will be investigated and reported to the College Directorate, and unauthorised equipment will be disabled and removed. Staff and students who attempt to sabotage the College provision will be disciplined and, depending upon the severity of the attempt/incident, dismissed.

The authorisation of investigation procedural form may be found in the I.T. and Telephony Acceptable Use Policy – Procedure for Investigation.

14.6 Anonymous E-mail Access

The College used to block student anonymous access to free E-mail systems, allowing only supervised access during the first term for International students who were familiarising themselves with their new email accounts and needed to keep in touch with home. Currently the College supports the use of freemail and social networks throughout the day from its premises and does not use central enforced restriction. Individual tutors are able to restrict use of social networks within classrooms that are fitted with IT equipment, using a teaching management tool for the session.

14.7 Unusual File Storage Patterns

The College applies thresholds to enforce responsible use of expensive filestore resources – and will investigate user filestore should traffic patterns, access patterns or disciplinary investigations require evidence.

14.8 Anti-Virus Software

All internal desktop devices and Servers will be provided with Sophos anti-virus software. No user is permitted to tamper with or remove this software. Automatic online updates will detect and deal with a high percentage of known viruses. From time to time new virus patterns will emerge in advance of antidote software, and notification of these viruses and common hoax viruses will be circulated via Email and Intranet.

14.9 SPAM

Bradford College does implement Spam-tagging for email that reaches a threshold set for site SPAM, and such email is forwarded to the user with a tag.

College user email addresses are not published externally in a format that might be easily harvested for SPAM, and all listed email addresses are listed as text.

An Internet search will display only several email addresses at a time and will not produce a result for search criteria that do not include a known part-name.

14.10 Infrastructure Access and Controls

Development, testing and maintenance of the network infrastructure is managed solely by the I.T. Services Team.

External Contractors and internal staff carrying out work on the infrastructure will operate under the direction of the I.T. Services Manager.


Contractors and internal staff providing new systems that will be connected to the infrastructure and will transmit data over the infrastructure will discuss requirements and agree all stages of work with the I.T. Services Manager.

14.11 Teaching Requiring Infrastructure Control Access

The delivery of courses involving the configuration, test and development of networks will be conducted on separate equipment and local infrastructure. Such equipment will never be connected to the main College Network.

14.12 Wireless Workstations and Peripherals

14.13 Wireless Access Points

Wireless Access Points are centrally managed by I.T. Services staff and subject to restrictions as described in the Visitor Access section of this Security Policy.

Internal authentication is subject to username and password and restricts operation to a web-only VLAN.

15. Telephony Controls

This section summarises the key controls. Rules relating to the use of telephony are to be found in the I.T. and Telephony Acceptable Use Policy.

The Managed Services Contractor will make changes to level of service only when requested by the I.T. Services Telecommunications Specialist or I.T. Services Manager.

Free telephone ports will not run active extensions.

Billing is centralised.

Call statistics and itemised external line costs will be monitored to detect changes in use and high costs incurred.

Anomalies will be reported and subject to investigation/disciplinary procedure.


16. Breach of Policy – Investigation Procedure

16.1 The College will investigate reported breaches of policy. These may arise from the results of routine network or telecomms bill monitoring, from manager reports of observed/suspect activity, from other users or external agency complaints, from third party suppliers of service, or from the police.

16.2 In all cases where investigation is requested, Part One of the Request for Authorisation of Investigation Form must be completed and submitted to Directorate for authorization. The form is available on request from the I.T. Services Manager or Directorate, and a copy may be seen in the I.T. and Telephony Acceptable Use Policy – Procedure for Authorisation of I.T. Investigation.

16.3 The Directorate will complete and sign the authorization, returning the form to the I.T. Services Manager, who will allocate appropriate resources and a control manager to the investigation.

16.4 The I.T. Resources available are senior personnel, each of whom has signed an additional contract of confidentiality to the contract that all I.T. Services Staff sign. This manager will sign the authorization form.

16.5 The control manager will be either the section manager of the person under investigation, the I.T. Services Manager, or a member of the College senior staff, Directorate or a Governor. This manager will sign the authorization form and will accompany the investigating I.T. officer to ensure that only the appropriate area is investigated and to advise regarding the areas of work that are suspect.

16.6 Together with the accompanying manager, the I.T. investigating officer will produce a report to be retained by the Directorate.

16.7 The Directorate will take action as required and will return the report and the initial authorization to the Personnel Department for secure filing.


17. Controls in the Case of Fire

Data that is backed up is stored in designated firesafes for retrieval in the case of disaster. I.T. Services staff are responsible for the operation of the procedure, which is described in the I.T. Disaster Recovery Policy – Firesafe, Backup & Restore Procedure.

18. I.T. and Telephony Acceptable Use

The policy for I.T. & Telephony Acceptable Use applies to everyone – employees, students and third parties who use the College’s telephone, e-mail, intranet and internet facilities (“the I.T. Facilities”). This policy must be read and adhered to in respect of any use of the I.T. Facilities. Any questions as to the meaning or effect of this policy should be directed to I.T. Services.

The policy is published on the College Intranet and is available in hard copy as staff are appointed and when students enrol.

19. I.T. Disaster Recovery Plan

The I.T. Disaster Recovery Plan specifies the framework, which Bradford College provides, to risk assess its I.T. systems and respond to an I.T. emergency or disaster. The plan provides a sub-set to the College Disaster plan and is published with its associated procedures on the College Intranet.


Appendix 1: Summary of Legal Requirements

Computer Misuse Act (1990)

This act safeguards against hacking and specifies 3 main offence areas.

Users will not:

- Use unauthorised access – for example, using another person's username and password, either with or without their permission; impersonation via email; attempting to access another user's files without their express permission; copying of software;
- Use unauthorised access with intent – for example, accessing financial, administrative or examination data without authorisation;
- Make unauthorised modification – for example, deliberately destroying or changing software or another user's files; changing data; or creating, introducing or transmitting a virus.

Maximum penalty for breach is up to 6 months imprisonment or up to a £5000 fine.

Data Protection Act (1998)

This act requires all members or agents of the College (staff, students and associates) to abide by the terms of the College's registration with the Data Protection Registrar.

Any College data users must comply with the eight Data Protection Principles of good practice contained within the Act. Broadly these state that personal data must be:

1. Obtained and processed fairly and lawfully;
2. Held only for the lawful purposes described in the data user's register entry;
3. Used only for purposes, and disclosed only to those people, described in the user entry;
4. Adequate, relevant and not excessive in relation to the purpose for which they are held;
5. Accurate and, where necessary, kept up to date;
6. Held no longer than is necessary for the registered purpose;
7. Accessible to the individuals concerned who, where appropriate, have the right to have information about themselves corrected or erased;
8. Surrounded by proper security.

Information relating to a living person should not be stored unless their permission has been obtained;

Unless the person has given permission, no information may be stored that enables a data subject to be identified by gender, race or colour;

This means that pictures of individuals cannot be stored unless they have given their permission.


Obscene Publications Act (1959)
Protection of Children Act (1978)
Criminal Justice and Public Order Act (1994)

These Acts specify the legal requirements for the protection of minors. Transmission or storage of pornographic, violent or offensive material is illegal for electronic as well as paper communications. Instances of such material found on College sites will be investigated and legal action will be taken.

Race Relations Act (1976)

This Act forbids discrimination against any person on the grounds of race or ethnic origin. It also provides protection against incitement to racial or ethnic discrimination. Thus, any material which either discriminates or encourages discrimination on racial or ethnic grounds is likely to contravene the Act and may lead to criminal prosecution of those responsible. Such information should not be stored or transmitted electronically.

Sex Discrimination Act (1975)

This Act forbids discrimination against any person on the grounds of gender or marital status, inclusive of the advertising of material that may be discriminatory.

Public Order Act (1986)

Forbids material which encourages racial hatred or in any way threatens or insults others or may be considered abusive.

Equal Opportunities (Full Participation) Act (1995)

This Act forbids discrimination against any person on the grounds of disability.

Official Secrets Acts (1911-1989)

Much information handled by Government Offices, and even suppliers and customers of Government, is covered by these Acts. Extreme caution must, therefore, be exercised before storing or transmitting any material which refers to national or international defence, intelligence, security or international relations. Heavy criminal penalties will be incurred if any user is in breach of the Act.

Libel Defamation Act (1996)

Libel and defamation are civil offences which can incur heavy financial penalties. As it is complicated, it is one of the easiest laws to contravene through ignorance. Any facts which are published electronically concerning individuals or organizations (inclusive of opinions about them) must be accurate and verifiable. Views or opinions must not portray their subjects in any way which could damage their reputation.


Copyright Designs and Patents Act (1988)

Various Copyright, Designs and Patents Acts exist which protect the intellectual property of individuals. In general, these various Acts require that the permission of the owner of the intellectual property MUST be sought before any use of it is made whatsoever.

Code of Advertising Standards and Practice (1998)

It is not expected that any of the College's electronic services would be used for placing and distribution of commercial advertisements, although the platforms do advertise College courses, facilities, halls of residence accommodation etc. However, if advertisements are placed then they must comply with the Code of Practice for Advertisers issued by the Advertising Standards Authority, which requires in summary that all advertisements should be 'legal, decent, truthful and honest'.

Human Rights Act (1998)

Makes part of UK Law rights included under the European Convention on Human Rights: covers right to life; to marry; to education; private property; fair civil procedure; free election; freedom of thought; assembly; association; expression; religion; conscience; freedom from slavery; torture and discrimination. It should be noted that permission is required for publication of material and photographs in which the general public feature.

Regulation of Investigatory Powers Act (2000)

Specifies the framework governing the interception of electronic communications (data, fax, voice, inclusive of email) on public and private networks: rules (Lawful Business Practice) permit such interception for purposes of investigation of unauthorised use (phones, email), checking of compliance to standards, monitoring of performance and functionality of systems, and provision of evidence of business transactions.

Electronic Communications Act (2000)

Includes a directive on electronic signatures with regards to their use as evidence.

Terrorism Act (2000)

Includes provision for the trying of hackers under the terms of the Act.

NB. There is a general requirement in law against incitement of others to commit criminal acts and, in some instances, even to contemplate committing criminal acts. It should be noted therefore that any material published electronically which incites others to criminal acts, or incites them to contemplate such acts, is likely to be illegal.


RELATED PROCEDURES AND FORMS:

RELATED POLICIES:

APPENDICES: