This policy was last reviewed by the Information Security Working Group in April 2020.
This policy was last approved by the Information Security Working Group in April 2020.
Purpose and scope
The Information Security policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services) from ever-evolving cyber threats. The policies, associated processes and procedures help reduce information-related risk to tolerable levels.
This policy sets out the responsibilities and required behaviours for anyone granted permission to use College IT services (e.g. software, computers and network).
Non-compliance puts everyone at risk (including the College) from cyber threats and legal and regulatory penalties. Therefore, this may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action. A breach may result in damage to you, your colleagues and friends, such as loss of control over personal data, discrimination, identity theft or fraud and financial loss.
Accounts and passwords
Individuals given access to College IT services will be issued a unique ID which may include an email address. It is their responsibility to take reasonable steps to protect them (see the Account and Password policy for more information).
IT equipment provided remains the property of the College and is managed by IT Services. Individuals must ensure:
● Fixed items (e.g. monitors, personal computers, printers) remain on-site and connected to the network;
● Software is updated regularly, and devices locked when left unattended;
● Damaged, lost or stolen items are reported to the IT Service Desk immediately;
● Equipment is made available to IT Services when requested.
Personally owned devices
Staff are not generally required to use their privately-owned equipment for work purposes; however, in some circumstances, it might be necessary. Individuals must carry out appropriate due diligence to mitigate the increased risk of using their own devices, especially when working with confidential data. This means their devices:
● are encrypted and protected with a strong password;
● have a supported operating system (e.g. Apple macOS, Microsoft Windows) with security updates regularly installed, including third-party applications (e.g. Adobe Acrobat);
● auto-lock after a short period (e.g. 10 minutes);
● have anti-virus software installed, updated regularly and a firewall running at all times;
● have a separate, secured account for work purposes, so others do not have access to confidential or sensitive information.
Visit the College's information security intranet pages for help keeping devices up to date and secure.
Personal use of College IT services
Occasional personal use of College IT services is allowed with the following conditions:
● such activity must not:
○ interfere with the work of the individual or others;
○ contravene College policies;
○ be excessive in its use of resources.
● do not store personal files (e.g. photographs, music, correspondence) on College drives (e.g. Google Drive, file shares, disk drives);
● staff must not use private email addresses to conduct College work.
● activity that contravenes Jisc (the College's internet service provider) policies (https://community.jisc.ac.uk/library/janet-policies);
● illegal activity;
● provide unauthorised individuals access to College services;
● any irresponsible or reckless handling of College data (see the Information Handling Policy).
● using IT facilities to cause alarm or distress to others;
● send unsolicited email (spam);
● create, store, transmit or share material which:
○ is defamatory or obscene;
○ infringes copyright;
○ promotes terrorism or violent extremism;
○ seeks to radicalise individuals to such causes.
● make configuration changes to the IT systems that may undermine the confidentiality, integrity or availability of services (e.g. disable antivirus or firewall);
● install and use unsupported or unlicensed services without seeking permission from IT Services;
● failure to comply with policies and instructions from IT Services or other authorised staff;
● failure to report data security breaches to IT Services.
Obscene material
In very few circumstances, some individuals are required to view obscene materials (e.g. for academic research or investigative purposes). In these cases, they must seek written approval from an Ethics Committee, their Head of Department or the Chief Information Officer and inform IT Services.
Information security policy suite
● Data Protection Policy;
● Data Breach Policy.
Information security guidance
● Information security training (mandatory)