This policy was last reviewed by the Information Security Working Group in August 2022.
Purpose and scope
The Information Security and Data policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services). The policies, associated processes and procedures are designed to reduce information-related risk to tolerable levels. All staff must adhere to these policies to keep the College and its people secure from Information Security risks, such as ever-evolving cyber-threats or non-compliance with the Data Protection Act 2018.
This policy sets out the responsibilities and required behaviours for anyone granted permission to use College IT services (e.g. software, computers and network).
Non-compliance of policies puts people and the College at risk. . A breach of information security may result in damage to you, our students, or your colleagues through the loss of control over personal data or confidential data, identity theft, fraud or financial loss. Breaches to this policy also put the College at risk of cyber-threats, legal action and regulatory penalties. Additionally, sometimes damages are irreparable and have serious reputational consequences.
Therefore non-compliances may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action.
Effective security is a team effort involving the participation and support of every College employee, student and third-party who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
Accounts and passwords
Individuals given access to College IT services will be issued a unique ID which may include an email address. It is their responsibility to take reasonable steps to protect them. See the Account and Password policy for more information.
IT equipment provided, remains the property of the College and is managed by IT Services. Individuals must ensure:
● Fixed items (e.g. monitors, personal computers, printers) remain on-site and connected to the network. Where adjustments need to be made, and computing equipment needs to be taken off-site, permission is sought from IT Services;
● Software is updated regularly;
● Devices locked when left unattended and screen-locked when left unattended for short periods;
● Ensure appropriate care is taken when using computing equipment to avoid damage, loss or theft of item.
● Damage to, lost or stolen items are reported to the IT Service Desk immediately;
● Equipment is made available to IT Services when requested.
Personally owned devices
Staff are not generally required to use their privately-owned equipment for work purposes; however, in some circumstances, it might be necessary. Individuals must carry out appropriate due diligence to mitigate the increased risk of using their own devices, especially when working with confidential data. This means they:
● Enable disk encryption and protect with a strong password
● Have a supported operating system with security updates regularly installed, including third-party applications (e.g. Adobe Acrobat)
● Enable auto-lock after a short period (e.g. 10 minutes)
● Have anti-virus software installed, updated regularly and a firewall running at all times
● Have a separate, secured account for work purposes, so others do not have access to confidential or sensitive information, and ensure the password for the login account is sufficiently long and complex
● Will not use their personal email address to conduct college work
Visit the College's information security intranet pages for help keeping devices up to date and secure.
Personal use of College IT services
Occasional personal use of College IT services is allowed with the following conditions:
- such activity must not:
- interfere with the work of the individual or others
- contravene College policies
- be excessive in its use of resources
- do not store personal files (e.g. photographs, music, correspondence) on College drives (e.g. Google Drive, file shares, disk drives)
- staff must not use private email addresses to conduct College work.
- Activity that contravenes Jisc (the College's internet service provider) policies (https://community.jisc.ac.uk/library/janet-policies);
- Illegal and fraudulent activity
- Provide unauthorised individuals access to College services
- Any irresponsible or reckless handling of College data (see the Information Handling Policy).
- Using IT facilities to cause alarm or distress to others
- Send unsolicited email (spam)
- Use College IT resources to carry out cyber-attacks or break into (hack) College or external computer systems. Unless permitted by IT Services for IT Security activities
- Create, store, transmit or share material which:
– is defamatory or obscene
– infringes copyright
– promotes terrorism or violent extremism
– seeks to radicalise individuals to such causes.
- Make configuration changes to the IT systems that may undermine the confidentiality, integrity or availability of services (e.g. disable antivirus or firewall)
- Install and use unsupported or unlicensed services without seeking permission from IT Services
- Failure to comply with policies and instructions from IT Services or other authorised staff
- Failure to report data security breaches to IT Services.
In very few circumstances, some individuals are required to view obscene materials (e.g. for academic research or investigative purposes). In these cases, they must seek written approval from an Ethics Committee, their Head of Department or the Executive Director of Operations and inform IT Services.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every three years.