This policy was last reviewed by the Information Security Working Group in August 2022.
This policy was last approved by Information Security Working Group in September 2022.
Purpose and scope
The Information Security and Data policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services). The policies, associated processes and procedures are designed to reduce information-related risk to tolerable levels. Everyone must adhere to these policies to keep the College and its people secure from Information Security risks, such as ever-evolving cyber-threats or non-compliance with the Data Protection Act 2018.
This policy sets out the account and password requirements for anyone granted permission to use College IT services (e.g. software, computers and network) and those responsible for managing them. The College operates on the principle of least privilege, and therefore only the appropriate level of access will be provided.
Non-compliance of policies puts people and the College at risk. A breach of information security may result in damage to you, our students, or your colleagues through the loss of control over personal data or confidential data, identity theft, fraud or financial loss. Breaches to this policy also put the College at risk of cyber-threats, legal action and regulatory penalties. Additionally, sometimes damages are irreparable and have serious reputational consequences.
Therefore non-compliances may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action.
Accounts and passwords
Passwords verify an individual's identity and allow access to a device, application or website and therefore maintains the confidentiality of systems and information. Consequently, they must remain secure and a secret (known only by the account owner).
Individuals given access to College IT services will be issued a unique ID which may include an email address. It is their responsibility to take the following reasonable steps to protect them.
- be for the sole use of the individual issued to
- not be shared with others
- be logged out when finished
- be removed after 6 months from the end of a contract
In some circumstances, an individual delegates responsibility for managing another email account, but only with clear written permission from the owner. Delegation does not require sharing of account details, so please contact [email protected] for assistance.
- Remain unique (never use the same password for both personal and College accounts), confidential and secure.
- Be changed if an account has been (or suspected of being) compromised.
- Be at least 12 characters long.
- Never be shared, not even with IT Services.
- If individuals must write passwords down on paper, the note should be stored safely out of sight of others and kept safe at all times. However, writing passwords on paper is strongly discouraged.
- Use Multi-Factor Authentication (MFA) when accessing College systems and services, and not share the MFA applications or method (e.g. single-use password token generator etc.) with anyone.
Under no circumstances should an individual request someone’s password. If they do, signpost them to this policy and if they continue, report it to their line manager or IT Services. This includes being vigilant of request for their account password through email and other means, and at no point should divulge their password when requested. Often external criminal elements use various means to trick individuals in order to gain access to their account.
System-level and high privileged accounts pose a greater risk to College assets as they have extensive access to services and resources. Therefore additional steps are required:
- Periodically review privileged access and remove when no longer required.
- Temporary accounts must have an end date.
- Respect the rights of all users, the integrity of the systems and data.
- Follow the change management process for provision and revocation of privileged rights; be aware they are personally responsible for privileged accounts and place them in a position of considerable trust.
- Use system or service accounts for scripts, services, password vaults or other automated processes.
- Use a separate standard account for daily use if responsible for a privileged account (e.g. local, domain administrator).
- Not use an administrator account to login, unless the purpose of the session is solely to make administrative changes.
- Not conduct any general web browsing or access email using a privileged account.
- Not use privileged access to make any changes that will compromise the security or integrity of a device, application or website.
- Where an account password (for services) is shared by a group of staff, use secure methods of storing passwords (e.g. password managers).
- Multi-Factor Authentication must be used to strengthen the login process.
Data security breach process (internal)