Academic year: 2021


IT02 - Information Technology (IT) Security Policy – v3.0 - Page 1 of 18

IT02 - Information Technology (IT) Security Policy

Introduction

1 This policy applies to all IT services administered by Southampton Solent University. It contains:

i General principles for information security, its overall objectives and scope and its importance as an enabling mechanism for information sharing.

ii A statement of management intention, supporting the goals.

iii An explanation of specific security policies, principles, standards and compliance requirements, including:

a Compliance with legislative and contractual requirements;

b Security education requirements;

c Virus prevention and detection policy;

d The general and specific responsibilities for all aspects of information security;

e An explanation of the process for reporting suspected security incidents.

2 This document is based on BS7799-1:1999.

Security Organisation

3 Management Information and Technology Committee (MITC) is responsible for reviewing and recommending the IT Security Policy. Information and Communications Technology (ICT) will act as its executor. From time to time, ICT will present to MITC reports of major initiatives to enhance information security and reports on threats and breaches.

4 ICT will coordinate and provide support where appropriate on issues associated with information security. It is an integral part of the induction programme for all users acting in a staff-capacity (hereafter referred to as staff).

5 Each School and Service is responsible for setting authorisation levels for their own staff and where appropriate for staff across the University. Owners of information systems are responsible for its data and must clearly state the level of access for each user.

6 To ensure that the installation of new equipment will not adversely affect the security of the existing infrastructure, the following process must be followed.

7 Each installation of IT equipment must have the appropriate approval from ICT to ensure that it conforms to the relevant security policies and requirements before connection to any University IT service.


8 ICT offers specialist advice on issues associated with information security threats. This covers possible unauthorised access to data, as well as data corruption due to viruses or other means.

Third Parties

9 This section concerns access by third parties, users other than the University's staff or students, who require non-public access to the University's information and IT systems. All third parties who are given access to the University's information and IT systems, whether suppliers, customers or otherwise, must agree to follow the University's IT policies.

10 All third parties who need to access the University’s information and IT systems must have a University sponsor. The sponsor must be a member of staff who is responsible for maintaining the operational relationship between the University and the third party. The sponsor must provide to ICT a clear statement of the business requirements for access and must liaise with ICT to document and maintain a clearly defined access policy statement that defines the access rights for each user or group of users. The policy must take into account the security requirements of their access and the policies for information dissemination and entitlement. The sponsor must notify ICT of any changes in relationships e.g. a need to withdraw login access.

11 All risks involving third party access to the University's information and IT systems must be identified and documented and suitable controls implemented before access is granted. Access must be controlled such that the minimum access necessary is provided. University staff or students must not permit any information security safeguards to be bypassed or allow inappropriate levels of access to the University's information and IT systems. University staff or students must not divulge their personal login credentials to anyone else.

12 Confidentiality agreements must be signed by the third parties where information being disclosed or made accessible is of a confidential, sensitive or valuable nature.

13 Remote access by third parties to the University's information and IT systems must be controlled by secure access control protocols using appropriate levels of encryption and authentication.

14 University staff responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of Southampton Solent University's information security policies.

15 Any facilities management, outsourcing or similar company with which Southampton Solent University may do business must be able to demonstrate compliance with Southampton Solent University's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

16 All contracts with external suppliers for the supply of services to Southampton Solent University must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.


17 Arrangements involving third party contracts must have the following security items included in the contract:

i General policy on information security;

ii Permitted access methods;

iii A description of the service to be made available;

iv Times and dates when the service is to be available;

v The respective liabilities of the parties to the agreement;

vi Procedures regarding protection of University assets including data;

vii Responsibilities with respect to legal matters e.g. data protection legislation;

viii That the University has the right to monitor and revoke third party activity;

ix The responsibilities regarding hardware and software installation and maintenance;

x The right to audit contractual responsibilities;

xi Any restrictions on copying and disclosing information and issues associated with intellectual property rights;

xii Measures to ensure the return or destruction of information at the end of the contract;

xiii Any physical protection measures that are required;

xiv Any mechanisms to ensure that security measures are followed;

xv Measures to ensure protection against the spread of computer viruses;

xvi An authorisation process for user access;

xvii Arrangements for reporting and investigating security incidents;

xviii Any arrangements for physical access to on-site equipment.

Assets Classification and Control

18 Inventories of assets help to ensure that effective security protection is maintained. An inventory should be drawn up for each major asset associated with each information system. Each asset must be clearly identified and its owner and its security classification documented.

19 The assets associated with information systems include the following:

i The information assets such as databases, documentation, operational procedures etc.;

iii Physical assets such as computers, communications equipment and magnetic media.

20 The physical and software assets inventories are managed by ICT. The University classifies its information to indicate the needs and priorities for security protection. The responsibility for defining the classification of an item of information and keeping an inventory of information assets rests with the originator.

Personnel Security

21 All University staff will receive appropriate training on security procedures and the correct use of IT services before access to IT services is granted.

22 Reports must be written for any security incidents which cause system failures, loss of service, errors resulting from incomplete or inaccurate data, or breaches of confidentiality, and sent to the Director of ICT.

Physical and Environmental Security

23 The following lists the controls for secure areas:

i Several rooms have been identified as being high security areas. Major items of network equipment are housed in secure areas throughout the University. The computer room has been identified as having the highest security;

ii High security areas can only be entered through access-controlled doors. All other doors are kept locked except where access is required for purposes such as delivery of equipment. Access rights to the secure areas will be revoked immediately for staff who leave employment. Third party personnel supplying or maintaining systems should be granted access to the secure areas only when required and authorised. Where appropriate, their access may be restricted and their activities monitored. When vacated, secure areas must be physically locked;

iii Computer consumables, such as stationery, must not be stored within the computer room until required. Fallback equipment and back-up media must be sited in a different building to avoid damage from a disaster at the main site;

iv Smoke detectors and fire extinguishing systems are installed in the main computer room;

24 The following lists the controls to prevent compromise or theft of information:

i Confidential or sensitive data stored on paper, diskettes, CDs or USB memory keys should be kept in a locked cabinet when not in use;

ii Computers must be either shut down and powered off, logged out of and left at the logon screen or password locked (where allowed) when not in use;

iii IT equipment, data or software must not be taken off site by University users without documented authorisation from the Director of ICT (or a suitable deputy).


25 The following lists the controls for equipment security:

i IT equipment should be sited so as to reduce the risk and opportunities for unauthorised access. Monitor screens displaying sensitive data should be positioned to reduce the risk of being overlooked. All equipment should be labelled and, if deemed necessary, marked with INDSOL Tracer;

ii Uninterruptible power supplies should be provided for equipment supporting the critical business operations;

iii Network cabling and network traffic should be protected from unauthorised interception or monitoring by staff or students;

iv Repairs and servicing of the equipment must only be carried out by authorised personnel. A record of all faults or suspected faults must be kept on the Helpdesk system;

v IT equipment, regardless of ownership, used outside the University’s premises to support the business activity should be subject to University management authorisation and with an equivalent degree of security protection as that of on-site IT equipment. The following guidelines should be used:

a Personal computers should not be used at home for business activities unless up-to-date virus detection software is installed;

b When travelling, equipment and media must not be left unattended in public places. Portable computers should be carried as hand luggage when travelling;

c Portable computers which are vulnerable to theft, loss or unauthorised access when travelling, must be provided with an appropriate form of access protection e.g. passwords to prevent unauthorised access to their content.

vi All items of equipment containing storage media or any removable magnetic media should be checked to ensure that any sensitive data or licensed software are removed or overwritten prior to disposal;

Computers, Servers and Network Management

Servers and Systems

26 Operating procedures should exist to cover the following areas:

i Server start-up and shutdown procedures;

ii Back-up procedures;

iii Instructions for handling errors and exceptional conditions;

iv System restart and recovery procedures for use in the event of system failure.

27 Logs must be written for any incidents that cause system failures, loss of service,

analysing and identifying the cause of the incident, and recommending the implementation of remedies to prevent recurrence. Evidence of the security breach should be part of the report along with any audit trail. Actions taken to correct and recover from a security breach should be documented. The items that may appear in the report include:

i Evidence in relation to a potential breach of the employment contract or student regulation;

ii Evidence in the event of proceeding under a breach of the law.

28 Segregation of duties minimises the risk of negligent or deliberate system misuse and consideration should be given by management for separating the execution of certain duties and areas of responsibility. Areas of high risk include financial, personnel and student records.

29 Segregation of development and operational services is desirable to reduce the risk of accidental changes or unauthorised access to operational software and data. The following controls should be considered and may be implemented depending on financial considerations:

i Development and operational software should where possible be run on different servers or in different domains or directories;

ii Different usernames and passwords should be used on development systems than on operational systems.

30 Acceptance criteria for new systems should be established and suitable tests carried out prior to acceptance. The requirements and criteria for acceptance of new computer systems should be clearly defined, agreed, documented and tested. The following items should be considered:

i Performance and computer capacity requirements;

ii Preparation of error recovery and restart procedures, and computer contingency plans;

iii Preparation and testing of routine operating procedures to defined standards;

iv Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times;

v Training in the operation or use of new systems.

31 For major new developments, the users should be consulted at all stages in the development process to ensure the operational efficiency of the proposed system design. Appropriate tests should be carried out to confirm that all acceptance criteria are fully satisfied.

Virus Detection

32 Virus detection and prevention measures must be implemented on all computers and users should ensure that the anti-virus software is being used.


33 Actions against major virus infection occurrences will be managed by ICT, who may shut down the network infrastructure and/or services without notice, to limit the damage being caused. Patches, fixes and virus eradication software may be forced to run on workstations without the user's knowledge or consent.

34 Virus 'repair' software should be used with caution and only in cases where virus characteristics are fully understood and the correct repair is certain.

Data and Software Backup

35 Backup copies of essential business data and software are taken regularly.

36 Backup arrangements for central systems are the responsibility of ICT and must meet the following minimum standards:

i A minimum level of backup information, together with logs of the backup copies, is stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. At least three generations of backup data should be retained for important business applications;

ii Backup data should be given an appropriate level of physical control. The controls applied to media at the main site should be extended to cover the backup site;

iii Backup data should be regularly tested, where practicable, to ensure that it can be relied upon for emergency use when necessary. Data owners should specify the retention period for essential business data and also any requirement for archive copies to be permanently retained.

37 Backup arrangements for Personal Computers are the responsibility of the School or Service but must meet the following minimum standards:

i A minimum level of back-up information, together with accurate and complete records of the backup copies, should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. At least three generations of back-up data should be retained for important business applications;

ii Backup data should be given an appropriate level of physical security, consistent with the standards applied at the main site;

iii Backup data should be tested, where practicable, to ensure that they can be relied upon for emergency use when necessary;

iv Procedures for handling sensitive data such as cheques, invoices and payroll records should be established in order to protect such data from unauthorised disclosure or misuse.

Fault Logs

38 IT staff should maintain a log of all operations carried out. A separate fault log should be kept for central servers and network systems that list faults reported and actions taken. The fault logs should be reviewed regularly to ensure that problems have been satisfactorily resolved. Corrective measures should be reviewed to ensure that security controls have not been compromised and that the action taken is fully authorised.

Network Controls

39 A range of security controls is required for computer networks. Appropriate controls must be established to ensure the security of data in networks and the protection of connected services from unauthorised access. In particular, the following items should be addressed:

i Responsibilities and procedures for the management of remote access must be established;

ii Special controls should be established, if necessary, to safeguard the confidentiality and integrity of data passing over public networks;

iii Staff and student data networks must be configured to ensure that unauthorised access through network listening is avoided;

iv Protection of the University’s infrastructure and information by the appropriate use of firewall technology.

Computer Media and Documentation

40 Procedures for the management of removable computer media such as CDs, USB storage and printed reports should include the following controls:

i Use a data storage system that avoids the use of descriptive labels;

ii Storage of media in a safe, secure environment;

iii All procedures and authorisation levels for access to media should be clearly documented.

41 Computer media should be disposed of securely and safely when no longer required. Clear procedures for the secure disposal of media should be established. The following guidelines should be included:

i Media containing sensitive information should be disposed of securely and safely by incineration or shredding or erasing the data from magnetic media;

ii Disposal of some sensitive items may require logging for future reference and to maintain an audit trail.

42 Procedures for handling sensitive data such as cheques, invoices, credit card details and payroll records must be established in order to protect such data from unauthorised disclosure or misuse. The following items must be covered:

i Handling and labelling of the media;

ii Where required, maintenance of a formal record of the authorised recipients of data;


43 System documentation may contain a range of sensitive information e.g. descriptions of application processes, procedures, data structures, authorisation processes. The following controls should be applied to protect system documentation from unauthorised access:

i System documentation should be secure;

ii The distribution list for system documentation should be kept to a minimum and access to such documentation should be restricted to authorised personnel only;

iii Computer generated documentation should be stored separately from the application system and assigned an appropriate level of access protection.

Data and Software

Data Exchange

44 Formal agreements must be established for the exchange of data between the University and external organisations. The security contents of such agreements must reflect the sensitivity of the information involved. Agreements must include the following:

i Management responsibilities for controlling and notifying transmission, despatch and receipt;

ii Procedures for notifying transmission, despatch and receipt;

iii Minimum technical standards for packaging and transmission;

iv The responsibilities and liabilities in the event of data loss;

v Data and software ownership and responsibilities for data protection and similar considerations;

vi Any special measures required to protect very sensitive items.

45 Computer media can be vulnerable to unauthorised access, misuse or corruption during transportation. The following controls must be applied to safeguard computer media when being transported between sites:

i Reliable transport or couriers must be used;

ii Packaging must be sufficient to protect the contents against any physical damage likely to arise during transit;

iii Special measures must be adopted when necessary to protect sensitive information. This may include the use of locked containers or delivery by hand.

46 Controls should be applied, where necessary, to reduce the business and security risks associated with electronic data interchange, e-mail and online transactions. Issues that should be addressed include the following:


i The vulnerability of data or messages to unauthorised access or modification;

ii The vulnerability to error, e.g. incorrect addressing or misdirection, and the general reliability and availability of the service;

iii The security and data protection implications of publishing directory entries;

iv Legal requirements associated with proof of origin;

v The need for security measures to control remote user access to computer accounts.

47 Controls for electronic commerce must include:

i Authentication – customer and trader identity;

ii Authorisation – restricting access to authorised staff only;

iii Contract – confidentiality, proof of despatch and receipt;

iv Pricing – confidentiality;

v Liability and Settlement – guarding against fraud and who carries the risk.

48 The University has a separate policy regarding the status and use of email, especially with regard to its use for authorisation purposes.

49 Care must be taken to protect the integrity of electronically published information to prevent unauthorised modification which could harm the reputation of the University. Information stored on Web servers accessible via the Internet needs to comply with UK laws and University rules. All electronic publishing systems, including the web-based ones, should be carefully controlled so that:

i Information is obtained and displayed in compliance with the data protection legislation;

ii Information input to, and processed by, the publishing system will be complete, accurate and current;

iii Sensitive information will be stored correctly.

50 Care should be taken to ensure that the exchange of information through the use of voice, fax and video communication services is protected. Information could be compromised due to:

i Phone-call being overheard;

ii Message stored on an answering machine being overheard, or being played back by an authorised person;


Software

51 Formal software agreements should be established for procured software between the University and the software company. The security contents of such an agreement must reflect the sensitivity of the business information involved. Agreements must include the following:

i A software escrow agreement;

ii Software ownership and software copyright compliance;

iii The responsibilities and liabilities in the event of data loss through software malfunction;

iv Access controls for remote connections to the system and any special measures required to protect sensitive data items.

52 Clear procedures and guidelines are required to control the business and security risks associated with electronic office systems and the use of electronic signatures. Requirements and issues which should be addressed include the following:

i The possible need to exclude categories of sensitive business information;

ii The need for a clear policy and controls to manage data and information sharing, e.g. shared data files or the use of corporate electronic notice boards;

iii The possible need to restrict access to diary information relating to selected individuals;

iv The suitability, or otherwise, of the system to support business applications, such as communicating requests and authorisations;

v The categories of staff and students that are allowed to use the system and the locations from which it may be accessed;

vi The possible need to restrict selected services to specific categories of user;

vii The policy regarding retention and back-up of information held on the system;

viii The requirements and arrangements for fall-back.

User Access Management

53 There must be a formal user registration and deregistration procedure for access to all multi-user IT services managed by ICT. The user registration process must include the following:

i Check that the user has authorisation from the system owner for the use of the service;

ii Check that the level of access granted is appropriate for the purpose and is consistent with organisational security procedures;


iii Require users to sign undertakings to indicate that they understand the conditions of access;

iv Ensure service providers do not provide access until the authorisation procedures have been completed;

v Maintain records of all persons registered to use the service;

vi Immediately disable the access rights of users who have changed jobs or left the organisation;

vii Periodically check for, and remove, redundant usernames and accounts that are no longer required;

viii Ensure that redundant usernames are not re-issued to another user.

54 The use of special privileges must be restricted and controlled. A formal authorising process must include the following:

i Identify the privileges associated with each system product e.g. operating system, database management system and the staff to which they need to be allocated.

ii Maintain an authorisation process and record all privileges allocated.

iii Users who are assigned high privileges for special purposes should use a different username for normal use.

55 Passwords are currently the principal means of validating a user’s authority to access a computer service. The allocation of passwords must be controlled by a formal management process, the requirements of which are as follows:

i Require users to undertake to keep personal passwords confidential and group passwords solely within the members of the group.

ii Ensure, where users are required to maintain their own passwords, that they are provided initially with a secure temporary password which they are forced to change on first use. Temporary passwords are also provided when users forget a password, always subject to positive identification of the user.

iii Convey temporary passwords to users in a secure manner. Conveyance of passwords through third parties or through unprotected (clear text) email should be avoided.

iv Expiry dates for passwords may be set for some accounts; the period should be determined by the application owner. This period should not be too short, as this results in passwords being written down rather than remembered. A period of six months is recommended.

v All passwords must have a minimum length set. At least six alphanumeric characters are recommended.

56 To maintain effective control over access to data, a formal process to review users' access rights should be undertaken. This process should ensure that users' access capabilities are reviewed at regular intervals; a period of 12 months is recommended.

Access Control

Network Access Control

57 Network services that can be accessed by an individual user must be consistent with the access control policy.

58 Connections by remote users to University systems require secure authentication, unless it is to access Internet-facing web servers containing public information only. In cases where content is more sensitive this may be supplemented by the use of secure access to thin client servers or the use of VPN software.

59 Computers or servers that have remote access for use by third party maintenance engineers must be protected. The access must be disabled until required and only enabled following an arrangement between ICT staff and the maintenance engineers. Each request for access must be documented.

60 Servers must be protected from unauthorised access and the network from packet listening. The University network as a whole must be protected by a defined security perimeter with a single firewall acting as a network gateway.

61 All equipment connections to the University network must be authorised by ICT prior to use. Equipment must never be connected to more than one network at a time without authorisation from networking specialists in ICT.

62 Network routing control, virtual LANs and network protocols are the responsibility of ICT.

Computer Access Control

63 Access to servers must be via a secure logon process which minimises the opportunity for unauthorised access. Where possible, the procedure must include the following:

i Limit the number of unsuccessful, consecutive, login attempts allowed. A limit of three is recommended;

ii On failure disconnect and give no assistance to the end user;

iii Limit the maximum time allowed for the logon procedure. If exceeded the system should terminate the logon;

iv Where possible, after a successful logon the date and time of previous successful logon and details of any unsuccessful logon attempts since the last successful logon should be displayed.
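As an added illustration (not code from the policy or from the University), the following Python sketch implements the four logon controls of item 63 against an in-memory account store; the account store, the caller-supplied clock values, the PBKDF2 parameters and the 60-second logon timeout are assumptions.

```python
"""Added example, not part of the IT02 policy: a minimal server-side logon
controller implementing the four controls in item 63. The in-memory account
store, the clock values passed in by the caller and the 60-second timeout
are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAX_CONSECUTIVE_FAILURES = 3   # 63(i): a limit of three is recommended
LOGON_TIMEOUT_SECONDS = 60.0   # 63(iii): assumed ceiling for the logon procedure
PBKDF2_ROUNDS = 100_000        # assumed password-hashing work factor


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    consecutive_failures: int = 0
    locked: bool = False
    last_success: Optional[float] = None      # 63(iv): previous successful logon
    failures_since_success: int = 0           # 63(iv): failures since that logon


@dataclass
class LogonResult:
    ok: bool
    message: str                              # 63(ii): a failure explains nothing
    last_success: Optional[float] = None
    failures_since_success: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


class LogonController:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def logon(self, username: str, password: str, started_at: float, now: float) -> LogonResult:
        """One logon attempt; started_at/now are timestamps supplied by the caller."""
        failed = LogonResult(False, "Logon failed")    # single uninformative failure response
        if now - started_at > LOGON_TIMEOUT_SECONDS:    # 63(iii): took too long, terminate
            return failed
        account = self.accounts.get(username)
        if account is None or account.locked:           # unknown user looks like a bad password
            return failed
        if not hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
            account.consecutive_failures += 1
            account.failures_since_success += 1
            if account.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                account.locked = True                   # 63(i): locked until the helpdesk unlocks
            return failed
        # Success: report the previous logon and the failures since it (63(iv)), then reset
        result = LogonResult(True, "Logon successful",
                             account.last_success, account.failures_since_success)
        account.last_success = now
        account.failures_since_success = 0
        account.consecutive_failures = 0
        return result

    def unlock(self, username: str) -> None:
        """Helpdesk action after positive identification of the user (cf. item 55)."""
        account = self.accounts[username]
        account.locked = False
        account.consecutive_failures = 0
```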

64 All users will be allocated a unique account username for their sole use which should not be given to another individual. Usernames should not give any indication as to the user's privileged level. In exceptional circumstances, where there is a clear benefit, shared usernames may be used. Approval by ICT


Application Access Control

65 Users of application systems and systems utilities must be provided with access to data in accordance with a defined access policy based upon the individual requirements.

66 The access policy must contain the following controls:

i Access control to the application system function or system utility;

ii Controlling the access capability of the end user to data items. This includes read, write, update and delete.

67 Systems utilities that may override system application controls must be restricted and tightly controlled.

68 In order to minimise the corruption of computer programs, strict control must be maintained over access to source code.

69 On systems containing sensitive data, audit trails recording exceptions and other security relevant events must be kept for an agreed period to assist in future investigations into any possible breaches. Such systems may be monitored to ensure usage is correct. Any audit trail should include usernames, dates and times.

70 Special care is required when using mobile computing facilities such as laptops, notebooks, smartphones and tablets. Protection must be in place to avoid the unauthorised access to or disclosure of information stored by these facilities. The equipment should have installed on it up-to-date virus detection software and, if connected to an ISP, a personal firewall. Care must also be taken to ensure that the equipment is protected against theft.

Remote Access to End-user Computing Devices

71 ICT staff may, following permission being granted by the end user, take full remote control of the computing device for the purposes of diagnosing problems or the installation of software. Such operations must be carried out with an audit log recording all actions.

Systems Development and Maintenance

72 An analysis of security requirements must be carried out at the requirements analysis stage of each development project. The security requirements must include how the system and the network will safeguard the confidentiality, integrity and availability of information for all server environments of that project, for example development servers and production servers. The analysis must include the following:

i Access control to information;

ii Data integrity checks;

iii Back-up and archiving requirements;


73 Within application systems, data input must be validated wherever possible. Such controls must include checks for out-of-range values, invalid characters, missing or incomplete data and inconsistent data. Where possible, batch controls, balancing controls, validation processing and hash totals should be used to minimise any data corruption.
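The field-level checks and the batch, balancing and hash-total controls that paragraph 73 lists, carried through on a constructed batch of expense records, as an added example in Python. It is not code from the policy or from any University application; the field names, the account-code format, the amount limits and the layout of the batch header are assumptions made for the illustration.

```python
"""Input validation with batch, balancing and hash-total controls as listed in
paragraph 73. Added example over a constructed batch of expense records; the
field names, account-code format, amount limits and header layout are assumed."""
import re
from datetime import date

ACCOUNT_CODE = re.compile(r"^[A-Z]{2}\d{4}$")   # assumed format, e.g. AB1234
AMOUNT_RANGE = (0.01, 10_000.00)                 # assumed limits for a single item
REQUIRED = ("account", "amount", "date", "description")

# Constructed batch: the header carries the submitter's own control totals.
# The hash total is the sum of the numeric part of each account code; it has
# no business meaning and exists only to detect dropped or altered records.
SAMPLE_HEADER = {"batch_date": "2015-07-09", "count": 4,
                 "amount_total": 13250.00, "hash_total": 4813}
SAMPLE_RECORDS = [
    {"account": "AB1234", "amount": "250.00", "date": "2015-07-01", "description": "Lab consumables"},
    {"account": "CD2345", "amount": "999.99", "date": "2015-07-02", "description": "Software licence"},
    {"account": "EF12x4", "amount": "0.01", "date": "2015-07-03", "description": "Corrupted account code"},
    {"account": "GH0000", "amount": "12000", "date": "2015-08-01", "description": ""},
]


def _numeric(value):
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def validate_record(rec, batch_date):
    """Field-level checks: missing/incomplete, invalid characters, out of
    range, inconsistent. Returns a list of problems (empty means valid)."""
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    account = rec.get("account")
    if account and not ACCOUNT_CODE.match(account):
        problems.append("invalid characters in account")
    amount = rec.get("amount")
    if amount:
        if not _numeric(amount):
            problems.append("amount not numeric")
        elif not AMOUNT_RANGE[0] <= float(amount) <= AMOUNT_RANGE[1]:
            problems.append("amount out of range")
    when = rec.get("date")
    if when:
        try:
            # inconsistent data: an item dated after the batch it arrived in
            if date.fromisoformat(when) > date.fromisoformat(batch_date):
                problems.append("date later than batch date (inconsistent)")
        except ValueError:
            problems.append("date not a valid ISO date")
    return problems


def validate_batch(header, records):
    """Record checks followed by the three batch-level controls."""
    report = {"record_errors": {}, "batch_errors": []}
    for i, rec in enumerate(records):
        problems = validate_record(rec, header["batch_date"])
        if problems:
            report["record_errors"][i] = problems
    # Batch control: the record count must equal the declared count.
    if len(records) != header["count"]:
        report["batch_errors"].append(
            f"record count {len(records)} does not match declared {header['count']}")
    # Balancing control: the monetary total must equal the declared total.
    amount_total = round(sum(float(r["amount"]) for r in records if _numeric(r.get("amount"))), 2)
    if amount_total != header["amount_total"]:
        report["batch_errors"].append(
            f"amount total {amount_total} does not match declared {header['amount_total']}")
    # Hash total: sum of the digits of every well-formed account code.
    hash_total = sum(int(r["account"][2:]) for r in records
                     if isinstance(r.get("account"), str) and ACCOUNT_CODE.match(r["account"]))
    if hash_total != header["hash_total"]:
        report["batch_errors"].append(
            f"hash total {hash_total} does not match declared {header['hash_total']}")
    report["accepted"] = not report["record_errors"] and not report["batch_errors"]
    return report
```

On the sample batch the record checks flag the corrupted account code and the incomplete, out-of-range, inconsistently dated item, while the hash total independently catches the corrupted code because its digits no longer contribute to the sum; the batch is rejected even though the count and the balancing total agree.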

74 The need for cryptographic, encryption or digital signature techniques should be considered to ensure confidentiality, authenticity and integrity of information.

75 Strict control must be exercised over the implementation of software on operational systems. The following controls must be exercised:

i The updating of operational programs must only be performed after authorisation;

ii If possible, source code should not be held on operational systems;

iii Executable code must only be implemented on operational systems after evidence of successful testing and user acceptance is obtained;

iv An audit log must be maintained for all updates;

v Previous versions of software should be retained as a contingency measure and live data must be backed up prior to implementation of a new version of the program.

76 Testing usually requires substantial amounts of test data that is as close as possible to the live data. The use of test databases containing real personal data must be avoided. If such data is used, it must be depersonalised before use.

77 Formal change control procedures should be produced and should include the following:

i Maintaining agreed authorisation levels and obtaining approval before work commences;

ii Reviewing security controls and integrity procedure to ensure that they will not be compromised by the changes;

iii Identifying all computer software, data files, database entities and hardware that require amendments;

iv Ensuring that the system documentation is updated;

v Maintaining version control and a log of all changes.
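One way to depersonalise a copy of live records before they reach a test database, as paragraph 76 requires, as an added example in Python. It is not part of the policy or of any University system; the record layout, the classification of fields, the fictitious people and the key are all constructed for the illustration. Direct identifiers are replaced with placeholders, fields that tests must still join on get a keyed one-way pseudonym, and any column that has not been classified is refused rather than copied, so a newly added personal column cannot leak by default.

```python
"""Depersonalising a copy of live records before they reach a test database
(paragraph 76). Added example, not part of the policy; the record layout,
field classification, fictitious people and key are constructed."""
import hashlib
import hmac

# Fields that identify a living individual directly: replaced with placeholders.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
# Fields that tests must still be able to join on: replaced with a keyed
# pseudonym, so equal inputs map to equal outputs within one run but the
# original cannot be recovered without the key.
LINK_KEYS = ("student_id",)
# Non-personal fields that tests need unchanged.
RETAINED = ("course", "fee_paid")

# Constructed sample of "live" records (fictitious people, example.org addresses).
SAMPLE_LIVE = [
    {"student_id": "S1001", "name": "Alice Example", "email": "alice@example.org",
     "phone": "01234 567890", "course": "BSc Computing", "fee_paid": True},
    {"student_id": "S1002", "name": "Bob Sample", "email": "bob@example.org",
     "phone": "01234 567891", "course": "BA Music", "fee_paid": False},
    {"student_id": "S1001", "name": "Alice Example", "email": "alice@example.org",
     "phone": "01234 567890", "course": "MSc Cyber Security", "fee_paid": True},
]


def pseudonym(key, value, length=12):
    """Keyed, one-way pseudonym (HMAC-SHA256, truncated) for a link field."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def depersonalise(records, key):
    """Return depersonalised copies; refuse to copy any field that is not
    classified above (fail closed rather than leak an unknown column)."""
    out = []
    for n, rec in enumerate(records, start=1):
        clean = {}
        for name, value in rec.items():
            if name in LINK_KEYS:
                clean[name] = pseudonym(key, str(value))
            elif name in DIRECT_IDENTIFIERS:
                clean[name] = f"{name}-{n}"   # e.g. "name-2": realistic shape, no real person
            elif name in RETAINED:
                clean[name] = value
            else:
                raise ValueError(f"field {name!r} is not classified; refusing to copy it")
        out.append(clean)
    return out


def rejects_unclassified(key):
    """True if a record carrying an unclassified column is refused."""
    try:
        depersonalise([{"student_id": "S1", "course": "x", "fee_paid": True,
                        "home_address": "1 Any Street"}], key)
    except ValueError:
        return True
    return False
```

The key must be generated for the test-data run and kept with the same care as the live data, because anyone holding it and a list of candidate identifiers can recompute the pseudonyms; discarding it after the copy is made is the simplest way to make the mapping unrecoverable.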

78 When the operating system or the database management system is updated, the application system should be reviewed to ensure that there is no adverse impact on security or data integrity.

79 Modifications to vendor supplied software packages should be discouraged. In circumstances where it is deemed essential to modify the package or its data, the following points should be considered:


i Whether any built-in controls or integrity processes are compromised by the modifications;

ii Possible vendor support problems;

iii Possible problems associated with later versions of the vendor standard program;

iv The University becoming responsible for future maintenance of the software.

80 Programs should only be purchased or downloaded from a reputable source. Where software development is outsourced, the following must be considered:

i Licensing arrangements, ownership and intellectual property rights;

ii Contractual requirements for quality, accuracy of work done.

Business Continuity Management

81 There should be a managed process for maintaining a business continuity plan. The key elements should be:

i Understanding the risks;

ii Understanding the impact of interruptions;

iii Considering the acquisition of a business continuity contract;

iv Documenting plans;

v Regular testing and updating of plans;

vi Identifying responsibilities.

Compliance with Legal Requirements

82 The University should draw to the attention of all users the legal restrictions on the use of copyright material. Regular audits of software should be taken and software registers maintained.

83 Important University records should be protected from loss or destruction. The following steps should be taken:

i Guidelines should be issued on the retention, storage, handling and disposal of records and information;

ii A retention schedule should be drawn up by identifying record types and the period of time for which they should be retained.

Legislation

84 Personal information (on living individuals who can be identified from the information) that is stored or processed on a computer is subject to the Data Protection Act 1998; all types of information are subject to the Freedom of Information Act 2000.

85 Compliance with legislation will require some form of management structure and control. An Officer should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. It should be the responsibility of the owner of the data to inform the Officer about any proposals to keep personal information on a computer, and to ensure awareness with the legislation.

86 The use of University IT services is authorised by ICT management. Any use of these services for non-business or unauthorised purposes, without management approval will be regarded as improper use of the services. If such activity is identified by usage monitoring or by other means, it will be brought to the attention of the line management concerned for appropriate disciplinary action.

87 University users are advised that no access is permitted except that which is formally authorised.

Security Reviews of IT Systems

88 All areas within the University should consider undertaking regular reviews to ensure compliance with security policies and standards.

89 IT services should be regularly checked for compliance with security implementation standards.

Other Sources of Information

90 Other University IT policies:

i IT01 – IT Acceptable Use Policy;

ii IT03 – Internet Usage Policy;

iii IT04 – Email and Instant Messaging Usage Policy;

iv IT05 – Telephone and Mobile Phone Usage Policy;

v IT06 – IT Hardware and Software Policy;

vi IT07 – Disposal of IT Equipment and Media Policy;

vii IT08 – Application Systems Policy;

viii IT09 – Identity Management Policy

http://portal.solent.ac.uk/support/official-documents/policies-procedures-guidelines/information-communication-technology.aspx

91 Other University policies, including but not limited to, the following:

i Data Protection Policy;

ii Freedom of Information Policy;

iii Confidentiality Markers Policy;

iv Maintenance of Records Policy;

v Disciplinary Procedure Policy;

vi Management of Information Policy;

vii Web Publishing Policy.

http://portal.solent.ac.uk/support/official-documents/policies-procedures-guidelines/policies-procedures-guidelines.aspx

92 Southampton Solent University’s Internet connections are governed by:

i JANET Connection Policy;

ii JANET Security Policy;

iii JANET Acceptable Use Policy.

https://community.ja.net/library/janet-policies

Author(s): Keith Baker, ICT Security and Standards Manager

Owning committee: Management Information and Technology Committee

Approved by: Paul Colbran, Director of ICT

Date of approval: 9 July 2015

Version: 3.0
