

ALL STAFF

Framework Area: Information, Communication & Business Technology

Policy: IT Security Framework

Quality Assurance – Document Version Control

Date of Origination: February 2007
Date of Revision: July 2010, April 2013
Author: Information, Communication & Business Technology
Status: Current
Consultation with Trade Unions: May 2013
Approved by: Corporation
Reviewed and agreed: May 2013
Supersedes: July 2010
Impact Assessment Completed: 
Active From: February 2007
For Review on: Spring 2016

Available in large font and other formats on request

This record may be out of date if printed


INFORMATION & TECHNOLOGY SECURITY FRAMEWORK


CONTENTS

1. FRAMEWORK INTRODUCTION
2. e-SAFETY POLICY
3. IT SECURITY AND ACCEPTABLE USE POLICY

1. INTRODUCTION

Good practice in Information Technology (IT) security is an essential element in providing the technical applications and infrastructure that underpin and support the teaching, learning, and administrative activities of the College. The College must:-

i. ensure that its learners and staff remain safe in their use of technology; and

ii. protect its information assets, defined for the purposes of this framework as computers, hardware, mobile devices, networks, software and all of the data they contain.

In doing this, the college will:-

• Ensure that a high quality technical service is offered to staff, learners and other customers.

• Maintain and improve its reputation and meet its legal obligations and strategic business and professional goals.

• Prevent data loss and criminality.

• Ensure that learners and staff are fully aware of their personal responsibilities for protecting themselves and the college’s information assets in accordance with College or any external organisation’s guidelines.

• Protect itself from any financial loss arising from security breaches.

2. SCOPE & STRUCTURE

This framework applies to all learners, staff, customers and other stakeholders who access and use the College’s IT systems.

The framework is designed around a series of policies aimed at protecting:-

PEOPLE: ensuring that learners, staff and others who access college systems both on site and remotely remain safe in doing so;

DATA & INFORMATION ASSETS: ensuring that all the information that the College collects, processes and stores is held securely and that the risk of unauthorised access or inappropriate disclosure is minimised;

NETWORK & INFRASTRUCTURE: ensuring that technical infrastructure and physical assets are secure from theft, damage, unauthorised access or malicious attack.

[Diagram: PROTECTING. PEOPLE: e-Safety Policy. NETWORK & INFRASTRUCTURE: IT Security & Acceptable Use Policy. DATA & INFORMATION ASSETS: Information Security Policy.]

3. RESPONSIBILITIES

Adherence to the policies included within this framework is the personal, professional and legal responsibility of all staff (including contractors, short term, voluntary staff and anyone with a College IT account) and students. Every person handling information or using the College’s IT systems is expected to have proper awareness of and observe the policies and procedures noted within these policies, both during and, where appropriate, after their time at the College and to act in a responsible and professional way.

This Policy shall apply to all locations from which College IT systems, data or information are stored or accessed and shall extend to home use and all other off-College sites where applicable.

4. SECURITY BREACHES & INCIDENT REPORTING

The College will ensure that adequate incident reporting is maintained which will detail all incidents which are deemed to have breached the policies included within this framework. The reporting will contain:

• The nature of the incident

• Details of investigations carried out into the cause of the breach

• Actions required to reduce the risk of re-occurrence

Each incident should be investigated and reported within 7 days of occurrence or notification of the incident. If criminal action is suspected, the College may consider contacting the police immediately. Any security breach will be subject to the college’s Disciplinary Policy, Anti-Fraud Policy or the learners’ Code of Conduct.

It is the responsibility of all staff to report known security breaches as follows:

Policy: e-Safety
Reporting Manager: Heads of Learner Services (Safeguarding Officers)
Contact: Crosskeys: [email protected]; Newport: [email protected]; Ebbw Vale: [email protected]; Pontypool & Usk: [email protected]

Policy: IT Security & Acceptable Use
Reporting Manager: Head of ICT
Contact: [email protected]

Policy: Information Security
Reporting Manager: Information Manager (Services)
Contact: [email protected]

5. TRAINING & AWARENESS

The College is committed to providing timely, appropriate and relevant training to all users and systems support staff to ensure that they have the knowledge and skills to adhere to the policies included within this framework.

6. MONITORING

In accordance with the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the College carries out monitoring for the following purposes:

• To ensure the effective operation of IT systems

• To investigate or detect unauthorised use of IT systems

• To establish the existence of facts relevant to the business of the College

• To determine whether or not the communications are relevant to the business of the College

• To prevent or detect crime

The following logs will be retained for monitoring purposes:

• Internet Access Log – Time, Date, URL, Workstation IP Address, User Name

• Email Usage Log – Time, Date, Server, To Address, From Address, Subject, Email Size

• Firewall Log – including user activity and security alerts

• Workstation Event Logs

• Server Event Logs

• Network Traffic Logs – including the levels of traffic between routers and switches

The logs are retained for the following reasons:

• Monitoring of System Use and Misuse

• Protection of all users

• Protection of Network and College Systems

• Protection of College

• Capacity Planning and Maintenance

• Strategic Planning

There are specific obligations on the College which are:

• Keep recorded data secure

• Comply with legislation and regulations

• Maintain and review monitoring procedures

• Inform users that such monitoring takes place

• Duty of care to staff and students

Bearing these points in mind, the justification for such monitoring is:

• Duty of care to protect the College, its staff and students

• Maintain system security

• Compliance with College policies

• Prevent misuse of College systems

7. CONSEQUENCES OF NON-COMPLIANCE

The College reserves the right to withdraw user access where there is a breach of security or an alleged or significant risk of a security breach. In such cases user accounts may be disabled or services shut down or withdrawn pending an investigation.

The College will collate and report any evidence of misuse to the appropriate authority. Where members of staff are involved, the College Disciplinary Policy and Procedure will be followed. Where students are involved the Learner Disciplinary Process and Policy will be followed.

8. FEEDBACK

Coleg Gwent welcomes all constructive feedback on the policies included within this framework. If you would like further information, or wish to send us your comments, then please contact Hazel Gunter, PA to the Vice Principal (Resources & Financial Planning) via e-mail at [email protected].

Useful Links for Further Information:

e-Safety

• Child Exploitation & Online Protection Centre: http://www.ceop.police.uk

• Internet Watch Foundation: http://mobile.iwf.org.uk

• DirectGov, ‘Staying Safe Online’: http://www.direct.gov.uk/en/YoungPeople/CrimeAndJustice/KeepingSafe/DG_10027670

• Get Safe Online: http://www.getsafeonline.org

IT & Acceptable Use policy

• JISC: http://www.jisc.ac.uk

Information Security

• Information Commissioner’s Office: http://www.ico.gov.uk

• Welsh Government

INFORMATION & TECHNOLOGY SECURITY: e-Safety

In line with the College’s duty to safeguard learners and to satisfy our wider duty of care, we will do all that we can to ensure that our learners and staff remain safe online. This e-safety policy should be read in conjunction with other relevant college policies, e.g. Safeguarding Children, Protection of Vulnerable Adults, Anti-Bullying, and Disciplinary Policy & Procedures.

1. SAFE USE OF COLLEGE IT SYSTEMS AND MOBILE DEVICES

Learners, staff and other users are responsible for using the college IT systems and mobile devices in accordance with the college’s IT Security and Acceptable Use Policy which staff should actively promote through embedded good practice.

2. SAFE BEHAVIOUR

The college will not tolerate any abuse of IT systems. Whether offline or online, communications by staff and learners should be courteous and respectful at all times. Any reported incident of bullying or harassment or other unacceptable conduct will be treated seriously and in line with the relevant college policies.

Where conduct is considered illegal, the college will report the matter to the police.

3. SAFE USE OF IMAGES AND VIDEO

The use of images or photographs is popular in teaching and learning and should be encouraged where there is no breach of copyright or other rights of another person. This includes images, video, and audio (spoken word & music) downloaded from the internet and images belonging to staff or learners. All learners and staff should receive training and support on the risks in downloading these media as well as posting them online and sharing them with others.

Copyrighted music files should never be stored on the college network (e.g. your ‘documents’ folder of student / staff areas) as it is a form of file sharing without permission. This could be illegal even if you legally downloaded or copied the music in the first place.

If learners and staff are being photographed, audio recorded or filmed for ANY purpose during their time at college, then consent must be sought beforehand. Where tutors photograph, record or film learners, the attached consent form must be completed and held on file.

4. SAFE USE OF SOCIAL NETWORKING

The following statements are applicable regardless of whether staff and learners are using facilities in college, offsite or at home, at any time.

• Staff and learners should be aware that social networking websites are a public forum, particularly if the user is part of a "network". They should not assume that their entries on any website will remain private.

• Staff or learners should never send abusive or defamatory messages.

• Staff should take care and be aware that online discussions or photographs displayed on social networking sites could be deemed to bring the college into disrepute.

• Staff should not be “friends” with Coleg Gwent learners on Facebook or any other social media where there is, or has been, a lecturer/learner relationship in place, as this has the potential to compromise their duty of care to learners and their professional relationship with other college staff.

• Staff should apply discretion if they are 'friends' with any post-compulsory learner in any other capacity, e.g. as a personal friend.

• Staff must not use their college email address when registering on social networking websites. They should refrain from entering details on their profile that allow people to identify them as college staff (job status, or comments about named friends/colleagues, etc.). This does not apply if social networking technologies are required for a member of staff to fulfil their job role, as long as these have been agreed with their line manager prior to commencement.

• Staff and learners must also be security conscious and should take steps to protect themselves from identity theft, for example by restricting the amount of personal information that they give out. Social networking websites allow people to post detailed personal information such as date of birth, place of birth and favourite football team, which can form the basis of security questions and passwords.

• Staff must complete a risk assessment form (which is available on the Health & Safety page of the intranet) before using any site not hosted by the college but involving social interaction. Any ‘groups’ set up by tutors to communicate with learners must be private groups and by invitation only. Staff who set these groups up must take action to ensure that none of their personal details are available to other group members (the learners). This can be done by reviewing personal security and information sharing settings regularly for the particular site(s) being used. Staff in any doubt as to how to manage ‘groups’ and privacy settings should contact the College’s e-Learning Manager for advice.

• Staff must be aware that learners have a choice in whether they register to an external site/platform. It cannot be a compulsory element of their course/learning.

In addition, staff and learners should:

• Ensure that no information is made available on social networking sites that could provide a person with unauthorised access to the college systems and/or any confidential information; and

• Not record any confidential information regarding the college on any social networking website.

5. SAFE USE OF PERSONAL INFORMATION

No personal information can be posted to Moodle, the college intranet or website without the permission of a CMT member or unless as part of a previously approved College administrative process. Only names and work email addresses of the Corporate Management Team will appear on the college website. Full details on members of the Corporation and documents relating to the business of the corporation are held on the Coleg Gwent website.

Staff must keep learners’ and staff personal information safe and secure at all times. When using an online platform, all personal information must be password protected. No personal information of individuals is permitted offsite unless provided for in the Coleg Gwent Data Protection Policy. Every user of IT facilities is required to log off on completion of any activity, or where they are physically absent from a device.

Any mobile device (laptop, USB) should be used securely in line with the Coleg Gwent Data Protection Policy. Where the personal data is no longer required, it must be securely deleted in line with the Coleg Gwent Archiving /Retention of Documents Policy and Procedure 6.7 Retention of Documents.

6. REPORTING CONCERNS & RECORDING INCIDENTS

Learners are expected to seek help and follow procedures where they are worried or concerned, or where they believe an e-safety incident has taken place involving them or another member of the college community.

Where an e-safety incident is reported to the college this matter will be dealt with very seriously. The college will act immediately to prevent as far as reasonably possible any harm or further harm occurring. If a learner wishes to report an incident, they can do so to their tutor or to the Head of Learner Services (Safeguarding Officer). Where a member of staff wishes to report an incident, they must contact their line manager. Following any incident, the college will review what has happened and decide on the most appropriate and proportionate course of action. Sanctions may be put in place, external agencies may be involved or the matter may be resolved internally depending on the seriousness of the incident. This is in line with the college Acceptable Use Policy. Serious incidents will be dealt with by senior management, in consultation with appropriate external agencies.

All staff should apply relevant college policies and understand the incident reporting procedures. Any incident that is reported to or discovered by a staff member must be reported to the Head of Learner Services (Safeguarding Officer).

7. EDUCATION & TRAINING

With the current unlimited nature of internet access, it is impossible for the college to eliminate all risks for staff and learners. Therefore, the college will support staff and learners through training and education, which will provide them with the skills to be able to identify risks independently and manage them effectively.

For learners:

• Learners will attend Internet Watch sessions through their tutorial programme.

• All learners must receive a ‘Think B4U Click’ leaflet as part of their induction.

• Issues associated with e-safety apply across the curriculum and learners will receive guidance on what precautions and safeguards are appropriate when making use of the internet and technologies.

• Learners should also know what to do and who to talk to where they have concerns about inappropriate content, either where that material is directed to them, or where it is discovered as part of a random search.

• A link to the college e-Safety rules will appear when users log on to the college network and these rules are highlighted in posters and leaflets around IT areas and workstations.

• Within classes, learners will be encouraged to question the validity and reliability of materials researched, viewed or downloaded.

• Learners will be encouraged to respect the copyright of other parties and to cite references properly to demonstrate that they appreciate the issues surrounding plagiarism.

• Learners must also appreciate the nature of online communications and be coached by tutors to ensure that they understand the issues of posting messages and other materials (such as photographs) online. The world wide web can create a permanent record of activity and learners need to be able to appreciate the consequences of this, even in terms of the effect on future prospects of employment.

For staff:

• All staff are required to take part in e-safety training and engage with regular updates.

• For new staff this will be part of the induction process.

• General e-Safety training will be offered during at least one INSET day each year.

• The Manager for Learning & Development will liaise with the e-Learning Manager to identify suitable internal or external experts to carry out the annual training at INSET.

• Online resources will be made available and the e-Learning Manager will issue updates in guidance via electronic means when required.

• Each member of staff must record the date and details of all e-Safety training attended. This should be done via Passport to Success.

INFORMATION & TECHNOLOGY SECURITY: IT Security & Acceptable Use

The College will ensure that the network, network equipment and other IT equipment is secure, fit for purpose and used appropriately.

1. AUTHORISATION TO USE COLLEGE IT SERVICES

All Students who have enrolled at the College and all staff employed by Coleg Gwent are entitled to a unique personal user account that provides them with appropriate access to IT resources based on their course of study or role. These accounts are always password protected.

Users are required to take responsibility for the account that is provided to them and should be aware of the following points:

• User passwords should remain confidential. If users suspect that their password is known to others they should change their password immediately.

• Users must not share or divulge account details such as username and password.

• User passwords should be changed regularly and passwords need to conform to the minimum length and complexity rules.

• Users should ensure that they log out or lock their workstations if they leave their workstations unattended.

• Users should not store data on the workstation. Workstation disks (C:\ drive) are not backed up and are liable to fail or be stolen. Data should be stored on appropriate server-based shared drives.

• User workstations should be logged out before users leave College premises.

• The IT Department will make appropriate backups of user data held in the appropriate locations on College servers.

• Redundant user accounts will be disabled within 24 hours of receipt of information and removed by the IT Department in accordance with the Windows Domain User Account Removal and Deletion policy, currently available on the IT pages of the college intranet.

2. GENERAL GUIDANCE ON ACCEPTABLE USE

• Users will not use company resources for commercial activity, such as creating products or services for sale.

• Users will not send inappropriate mass mailings not directly associated with, or in the performance of, the routine course of duties or assignments. This includes multiple mailings to newsgroups, mailing lists, or individuals, e.g. "spamming," "flooding," or "bombing."

• Users will not forge the identity of a user or machine in an electronic communication, e.g. ’spoofing’.

3. USE OF WORKSTATIONS

With a valid username and password, users are granted access to workstations (PCs and laptops) on which recognised, legitimate and appropriate software is installed (including the operating system and appropriate anti-virus software). Users must accept that:-

• Installation of system or application software can only be performed by IT Support staff or with the authorisation and permission of the IT Department, and users must not install their own software.

• Access to local system settings will be restricted where appropriate and users must not attempt to bypass or override any security measures in place.

4. NETWORK SECURITY

The IT Department is responsible for all networking at Coleg Gwent and for the security of networked devices and users; all measures will be taken to ensure this security by implementing up-to-date security systems and adopting best practices.

The College IT Network consists of switches, routers, servers and firewalls. Access to Switches, routers, servers and other networking equipment is password protected and restricted to appropriate users.

Up-to-date backups of device configurations will be made by the IT Department.

Access to network resources will require a valid username and password. Access to, and the performance of, networks is heavily dependent upon the number of other client connections to the network and their usage.

Misuse of the network.

Users must not access or run any utilities or services, either deliberately or inadvertently, which might negatively impact on the overall performance of the network or deny access to the network, e.g. RF jamming, Denial of Service (DoS).

Misuse of the network will be taken extremely seriously. Such misuse may lead to:

• Immediate permanent disconnection of any unapproved networking equipment.

• Disciplinary action under current college regulations and policies.

The IT Department is responsible for maintaining the availability of the College network. In order to better manage, monitor and identify rogue devices and possible misuse of the network, the IT Department will make periodic sweeps of the College network and make use of passive monitoring devices and intrusion detection software.

Any unauthorised devices operating within the College network will be considered ‘Rogue Devices’. As such, depending upon configuration, these devices may present a substantial security threat and will be subject to removal from the network.

It is expressly forbidden to activate within the College, any Rogue Device that may conflict with the College Network. A rogue device is one which is not authorised by the College and which conflicts or interferes with legitimate College business.

5. INTERNET SECURITY & ACCEPTABLE USE

Internet Access is provided for the educational, business and training needs of learners and staff and users should be aware that such access may be withdrawn on the recommendation of the Line Manager, Head of Learner Service or a member of the college senior management team.

Limited personal use of the internet is permitted provided it is not excessive or illegal, does not contravene the College code of conduct for learners or staff, and does not have a negative effect on the user’s performance. The line manager, tutor or any other member of staff or learner has the responsibility to stop, prevent or report any such internet access breach.

Users should be aware that:

• All internet access is subject to filtering. Appropriate filtering policies are implemented to ensure the College’s compliance with legal requirements and the appropriate usage policies of third party organisations such as JANET.

• The College has a duty of care to its learners and staff and must protect its own image and reputation. To this end the College will block content that may be violent, racist, illegal or inappropriate.

• College staff should maintain high professional standards when participating in social networking environments (including blogs and message boards). Communicating with current, past or potential learners via these sites carries a risk and staff should consider the consequences of sharing personal information or thoughts via such sites. This is covered in more detail in the college e-Safety policy.

• Unless otherwise noted, all software on the Internet should be considered copyrighted work. Therefore, employees are prohibited from downloading software and/or modifying any such files without permission from the copyright holder.

6. E-MAIL SECURITY & ACCEPTABLE USE

E-mails generated on college computers and information contained in such e-mails are the property of the college. Email accounts should be used in a responsible and professional manner by College staff and learners. Users need to be aware that:

• Emails can be used in legal and contractual proceedings in the same way as hard copy documentation. Deletion from a user’s mailbox does not mean that the email is permanently removed and all emails should be treated as potentially retrievable.

• Staff using Coleg Gwent e-mail accounts are acting as representatives of the College and as such should act accordingly to avoid damaging the reputation of the College.

• All email users should adhere to the Coleg Gwent Email Etiquette guidance, which is available on the Marketing & Communications pages of the college intranet.

• Any publishing of malicious, defamatory or discriminatory material on email, Twitter, Facebook etc. is equivalent to publishing and therefore illegal, with possible consequences of fines or prison.

• If a user feels that they have been harassed, bullied or offended by material sent to them by a learner or member of staff via email, they should inform their line manager or course tutor, who will consider whether the College’s policies should be applied.

• Emails sent outside the College must bear the College disclaimer, which is automatically generated on leaving the organisation.

• If an employee is absent and communications need to be checked to ensure the smooth running of the college, then access to an employee’s account will be provided to the line manager when authorised in writing by a senior manager. Additionally, access to user accounts may be required in the course of criminal or disciplinary investigations. Such access will be authorised by the VP (F,E&IS) and the VP (HR&OD).

• Limited personal use of email is permitted provided it is not excessive and does not have a negative effect on the user’s performance. Discretion is placed on the line manager, tutor or other appropriate authority. The line manager, tutor or any other member of staff or learner has the responsibility to stop, prevent or report any such email abuse.

• Staff should not use their College email address to register on personal website accounts.

7. WIRELESS NETWORK SECURITY AND ACCEPTABLE USE

The College is committed to providing comprehensive and secure wireless access to College systems. The IT Department is responsible for all wireless networking at Coleg Gwent and users should be aware of the following:

• Access to wireless network resources will require a valid username and password.

• The wireless network shall be treated in the same way as the wired network with the following additions. Users must not:

i. Intercept or attempt to intercept other wireless transmissions for the purposes of eavesdropping

ii. Access or run any utilities or services, either deliberately or inadvertently, which might negatively impact on the overall performance of the network or deny access to the network, e.g. RF jamming, Denial of Service (DoS)

• Misuse of the wireless network or College wireless spectrum will be taken extremely seriously. Such misuse may lead to:

i. Immediate permanent disconnection of any unapproved wireless networking equipment

ii. Disciplinary action under current College regulations and policies

• Due to possible interference from other sources, the College wireless spectrum should be kept clear of unauthorised transmissions.

• The IT Department will make periodic sweeps of the College wireless coverage area and, in strategic locations, make use of passive monitoring devices and intrusion detection software.

• Any unauthorised wireless devices operating within the College wireless spectrum will be considered ‘Rogue Devices’. As such, depending upon configuration, these devices may present a substantial security threat and will be subject to removal from the network.

• The IT Department must be notified of any existing or proposed wireless installations.

• All wireless installations must comply with the wireless network architecture and standards developed through the IT Department.

• It is expressly forbidden to activate within the College any Rogue Device that may conflict with the College Network. A rogue device is one which is not authorised by the College and which conflicts with legitimate College business.

8. MOBILE DEVICE SECURITY & ACCEPTABLE USE

• Regular risk assessments will be undertaken to determine the security risks of allowing College IT systems to be accessed using a mobile device such as a smartphone or tablet computer.

• Any device connected to the College email system will be subject to a security policy that will enforce the use of a security password to protect the device.

• All users who are allowed access to email or other college systems via a mobile device will be asked to agree to a disclaimer before access is provided. The user will agree to use, maintain and protect the security password. They will also agree to report any loss or theft of their protected device to the college IT Department.

• This policy will apply to any mobile device that is allowed to connect to college IT systems, whether it is owned by the college or the personal property of the user.

9. PHYSICAL ASSET SECURITY

IT assets must be kept secure from theft and damage and users should be aware of the following:

 Workstations (and other equipment) are to be security marked and asset tagged in accordance with the IT Support Quality Manual QM2.5  Appropriate security measures to ensure the safety and integrity of all IT equipment must be implemented. Where deemed suitable, some equipment may be physically secured by the use of brackets, Cages, or security cables

 Physical access to rooms containing server computers or Network equipment must be restricted to authorised personnel (IT Support Staff). Authorised visitors such as contractors must be supervised by a member of the IT Department

 All IT equipment items will be marked in such a way as to identify them as a Coleg Gwent asset and entered into the College Asset Database where appropriate.

 IT Equipment moves must only be undertaken with the co-operation and involvement of the IT Department. This is essential to maintain the accuracy of the Asset Database and to ensure that moves and changes take place without un-necessary downtime.

 Mobile equipment may only be taken off-site when accounted for under the provisions of the ‘IT Mobile Device Usage Policy’ or the ‘IT Projector & Laptop loan policy’.


10. SECURE ASSET DISPOSAL

It is the responsibility of the IT department to ensure that all redundant assets are disposed of securely. In doing so:

 All items of equipment containing storage media (e.g. fixed hard disks) will be checked to ensure that any sensitive data and licensed software have been removed or overwritten prior to disposal

 Storage devices containing sensitive information will be physically destroyed or securely overwritten rather than using the standard delete function
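The difference between a standard delete and a secure overwrite, as an added example that is not part of the College's framework or its IT Department's procedures: a standard delete only removes the directory entry and leaves the data blocks untouched, whereas the routine below overwrites every byte of the file with random data, forces the writes to disk, and only then unlinks it. The file name, the marker string and the `run_demo` helper are constructed for the demonstration.

```python
import os
import tempfile


def overwrite_in_place(path, passes=1, chunk_size=1 << 20):
    """Overwrite every byte of the file at `path` with random data `passes`
    times, forcing each pass to disk with fsync. Returns the number of bytes
    overwritten per pass (the original file size)."""
    size = os.path.getsize(path)
    if size == 0:
        return 0  # nothing to overwrite; the caller can still unlink it
    with open(path, "r+b") as f:          # r+b: keep the same inode, same blocks
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))   # random bytes, written in chunks
                remaining -= n
            f.flush()
            os.fsync(f.fileno())         # push the pass through the OS cache
    return size


def secure_delete(path, passes=1):
    """The 'securely overwritten' disposal route: overwrite, then unlink."""
    size = overwrite_in_place(path, passes)
    os.remove(path)                      # the plain delete, done last
    return size


def residual_copies(path, marker):
    """Count occurrences of `marker` in the file; used to verify the overwrite."""
    with open(path, "rb") as f:
        return f.read().count(marker)


def run_demo(marker=b"SENSITIVE-PERSONAL-DATA", copies=2000):
    """Constructed demonstration: fill a file with a recognisable marker,
    overwrite it, confirm the marker is gone, then delete it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "enrolment_export.csv")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(marker * copies)
        before = residual_copies(path, marker)
        size = overwrite_in_place(path, passes=2)
        after = residual_copies(path, marker)
        size_after = os.path.getsize(path)
        deleted = secure_delete(path)
        return {
            "copies_before": before,
            "copies_after": after,
            "size": size,
            "size_after_overwrite": size_after,
            "bytes_deleted": deleted,
            "exists_after_delete": os.path.exists(path),
        }


if __name__ == "__main__":
    print(run_demo())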

INFORMATION & TECHNOLOGY SECURITY Information Security

It is the College’s policy that the information that it manages (both manual and electronic) is appropriately secured to:

 ensure compliance with relevant legislation and guidance

 protect against unauthorised access

 ensure confidentiality is maintained, especially where third party or personal data is held

 ensure business continuity and the protection of assets

 prevent failures of integrity, or interruptions to the availability of that information

1. IDENTIFYING INFORMATION ASSETS

The College will maintain an up to date inventory of all its information assets i.e. types of information that it holds electronically on college systems and in manual paper based systems.

All information assets will be assigned to an Information Asset Owner who has responsibility for the information assets in their ownership.

2. DEFINITION OF CONFIDENTIALITY

There are a number of data types which can be classified as confidential:

(i) Confidential Personal Data – Requires measures to ensure confidentiality

Coleg Gwent collects and stores the personal information of learners, staff and members of the Corporation in line with the Coleg Gwent registration with the Office of the Information Commissioner. This includes for example names, dates of birth, email addresses, assessment materials and so on. The college will keep that information safe and secure in accordance with the Coleg Gwent Data Protection Policy and Procedure 6.10, The Control, Processing And Accessing of Personal Data.

 All personal data within the meaning of the Data Protection Act

 Data about identifiable, living individuals which relates to an individual in any significant way, is biographical and has an individual as its focus.

Examples:

Student Applications and Enrolment Data.

(ii) Sensitive Personal Data – Requires explicit consent to collect and enhanced measures to ensure confidentiality

 Ethnic Origin

 Political Opinions

 Religion

 Trade Union membership

 Health (Physical and mental)

 Sexual orientation

 Offences, allegations, proceedings, sentences

Examples:

Staff Equal Opportunities monitoring Data

Student Form B (Learning difficulty and disability assessments), Form D (medical questionnaire)

(iii) Commercially sensitive data

 Data which is held by the college and relates to past, current or future transaction of a commercial nature where disclosure of information could undermine the college’s interests

 Tender documentation containing competitive price data

 Documents relating to property transactions during negotiating periods

3. DATA PROCESSING SYSTEMS

The College will maintain a register of all systems used to process personal data in the College. This will include:

 the type of system

 the types of personal data held

 the purpose of processing.

The purpose of the registers is to ensure that all processing of personal data within the College is adequately notified to the Information Commissioner. College staff are only allowed to use authorised systems for processing personal data. Any request to establish new systems for processing personal data must be made formally to the Data Protection Officer on a form available on request from the Head of Information Systems.


4. SECURE DATA STORAGE

All staff are responsible for ensuring that:

 Any personal data, which they hold, is kept securely

i. Manual data - should be kept in a locked filing cabinet or locked drawer and/or kept in a room which is has secure access and is locked when not occupied

ii. Electronic data – must be password protected

 Personal data is only stored on appropriate systems on the college network

 Personal data is not to be stored on the integral drives of standalone computers unless specifically authorised by the Data Controller for a specific role (e.g. laptops for workplace assessors)

 Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party

 Only college authorised devices with appropriate encryption software may be used to store personal data. Members of staff must seek the approval of their manager before storing data on a portable mobile device

 College offices where staff are employed to process personal data should be locked when not occupied. Consideration should be given to door security systems such as key pads in multi-occupied rooms to prevent unauthorised access.

 Staff should take particular care with data processed while working at home. College personal data must not be stored on home PCs.

 Staff and Learners who use Data Storage Devices (such as a smartphone, laptop, USB memory stick, portable disk drive) that might contain College data must ensure that it is kept secure at all times, especially when travelling. Passwords must be used to secure access to data kept on such equipment to ensure that confidential data is protected in the event that the device is lost or stolen. All users should exercise the same care as when using any other means of communication.

5. SECURE DATA TRANSMISSION

Personal or sensitive data must be transmitted by appropriate secure means:

 A risk analysis must be undertaken with respect to the nature of transmitted data, the intended recipients and the volume of data.

 Data transmitted outside of the college by electronic means must be encrypted or sent via secure data transmission sites.

 Data transmitted within the college by electronic means must be password protected or encrypted.

 Data must only be transferred using college approved media devices.

 Staff should ensure that casual disclosure does not take place, for example by leaving computer printouts or manual records containing personal or sensitive data uncovered on desktops or by allowing unauthorised users to view computer screens.


5. RETENTION OF DATA

Personal data will be retained for no longer than is necessary for the purpose for which it was collected. Standard retention times are necessary to meet various contractual requirements.

Standard retention times for documents relevant to the college Financial control procedures are specified in the College Retention of Documents Procedure.

6. DISPOSAL OF DATA

Particular care must be taken with the disposal of personal data. Staff should be aware that the same standards should be applied to informal records, lists and printouts held by individual members of staff containing personal data as to records which are part of the formal College records system:

 This material must not be disposed of in ordinary office waste paper bins.

 Personal data must be destroyed by secure methods such as shredding or confidential waste sacks handled by authorised contractors.

 Specific responsibilities are outlined in the Coleg Gwent Financial Procedures Manual. Formal records may only be destroyed with the appropriate authority.

7. CCTV

CCTV systems in the College are only used for the prevention and detection of crime and the college must ensure that:

 CCTV systems are positioned to avoid capturing images of persons not visiting College premises

 the recorded images must be stored safely and only retained long enough for any incident to come to light

 recordings will only be made available to law enforcement agencies involved in the prevention and detection of crime and to no other third party.
