Information Security Policy
Policy and Procedures
Issue Date February 2013
Revision Date February 2014
Responsibility/ Main Point of Contact
Neil Smedley
Approved by/Date
Associated Documents Acceptable Use Agreement Anti-virus Procedure
Change Control Procedure
College Network and Systems Access Policy College Server Backup Procedure
Computer Disposal Procedure Data Protection Act 1998
Information Security Incident Reporting Procedure
Version number 2.1
This policy has undergone an Equality Impact Assessment (EQIA) confirming that there are no negative consequences in the case of this policy.
Introduction
Electronic information is a valuable resource of which the college takes great care to protect from loss, corruption and unauthorised use or misuse.
Although much of the information held and processed by the College is intended for general use, certain information (key data and information) has to be handled and managed securely and with accountability. In addition such information and the way it may be processed is subject to UK law and the Data Protection Act 1998.
Purpose and Policy Statement
This document provides the policy framework, through which the College will apply information security controls throughout the college. It is based upon the
International Standard ISO 17799 (BS 7799) and includes the following: -
information classification
access control
operations
incident management
physical security
third-party access
business continuity management
Supporting Policies containing detailed Information Security requirements will be developed in support of the Information Security Policy. Reference to supporting policies will be made in bold italic text throughout the remainder of the document Definition: what is Information Security
Information Security is a means of protecting key data, information and information systems from unauthorized access, use and misuse, inspection, disclosure,
Scope
The Information Security Policy covers the following: - The College’s IT/IS infrastructure
key data and information
those who have access to or who administer IT/IS facilities
Individuals who process or handle key data and information
The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental.
Responsibilities
The College has a responsibility to ensure that information security is properly managed. The IT Manager is responsible for:
the development and upkeep of this policy
ensuring this policy is implemented and supported by appropriate documentation, such as procedures
ensuring that documentation is relevant and kept up-to-date
ensuring this policy and subsequent updates are communicated to relevant staff
ensuring that serious breach
Individual members of staff have a responsibility to:
Adhere to this policy, and for reporting any security breaches or incidents to the IT Manager, as soon as practicable using Information Security Incident Reporting Procedure
1. ICT Assets
IT Services will maintain an inventory, subject to audit, of all ICT assets. This will be in two categories: -
Hardware
Software
This asset inventory is in addition to the fixed asset register used for College financial accounting.
Electrical Equipment Regulations 2006. This legislation sets strict guidelines with regard to computer disposal and other waste electrical and electronic equipment. The company should also be able to demonstrate that they have secure destruction facilities for data contained on hardware.
Further information is contained in the Computer Disposal Procedure 2. User Accounts
It is the responsibility of IT Services to maintain a directory of users authorised to use College ICT resources. Staff, students, temporary guest users and external users are subject to College Acceptable Use Agreement, and will have different access permissions and responsibilities.
For the purposes of this policy the following guidelines are used to distinguish between the different types of user: -
Staff - are those registered on the College HR/Payroll systems
Students - are those registered in the College MIS system
Guest users - are users permitted to temporarily access College ICT facilities
External users - are all other users permitted access to College ICT facilities
2.1. Staff
All staff whether permanent, temporary or agency staff must abide by the terms and conditions covering the use of ICT at the College. The staff agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services, in written or electronic form. Temporary staff accounts should be set with an expiry date for the end of their contract period.
Staff may have access to College ICT systems withdrawn if they are found to be in breach of this policy or Acceptable Use Agreement.
2.2. Students
All students must abide by the terms and conditions covering the use of ICT at the College. The student agreement form and terms and conditions are
available from IT Services. The completed agreement forms will be kept by IT Services in written or electronic form.
Students may have access to College ICT systems withdrawn if they are found to be in breach of this policy or Acceptable Use Agreement.
2.3. Guest Users
Guest user accounts allow limited access to College resources and will be provided on a limited time period with specific access hours. These user accounts do not have email access.
2.4. External Users
At present there are no requirements for external user accounts. If at future time there is a requirement then they should have limited access to College resources and should only be enabled on a daily basis.
3. Physical & Environmental Security
Controls will be implemented to prevent unauthorised access to computer and information systems.
3.1. Physical Security
Server rooms, IT Services computer suite, telecoms cabinets and communications cabinets shall be protected to provide suitable physical security and environmental controls.
Servers used for storing and/or processing data shall be located in physically secured areas.
Server rooms shall be inspected twice a week to ensure integrity of physical security
4. Communications and Operations Management
Controls will be implemented to enable the correct and secure operation of information processing facilities.
4.1. Operating Procedures
Design, build, configuration and operating documents will be produced for all servers and system applications, these documents are to be kept in secure areas with access only available to IT Services staff and where relevant MIS staff.
4.2. Change Control
All changes to live critical systems will follow a change management process detailed in the Change Control Procedure
4.3. Protection Against Malicious Software
Protection will be provided using a multi-level defence using the following:-
Router
Firewall
Web Content Management with malware protection
Anti-virus Software
Email Scanning
Virus scanning shall be enabled on all servers, desktops and laptops; this shall be automatically updated to ensure the signatures files are up to date, and shall not allow users to switch off the antivirus software -.See attached Anti-virus Procedure in Procedures Section
4.4. Information Security Incidents
Information security breaches should be reported to IT Services as soon as practicable.
Any events that are regarded as ‘security incidents’ will be defined, and processes implemented to investigate, control, manage and review such
events in accordance with the using Information Security Incident Reporting Procedure
4.5. Security Patches
Critical security patches shall be installed automatically when made available by Microsoft, Apple or and other system software vendor.
4.6. Housekeeping
All critical data and applications are to be backed up in accordance with the College Server Backup Procedure; this includes the handling, storage and disposal of media. In the event of restoration of data follow the College Server Restore Procedure. College Server Backup Procedure
4.7. Network Management
Controls will be implemented to achieve, maintain, and control access to internal/external computer networks including wireless LANs, in accordance with the College Network and Systems Access Policy
5. Access Control
Access to College data and resources is dependent upon the type of user, whether they are staff, student, guest or external user. Users shall only be given access to resources in relation to their role. The procedure for
determining and administering the different types of user can be found in the Network and Systems Access Policy.
6. Username and Password Control
Access to College ICT resources is controlled by use of a network username and password. Control of network username and passwords is the
responsibility of IT Services. See attached Password Procedure in Procedures Section
7. Remote Access
Controls will be implemented to manage and control remote access to the College’s ICT resources, see Network and Systems Access Policy. 8. Business Continuity Planning
Business Continuity Planning is working out how to continue operations under adverse conditions that include local events like building fires, theft, and vandalism, regional incidents like earthquakes and floods, and national incidents like pandemic illnesses. In fact, any event that could impact
operations should be considered, such as interruption, loss of or damage to critical infrastructure (computing/network resource). As such, risk management must be incorporated as part of Business Continuity Planning.
9. Encryption
To ensure compliance with data protection regulations the best solution is that all data remains on college servers/system. If personal data has to be taken away from the college it should be encrypted.
Laptops shall use full disk encryption using Microsoft Bit Locker technology; full disk encryption will be installed by IT Services team.
USB flash drives and USB external drives shall be encrypted using Microsoft Bit Locker technology, see guidance notes for instruction
If personal details to be emailed or sent by any other media (i.e. CDROM) it shall be stored in an encrypted archive which uses AES encryption, third party product 7-Zip is to be used, see guidance notes for instruction
Procedures
Anti-virus Procedure Purpose
All New College Telford computers/laptops must have the college’s standard; supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus signatures must be automatically kept up-to-date.
Virus-infected computers must be removed from the network until they are verified as virus-free. IT Services are responsible for creating processes that ensure anti-virus software is run at regular intervals, and computers are verified as anti-virus-free. Any activities with the intention to create and/or distribute malicious programs into the college's networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Agreement.
Any employee or student found to have violated this procedure may be subject to account removal and or disciplinary action
Anti-virus Process
Recommended processes for users to prevent virus problems:
Always use the supported anti-virus software available on college systems.
NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your rubbish bin.
Delete spam, chain, and other junk email without forwarding.
Never download files from unknown or suspicious sources.
Avoid direct CDROM/DVDROM or USB memory stick sharing with read/write access unless there is absolutely a business requirement to do so.
Always scan CDROM/DVDROM or USB memory stick from an unknown source for viruses before using it.
If you suspect that you have got a virus or malware on your computer contact IT Services immediately using email address its@nct.ac.uk
Processes for IT Services Staff
Automatically apply critical updates for college standard anti-virus system,to all college computer systems as soon as they become available. Check Windows Server Update Services log to identify any failures.
Automatically apply virus signatures updates on all college computer systems as soon as they become available. Check Windows Server Update Services log to identify any failures.
Setup automatic reporting to IT Services team for any computer where a virus has been detected. Ensure that any virus detected has been removed automatically or quarantined, in the event of failure to automatically remove or quarantine virus, remove the computer from the network and manually remove virus or reimage the computer.
Setup automatic daily anti-virus scan of hard drives for all college desktop and laptop computers.
Setup automatic anti-virus scan of hard drives for all college server computers
Password Procedure Purpose
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the college’s entire corporate network. As such, all New College Telford employees and students (including contractors and vendors with access to college systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the network, or stores any information.
Password Requirement
Passwords will subject to the following rules.
Minimum password length 5 characters
Passwords will be subject to expiry limit of 42 days
Password history to prevent reuse of passwords 5
Accounts will be locked out after 3 incorrect attempts for a period of 15 minutes to prevent password cracking software
General Password Construction Guidelines
Passwords are used for various purposes at New College Telford. Some of the more common uses include: user level accounts, web accounts, email accounts, , voicemail password, and system logins. Since very few systems have support for one-time tokens (ie. dynamic passwords (which are only used once)), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
The password contains less than five characters
The password is a word found in a dictionary (English or foreign)
The password is a common usage word such as:
o Names of family, pets, friends, colleagues, fantasy characters, etc. o Computer terms and names, commands, sites, companies,
hardware, software.
o The words New College, NewCol, NCT or any derivation.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
Are at least eight alphanumeric characters long.
Are not a word in any language, slang, dialect, jargon, etc.
Are not based on personal information, names of family, etc.
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered..
NOTE: Do not use either of these examples as passwords!
Password Change
In the event of password being forgotten the staff/student can get password reset by IT Services, after displaying their id card.
Staff Account Process When Staff Member Resigns
Human Resources must inform IT Services when a member of staff has resigned so the network user account can be disabled and archived.
After receiving the notification of a member of staff leaving, the expiry date on the network user account is set for the end of the day of leaving employment.
After the leaving date the staff network user account is disabled permanently and moved to the OU=Archived_Accounts under OU=Staff_Admin,DC=nct,DC=ads. The user’s personal data is moved to \\athena\staffhomes\__Archive.
At the end of the month, after a full monthly backup a script is run automatically to remove the Active Directory network user account, Exchange Mailbox, and the archived personal data.
The majority of applications use the network user account to allow access to applications, any application with their own user account controls such as
Resource 32000 should also have the user account removed when employment ceases.
IT Services will maintain a database of all system passwords and this must be kept in a secure manner. System passwords should be changed regularly. Enforcement
Any employee found to have violated this policy may be subject to account removal and or disciplinary action.
Guidance Notes
USB flash drive and USB external drive Encryption
Launch the Bitlocker utility by typing in ‘bit locker’ into the Start Search menu.
Enable the check box ‘Use a password to unlock the drive’ and enter a complex password to use when using your external USB drive.
Click the ‘Save the recovery key to a file’ button and choose a safe location for the file. The location cannot be the USB drive you are encrypting.
The USB drive will begin encrypting. It may take a long time depending on the size of the drive. If needed the process can be paused and restarted at a later date with no issues.
When encryption is complete the following dialogue box will be displayed.
When attempting to use the drive you will be prompted to enter the password you specified earlier.
Encrypted Archive Using 7-Zip
Right click on the file(s) to archive and go to the 7-zip menu, then select ‘Add to archive…’
Change the Archive format to zip by clicking the drop down menu and selecting ‘zip’
Change the Encryption method to AES-256 by clicking the drop down menu and selecting ‘AES-256’
Enter the password for the archive in the ‘Encryption’ area and then click okay to archive the selected file(s). Once encrypted zip file has been created this can be emailed or put onto other medium such as CDROM etc.
