Information Security Policy

© Borders College 19/10/12 1 Working Together

Uncontrolled Copy

W

orki

ng T

oget

her Information Information

SecuritySecurity PolicyPolicy

May 2012

Information Security Policy

© Borders College 19/10/12 2 Working Together

Uncontrolled Copy

Information Security Policy 1. Introduction Borders College recognises that information systems, the information they contain and the associated processing tools and services now pervade teaching, learning and administration and are of vital importance to the efficient functioning of the organisation. Its policy is to take any measures considered necessary to ensure that all aspects of its systems are fully protected complying with The Computer Misuse Act 1990, the Data Protection Act 1998, The Copyright (Computer Programme) Regulations Act 1992, Regulation of Investigatory Powers Act 2000 (RIPA), Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP). 2. Scope The infrastructure and information systems to which the policy applies includes, desktop productivity tools, telephone, fax, voicemail, internet access, social media, e-mail, the underlying network and communication lines. The policy applies to all users of the information systems including students, staff, technical support staff, managers, board members, auditors (both internal and external) and any other authorised users. 3. Key Principles 3.1 The College will ensure that all users of information systems

recognise their responsibilities in relation to securing hardware, peripherals and other equipment, and the information contained in those systems via the creation of the comprehensive Acceptable use of Information Systems Policy.

3.2 Controlling Access to Information and Systems:-

• Access Control will be determined in accordance with the agreed levels for each end user’s role in the College.

• Unattended workstations will have enforced screen saving mechanisms put in place where the end user will have to re enter their login details to unlock the screen.

Information Security Policy

© Borders College 19/10/12 3 Working Together

Uncontrolled Copy

• Access and usage will be logged and monitored to identify potential misuse of systems or information.

• Remote access to the network and resources will only be permitted providing the authorised users are authenticated beforehand.

3.3 Purchasing and Maintaining Commercial and In-house Software

• Prior to the purchase of new software, essential full specification of business and technical requirements will be developed. (User Requirement Specification).

• Consideration of how any new software or how any changes to current software will affect integration with other systems will be included as part of any evaluation.

• Sizing and capacity requirement exercises will be carried out for all new software, with input from the supplier as appropriate. The appropriate number of licences to be purchased must be specified to allow use of the software, adherence to the Terms Of End User License Agreements, and retention of eligibility for ongoing vendor support.

• Third party support, whether of a technical or “housekeeping” nature will be specified and quantified in advance of any purchase or development, to ensure that the support availability matches business requirements and that such support is backed by a Service Level Agreement.

3.4 Business Continuity\Disaster Recovery

• Detail backup strategies ensuring confidentiality and identifying mission critical data will be updated and maintained on a regular basis.

• The plans will be periodically tested and documented including clear guidelines on how this should be carried out.

3.5 Change Management

• All changes to software and hardware systems will be subject to a comprehensive change management process.

Information Security Policy

© Borders College 19/10/12 4 Working Together

Uncontrolled Copy

• Major changes will be subject to a formal project management methodology and will include (but not limited to) full options appraisal, resource requirements, risks and constraints, control, reporting, stakeholders, project organisational structure and responsibilities.

• Systems testing (including User Acceptance Testing) will be carried out and the results documented and signed off prior to implementation of live changes.

• Changes will be managed in such a way as to ensure that, wherever possible, the networks, systems and services availability to users is maintained throughout the process and that information is processed and transferred correctly, preserving its integrity.

3.6 Detecting and responding to information security incidents

• A register of incidents will be maintained and reviewed on a regular basis.

• All such evidence will be collected in a methodical and consistent manner to ensure risk of repeat faults is minimised. Reports will give full account of incident and actions taken.

• Faults will be reported to the ICT Strategy Group and, where there has been significant adverse effect or where a risk remains, to the College Senior Management Team.

3.7 Audit and Compliance

• The ICT systems, including infrastructure, data integrity and management, change management, disaster recovery, replacement scheduling, end user services, policies, practices and procedure will be subject to inclusion in the College’s internal audit programme.

Information Security Policy

© Borders College 19/10/12 5 Working Together

Uncontrolled Copy

4. Responsibilities 4.1 The Finance and General Purposes committee is responsible for

agreeing the Policy. 4.2 The Director of Finance and Resources is responsible for the

implementation of the Policy. 4.3 The ICT Manager is responsible for all aspects of system security,

including:-

• Procedures for Systems and Network Administration

• Use of Electronic Communication Systems

• Internet and email

• Remote connections

• Ethics and Application Use

• User identification and accountability

• Authentication

• Access control 4.4 All staff and students are responsible for adhering to the Policy. All

breaches of computer security must be referred to the ICT Manager. 5. Related Procedural Documents • Data Protection Policy

• Data Protection Act 1998

• Disciplinary Policy and Procedures

• Whistle Blowing Policy 6. Review This Policy will be reviewed every 2 years or more regularly as circumstances dictate.

Information Security Policy

© Borders College 19/10/12 6 Working Together

Uncontrolled Copy

Status: Approved by the JCC Policy Committee Policy Dated: May 2012 Author: ICT  Manager Review Date: May 2014 Equality Impact Assessed: N/A