IT Data Security Policy

Transcription

1 IT Data Security Policy Contents 1. Purpose Scope Policy...2 Access to the University computer network... 3 Security of computer network... 3 Data backup... 3 Secure destruction of data... 3 Business continuity... 4 Transmission and storage of data... 4 Use of external contractors Forms/Instructions Links/Dependencies Appendices...6 Policy control Approved by Contact/s Wojtek Adamek (ICT CIO) Gary Nye (ICT) History/Revision dates Nov 13, Dec 14 Audience Internal (Intranet only) External (Internet) Page 1

2 1. Purpose 1.1 The University computer network holds a variety of data relating to commercial activities, student activity and student and staff personal data. Much of this data is confidential in nature and it essential that all reasonable precautions are taken to ensure the security of this data. 1.2 The Chief Information Officer is responsible for ensuring that an adequate framework is in place to enable ICT staff to maintain the security of centrally held data, including password and access controls, system security, back-up procedures, disaster recovery procedures and secure means for the destruction of such data. He/she is also responsible for ensuring that all contractors working on University computer systems operate within appropriate data security guidelines. 2. Scope 2.1 ICT will provide guidance to staff on maintaining the security of data held on local devices, including local PC drives, laptops, disks or other portable devices, but the responsibility for this security and secure destruction of the data remains with the user. 2.2 This policy outlines the measures in place that allow all staff involved in the processing of data, including the entering of data, extraction of data for reporting purposes or the transmission of data internally or externally, to meet their responsibilities. Particular care must be taken when engaging external parties who may have access to confidential information. 3. Policy 3.1 All University staff are bound by their conditions of employment to observe the Access to Confidential Data conditions outlined in the Code of Conduct for Employees. 3.2 The University is bound by the Data Protection Act 1998 and related legislation to safeguard all personal data it controls on behalf of its students and staff. The Act covers personal data which is held on computers, networks, s, mobile devices (including laptops, telephones and USB pens) and in structured manual filing systems. Colleagues are obliged to familiarise themselves with the University s Data Protection Policy and Guidance, which can be accessed via the Legal Office s page on the staff website. Page 2

3 Access to the University computer network 3.3 All staff and students are provided with an ID and password to access the University computer network. Access is controlled through a network wide Identity and Access Management system. 3.4 Access to individual systems is granted following written application and confirmed by the Head of Department or other official as identified by the data owner. The application will contain the appropriate rights for data entry and access that should be allocated to the individual. 3.5 Staff are reminded of the need to change their access passwords on a regular basis. Security of computer network 3.6 The University computer network is protected from intrusion by an industry standard, best of breed, firewall. This system is reviewed and updated regularly to ensure that a robust security level is maintained against external attacks. 3.7 All incoming s to University addresses pass through a high quality spam filter which is reviewed and updated regularly. Data backup 3.8 Data backup procedures vary across the University network according to the data requirements. All centrally managed computer systems are backed up overnight to magnetic tape and organised into daily, weekly and monthly tape sets. Refer to the separate Data Backup procedures for further details. Secure destruction of data 3.9 All desktop PCs and network data storage equipment are destroyed at end of life, with suitable precautions taken to ensure the security and destruction of data contained on the devices Responsibility for the destruction of data held on local or portable storage equipment (see 7.2 (iii) below) rests with the user. Page 3

4 Business continuity 3.11 Business continuity plans are held by the University secretariat. Plans are prepared to describe the procedures to be followed to recover from key risks identified in the University business continuity plan. These include:- i. Local network node outage ii. Loss of student record system iii. Loss of financial information system iv. Loss of academic support system v. UCAS link failure. Transmission and storage of data 3.12 Where it is necessary to move data from one computer system to another, care must be taken to ensure the security of the data during the transfer Data should be transferred by one of the following means, in order of preference:- i. Direct transfer to the destination system Wherever possible, a direct link should be established between the source and destination systems. Where the destination system is external to the University network, due consideration must be given to the security of the data whilst in transit, with appropriate encryption used where necessary. ii. Data storage shared drive/folder After extract from the source system, files should be stored in a dedicated folder in an appropriate shared drive. Access to the shared drive/folder must be restricted to only those staff members or systems that require access in order to process the data. Once the data transfer or processing is completed, the files must be deleted from this folder. iii. Portable data device Where it is necessary to use a portable device (e.g. CD/DVD/data pen) every precaution must be taken to ensure the security of the data, both in the format of the data on the device, and in the physical security whilst the device is in transit. The device should be kept in the possession of those staff who are authorised to hold or have access to the data. Data files must be encrypted and password protected before being transferred to the device. Page 4

5 Once the data transfer or processing is completed, the files must be deleted from this device. iv. Whilst the system may be considered secure, s are not encrypted and the content may be intercepted and read by unauthorised persons. Personal or confidential information should not be transferred by . There is a high risk that the communication may be sent to the wrong address, and hence to an unauthorised recipient. This method of transfer must only be used when no other method is possible and must be sanctioned by the department head. Data files should be encrypted and password protected before being transferred to the . The password to access the data must not be contained in the . Use of external contractors 3.14 Where external contractors or suppliers are engaged to work in areas or on systems where confidential data may be held, then it is essential that the appropriate Confidentiality and Non-disclosure Agreement (please see 4. Forms/Instructions) is completed These procedures also apply where potential suppliers are invited to make a sales presentation to the University, which may include the disclosure of confidential information by the University. In this case, a Confidentiality and Non-disclosure Agreement should be completed before any information is disclosed For new suppliers, when a standard University contract is completed by the supplier, then this should be accompanied by the standard Confidentiality and Non-disclosure Agreement, to be completed at the same time as the contract. Note that this Agreement must not be completed before the main contract, as the terms in the later agreement will apply When a contractor is engaged without the completion of the standard contract, then a Confidentiality and Non-disclosure Agreement must be completed. A copy of this Agreement must be provided to the contractor prior to or at the commencement of the engagement. They must complete, sign and return a copy of the Agreement before any access to the University computer network is provided A copy of the Agreement should be retained by the contractor, and the University copy provided to the departmental Office Administrator for filing Where access to the University computer network is required, a bespoke user account should be created, with access rights strictly restricted to those areas required Page 5

6 for completion of the contract. On the completion of the contract and the departure of the contractor, the user account should be closed Where personal data is passed to an external party, the sanctioning officer is responsible for ensuring that the necessary Data Protection legislation is complied with. 4. Forms/Instructions Confidentiality and Non-Disclosure Agreement for external contractors or suppliers: data/assets/word_doc/0012/304032/confidentiality-agreement docx 5. Links/Dependencies This policy should be read and its use considered with reference to: Code of Conduct for Employees Data Protection Policy and Guidance 6. Appendices Page 6