Information Security Policy. Policy and Procedures


Issue Date: February 2013
Revision Date: February 2014
Responsibility/Main Point of Contact: Neil Smedley
Approved by/date:
Associated Documents:
- Acceptable Use Agreement
- Anti-virus Procedure
- Change Control Procedure
- College Network and Systems Access Policy
- College Server Backup Procedure
- Computer Disposal Procedure
- Data Protection Act 1998
- Information Security Incident Reporting Procedure
Version number: 2.1

This policy has undergone an Equality Impact Assessment (EQIA) confirming that there are no negative consequences in the case of this policy. EQIA completed on 29 Aug 14 by CJ.

Introduction

Electronic information is a valuable resource which the College takes great care to protect from loss, corruption and unauthorised use or misuse. Although much of the information held and processed by the College is intended for general use, certain information (key data and information) has to be handled and managed securely and with accountability. In addition, such information and the way it may be processed is subject to UK law and the Data Protection Act.

Purpose and Policy Statement

This document provides the policy framework through which the College will apply information security controls throughout the College. It is based upon the International Standard ISO (BS 7799) and includes the following:
- information classification
- access control
- operations
- incident management
- physical security
- third-party access
- business continuity management

Supporting Policies containing detailed Information Security requirements will be developed in support of the Information Security Policy. Reference to supporting policies will be made in bold italic text throughout the remainder of the document.

Definition: what is Information Security

Information Security is a means of protecting key data, information and information systems from unauthorised access, use and misuse, inspection, disclosure, disruption, modification or destruction.

Scope

The Information Security Policy covers the following:
- the College's IT/IS infrastructure
- key data and information
- those who have access to or who administer IT/IS facilities
- individuals who process or handle key data and information

The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental.

Responsibilities

The College has a responsibility to ensure that information security is properly managed.

The IT Manager is responsible for:
- the development and upkeep of this policy
- ensuring this policy is implemented and supported by appropriate documentation, such as procedures
- ensuring that documentation is relevant and kept up-to-date
- ensuring this policy and subsequent updates are communicated to relevant staff
- ensuring that serious breach

Individual members of staff have a responsibility to:
- adhere to this policy, and report any security breaches or incidents to the IT Manager as soon as practicable, using the Information Security Incident Reporting Procedure

1. ICT Assets

IT Services will maintain an inventory, subject to audit, of all ICT assets. This will be in two categories:
- Hardware
- Software

This asset inventory is in addition to the fixed asset register used for College financial accounting.

Hardware that is obsolete or beyond economical repair shall be disposed of using an approved company. The company should meet legislation introduced in the Waste Electrical and Electronic Equipment Directive (WEEE Directive), which was introduced into UK law in January 2007 by the Waste Electronic and Electrical Equipment Regulations. This legislation sets strict guidelines with regard to computer disposal and other waste electrical and electronic equipment. The company should also be able to demonstrate that they have secure destruction facilities for data contained on hardware. Further information is contained in the Computer Disposal Procedure.

2. User Accounts

It is the responsibility of IT Services to maintain a directory of users authorised to use College ICT resources. Staff, students, temporary guest users and external users are subject to the College Acceptable Use Agreement, and will have different access permissions and responsibilities. For the purposes of this policy the following guidelines are used to distinguish between the different types of user:
- Staff - are those registered on the College HR/Payroll systems
- Students - are those registered in the College MIS system
- Guest users - are users permitted to temporarily access College ICT facilities
- External users - are all other users permitted access to College ICT facilities

2.1. Staff

All staff, whether permanent, temporary or agency staff, must abide by the terms and conditions covering the use of ICT at the College. The staff agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services, in written or electronic form. Temporary staff accounts should be set with an expiry date for the end of their contract period.

Staff may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

Students

All students must abide by the terms and conditions covering the use of ICT at the College. The student agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services in written or electronic form.

Students may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

2.3. Guest Users

Guest user accounts allow limited access to College resources and will be provided for a limited time period with specific access hours. These user accounts do not have access

External Users

At present there are no requirements for external user accounts. If at a future time there is a requirement, then they should have limited access to College resources and should only be enabled on a daily basis.

3. Physical & Environmental Security

Controls will be implemented to prevent unauthorised access to computer and information systems.

Physical Security

Server rooms, the IT Services computer suite, telecoms cabinets and communications cabinets shall be protected to provide suitable physical security and environmental controls. Servers used for storing and/or processing data shall be located in physically secured areas. Server rooms shall be inspected twice a week to ensure integrity of physical security.

4. Communications and Operations Management

Controls will be implemented to enable the correct and secure operation of information processing facilities.

Operating Procedures

Design, build, configuration and operating documents will be produced for all servers and system applications. These documents are to be kept in secure areas with access only available to IT Services staff and, where relevant, MIS staff.

Change Control

All changes to live critical systems will follow a change management process detailed in the Change Control Procedure.

4.3. Protection Against Malicious Software

Protection will be provided using a multi-level defence using the following:
- Router
- Firewall
- Web Content Management with malware protection
- Anti-virus Software Scanning

Virus scanning shall be enabled on all servers, desktops and laptops; this shall be automatically updated to ensure the signature files are up to date, and shall not allow users to switch off the anti-virus software. See attached Anti-virus Procedure in Procedures Section.

4.4. Information Security Incidents

Information security breaches should be reported to IT Services as soon as practicable. Any events that are regarded as security incidents will be defined, and processes implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Procedure.

4.5. Security Patches

Critical security patches shall be installed automatically when made available by Microsoft, Apple or any other system software vendor.

Housekeeping

All critical data and applications are to be backed up in accordance with the College Server Backup Procedure; this includes the handling, storage and disposal of media. In the event of restoration of data, follow the College Server Restore Procedure.

College Server Backup Procedure

4.7. Network Management

Controls will be implemented to achieve, maintain, and control access to internal/external computer networks including wireless LANs, in accordance with the College Network and Systems Access Policy.

5. Access Control

Access to College data and resources is dependent upon the type of user, whether they are staff, student, guest or external user. Users shall only be given access to resources in relation to their role. The procedure for determining and administering the different types of user can be found in the Network and Systems Access Policy.

6. Username and Password Control

Access to College ICT resources is controlled by use of a network username and password. Control of network usernames and passwords is the responsibility of IT Services. See attached Password Procedure in Procedures Section.

7. Remote Access

Controls will be implemented to manage and control remote access to the College's ICT resources, see Network and Systems Access Policy.

8. Business Continuity Planning

Business Continuity Planning is working out how to continue operations under adverse conditions that include local events like building fires, theft, and vandalism, regional incidents like earthquakes and floods, and national incidents like pandemic illnesses. In fact, any event that could impact operations should be considered, such as interruption, loss of or damage to critical infrastructure (computing/network resource). As such, risk management must be incorporated as part of Business Continuity Planning.

9. Encryption

To ensure compliance with data protection regulations, the best solution is that all data remains on college servers/systems. If personal data has to be taken away from the college it should be encrypted.

Laptops shall use full disk encryption using Microsoft BitLocker technology; full disk encryption will be installed by the IT Services team.

USB flash drives and USB external drives shall be encrypted using Microsoft BitLocker technology, see guidance notes for instruction.

If personal details are to be emailed or sent by any other media (i.e. CDROM), they shall be stored in an encrypted archive which uses AES encryption. The third-party product 7-Zip is to be used, see guidance notes for instruction.

Procedures

Anti-virus Procedure

Purpose

All New College Telford computers/laptops must have the college's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus signatures must be automatically kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. IT Services are responsible for creating processes that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into the college's networks (e.g., viruses, worms, Trojan horses, bombs, etc.) are prohibited, in accordance with the Acceptable Use Agreement.

Any employee or student found to have violated this procedure may be subject to account removal and/or disciplinary action.

Anti-virus Process

Recommended processes for users to prevent virus problems:
- Always use the supported anti-virus software available on college systems.
- NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your rubbish bin.
- Delete spam, chain, and other junk email without forwarding.
- Never download files from unknown or suspicious sources.
- Avoid direct CDROM/DVDROM or USB memory stick sharing with read/write access unless there is absolutely a business requirement to do so.
- Always scan a CDROM/DVDROM or USB memory stick from an unknown source for viruses before using it.
- If you suspect that you have got a virus or malware on your computer contact IT Services immediately using address

Processes for IT Services Staff

- Automatically apply critical updates for the college standard anti-virus system to all college computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Automatically apply virus signature updates on all college computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Set up automatic reporting to the IT Services team for any computer where a virus has been detected.
- Ensure that any virus detected has been removed automatically or quarantined. In the event of failure to automatically remove or quarantine the virus, remove the computer from the network and manually remove the virus or reimage the computer.
- Set up an automatic daily anti-virus scan of hard drives for all college desktop and laptop computers.
- Set up an automatic anti-virus scan of hard drives for all college server computers.
- Set anti-virus real time detection for all college computer systems.

Password Procedure

Purpose

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the college's entire corporate network. As such, all New College Telford employees and students (including contractors and vendors with access to college systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the network, or stores any information.

Password Requirement

Passwords will be subject to the following rules:
- Minimum password length: 5 characters
- Passwords will be subject to an expiry limit of 42 days
- Password history to prevent reuse of passwords: 5
- Accounts will be locked out after 3 incorrect attempts for a period of 15 minutes to prevent password cracking software

General Password Construction Guidelines

Passwords are used for various purposes at New College Telford. Some of the more common uses include: user level accounts, web accounts, email accounts, voicemail password, and system logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords, which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:
- The password contains fewer than five characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  o Names of family, pets, friends, colleagues, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o The words New College, NewCol, NCT or any derivation.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., ~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered.

NOTE: Do not use either of these examples as passwords!

Password Change

In the event of a password being forgotten, the staff member or student can get the password reset by IT Services, after displaying their ID card.

Staff Account Process When Staff Member Resigns

Human Resources must inform IT Services when a member of staff has resigned so the network user account can be disabled and archived.

After receiving the notification of a member of staff leaving, the expiry date on the network user account is set for the end of the day of leaving employment.

After the leaving date the staff network user account is disabled permanently and moved to the OU=Archived_Accounts under OU=Staff_Admin,DC=nct,DC=ads. The user's personal data is moved to \\athena\staffhomes\ Archive.

At the end of the month, after a full monthly backup, a script is run automatically to remove the Active Directory network user account, Exchange Mailbox, and the archived personal data.

The majority of applications use the network user account to allow access to applications. Any application with its own user account controls, such as Resource, should also have the user account removed when employment ceases.

MIS must inform IT Services when a student leaves so the accounts can be disabled and archived in accordance with the Network and Systems Access Policy.

IT Services will maintain a database of all system passwords and this must be kept in a secure manner. System passwords should be changed regularly.

Enforcement

Any employee found to have violated this policy may be subject to account removal and/or disciplinary action.
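The weak and strong password characteristics listed under General Password Construction Guidelines above can be checked mechanically when a password is set. The following is an added example, not part of the College's policy or tooling; the function names, the small constructed word list and the stripping of any run of leading or trailing digits (a generalisation of the policy's "preceded or followed by a digit") are assumptions.

```python
import re
import string

# Constructed sample word list (assumption); a real check would load a full
# dictionary plus the user's personal details.
DICTIONARY = {"secret", "password", "dragon", "server", "windows"}
COLLEGE_TERMS = ("newcollege", "newcol", "nct")   # terms named in the policy
PATTERNS = {"aaabbb", "qwerty", "zyxwvuts"}       # patterns named in the policy
MIN_LENGTH = 5       # "Minimum password length 5 characters"
STRONG_LENGTH = 8    # "at least eight alphanumeric characters long"


def candidate_forms(password):
    """Return the forms to test: lower-cased, digits trimmed, and reversed."""
    lowered = password.lower().replace(" ", "")
    trimmed = re.sub(r"^\d+|\d+$", "", lowered)   # secret1, 1secret -> secret
    forms = {lowered, trimmed}
    forms |= {form[::-1] for form in forms}       # "spelled backwards"
    forms.discard("")
    return forms


def weak_reasons(password):
    """List which of the policy's weak-password characteristics apply."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    forms = candidate_forms(password)
    if forms & DICTIONARY:
        reasons.append("dictionary word")
    # Substring match catches derivations but can also flag unrelated words.
    if any(term in form for form in forms for term in COLLEGE_TERMS):
        reasons.append("college name")
    if forms & PATTERNS:
        reasons.append("keyboard or letter pattern")
    return reasons


def missing_strong_traits(password):
    """List which of the policy's strong-password characteristics are absent."""
    missing = []
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        missing.append("mixed case")
    if not any(c.isdigit() for c in password):
        missing.append("digit")
    if not any(c in string.punctuation for c in password):
        missing.append("punctuation")
    if len(password) < STRONG_LENGTH:
        missing.append("eight characters")
    return missing


def acceptable(password):
    """True only if no weak characteristic applies and no strong trait is missing."""
    return not weak_reasons(password) and not missing_strong_traits(password)
```

A password of five to seven characters passes the lockout-era minimum length but is still reported by `missing_strong_traits`, which makes the gap between the enforced minimum and the construction guidelines visible.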

Guidance Notes

USB flash drive and USB external drive Encryption

- Launch the BitLocker utility by typing "bit locker" into the Start Search menu.
- Enable the drive encryption on the USB drive by clicking Turn on BitLocker.
- Enable the check box Use a password to unlock the drive and enter a complex password to use when using your external USB drive.
- Click the Save the recovery key to a file button and choose a safe location for the file. The location cannot be the USB drive you are encrypting.
- The USB drive will begin encrypting. It may take a long time depending on the size of the drive. If needed the process can be paused and restarted at a later date with no issues.
- When encryption is complete the following dialogue box will be displayed.
- When attempting to use the drive you will be prompted to enter the password you specified earlier.

Encrypted Archive Using 7-Zip

- Right click on the file(s) to archive and go to the 7-Zip menu, then select Add to archive.
- Change the Archive format to zip by clicking the drop down menu and selecting zip.
- Change the Encryption method to AES-256 by clicking the drop down menu and selecting AES-256.
- Enter the password for the archive in the Encryption area and then click OK to archive the selected file(s).
- Once the encrypted zip file has been created, it can be emailed or put onto another medium such as CDROM etc.