1 Purpose

The purpose of this document is to set out the College's policy and provide guidance relating to the responsible use of the College's ICT resources and systems.

2 General

2.1 Belfast Metropolitan College strives to provide computer access for its staff, students and administrators to local, national and international sources of information and encourages an atmosphere that supports the sharing of knowledge, the sharing of resources, and assists the creative process of learning.

2.2 Access to ICT resources at the Belfast Metropolitan College is a privilege, not a right, and all users must act honestly and responsibly.

2.3 All users are responsible for the integrity of these ICT resources. They must respect the rights of other computer users, respect the integrity of physical facilities and controls, and respect all licence and contractual agreements related to College ICT systems. All users must act in accordance with these responsibilities, and the relevant local, national and international laws.

2.4 The College will deploy software to block access to offensive and pornographic material on the Internet from all sites that it knows about. These sites constantly change and it cannot guarantee to block access to all such sites at any one time.

2.5 The College takes no responsibility for the accuracy of information obtained from the Internet. Any person accessing information through the use of College ICT resources must determine for themselves whether the accessed information is appropriate for use.

2.6 The College will restrict or prohibit the use of its resources in response to violations of College policies or laws. When it has been determined that there has been a violation, the College will remove or limit access to ICT resources and material posted on College-owned computers or networks.

2.7 Users who do not comply with College policies will be denied access to College ICT resources. If warranted other disciplinary action will also be taken.

2.8 All staff accepting a user account shall be issued with a copy of the Belfast Metropolitan College E-mail and Internet Policy and Procedure (Appendix 3). They will be required to accept the policy electronically on first logon.

2.9 All students accepting a user account shall be issued with a copy of the Belfast Metropolitan College ICT security policy and procedures - Summary for Students (Appendix 4).

Accepting a user account and / or using the College's computer resources shall constitute an agreement on behalf of the user to abide and be bound by the provisions of this policy.

Comments or questions regarding this document, or reports of security violations should be sent by e-mail to the IT and Network services manager:

3 Definitions

3.1 For the purposes of this policy the following definitions shall apply:

"ICT" shall mean "Information Communications Technology".

"Users" shall mean the following groups:
a. Academic, administration and support staff
b. Currently enrolled students

"Electronic communications" shall mean and include the use of information systems for communicating or posting of information or material by way of electronic mail, bulletin boards, World Wide Web (Internet), or other such electronic tools.

"ICT resources" shall mean and include computers, networks, servers and other similar devices that are administered by the College and for which the College is responsible.

"Networks" shall mean and include video, voice and data networks, routers, switches and storage devices.

"Obscene material" shall mean that
a. An average person applying reasonable standards would find the material offensive
b. The material taken as a whole lacks serious literary, artistic, political, or scientific value.

"Workstation" shall mean any device attached to the College network for the purpose of accessing, transmitting or storing data.

4 Permitted Use and Prohibited Use

4.1 Belfast Metropolitan College ICT systems are only to be used for College related purposes. Limited personal use outside working hours is acceptable.

4.2 Personal use of College ICT systems resources or equipment by any user for personal financial gain in conjunction with outside business or employment is prohibited except as described in 4.3 below.

4.3 Employee personal use in conjunction with outside professional, business or employment activities is only permitted when such use has been expressly authorised and approved by the Director.

4.4 Use of any College ICT system to access, download, print, store, forward, transmit or distribute obscene or pornographic material is prohibited.

5 Access

5.1 All currently enrolled students can have access to ICT resources but may be asked at any time to produce a valid student card. Failure to do so will result in the individual being denied access to resources.

5.2 All employees of Belfast Metropolitan College are entitled to access the College computer network. The procedure for establishing user accounts and passwords is described in the Computer and Network Security Procedures (Appendix 1). All staff accepting a user account shall be issued with a copy of the Belfast Metropolitan College E-mail and Internet Policy and Procedure (Appendix 3). Staff will be required to accept the terms of the Acceptable User Policy incorporating the above Policy on first logon. Accepting a user account and / or using the College's ICT resources shall constitute an agreement on behalf of the user to abide and be bound by the provisions of this policy.

5.3 While the use of information and communication technologies is a required aspect of the College's academic programmes, access to the College ICT systems remains a privilege and not a right. It is given to students and staff who act in a considerate and responsible manner, and shall be withdrawn from those failing to maintain acceptable standards of use.

5.4 When any user terminates his or her relationship with the College, their ID and password shall be removed so as to deny further access to College ICT resources.

5.5 User accounts which have been inactive for a period of 6 months shall be removed from the system at the discretion of the IT and Network services manager.

6 Procedures for Use

6.1 Where user names and/or passwords are in place to provide authorised access, the sharing of these user names and/or passwords with any other individual is prohibited.

6.2 Prior to leaving their workstation unattended, users must ensure they are logged out from the network.

6.3 Users are to only access accounts to which they have been authorised.

6.4 Each user will be responsible for maintenance of files on their account. It is necessary for the user to review various documents that exist and remove those that are no longer required to make best use of storage space.

6.5 No person shall jeopardise the integrity of the ICT resources, its operating programs or other stored information. Lack of system protection to the resources does not constitute permission to use it.

6.6 Students may not install software on to the hard drives or any of the ICT networks.

6.7 Users must immediately report suspected unauthorised use of accounts to their lecturer or to the IT Services Staff.

6.8 Academic staff may request access to a student's directories and files for the purpose of assessing progress of and/or marking their student assignments.

6.9 All users must exercise appropriate measures to maintain the confidentiality and integrity of any information of a confidential nature acquired through ICT access.

7 Copyright

7.1 All software, in any medium, is protected under National and International Copyright Law. College agreements with the Copyright Licensing Authority (CLA) currently do not apply to material in electronic or digital format. The College has a responsibility to protect against the improper use or illegal copying of software. For guidance on the use of electronic material refer to Appendix

Only members of the College IT Services staff are permitted to install software on College machines. Procedures to request software installation are outlined in Appendix I.

7.3 The College has a standard set of software for each machine. This must not be changed in any way (including screen savers).

7.4 All copies of software owned by the College must contain a label indicating that the software is the property of the Belfast Metropolitan College.

7.5 IT Services Staff will not install any software onto any College workstation unless a valid licence for the software is provided or the staff member is aware that the software license is legal for this machine.

7.6 The copyright of software, learning materials and other computer programmes produced by College staff on College equipment during working hours, belongs to the College and should be marked accordingly.

7.7 Once IT Services Staff have reason to believe that the copyright laws are being violated, they must request verification of a valid software licence for the software on the workstation. If it cannot be produced, then the software will be removed until the situation can be resolved. In order to protect the College the software may be removed first, without warning.

8 Acceptable Use.

8.1 The College believes that computing resources should be available on as wide a basis as possible, and should be used for the purpose of College business and related activities.

8.2 All users must respect the rights of other computer users, respect the integrity of physical facilities and controls, and respect all licence and contractual agreements related to College ICT systems.

8.3 Examples of acceptable use include:
Communication between colleagues, between students and lecturers, between students and students, and between the College and other colleges, businesses and government agencies.
Production of papers, portfolios and assignments;
Research and investigation of topics;
Storage and retrieval of information
Development of competence in ICT and general research skills.
Investigation of career and progression opportunities for College students.
Use of the e-mail and internet as set out in the E-mail and Internet policy (Appendix 3)

9 Unacceptable use.

9.1 It is important to note that in an educational facility users are learning as they work and errors occur which may cause system disruption. Ordinary errors of this type are beyond the scope of inappropriate use. For example a poorly written computer programme is not necessarily a violation. It may be an accident. The intent of the user is the critical point.

9.2 Misuse of College ICT systems is prohibited. Specific examples of misuse include, but are not limited to the following:
Using ICT systems for any unauthorised purpose.
Copying licensed software from workstations is considered theft.
Intentionally wasting resources (such as on line time and consumables)
Circumventing, or attempting to circumvent logon, filtering and other security measures
Erasing or changing another user's files or ICT environment without the user's permission.
'Mail bombing' someone with a deluge of unsolicited messages. The content of the messages is irrelevant; it is the intent to inhibit productivity or damage a user's environment that is of issue here.
Adding unauthorised software to a College resource is not permitted. The intent of this statement is largely to maintain a stable environment for users. Adding a game, for example is unacceptable. Adding a statistical package is also unacceptable because it also can disrupt the operation of the workstation for others.
Intentionally modifying workstation interfaces (the look of the screen) so that the machine becomes difficult or impossible to use. For example, removing programs or scrambling the icons on a Windows, Macintosh (etc.) machine.
Unauthorised use of College facilities, including buildings, grounds and equipment. Computing facilities are only for the use of Belfast Metropolitan College students and staff as well as visitors who have applied for access.
Use of the facility by unauthorised individuals. For example, you may not permit other students to use your ID card or your password to use College facilities. User accounts and IDs are not to be shared.
Trespassing in another user's folders, work or files.
Accessing, downloading or e-mailing obscene or damaging material using the College computer network.

9.3 Grave misuse of computing facilities will lead to implementation of disciplinary action as outlined in section 13 below. Examples of grave misuse include, but are not limited to:
Intentionally crashing a server, network or printer or intentionally making them difficult to access or use.
Using Belfast Metropolitan College ICT systems for any illegal purpose.
Copying licensed software from workstations.
Circumventing logon, filtering and other security measures with the intention of accessing or altering private information or disabling or disrupting the Network.
Deliberately launching a rogue computer programme, computer virus or other destructive software element.
The use of Belfast Metropolitan College ICT facilities to harass or threaten other individuals or organisations.
Broadcasting, transporting or posting illegal, obscene or damaging material to a College or computer or network or to other systems anywhere in the world.
The use of Belfast Metropolitan College ICT facilities to attack other systems at Belfast Metropolitan College or anywhere in the world (the Internet or any associated network or personal computer)
Intentionally acquiring privileges or rights in a system which are normally beyond the scope of the user; for whatever purpose.
acquiring files for the purpose of using them or reading them when it is clear that the file(s) were intended to be erased. Some systems cannot absolutely guarantee that files are destroyed once deleted and the intentional recovery of someone else's deleted files is construed to be unauthorised access and a violation of rights of privacy.
Academic dishonesty.

10 User Privacy

A user can expect the files and data he or she generates to be private information, unless the creator of the file or data takes action to reveal it to others. However, no information system is completely secure and persons both within and outside the College may find ways to access files. Accordingly the College cannot and does not guarantee user privacy and users should be continuously aware of this fact.

Duly authorised College IT Services Staff have the authority to access individual user files or data in the process of repair or maintenance of ICT equipment.

If a user is suspected of using ICT resources to contravene elements of this policy then data files and electronic communications may be monitored, upon the authorisation of the Head of Business Services.

The College will comply with any lawful administrative or judicial order requiring the production of electronic files or data stored in the College's Information systems, and will provide information on electronic files or data stored in response to legitimate requests for discovery of evidence in litigation in which the College is involved.

11 Data Security and Backup

11.1 Daily and weekly backups will be made of critical and non-critical servers according to the backup policy contained in Appendix 5. The College will endeavour to maintain the operational integrity of the computing network at all times. However, no system is foolproof and the College cannot guarantee the integrity of files and data stored on College equipment.

It is the responsibility of the user to maintain adequate backup of all stored files and programmes they require. The Network and IT Services manager will be pleased to advise users on the backup procedures they should adopt.

Use of USB pen drives, CDs/DVDs and laptops to carry sensitive data is prohibited (see Appendix 1). The College has no infrastructure for transferring sensitive data outside of the College network.

11.4 Regular system audits will be undertaken, identifying accounts with excess privileges, excessive intruder lockouts, and inactive accounts.

Disciplinary action for non-compliance with this policy may be taken as a result of system audits.

Inactive accounts will be reviewed on a six monthly basis and account holders written to, encouraging them to use the account, before the account is removed.

12 Physical Security

IT Services will maintain an up to date inventory of all College computer hardware and software. This will be updated on a termly basis. Procedures for ordering hardware, ordering or installing software, relocating hardware, the loan of computer equipment and network access requests are contained in the "Network and Computer Security Procedure Documents" - refer to Appendix I. These procedures must be followed at all times so that the inventory can be kept up to date.

Reasonable measures will be taken to ensure adequate physical security of College hardware, including the use of desktop padlocks, security wire, and CCTV where appropriate.

Any action or attempt to subvert or overcome physical security measures is prohibited.

Unauthorised removal of hardware from College premises is theft.

Users wishing to borrow equipment must follow the Loan of Computer Equipment procedure (refer to Appendix 1).

Only IT Services staff may move or relocate computer hardware as outlined in the procedures in Appendix I.

Only IT Services staff may install software on College equipment (refer to Appendix I).

13 Data Protection Act

All persons responsible for the College's Information Systems will meet the requirements of the Data Protection Act by adhering to the following principles:

13.1 Data will be processed fairly and lawfully.

Personal data will only be obtained for specified and lawful purposes, and will not be processed in an incompatible manner.

Personal data will be adequate relevant and not excessive in relation to the purpose for which they are processed.

Personal data will be accurate and where necessary kept up to date.

Personal data processed for any purpose will not be kept for longer than necessary for such purpose.

Personal data will be processed in accordance with the rights of the subject.

Appropriate technical and organisational measures shall be taken against unlawful or unauthorised processing of personal data, and against accidental loss or destruction or damage to personal data.

13.8 Personal data will not be transferred to other countries that do not have "adequate protection" as outlined in the Data Protection Act.

14 Non Compliance

The first case of non-compliance by an individual will be considered by the Deputy Head of Business Services and the IT and Network services manager, in consultation with the relevant Programme Area Manager. In serious cases the procedure in 14.2 will be followed.

Further cases of non-compliance will be considered by the Head of Business Services or their Deputy, the IT and Network Services manager, and the relevant Programme Area Manager or their representative.

If confirmed the first incidence of non-compliance to this policy will result in a written warning unless the offence is thought to be so serious as to warrant further immediate action as detailed below.

If confirmed the second incidence of non-compliance will result in a loss or suspension of all ICT privileges. It is understood that the second incidence may not necessarily be of the same type as the first.

The consequences for non-compliance will usually be the suspension or loss of access but may include probation, suspension from Belfast Metropolitan College or in the case of a salaried employee, even termination is possible. The exact consequence will vary depending upon the specific violation.

Gravely destructive computing could be considered destruction of College property and the accused may be subject to civil action. Using the network to distribute obscene material is a criminal offence and will result in legal action.

Nothing in these procedures precludes the implementation of disciplinary action under normal College Disciplinary Procedures.

Appendix 1 Mobile Data Security

In June 2008 alone there were reported several high profile instances of data loss involving mobile devices.
Virgin Media admit it left a CD with bank details of 3000 customers on a train;
The Scottish Ambulance Service lost the names and medical records of 900,000 emergency-call patients on a hard drive being transported by a courier;
Six laptops containing details of 20,000 patients including 3000 children stolen from St. George's Hospital Tooting;
The retailer Cotton Traders admit that thousands of payment details were stolen from its system in January.

Prior to this the personal details of 25 million people in receipt of child benefit were lost while 2 DVDs were being moved between offices.

The following is an extract from guidance produced by the JISC relating to data protection:

8.8 Processing of Personal Data Off-site, on Home Computers, or at Remote Sites

Off-site processing of personal data for which an institution is Data Controller in manual or computerised form by employees or students presents a potentially greater risk of loss, theft or damage to personal data. Staff and students should thus be aware of both the institutional and the personal liability that may accrue from their off-site use of personal data.

Employees and students should take particular care when laptop computers or personal machines are used to process institutional personal data at home or in other locations (e.g. in public places, or on public transport) outside the institution. Laptops containing personal data should have properly implemented security measures that are proportionate to the anticipated risks and appropriate to the type of personal data to be transferred. These may include passwording, biometric security mechanisms and encryption.

The increasing capacity and declining size of storage media, such as CDs, mini hard disk drives, and USB flash memory datasticks means that it is possible for employees and students to carry considerable amounts of personal data on media that are easily lost or forgotten. Institutions should consider the provision of advice to employees and students about the appropriate use of such media and the need for adequate security measures to reduce data breaches in the event of loss or theft.

Employees and students should be required to ensure that when processing personal data for which the institution is Data Controller at home or in other locations:
They take reasonable precautions to ensure that the data is not accessed, disclosed or destroyed as a result of act or omission on their part
They ensure personal data held in manual form is stored as securely as possible, and ideally is locked away when not in use
They have an up-to-date firewall and a virus-scanning program installed on laptop computers or personal machines and scan all disks, e-mails, and other potential virus vectors for viruses
They back up system hard drives to avoid loss of data
They report all computer security incidents including virus infections to the institution

Employees and students should be required to ensure that when using laptops to process personal data for which the institution is Data Controller they:
Keep the laptop constantly in view when travelling, especially in busy places/terminals such as airports
Do not check the laptop as baggage unless it is placed inside luggage that has been locked
Record the model number and serial number of each hardware component associated with the laptop and keep this information in a separate location
Notify the institution immediately in the event of loss or theft of personal data on any laptop, PDA, or other digital storage mechanism or media

8.9 Disposal of Data

The proper disposal of personal data should be the final element in an institutional framework designed to ensure the security of personal data. The method of disposal should be proportionate to the anticipated risks and appropriate for the type of personal data to be destroyed. The minimum standard for the destruction of paper and microfilm documentation should be shredding; paper and microfilm documentation containing sensitive personal data should be horizontally and vertically shredded or incinerated.
The minimum standard for the destruction of data stored in electronic form should be reformatting or overwriting, and electronic storage media containing sensitive personal data should either be overwritten to a suitable standard or destroyed.

FE and HE institutions should ensure that:
All paper or microfilm documentation containing personal data is permanently destroyed by shredding or incinerating, depending on the sensitivity of the personal data.
All computer equipment or media to be sold or scrapped have had all personal data completely destroyed, by re-formatting, over-writing or degaussing.
Employees and, where appropriate, students are provided with guidance as to the correct mechanisms for disposal of different types of personal data and regular audits should be carried out to ensure that this guidance is adhered to. In particular, employees and students should be made aware that erasing electronic files does not equate to destroying them.
Where disposal of equipment or media is contracted to a third party, institutions should ensure that the contract contains a term requiring the third party to ensure that all personal data is completely destroyed, and permitting the institution to audit the third party's performance of that term at regular intervals.

The College takes the issue of mobile data security very seriously and in light of the above has made the following stipulation.

The College cannot condone the removal of data from College systems for any purpose other than transfer to an appropriate body such as the DEL. In the case of DEL measures have been put in place by DEL for the safe transfer of the data. There are no accepted circumstances where personal data as defined in the Data Protection Act or Confidential Business Data needs to be taken off the premises (or transferred between parts of the Business) using any medium such as USB, DVD or even on the hard drive of a laptop etc.

Brief guide for staff

Belfast Metropolitan College provides computer access for its students and staff to local, national, and international sources of information, and encourages an atmosphere that supports the sharing of knowledge, the sharing of resources, and assists the creative process of learning.

Access to ICT resources is a privilege, not a right, and all users must act honestly and responsibly and not infringe on the rights of others.

Belfast Metropolitan College ICT systems are only to be used for College related purposes. Limited personal use outside working hours is acceptable.

Staff user accounts can only be established using a Network Access Request form, obtained through the Intramet and e-mailed to Personnel.

All staff will be required to accept the Acceptable Usage Policy in the first instance and approximately once per term thereafter.

User names and passwords must not be shared. The responsibility for activity on your personal account is yours alone.

Obscene, inappropriate or offensive material must not be accessed or distributed.

No user should attempt to trespass in another user's folders, work or files.

Users can expect files or data generated to be private information, unless they take action to reveal them to others. However the College cannot and does not guarantee user privacy.

Daily and weekly backups will be made of all servers according to a predetermined programme. However, the College cannot guarantee the integrity of files and data stored on College equipment.

Confidential Data should not be taken from the College premises without authorisation. Even where authorisation has been given the College has no infrastructure for encrypting data and so it is seen as a risky activity.

Each user is responsible for maintaining an adequate backup of all stored files they require. The IT and Network Services Manager can advise.

On leaving a workstation, you must log out from the network.

For copyright reasons, only members of the College IT Services staff are permitted to install software. Copyright law applies to all material held in electronic format.

All users are expected to have read and understood the Belfast Metropolitan College Security Policy and Procedures. A copy is available from the IT Support and Network Services manager.

Using the College's ICT systems shall constitute an agreement on behalf of the user to abide and be bound by the provisions of this policy.

Regular system audits will be undertaken. Misuse of ICT systems will be subject to disciplinary action as identified in our Security Policy.

If there is anything you do not understand please contact the IT Support and Network Services manager on ext 5083,