INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

Transcription

1 INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most recent Conditions of Use for Computing Facilities 11-1

2 Introduction Why Information Security? The access, availability, confidentiality and integrity of the College s information is essential to the success of its academic and administrative activities. Effective information security can only be achieved by working with proper discipline, in compliance with legislation, JANET and College Policies and by adherence to approved College Codes of Practice and Guidelines. Purpose The purpose of the IS Policy is to identify risks and introduce measures to protect the RCA from internal and external threats to its information systems and assets and to ensure compliance with UK and EU legislation and JANET and RCA regulations. Standards This policy, procedures and guidelines are based on the British security standard BS 7799, adapted for use in Higher Education by UCISA (Universities and Colleges Information Systems Association) as the UCISA Information Security Toolkit 2005 Edition 2.0: - 2

3 1. Policy Statement 1.1 The College will ensure that the information assets it manages are appropriately secured to protect it against breaches of confidentiality, failures of integrity or interruptions to availability, and that information assets are adequately protected against loss, misuse or abuse. 1.2 This policy provides direction and support for information security across the College. Codes of Practice for information managers and User Guidelines for staff are considered part of this information security policy and have equal authority. This policy is applicable to all staff, students and approved visitors. 1.3 This Policy has been approved by the Rector and ratified by the College Senate in February 2007 and forms part of its policies and procedures. 1.4 This policy shall be reviewed and monitored regularly to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations. 1.5 The college will carry out risk assessments of the business value of the College s information assets and the IS security controls currently in place, taking into account changes to operating procedures or technologies, changing business requirements and priorities and any changes to relevant legislation and revise security arrangements accordingly. 1.6 A committee, to include one senior manager, will be established to give clear direction and visible management support for security initiatives and to promote security through appropriate commitment and adequate resourcing. 1.7 The Information Security Working Group (ISWG), comprising management representatives from all relevant parts of the organisation, will devise and coordinate the implementation of information security controls. 1.8 Information Security will be managed and enforced by Heads of College academic and administrative departments. 1.9 Specialist advice on information security shall be made available throughout the organisation The College will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its Information Security policy The College will ensure that all staff are aware of the policy and understand their own responsibilities for protecting the confidentiality and integrity of the data they manage, and ensure that staff and students are sensitive to new or unsuspected risks to information assets, and engender a natural caution in using information systems. - 3

4 1.12 The College will ensure that its staff, students and approved visitors comply with this Policy and are aware of, and operate in accordance with relevant UK and European Community legislation. - 4

5 Information Security at the RCA 1. Scope 1.1 This policy covers all information assets (documents, software and hardware) used by the College, including data files, workstations, servers, connectivity devices, peripherals, applications, data, storage, security and communication systems. 1.2 The Policy applies to all staff and students of the College and any other users authorised by the College. The policy relates to anyone s use of IT devices, when connected to the College network directly or indirectly, to all College-owned information assets or those on private systems, and to all information services provided to or by the College, by or for external agencies. 2. Responsibilities 2.1 The Director of Administration is responsible for approving Information Security (IS) policies and for ensuring that they are discharged to the whole College through the relevant departments and channels. The Rector or Director of Administration has the authority to take whatever action is deemed necessary to protect the College against breaches of this Policy. 2.2 Heads of department are responsible for ensuring the protection of information assets and ensuring that specific security processes are carried out by the department staff managing that information asset. 2.2 Information and Learning Services are responsible for the regular review, drafting updating and re-issue of the IS Policy and for the provision of support and advice on IS to College staff and students. 2.3 The Information Security Working Group (ISWG) is responsible for advising the College on effective compliance with this Policy, and its promotion throughout the College and for maintaining records of Information Security incidents in the College. 2.4 IS policy is drafted, reviewed and maintained by the ISWG, chaired by the Computing Services Manager (CSM) with technical advice from the Systems Administrator and UCISA/JISC Legal. 2.5 Suspected security incidents and breaches are reported to Computing Services, who will then report to the Head of ILS. Requests for information on who to inform and how to deal with security matters will be managed by the Head of ILS. 2.6 Investigation of breaches, special measures and sanctions will be initiated and determined by Director of Administration. 2.7 ISWG will establish effective Contingency Plans appropriate to the outcome of any risk assessment. - 5

6 3. Sanctions 3.1 Anyone who is found to have breached the Information Security Policy may be subject to disciplinary proceedings. Where there is evidence that, in breaching the policy a criminal act has been committed, this will be reported to the police. 3.2 Sanctions will depend on the severity, frequency, impact and context of Information Security incidents, as determined by the CSM and the Head of ILS. Sanctions will be based on precedent at similar institutions or on previously effective actions. 4. Information Security Working Group 4.1 This group will meet twice a year with representatives from: ILS, Estates, the Rectorate, Registry, Finance, the Students Union, Academic Departments and Personnel. 5. Acceptance and Enforcement 5.1 Upon signing the RCA Conditions of Use (CoU Annexe B), staff, students and visitors accept all CoU current and future clauses and JANET Acceptable Use policy. The CoU provides the opportunity to notify users that their use of RCA s computing facilities is bound by UK government legislation such as the Computer Misuse Act 1990, Data Protection Act. 6. Reviews 6.1 Regular reviews of the Policy and testing of compliance with JANET and government regulations are carried out by the Head of ILS and CSM, in consultation with ISWG, reporting to SMT. Informal reviews and discussion may take place at any time throughout the year between the CS Manager and IT technical staff. CoU and guidelines will be reviewed and updated as necessary by Computing Services in the light of new risks and usage. 7. Communication and Awareness 7.1 The primary method is the issuing of RCA Conditions of Use (CoU), which is signed by users as they are issued with an RCA network account. This is a prerequisite for any use of the RCA network. The CoU defines the types of user, their responsibilities and describes acceptable use with reference to all relevant legislation and JANET policies. The CoU also states that ANY usage binds users to these conditions. 7.2 The CoU, Policy, Codes of Practice and Guidelines are published on the College Intranet. Significant changes are notified via and memo. Staff, students, alumni and visitors are referred to these online documents when they start working or studying at RCA. - 6

7 8 Policy Awareness and Disciplinary Procedures 8.1 A copy of this Policy Statement will be given to all new members of staff by the Personnel Office and to all new students by the Registry. Existing staff and students of the College, authorised third parties and contractors given access to the College network will be advised of the existence of this Policy Statement and the availability of the associated policies, codes of practice and guidelines which are published on the College Intranet. 8.2 Failure of an individual student or member of staff to comply with this policy may lead to the instigation of the relevant disciplinary procedures as set out in the College Statutes for staff and College Regulations for students. Failure of a contractor to comply could lead to the cancellation of a contract. Under certain circumstances, legal action may be taken. 9 Compliance with Legislation 9.1 The College has an obligation to abide by all UK legislation and relevant legislation of the European Community. Of particular importance in this respect are: The Computer Misuse Act 1990, The Regulation of Investigatory Powers Act 2000, The Human Rights Act 1998, The Data Protection Act 1998, The Lawful Business Practice Regulations 2000 and various copyright laws. 9.2 Summaries and interpretation of the legislation most relevant to the College s IS Policy may be found in the Annexes. 10 Supporting Policies, Codes of Practice and Guidance Notes 10.1 Codes of Practice and User Guidelines are published in conjunction with the IS policy and are available on the College Intranet. All users of the College network and information systems are required to familiarise themselves with these and to work in accordance with them. - 7

8 Annexe A 1. Interpretation of The Regulation of Investigatory Powers Act (RIP) RIP establishes a legal framework to govern the interception of electronic communications. It sets the rules regarding activities such as recording, monitoring or diverting communications in the course of their transmission over a public or private telecoms system. It establishes a basic principle that communications may NOT be intercepted without consent. A person who intercepts communications will need to be certain that their actions are authorised under the Regulation of Investigatory Powers Act and comply with the requirements of the Data Protection Act. The Act brings the interception of electronic communications in organisations within the scope of the regulations. If an organisation intercepts a communication without legal authority, the sender or the recipient of the communication will be able to seek an injunction or, if they can show that they suffered a loss as a result of the interception, sue for damages. The Act also establishes the circumstances in which it is lawful to intercept communications. It authorises interception in cases where the interceptor has reasonable grounds to believe that both the sender and intended recipient have consented. It also provides the Secretary of State (CHECK) to make "Lawful Business Practice" Regulations setting out the circumstances in which businesses can lawfully intercept communications without consent. 2. Interpretation of The Telecommunications (Lawful Business Practice) (interception of Communications) Regulations The Lawful Business Practice Regulations make an exception to the rule established in the RIP that consent is needed before an interception can take place. If a business intercepts a communication in accordance with the Regulations, it will not risk civil liability under the RIP for unlawful interception. These allow businesses to intercept, without consent, for purposes such as recording evidence of transactions, ensuring regulatory compliance, detecting crime or unauthorised use and ensuring the effective operation of their telecommunications systems. Businesses will not need to gain consent before intercepting for these purposes, although they must have informed the users of the systems that interceptions may take place. Interception which involves obtaining, recording or otherwise processing personal data (for example recording calls or filtering s) also falls within the scope of the - 8

9 Data Protection Act So too does the holding or processing of personal data after the interception has taken place. The purposes for which the College will be able to intercept electronic communications without consent under the Regulations are shown below. Depending on circumstances RCA may make use of some or all of these purposes. a) Establishing the existence of facts relevant to the business, for example keeping records of transactions and other communications in cases where it is necessary or desirable to know the specific facts of the communication. b) Ascertaining compliance with regulatory or self-regulatory practices or procedures relevant to the business, for example monitoring as a means to check that the business is complying with regulatory or self-regulatory rules or guidelines. c) Ascertaining or demonstrating standards which are or ought to be achieved by persons using the system, for example monitoring for purposes of quality control or staff training. d) Preventing or detecting crime, for example, monitoring or recording to detect fraud, computer misuse or other illegal activities. e) Investigating or detecting the unauthorised use of the systems, for example monitoring to ensure that employees do not breach College rules e.g. as listed in the Conditions of Use of IT and the College IT Security Policy. Monitoring and inspecting packet content to detect misuse. f) Ensuring the effective operation of the system, for example monitoring for and deleting viruses, checking for and stopping other threats to the system e.g. hacking or denial of service attacks, monitoring automated processes such as net flow logs, s logs, caching activity and load distribution. g) Determining whether or not the communications are relevant to the business, for example checking accounts to access business communication in staff absence. 3. The Data Protection Act These policies satisfy the Data Protection Act s requirement for a formal statement of the College s security arrangements for personal data. The requirement for compliance devolves to all users, who may be held personally responsible for any breach of the legislation. 4. The Human Rights Act 1998 Article 8 This part of the Act covers the issue of personal privacy in relation to personal electronic communications that are made on and held by the College s information systems such as telephone calls, and weblogs. The College, as far at it allows - 9

10 personal use of its communication systems, has a duty to protect this information from accidental or operational damage, deletion or disclosure. Article 8: RIGHT TO RESPECT FOR PRIVATE AND FAMILY LIFE 1) Everyone has the right to respect for his private and family life, his home and his correspondence. 2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. - 10

11 Annexe B Conditions of Use of Computing Facilities To use Royal College of Art ("the College") computing facilities requires that you comply with the following conditions. Contravention of any of these conditions may result in immediate withdrawal of your access to all IT services and possible legal action. 1. I may only use those College computing facilities for which I have permission, and by using these facilities, I agree to comply with these Conditions of Use. 2. College computing facilities are to be used solely for purposes authorised by the College: coursework, research, teaching and associated administration and communication. 3. I am bound by the conditions of use and codes of conduct for any external computing facilities and services, including the JANET Acceptable Use Policy, and agree that my use of such facilities and services must not bring the College into disrepute. 4. I am bound by all current UK legislation, including the Computer Misuse Act 1990, and agree not to misuse, cause damage to, or make unauthorised use of College or external computing facilities. 5. I am bound by all current UK legislation relating to libel, pornography and harassment, including: storing or propagating libellous and/or offensive information; using computing facilities to distribute defamatory information. 6. I am entitled to a single user account only, for and other network-based services, and agree not to access another user's account or computer without authorisation, or disclose to others my password, or facilitate unauthorised access by others. 7. I must not send unsolicited electronic communications to multiple recipients, unless authorised by the College. 8. I must not attempt to conceal or falsify the authorship of any electronic communication. 9. I agree, in accordance with the Copyright, Designs and Patents Act 1988, not to undertake or facilitate the illegal copying or distribution of software, licenses or data. 10. I agree to abide by the Data Protection Act 1998, and agree that stored data about living individuals must be authorised by a Head of Department, and secured and used in accordance with the Act. - 11

12 11. I am bound by all agreements and contracts made by the College concerning use of software, data and hardware that I use. This includes full cooperation with the software, data and hardware audits. I agree to notify my department of any software or hardware purchase and agree to make available for inspection by authorised personnel any computing equipment used by me within the College. 12. The College may, if necessary monitor computer and network device usage, electronic files and communications, to prevent, test or investigate breaches of College regulations or UK legislation, in accordance with the Regulation of Investigatory Powers Act (RIP) 2000 and The Telecommunications Interception of Communications Regulations The College cannot guarantee the security, confidentiality or integrity of data, and therefore will not be liable for any inaccuracies, damages or losses arising from the use of College or external facilities. 14. My name, photograph, status and related information will be stored in computerised form for administrative purposes. 15. I agree that access to College facilities is restricted to holders of ID cards, issued by Buildings & Estates. My ID card must be carried at all times while at the College, and be used only by myself, and will be surrendered if requested by College staff. Replacement of ID cards is subject to a 5 charge. 16. These Conditions are subject to change at any time. Changes will be reported on the Intranet at /computing/ under 'Computing Services Policies and Procedures'. For applicable laws and policies see: /computing/legislation/: Last updated: 11 June 2008 Computing Services computing@rca.ac.uk - 12