ALBAN CHURCH OF ENGLAND ACADEMY COMPUTER SECURITY POLICY. Approved by Governing Body on: 6 th May 2015

Transcription

1 ALBAN CHURCH OF ENGLAND ACADEMY COMPUTER SECURITY POLICY Gvernrs Cmmittee: Finance and General Purpses Apprved by Gverning Bdy n: 6 th May 2015 Signed: (Chair f Cmmittee) Signed: (Headteacher) Date t be reviewed: May 2017

2 1. Physical Equipment Security COMPUTER SECURITY POLICY 1.1 Where pssible, cmputer equipment will be sited s as t reduce the risk f unauthrised access and damage. Laptp trllies t be stred in lcked ICT rms at night. 1.2 The details f all cmputer equipment will be recrded in the fficial inventry. 1.3 Cmputer hardware will be security marked as apprpriate by the ICT Technician. 1.4 A recrd will be kept by the ICT Technician f any IT equipment, excluding items cvered by the Laptp Lan Agreement, taken ff site. The remval f equipment frm the Academy s premises must be authrised by the Headteacher. 1.5 Staff allcated r having use f Academy laptps must sign a laptp lan agreement n an annual basis. 1.6 The fficers respnsible fr physical equipment security are the Headteacher and the Netwrk Manager. 2. Backup Prcedures 2.1 All data held n the Academy s server will be backed up at least nce a day, excluding weekends. 2.2 All nsite backups will be stred n the NAS Drive and will be preserved fr at least furteen wrking days. 2.3 The latest versin f the cmputer backup will be stred ff site and the nsite set f backup disks will be kept in a fire-prf cabinet when nt in use. 2.4 The fficer respnsible fr backup prcedures is the Netwrk Manager. 3. Virus Detectin 3.1 All cmputers will have virus preventin and detectin sftware installed within their start-up prcedures. The sftware shuld be updated regularly. Currently, McAfee VirusScan Enterprise 8.8 is used. Staff with Academy laptps are respnsible fr manually checking these have updated n a daily basis. 3.2 The Virus Scan checks remvable strage devices fr viruses befre use althugh the use f such strage devices is strngly discuraged 3.3 The use f unlicensed sftware is prhibited. 3.4 All sftware must be authrised by the Netwrk Manager.

3 3.5 Any perceived virus attack shuld be immediately reprted t the Netwrk Manager r ICT Technician. 3.6 The fficer respnsible fr virus detectin prcedures is the Netwrk Manager. 4. Sftware Cntrls 4.1 All sftware maintained n the Academy s cmputers must be prperly wned by the Academy. Sftware may nly be used in accrdance with the licence agreements. 4.2 All licences and system disks will be held in a lckable cupbard in the ICT Office. 4.3 An inventry f all sftware maintained n the Academy s cmputers will be kept by the ICT Technician tgether with relevant serial numbers. 4.4 Access t sftware will be restricted t authrised staff. 4.5 The Schl Manager and Netwrk Manager are the Systems Managers fr PS Financials and SIMS. They are the nly peple wh may issue passwrds and amend access levels. The Netwrk Manager is the Systems Manager fr all ther cmputer matters. 4.6 Users f the Academy s cmputer system will be issued with individual user accunts. 4.7 It shuld be ensured that passwrds are kept cnfidential. They shuld be changed if it is felt that security has been cmprmised. 4.8 Staff must lck r lg ff the cmputer system befre leaving the cmputer unattended. All machines shuld be shut dwn at the end f each day. 4.9 When staff leave, their user accunts will be deleted immediately by the Systems Manager Any suspected breach f security will be immediately reprted t the Netwrk Manager The fficer respnsible fr sftware cntrls is the Netwrk Manager. 5. Legal Obligatins 5.1 All staff shuld be made aware f the requirements and their respnsibilities in relatin t the fllwing legal statutes: 1984 Data Prtectin Act 1986 Cpyright, Designs and Patents Act (extended t cver cmputing sftware) 1990 Cmputer Misuse Act 6. Acquisitin, Maintenance and Dispsal f Hardware 6.1 The Headteacher has verall respnsibility fr the acquisitin, maintenance and dispsal f equipment.

4 6.2 Three qutatins will be btained fr items csting mre than 5000 t ensure best value. 6.3 Official rders will always be used t make any purchases. 6.4 The write ff and dispsal f equipment shuld be authrised by the Headteacher and Gverning Bdy, if apprpriate. See Appendix Acquisitin and dispsal f equipment must be in accrdance with the Academies Financial Handbk. 7. User Training 7.1 Users shuld receive apprpriate training in the crrect use f the Academy s ICT facilities including use f sftware packages and security arrangements. 8. Disaster Recvery 8.1 There will be adequate arrangements in place fr disaster recvery, including emergency prcedures, manual fallback plans and resumptin prcedures. 8.2 The fficer respnsible fr disaster recvery is the Netwrk Manager. 8.3 The Academy has adequate backup facilities t enable a restre f all data in the event f a disaster. 8.4 Server Security prcedures will be fllwed at all times. See Appendix 2

5 Appendix 1 Dispsal f Redundant ICT Equipment Plicy All redundant ICT equipment will be dispsed f thrugh an authrised agency r via a reputable Business Services dispsal scheme. This shuld include a written receipt tgether with a certificate f data destructin in accrdance with current legislatin EN 15713:2009 fr the item / items including an acceptance f respnsibility fr the destructin f any data. All redundant ICT equipment that may have held persnal data will have the strage media ver written multiple times t ensure the data is irretrievably destryed. Or if the strage media has failed it will be physically destryed. We will nly use authrised cmpanies wh will supply a written guarantee that this will happen. Dispsal f any ICT equipment will cnfrm t: The Waste Electrical and Electrnic Equipment Regulatins 2006 The Waste Electrical and Electrnic Equipment (Amendment) Regulatins Data Prtectin Act Electricity at Wrk Regulatins The Academy will maintain a cmprehensive inventry f all its ICT equipment including a recrd f dispsal. The Academy s dispsal recrd will include: Date item dispsed f Authrisatin fr dispsal, including: verificatin f sftware licensing any persnal data likely t be held n the strage media? Hw it was dispsed f eg waste, gift, sale Name f persn & / r rganisatin wh received the dispsed item * if persnal data is likely t be held the strage media will be ver written multiple times t ensure the data is irretrievably destryed. Any redundant ICT equipment being cnsidered fr sale / gift will have been subject t a recent electrical safety check and hld a valid PAT certificate. Further infrmatin available at:

6 Waste Electrical and Electrnic Equipment (WEEE) Regulatins Envirnment Agency web site Appendix 2 Servers Newly installed servers hlding persnal data shuld be encrypted, therefre passwrd prtecting data. Always keep servers in a lcked and secure envirnment Limit access rights Always passwrd prtect and lck the server Existing servers shuld have security sftware installed apprpriate t the machine s specificatin Backup tapes shuld be encrypted by apprpriate sftware Data must be backed up regularly Backup tapes/discs must be securely stred in a fireprf cntainer Backup media stred ff-site must be secure