Schools Information and ICT Security Model Policy Reviewed November 2014

Transcription

1 Schls Infrmatin and ICT Security Mdel Plicy Reviewed Nvember 2014 Name f schl St Jhns Cathlic Primary Date established by the Gverning Bdy... April 2015 Date fr full implementatin June 2015 Date fr Review... April 2016 Senir Infrmatin Risk Officer Mrs J paytn The plicy is available fr staff at: St Jhn s Cathlic Primary

2

3 Table f Cntents 1 Status Purpse Cnsultatin Relatinship with ther plicies Intrductin t Guidance Definitins Scpe Respnsibilities The Gverning Bdy The Headteacher Senir Infrmatin Risk Owner (SIRO) Infrmatin Asset Owner (IAO) Audit Services Users Legislatin Backgrund Management f the Plicy Physical Security Lcatin Access Siting f Equipment Inventry Persnal Hardware and Sftware System Security Legitimate Use ICT Security Facilities Authrisatin Access t the Cuncil Services Passwrds Backups Virus Prtectin Dispsal f Infrmatin and Equipment Repair f Equipment Gd Practice in Infrmatin Handling Backgrund Risk Assessment Encryptin Security Incidents /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 3 f 28

4 Infrmatin and ICT Security Plicy and Guidance 1 Status This plicy is recmmended t schls and is based n gd practice. 2 Purpse The bjectives f this Plicy are t: Ensure the prtectin f cnfidentiality, integrity and availability f schl infrmatin and assets. Ensure users are aware f and fully cmply with all relevant legislatin. Ensure all staff understand the need fr infrmatin and ICT security and their wn respnsibilities in this respect. 3 Cnsultatin At lcal authrity level, cmments have been sught frm the fllwing grups: Secndary schl netwrk managers ICT Advisers Infrmatin Gvernance Headteachers ICT and elearning Grup Dicese f Shrewsbury 4 Relatinship with ther plicies Plicies are written and reviewed at different times and they shuld nt cntradict. Nte ther guides and plicies here t enable a cherent apprach. Arrangements fr mnitring and evaluatin - it is the Gverning Bdy s respnsibility t mnitr r review this plicy and fr this t be dne within a framewrk f planned plicy review via the GB's cmmittees. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 4 f 28

5 5 Intrductin t Guidance Schls have made a significant investment in cmputer systems and netwrks and reliable ICT services are vital t teaching, learning and management tasks. In additin, schls manage persnal and sensitive infrmatin. The majrity f Shrpshire schls have access t the Shrpshire wide area netwrk (WAN), prviding them with access t crprate resurces such as Samis and ResurceLink. This wider access places a respnsibility n all participating schls t ensure that their wn lcal area netwrk and the Shrpshire WAN, as well as the persnal infrmatin they manage, is nt cmprmised by pr security and irrespnsible user actins. 6 Definitins Infrmatin means infrmatin in any frmat, eg paper, electrnic, vide, audi. Authenticatin means the prcess f identifying an individual, usually based n a username and passwrd, ie determining whether smene is, in fact, wh they claim t be. 7 Scpe This Plicy is intended fr all schl staff, including gvernrs, wh have cntrl ver r wh use r supprt the schl s administrative and/r curriculum ICT systems r data r handle ther schl manual (paper) and electrnic data. The Plicy shuld be reviewed by the Gverning Bdy/Schl n an annual basis. All users f the schl s ICT systems r data are als cvered by this plicy. Mdel acceptable use plicies are als incrprated as appendices t this dcument. Thse fr learners, adults wrking with yung peple and the guidance ntes fr schls and gvernrs are thse riginally issued by WMNet in /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 5 f 28

6 8 Respnsibilities 8.1 The Gverning Bdy The Gverning Bdy has ultimate respnsibility fr ensuring that the schl cmplies with the legislative requirements relating t the use f infrmatin and ICT security and fr disseminating plicy n ICT security and ther ICT related matters. In practice, the day t day respnsibility fr implementing these legislative requirements rests with the Headteacher. 8.2 The Headteacher The Headteacher is respnsible fr ensuring that the legislative requirements relating t the use f infrmatin and ICT system security are met and that the schl s Infrmatin and ICT Security Plicy is adpted and maintained by the schl. The Headteacher is als respnsible fr ensuring that any special security measures relating t the schl s infrmatin r ICT facilities are applied and dcumented as an integral part f the Plicy. The Headteacher is als respnsible fr ensuring the requirements f the Data Prtectin Act 1998 are cmplied with fully by the schl. In additin, the Headteacher is respnsible fr ensuring that users f systems and data are familiar with the relevant aspects f the Plicy and t ensure that the apprpriate cntrls are in place fr staff t cmply with the Plicy. Appendix E prvides a checklist fr headteachers. 8.3 Senir Infrmatin Risk Owner (SIRO) The Senir Infrmatin Risk Owner (SIRO) is a senir member f staff wh is familiar with infrmatin risks and the rganisatin s respnse. Typically, the SIRO shuld be a member f the senir leadership team in a secndary schl and may be the headteacher in a primary schl. The fllwing respnsibilities attach t the rle f SIRO: They wn the infrmatin risk plicy and risk assessment They appint the Infrmatin Asset Owners (IAOs) see sectin 8.4 They act as an advcate fr infrmatin risk management Additinally, the SIRO will be respnsible fr ensuring that: Suitable training fr all users and dcumentatin t prmte the prper use f infrmatin and ICT systems is prvided. Users will als be given adequate infrmatin n the plicies, prcedures and facilities t help safeguard these systems and related data. A recrd f the training prvided thrugh the schl t each individual user will be maintained. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 6 f 28

7 Users are made aware f the value and imprtance f such ICT systems and data, particularly data f a cnfidential r sensitive nature, and be made aware f their persnal respnsibilities fr infrmatin and ICT security. T help achieve these aims, the relevant parts f the Infrmatin and ICT Security Plicy and any ther infrmatin n the use f particular facilities and techniques t prtect the systems r data will be disseminated t users. The practical aspects f ICT prtectin are perfrmed, such as maintaining the integrity f the data, prducing the requisite back-up cpies f data and prtecting the physical access t systems and data. The SIRO may als be respnsible fr the schl s ICT equipment and systems and will have direct cntrl ver these assets and their use, including respnsibility fr cntrlling access t these assets and fr defining and dcumenting the requisite level f prtectin. In line with these respnsibilities, the SIRO will be the fficial pint f cntact fr ICT r infrmatin security issues and as such is respnsible fr ntifying the Headteacher r Chair f Gvernrs f any suspected r actual breach f ICT r infrmatin security ccurring within the schl. The SIRO r Chair f Gvernrs shuld ensure that details f the suspected r actual breach are recrded and made available t the Cuncil s Infrmatin Gvernance team upn request. The SIRO r Chair f Gvernrs must advise the ICT Services Help Desk (01743) f any suspected r actual breach f ICT r infrmatin security immediately. It is vital, therefre, that the SIRO is fully cnversant with the Infrmatin and ICT Security Plicy and maintains an up t date knwledge f best practice and fllws the assciated apprved practices. The schl s Senir Infrmatin Risk Officer (SIRO) is Mr Gerge Sabin 8.4 Infrmatin Asset Owner (IAO) Schls must identify their infrmatin assets including persnal data fr pupils and staff, assessment recrds, medical infrmatin and special educatinal needs data, fr example and fr each ne, identify an infrmatin asset wner. The rle f the IAO is t understand: What infrmatin is held and fr what purpses Hw infrmatin has been amended r added t ver time Wh has access t prtected data and why An infrmatin asset is regarded as the cllectin f data r an entire dataset. It is imprtant t distinguish between an infrmatin asset and the infrmatin (usually a /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 7 f 28

8 subset f the asset) that needs prtectin. Fr example, reprts run frm an infrmatin asset, such as SIMS, are nt infrmatin assets themselves. There shuld be an IAO fr each asset r grup f assets as apprpriate. Fr example, the SIMS database shuld be identified as an asset and shuld have an IAO. The IAO is respnsible fr managing and addressing risks t the infrmatin and ensuring that infrmatin handling bth cmplies with legal requirements and is used t the full t supprt the delivery f educatin. The schl s Infrmatin Asset Owners are: Mrs J Paytn Mrs C Millar Miss K Millar 8.5 Audit Services The Audit Services sectin f the Cuncil is respnsible fr checking peridically that the measures prescribed in each schl s apprved Infrmatin and ICT Security Plicy are cmplied with. 8.6 Users All users f the schl s ICT systems and data must cmply with the requirements f the Schl s Infrmatin and ICT Security Plicy. Users are respnsible fr ntifying the SIRO f any suspected r actual breach f ICT security. In exceptinal circumstances, users may reprt any such breach directly t the Headteacher r Chair f Gvernrs. Althugh the abve rles have been explicitly identified, the handling f secured data is everyne s respnsibility. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 8 f 28

9 9 Legislatin 9.1 Backgrund The respnsibilities referred t in the previus sectins recgnise the requirements f the current legislatin relating t the use f ICT systems and infrmatin security. A full list f legislatin can be fund n the ICO (Infrmatin Cmmissiner s Office website ic.rg.uk It is imprtant that all staff are aware that any infringement f the prvisins f legislatin may result in disciplinary, civil and/r criminal actin. 10 Management f the Plicy The Headteacher shuld allcate sufficient resurces each year t ensure the security f the schl s infrmatin and ICT systems and t enable users t cmply fully with the guidance cvered in this plicy. If insufficient resurces are available t fully implement this plicy, then the ptential risks must be dcumented and reprted t Gvernrs. The Headteacher must ensure that adequate prcedures are established in respect f the ICT security implicatins f persnnel changes. Suitable measures shuld be applied t prvide fr cntinuity f ICT security when staff vacate r ccupy a pst. These measures as a minimum must include: a recrd that new staff have been issued with, have read the apprpriate dcumentatin relating t infrmatin and ICT security, and have signed the list f rules; a recrd f the access rights t systems granted t an individual user; a recrd that thse rights have been amended r withdrawn due t a change t respnsibilities r terminatin f emplyment. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 9 f 28

10 11 Physical Security 11.1 Lcatin Access Adequate cnsideratin shuld be given t the physical security f rms cntaining sensitive infrmatin and ICT equipment (including assciated cabling). As far as practicable, nly authrised persns shuld be admitted t rms that cntain servers r prvide access t data. The SIRO must ensure apprpriate arrangements are applied fr the remval f any ICT equipment frm its nrmal lcatin. These arrangements shuld take int cnsideratin the risks assciated with the remval and the impact these risks might have. All schl wned ICT equipment shuld be recrded and security-marked. Advice n security marking is available frm Shrpshire Cuncil s Crime Preventin Officer Pwer supply prtectin frm vltage surges will prevent servers frm failing. Uninterruptible Pwer Supply (UPS) units will ensure a cntrlled shutdwn f servers shuld a pwer failure ccur. Uninterruptible Pwer Supply units are als recmmended fr netwrk cabinets which cntain sensitive equipment, ie netwrk switches Siting f Equipment Reasnable care must be taken in the siting f cmputer screens, keybards, printers r ther similar devices. Wherever pssible, and depending upn the sensitivity f the data, users shuld bserve the fllwing precautins: Infrmatin (paper r electrnic) shuld be prtected in such a way that it cannt be accessed r viewed by persns nt authrised t access it. devices shuld be psitined in such a way that infrmatin stred r being prcessed cannt be viewed by persns nt authrised t knw the infrmatin. Specific cnsideratin shuld be given t the siting f devices n which cnfidential r sensitive infrmatin is prcessed r retrieved; equipment shuld be sited t avid envirnmental damage frm causes such as dust and heat; users shuld enable passwrd prtected screen savers t prtect screen cntent if unauthrised access t the data held can be gained when left unattended a clear desk plicy shuld be adpted, ie hard cpies f sensitive data are nt left unattended n desks; netwrk servers and infrastructure shuld be lcated in a temperature cntrlled, secure envirnment. If temperature cntrl is nt feasible, then the rm shuld be well ventilated. The same rules apply t fficial equipment in use at a user s hme. Strage and access t paper/manual infrmatin shuld be sited in such a way. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 10 f 28

11 Physical Security Checklist Set up passwrd prtected screen savers fr staff access Adpt a clear desk plicy Psitin cmputer screen s that infrmatin displayed cannt be read by an unauthrised persn Ensure server rms are secure and well ventilated Sensitive r persnal infrmatin shuld nt be left n a cmputer screen whilst a teacher is away frm the PC Sensitive r persnal infrmatin shuld nt be prjected in a classrm envirnment 12 Inventry The SIRO, in accrdance with the Schl s Financial Regulatins, shall ensure that an inventry f all ICT equipment (hwever financed) is maintained and all items accunted fr at least annually. A current and up t date sftware inventry shuld als be maintained. See appendix D fr a sample frm t recrd the dispsal f assets Persnal Hardware and Sftware Dangers can ccur frm the use f unlicensed sftware and sftware infected with a cmputer virus. It is therefre vital that any private sftware permitted t be used n the schl s equipment is acquired frm a respnsible surce and is used strictly in accrdance with the terms f the licence. The use f all persnal hardware and sftware fr schl purpses must be apprved by the SIRO. Many free t use pieces f sftware may require payment fr business use. The SIRO must be satisfied that use is permitted r paid fr where required. Inventry Checklist Keep an up t date hardware inventry Keep an up t date sftware inventry Keep a recrd f equipment dispsals /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 11 f 28

12 13 System Security Any cntractrs r third parties wh require access t the schl s ICT systems fr supprt r ther reasns, shuld sign the agreement Access t Systems and Facilities by Cntractrs befre access is granted.(see appendices) 13.1 Legitimate Use The schl s ICT facilities must nt be used in any way that breaks the law r breaches Schl plicy. Such breaches include, but are nt limited t: making, distributing r using unlicensed sftware r data; making r sending threatening, ffensive, r harassing messages; creating, pssessing r distributing bscene material; unauthrised private use f the schl s cmputer facilities ICT Security Facilities The schl s ICT systems and data will be prtected using apprpriate security arrangements utlined belw. In additin cnsideratin shuld als be given t including apprpriate prcessing cntrls such as audit trails, input validatin checks, cntrl ttals fr utput, reprts n attempted unauthrised access, etc. Administrative and curriculum netwrk traffic is separated by the use f virtual LANs (Vlans) acrss the bradband netwrk. Schls wishing t allw crss netwrk traffic must ensure that there are adequate security measures in place t preserve the cnfidentiality, integrity and availability f sensitive data. If Wireless LANs are implemented, they must be cnfigured fr encryptin f netwrk traffic and with n bradcast t prevent unauthrised access t schl data. Encryptin passwrds shuld be stred securely by the SIRO. Administrative PCs shuld nt be accessible via wireless netwrking unless there is an apprved managed wireless slutin in place prviding authenticated access t secure data Authrisatin Only persns authrised by the SIRO, are allwed t use the schl s ICT systems. The permissins allcated t a user will be sufficient fr needs but nt excessive. Failure t establish the limits f any authrisatin may result in the schl being unable t use the sanctins f the Cmputer Misuse Act Nt nly will it be difficult t demnstrate that a user has exceeded the authrity given, it will als be difficult t shw definitively wh is authrised t use a cmputer system. All ICT systems shuld display a message t users warning against unauthrised use f the system. Access eligibility will be reviewed cntinually, including remte access t systems and external web services, eg Secure Access. In particular the relevant access /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 12 f 28

13 capability will be remved when a persn leaves the emplyment f the schl r their rle changes. In additin, access cdes, user identificatin cdes and authrisatin rules will be reviewed whenever a user changes duties. Failure t change access eligibility and passwrds will leave the ICT systems vulnerable t misuse. See appendix B fr a sample Checklist fr Leavers dcument 13.4 Access t the Cuncil Services The SIRO must seek permissin n behalf f the schl fr any ICT user t access Cuncil services. In the schl envirnment this currently applies t the access granted in schls t the Cuncil s Samis finance system r the ResurceLink HR system (cntact the Payrll team. 13.5Passwrds Passwrds prtect access t ICT systems. All accunts with administratr rights shuld have strng passwrds. The recmmendatin fr strng passwrds is a minimum f 8 characters, using a cmbinatin f upper and lwer case, numbers and symbls and changed termly. The level f passwrd cntrl will be defined by the SIRO based n the value and sensitivity f the data invlved, including the pssible use f time ut passwrds where a device is left unused fr a defined perid. Pwer n passwrds are recmmended fr mbile devices, fr example laptps which are highly prtable and less physically secure. Devices such as tablet cmputers, eg ipads, r smartphnes shuld prtected by a cmplex passcde if sensitive data accessed by r held n the device. Default passwrds must be changed the first time a system is used. Passwrds shuld be memrised. If an infrequently used passwrd needs t be written, this recrd must be stred securely. Users shuld be advised abut the ptential risks f written passwrds and shuld be given clear written instructins n the safeguards t adpt. Passwrds shuld nt be bvius r guessable and their cmplexity shuld reflect the value and sensitivity f the systems and data invlved, ie master user passwrds are mre critical. Users shuld be instructed n apprpriate techniques fr selecting and setting a new passwrd. Passwrds shuld be changed frequently t previusly unused passwrds. Many systems have the capability t prmpt r frce the user t peridically select a new /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 13 f 28

14 passwrd. The SIRO shuld decide n the apprpriate duratin that users culd leave their passwrd unchanged. A typical passwrd change frequency is termly. The interval chsen and the methds by which the passwrd changes will be enfrced must be suitably dcumented fr users. A passwrd must be changed if it is affected by a suspected r actual breach f security r if there is a pssibility that such a breach culd ccur, such as: when a passwrd hlder leaves the schl r is transferred t anther pst; when a passwrd may have becme knwn t a persn nt entitled t knw it. The need t change ne r mre passwrds will be determined by the risk f the security breach. Users must nt reveal their passwrd t anyne. Users wh frget their passwrd must request the SIRO issue a new passwrd. Where a passwrd has t be shared, eg t pwer n a device r access an internal netwrk, users must take special care t ensure that it is nt disclsed t any persn wh des nt require access t the device r netwrk. Finally, d nt save passwrds in web brwsers if ffered t d s Backups In rder t ensure that essential services and facilities are restred as quickly as pssible fllwing an ICT system failure, backup cpies f stred data shuld be taken at regular intervals as determined by the SIRO, dependent upn the imprtance and quantity f the data cncerned. It is the respnsibility f the schl and SIRO t develp a suitable backup strategy with the schl s ICT supprt prvider. Security cpies shuld be clearly marked as t what they are and when they were taken and stred away frm the system t which they relate in a restricted access fireprf lcatin and/r ff site. Security cpies shuld be regularly tested t ensure that they enable the systems/relevant file t be reladed in cases f system failure Virus Prtectin The SIRO will ensure current and up t date anti-virus sftware is applied t all schl ICT systems. The SIRO will ensure perating systems are updated with critical security patches as sn as these are available and ensure that there is a mechanism in place fr ensuring that there is a mechanism fr keeping all perating systems up t date. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 14 f 28

15 The SIRO will ensure that where persnal equipment, eg pupil r staff wned device brught int schl, there is a clear plicy regarding the minimum security measures required befre the cnnectin f such devices t the schl netwrk. It is the schl s respnsibility t ensure that all schl wned equipment is managed s that anti virus and critical security updates are applied in a timely manner. All users take precautins t avid malicius sftware that may destry r crrupt data, eg checking all incming attachments r internet dwnlads fr malicius sftware befre use, and shuld be made aware f hw t recgnise and handle haxes. The schl will ensure that every ICT user is aware that any suspected r actual cmputer virus infectin must be reprted immediately t the SIRO wh must take apprpriate actin, including remving the surce f infectin. In the event f SITSS ntifying the schl f a virus infectin n the schl netwrk, the machine(s) must be discnnected immediately and apprpriate actin taken befre recnnectin Dispsal f Infrmatin and Equipment Dispsal f waste infrmatin and ICT media such as print-uts, CDs, memry sticks and magnetic tape will be carried ut in a secure manner t ensure that the infrmatin cntained cannt be recvered r recnstructed. Fr example, paper and CDs will be shredded if any cnfidential infrmatin frm them culd be derived. The Data Prtectin Act requires that persnal infrmatin is dispsed f securely.. Prir t the transfer r dispsal f any ICT equipment the SIRO must ensure that any persnal data r sftware is irreversibly remved frm the machine if the recipient rganisatin is nt authrised t receive the data. Where the recipient rganisatin is authrised t receive the data, they must be made aware f the existence f any persnal data t enable the requirements f the Data Prtectin Act t be met. A sample frm t recrd the dispsal f assets is prvided in appendix D. It is imprtant t ensure that any cpies f the sftware remaining n a machine being relinquished are legitimate. Care shuld be taken t avid infringing sftware and data cpyright and licensing restrictins by supplying unlicensed cpies f sftware inadvertently. The SIRO must ensure the requirements f the Waste frm Electrnic and Electrical Equipment (WEEE) Directive are bserved. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 15 f 28

16 13.9 Repair f Equipment If a machine, r its permanent strage (usually a disk drive), is required t be repaired by a third party the significance f any data held must be cnsidered. If data is particularly sensitive it must be remved frm hard disks and stred n ther media fr subsequent reinstallatin. System Security Checklist Ensure any cntractr r third party signs the frm Access t Systems by Third Parties befre access is granted Establish Acceptable Use Plicies and ensure that these are issued t all users Set rules gverning the use f private hardware and sftware Ensure access granted t users is sufficient Establish a leavers prcedure t ensure that accunts are deleted when users leave Enfrce strng passwrds where apprpriate Ensure all schl wned machines are managed s that AV and critical security updates are applied in a timely manner Ensure dispsal is carried ut in a secure manner as apprpriate and that equipment dispsals are recrded /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 16 f 28

17 14 Gd Practice in Infrmatin Handling 14.1 Backgrund Fllwing a number f high prfile persnal data lsses frm gvernment departments, plicies have been issued aimed at putting in place cre prtective measures, getting the wrking culture right and imprving accuntability and scrutiny f perfrmance. In additin, the Infrmatin Cmmissiner has the pwer t fine rganisatins up t 0.5 millin fr persnal data lss. Gd practice guides t supprt schls in reviewing their data handling prcedures are available: Infrmatin risk management and prtective marking Secure remte access Data Encryptin Audit lgging and incident handling Every schl hlds persnal data n learners, staff and thers. Infrmatin security is everyne s respnsibility and needs t be embedded int the culture and ways f wrking. Persnal data is any cmbinatin f data items that identifies an individual and gives specific infrmatin abut them, their families r their circumstances. This includes names, cntact details, gender, dates f birth, behavir and assessment recrds. The Data Prtectin Act 1998 specifies additinal data items as sensitive persnal data including medical recrds, criminal cnvictins and ethnic rigin. 14.2Risk Assessment It is recmmended that every schl undertakes a thrugh risk assessment n the infrmatin assets held. This will help identify what security measures are already in place and whether they are the mst apprpriate (and cst effective) available. Carrying ut an infrmatin risk assessment will generally invlve: Recgnizing which risks are present Judging the size f the risk(s) Priritising the risks Once the risks have been assessed, a decisin can be made n hw t reduce them r accept them. Risk assessment is an nging prcess and schls will need t review these at regular intervals as risks change ver time Encryptin Schls shuld use encryptin t help maintain the security f the persnal data they hld n learners, staff and thers and if sensitive r persnal infrmatin is held n a mbile device, then this must be encrypted. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 17 f 28

18 Data Handling Checklist Appint a Senir Risk Infrmatin Officer (SIRO) Identify infrmatin assets and fr each ne, identify an Infrmatin Asset Owner (IAO) Cnduct data security training fr all users Put in place a plicy fr reprting, managing and recvering frm incidents which put infrmatin at risk Shred, pulp r incinerate paper when n lnger required Make staff and learners (and parents where applicable) aware f what data is being held abut them and what it is being used fr by issuing privacy r fair prcessing ntices Encrypt media that cntains persnal data that is t be remved frm site r frm the rganizatin Make sure that, where apprpriate, cntracts fr emplyment state that misuse f such data is a disciplinary matter /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 18 f 28

19 15 Security Incidents All suspected r actual breaches f infrmatin r ICT security, including the detectin f cmputer viruses, must be reprted t the SIRO, r the Headteacher in their absence, wh shuld reprt the incident t the ICT Services Help Desk ( ). Security Incidents Checklist If yu suspect a cmputer has been used inapprpriately, d nt turn ff r allw anyne t access the cmputer as it may affect imprtance evidence Make sure all suspected r actual security breaches are reprted /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 19 f 28

20 Appendix A WMnet E-safety Acceptable Use Plicies fr Schls AUP Guidance ntes fr learners in YR and KS1 I want t feel safe all the time. I agree that I will: always keep my passwrds a secret nly pen pages which my teacher has said are OK nly wrk with peple I knw in real life tell my teacher if anything makes me feel scared r uncmfrtable n the internet make sure all messages I send are plite shw my teacher if I get a nasty message nt reply t any nasty message r anything which makes me feel uncmfrtable nt give my mbile phne number t anyne wh is nt a friend in real life nly peple I knw r if my teacher agrees nly use my schl talk t my teacher befre using anything n the internet nt tell peple abut myself nline (I will nt tell them my name, anything abut my hme and family and pets) nt uplad phtgraphs f myself withut asking a teacher never agree t meet a stranger Anything I d n the cmputer may be seen by smene else. I am aware f the CEOP reprt buttn and knw when t use it. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 20 f 28

21 AUP Guidance ntes fr learners in KS2 When I am using the cmputer r ther technlgies, I want t feel safe all the time. I agree that I will: always keep my passwrds a secret nly use, mve and share persnal data securely nly visit sites which are apprpriate wrk in cllabratin nly with peple my schl has apprved and will deny access t thers respect the schl netwrk security make sure all messages I send are respectful shw a respnsible adult any cntent that makes me feel unsafe r uncmfrtable nt reply t any nasty message r anything which makes me feel uncmfrtable nt use my wn mbile device in schl unless I am given permissin nly give my mbile phne number t friends I knw in real life and trust nly peple I knw r apprved by my schl nly use which has been prvided by schl btain permissin frm a teacher befre I rder nline discuss and agree my use f a scial netwrking site with a respnsible adult befre jining always fllw the terms and cnditins when using a site always keep my persnal details private. (my name, family infrmatin, jurney t schl, my pets and hbbies are all examples f persnal details) always check with a respnsible adult befre I share images f myself r thers nly create and share cntent that is legal never meet an nline friend withut taking a respnsible adult that I knw with me I am aware f the CEOP reprt buttn and knw when t use it. I knw that anything I share nline may be mnitred. I knw that nce I share anything nline it is cmpletely ut f my cntrl and may be used by thers in a way that I did nt intend. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 21 f 28

22 AUP Guidelines fr any adult wrking with learners The plicy aims t ensure that any cmmunicatins technlgy is used withut creating unnecessary risk t users whilst supprting learning. Please check that this is cmpatible with yur lcal authrity plicies befre using this AUP. I agree that I will: nly use, mve and share persnal data securely respect the schl netwrk security implement the schls plicy n the use f technlgy and digital literacy including the skills f knwledge lcatin, retrieval and evaluatin, the recgnitin f bias, unreliability and validity f surces respect the cpyright and intellectual prperty rights f thers nly use apprved accunts nly use pupil images r wrk when apprved by parents and in a way that will nt enable individual pupils t be identified n a public facing site. nly give permissin t pupils t cmmunicate nline with trusted users. use the ICT facilities sensibly, prfessinally, lawfully, cnsistent with my duties and with respect fr pupils and clleagues. nt use r share my persnal (hme) accunts/data (eg Facebk, , ebay etc) with pupils set strng passwrds which I will nt share and will change regularly (a strng passwrd is ne which uses a cmbinatin f letters, numbers and ther permitted signs). reprt unsuitable cntent and/r ICT misuse t the named e- Safety fficer prmte any supplied E safety guidance apprpriately. I knw that anything I share nline may be mnitred. I knw that nce I share anything nline it is cmpletely ut f my cntrl and may be used by thers in a way that I did nt intend. Cntinued /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 22 f 28

23 I agree that I will nt: visit Internet sites, make, pst, dwnlad, uplad r pass n, material, remarks, prpsals r cmments that cntain r relate t: prngraphy (including child prngraphy) prmting discriminatin f any kind prmting vilence r bullying prmting racial r religius hatred prmting illegal acts breach any Lcal Authrity/Schl plicies, e.g. gambling d anything which expses thers t danger any ther infrmatin which may be ffensive t thers frward chain letters breach cpyright law use persnal digital recrding equipment including cameras, phnes r ther devices fr taking/transferring images f pupils r staff withut permissin stre images r ther files ff site withut permissin frm the head teacher r their delegated representative. I will ensure that any private scial netwrking sites, blgs, etc that I create r actively cntribute t, d nt cmprmise my prfessinal rle. I understand that data prtectin plicy requires me t keep any infrmatin I see regarding staff r pupils which is held within the schl s management infrmatin system private, secure and cnfidential. The nly exceptins are when there is a safeguarding issue r I am required by law t disclse such infrmatin t an apprpriate authrity. I accept that my use f the schl and Lcal Authrity ICT facilities may be mnitred and the utcmes f the mnitring may be used. /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 23 f 28

24 AUP Guidance ntes fr schls and gvernrs The plicy aims t ensure that any cmmunicatins technlgy (including cmputers, mbile devices and mbile phnes etc.) is used t supprting learning withut creating unnecessary risk t users. Please check that this is cmpatible with yur lcal authrity plicies befre using this AUP. The gvernrs will ensure that: learners are encuraged t enjy the safe use f digital technlgy t enrich their learning learners are made aware f risks and prcesses fr safe digital use all adults and learners have received the apprpriate acceptable use plicies and any required training the schl has appinted an e-safety Crdinatr and a named gvernr takes respnsibility fr e-safety an e-safety Plicy has been written by the schl, building n the LSCB e Safety Plicy and natinal guidance the e-safety Plicy and its implementatin will be reviewed annually the schl internet access is designed fr educatinal use and will include apprpriate filtering and mnitring cpyright law is nt breached learners are taught t evaluate digital materials apprpriately parents are aware f the acceptable use plicy parents will be infrmed that all technlgy usage may be subject t mnitring, including URL s and text the schl will take all reasnable precautins t ensure that users access nly apprpriate material the schl will audit use f technlgy (using the Self-Review Framewrk) t establish if the e-safety plicy is adequate and apprpriately implemented methds t identify, assess and minimise risks will be reviewed annually cmplaints f internet misuse will be dealt with by a senir member f staff /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 24 f 28

25 Appendix B LEAVERS CHECKLIST FOR MANAGERS Please cmplete this checklist as apprpriate, ensuring it is signed,dated and returned t the SIRO fr audit purpses. If yu are uncertain abut any aspects f the checklist r require further explanatin, please cntact the SIRO. Please nte it is yur respnsibility t ensure that the items belw are returned as detailed. Emplyee Name Schl Pst Title Emplyee N Pst N Leaving Date Please ensure return f: Tick Initials ID/Security Badge returned Unifrm/Prtective Clthing Schl Prperty (keys, persnal alarm etc) Schl data (paper files, CDs, remvable media etc Schl hardware ( laptp, PC, mbile phne, memry stick etc) Yes N N/A Yes N N/A Yes N N/A Yes N N/A Yes N N/A Service/cntract cnsideratins Tick Initials Alarm/dr system is cde change required? Key Hlder cnsider new arrangements? Alert cntractrs t new cntact arrangements? Cnsider First Aid / Fire Warden requirements? Yes N N/A Yes N N/A Yes N N/A Yes N N/A IT cnsideratins Tick Initials SIMS database amended accunt(s) disabled Active Directry Accunt disabled Access t external websites disabled Yes N N/A Yes N N/A Yes N N/A Yes N N/A This declaratin is t be signed by the emplyee and line manager t cnfirm that all schl equipment and infrmatin has been returned r destryed as apprpriate. Please understand that the schl will seek t recver any claims/damages made against them as a result f inapprpriate use f infrmatin. The emplyee cnfirms that all persnal infrmatin has been remved and all business infrmatin transferred frm the emplyee s accunt(s) and cmputer netwrk flder(s). Emplyee signature Emplyee name Date Manager signature Manager name Date /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 25 f 28

26 Appendix C Access t Systems r Facilities by Cntractrs This agreement shuld be signed by all cntractrs accessing Cuncil systems r facilities prir t access being granted. By signing this frm yu are agreeing: t cmply with the Cuncil s Infrmatin Security Plicy and prcedures and take all necessary steps t ensure the security integrity and cnfidentiality f all data and ther infrmatin held by the Cuncil t which yu shall have access t cnfrm with the prvisins f all relevant legislatin inclusive f but nt limited t the Data Prtectin Act 1998, Cpyright Designs and Patents Act 1988, Cmputer Misuse Act 1990 and all subsequent relevant legislatin that yu will nt withut the prir cnsent f the Cuncil in writing divulge data r any ther infrmatin prvided t yu by the Cuncil r held by the Cuncil t which yu shall have access that yu will take all reasnable precautins t ensure that viruses r ther malicius sftware are nt intrduced nt r int the Cuncil s IT facilities r systems that yu will nt withut the previus cnsent f the Cuncil in writing make any change r alteratin t IT facilities r systems used by the Cuncil that yu will nt access any f the Cuncil s data infrmatin systems r facilities unless it is required t d s under the terms f the Cntract and in any event nt withut the Cuncil s prir cnsent in writing. This includes nly accessing infrmatin r systems specified by the Cuncil and in accrdance with agreed times f access. will nt disclse methds f access t facilities r systems t any persn withut the Cuncil s prir cnsent in writing will nt dwnlad the Cuncil s accessed data r ther infrmatin withut the Cuncil s prir cnsent in writing The Cntractr shall fully indemnify Shrpshire Cunty Cuncil against all damages (excluding cnsequential damages), csts, charges and expenses arising frm r incurred by its failure t cmply with the abve clauses and shall prmptly ntify Shrpshire Cunty Cuncil in writing f any alleged infringement f which the Cntractr has ntice f. The Cntractr will make n admissins f liability withut Shrpshire Cunty Cuncil s prir written cnsent. The prvisins f this Clause shall survive the expiratin r terminatin f this r any related Agreement. Please sign belw t acknwledge that yu have read and understd this dcument and agree t the cnditins therein. Signed: Name: Date: Organisatin: /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 26 f 28

27 Appendix D Sample Recrd f Asset Dispsal Frm Recrd f Asset Dispsal Schl: I hereby authrise the dispsal f the items detailed belw fr the net value shwn (where apprpriate): Inventry Ref: Descriptin f Items Methd f Dispsal: Sale / Transfer / Discarded (Damaged / Obslete) (delete as apprpriate) Details f Sale / Transfer Has the Inventry been amended? Yes /N Name f Certifying Officer Signature Date /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 27 f 28

28 Checklist fr Headteachers Appendix E This checklist is designed t assist Headteachers ensure that persnal infrmatin in either paper r electrnic frmat is being managed apprpriately. It is the Headteacher s respnsibility t: knw hw persnal infrmatin is being used. apprve what persnal infrmatin leaves the schl premises. ensure that staff are taking precautins t ensure that persnal infrmatin is apprriately prtected. Checklist Des persnal infrmatin need t be taken ff site? Is the amunt f persnal infrmatin leaving the schl limited t that which is actually needed, ie data isn t left n memry sticks r laptps if it is nt specifically required? Persnal data isn t stred n memry sticks r laptps unless the devices are encrypted. The Infrmatin Cmmissiner s Office des nt cnsider passwrd nly prtectin t be sufficient. When taken ut f the schl, persnal infrmatin is ging t be kept securely and access limited t the member f staff, either in transit r in the hme envirnment. Is anti-virus sftware and perating system sftware (Windws/Mac) kept up t date? At a minimum staff must ensure that laptps are updated as sn as they are returned t schl. If schl cmputer equipment is being taken hme, access t the cmputer is restricted t the member f staff s usage. Persnal phtgraphs, music, vide, nn-schl sftware shuld nt be stred n a schl cmputer. Staff are aware that they shuld use the cmputer in the hme envirnment as they wuld at schl, in line with any schl apprpriate usage guidance. When the schl is clsed persnal infrmatin and prtable cmputer equipment remaining at schl is secured ut f sight. When IT users change rle r leave, a Leaver s checklist is cmpleted and their access t cmputer systems/devices and external websites is changed/remved accrdingly. If yu require any advice in relatin t data prtectin, Freedm f Infrmatin r infrmatin security issues, please cntact the Infrmatin Gvernance team n / /Users/haywd/Dcuments/St Jhns Schl/updates june 2015/SCC-Schls-ICT-Security-Plicy-Reviewed-Nv-2014.dc Page 28 f 28