IT Data Security Policy




Contents

1. Purpose
2. Scope
3. Policy
   Access to the University computer network
   Security of computer network
   Data backup
   Secure destruction of data
   Business continuity
   Transmission and storage of data
   Use of external contractors
4. Forms/Instructions
5. Links/Dependencies
6. Appendices

Policy control
Approved by:
Contact/s: Wojtek Adamek (ICT CIO), Gary Nye (ICT)
History/Revision dates: Nov 13, Dec 14
Audience: Internal (Intranet only), External (Internet)

1. Purpose

1.1 The University computer network holds a variety of data relating to commercial activities, student activity and student and staff personal data. Much of this data is confidential in nature and it is essential that all reasonable precautions are taken to ensure the security of this data.

1.2 The Chief Information Officer is responsible for ensuring that an adequate framework is in place to enable ICT staff to maintain the security of centrally held data, including password and access controls, system security, back-up procedures, disaster recovery procedures and secure means for the destruction of such data. He/she is also responsible for ensuring that all contractors working on University computer systems operate within appropriate data security guidelines.

2. Scope

2.1 ICT will provide guidance to staff on maintaining the security of data held on local devices, including local PC drives, laptops, disks or other portable devices, but the responsibility for this security and for the secure destruction of the data remains with the user.

2.2 This policy outlines the measures in place that allow all staff involved in the processing of data, including the entering of data, the extraction of data for reporting purposes or the transmission of data internally or externally, to meet their responsibilities. Particular care must be taken when engaging external parties who may have access to confidential information.

3. Policy

3.1 All University staff are bound by their conditions of employment to observe the Access to Confidential Data conditions outlined in the Code of Conduct for Employees.

3.2 The University is bound by the Data Protection Act 1998 and related legislation to safeguard all personal data it controls on behalf of its students and staff. The Act covers personal data which is held on computers, networks, e-mails, mobile devices (including laptops, telephones and USB pens) and in structured manual filing systems. Colleagues are obliged to familiarise themselves with the University's Data Protection Policy and Guidance, which can be accessed via the Legal Office's page on the staff website.

Access to the University computer network

3.3 All staff and students are provided with an ID and password to access the University computer network. Access is controlled through a network-wide Identity and Access Management system.

3.4 Access to individual systems is granted following written application, confirmed by the Head of Department or other official identified by the data owner. The application will specify the rights for data entry and access that should be allocated to the individual.

3.5 Staff are reminded of the need to change their access passwords on a regular basis.

Security of computer network

3.6 The University computer network is protected from intrusion by an industry-standard, best-of-breed firewall. This system is reviewed and updated regularly to ensure that a robust level of security is maintained against external attacks.

3.7 All incoming e-mails to University addresses pass through a high-quality spam filter which is reviewed and updated regularly.

Data backup

3.8 Data backup procedures vary across the University network according to the data requirements. All centrally managed computer systems are backed up overnight to magnetic tape, organised into daily, weekly and monthly tape sets. Refer to the separate Data Backup procedures for further details.

Secure destruction of data

3.9 All desktop PCs and network data storage equipment are destroyed at end of life, with suitable precautions taken to ensure the security and destruction of the data held on the devices.

3.10 Responsibility for the destruction of data held on local or portable storage equipment (see the portable data device provisions under 3.13 (iii) below) rests with the user.

Business continuity

3.11 Business continuity plans are held by the University Secretariat. Plans are prepared to describe the procedures to be followed to recover from the key risks identified in the University business continuity plan. These include:
i. Local network node outage
ii. Loss of student record system
iii. Loss of financial information system
iv. Loss of academic support system
v. UCAS link failure.

Transmission and storage of data

3.12 Where it is necessary to move data from one computer system to another, care must be taken to ensure the security of the data during the transfer.

3.13 Data should be transferred by one of the following means, in order of preference:

i. Direct transfer to the destination system. Wherever possible, a direct link should be established between the source and destination systems. Where the destination system is external to the University network, due consideration must be given to the security of the data whilst in transit, with appropriate encryption used where necessary.

ii. Data storage shared drive/folder. After extraction from the source system, files should be stored in a dedicated folder on an appropriate shared drive. Access to the shared drive/folder must be restricted to only those staff members or systems that require access in order to process the data. Once the data transfer or processing is completed, the files must be deleted from this folder.

iii. Portable data device. Where it is necessary to use a portable device (e.g. CD/DVD/data pen) every precaution must be taken to ensure the security of the data, both in the format of the data on the device and in its physical security whilst the device is in transit. The device should be kept in the possession of those staff who are authorised to hold or have access to the data. Data files must be encrypted and password protected before being transferred to the device.

Once the data transfer or processing is completed, the files must be deleted from this device.

iv. E-mail. Although the University e-mail system itself may be considered secure, e-mails are not encrypted and their content may be intercepted and read by unauthorised persons. Personal or confidential information should not be transferred by e-mail. There is also a high risk that the communication may be sent to the wrong e-mail address, and hence to an unauthorised recipient. This method of transfer must only be used when no other method is possible and must be sanctioned by the department head. Data files should be encrypted and password protected before being attached to the e-mail. The password to access the data must not be contained in the e-mail.

Use of external contractors

3.14 Where external contractors or suppliers are engaged to work in areas or on systems where confidential data may be held, it is essential that the appropriate Confidentiality and Non-disclosure Agreement (please see 4. Forms/Instructions) is completed.

3.15 These procedures also apply where potential suppliers are invited to make a sales presentation to the University, which may include the disclosure of confidential information by the University. In this case, a Confidentiality and Non-disclosure Agreement should be completed before any information is disclosed.

3.16 For new suppliers, when a standard University contract is completed by the supplier, it should be accompanied by the standard Confidentiality and Non-disclosure Agreement, to be completed at the same time as the contract. Note that this Agreement must not be completed before the main contract, as the terms in the later agreement will apply.

3.17 When a contractor is engaged without the completion of the standard contract, a Confidentiality and Non-disclosure Agreement must be completed. A copy of this Agreement must be provided to the contractor prior to or at the commencement of the engagement. They must complete, sign and return a copy of the Agreement before any access to the University computer network is provided.

3.18 A copy of the Agreement should be retained by the contractor, and the University copy provided to the departmental Office Administrator for filing.

3.19 Where access to the University computer network is required, a bespoke user account should be created, with access rights strictly restricted to those areas required for completion of the contract. On the completion of the contract and the departure of the contractor, the user account should be closed.

3.20 Where personal data is passed to an external party, the sanctioning officer is responsible for ensuring that the necessary Data Protection legislation is complied with.

4. Forms/Instructions

Confidentiality and Non-Disclosure Agreement for external contractors or suppliers:
https://in.beds.ac.uk/__data/assets/word_doc/0012/304032/confidentiality-agreement-2013.docx

5. Links/Dependencies

This policy should be read and its use considered with reference to:
Code of Conduct for Employees: http://in.beds.ac.uk/secretariat
Data Protection Policy and Guidance: http://in.beds.ac.uk/secretariat/legal/dp

6. Appendices
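Added worked example, not part of the University's policy or of any tool it names, showing one way to meet the "encrypted and password protected" requirement of 3.13 (iii) and (iv): the passphrase is stretched with scrypt and the file is sealed with AES-256-GCM from the third-party Python `cryptography` package, so a wrong password, a file modified in transit or a renamed attachment all refuse to open rather than silently yielding garbage. The container layout, the `UOBX1` marker, the KDF cost, the helper names and the e-mail body check for 3.13 (iv) are this example's own assumptions; the sample record is constructed, not real data.

```python
"""Passphrase-based protection of a data extract before it goes on a
portable device or is attached to an e-mail (policy 3.13 (iii)/(iv)).

Added example; it is not the University's code. Assumes the third-party
`cryptography` package. Container format (this example's own choice):
    MAGIC || salt (16) || nonce (12) || AES-256-GCM ciphertext+tag
"""
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"UOBX1"   # hypothetical container marker, assumed for this example
SALT_LEN = 16
NONCE_LEN = 12     # 96-bit nonce, the size GCM is specified for
KEY_LEN = 32       # AES-256
TAG_LEN = 16       # GCM authentication tag appended by AESGCM.encrypt


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a human passphrase into a 256-bit key. The random salt is
    stored with the data, so precomputed password tables are useless.
    n=2**14 keeps the example quick; raise it for production use."""
    kdf = Scrypt(salt=salt, length=KEY_LEN, n=2**14, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))


def encrypt_file(plaintext: bytes, passphrase: str, filename: str) -> bytes:
    """Seal `plaintext` under `passphrase`. The intended filename is bound
    as associated data, so a container renamed in transit will not open."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per file; never reuse with a key
    key = _derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode("utf-8"))
    return MAGIC + salt + nonce + ciphertext


def decrypt_file(container: bytes, passphrase: str, filename: str) -> bytes:
    """Inverse of encrypt_file. Raises ValueError for a malformed container,
    a wrong passphrase, a wrong filename or any modification of the data:
    the GCM tag check fails and nothing is returned, not even partial output."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not container.startswith(MAGIC) or len(container) < header + TAG_LEN:
        raise ValueError("not a recognised encrypted container")
    salt = container[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = container[len(MAGIC) + SALT_LEN:header]
    ciphertext = container[header:]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, filename.encode("utf-8"))
    except InvalidTag as exc:
        raise ValueError("wrong passphrase, wrong filename or data modified in transit") from exc


def email_body_leaks_passphrase(body: str, passphrase: str) -> bool:
    """Check for 3.13 (iv): the passphrase must travel out of band (phone,
    text, in person), never in the same message as the attachment."""
    return passphrase.casefold() in body.casefold()


if __name__ == "__main__":
    # Constructed sample extract, not real student data.
    record = b"student_id,surname,email\n10001,Example,a.example@example.ac.uk\n"
    passphrase = "correct horse battery staple"
    blob = encrypt_file(record, passphrase, "extract.csv")
    assert decrypt_file(blob, passphrase, "extract.csv") == record
    for bad in ("wrong passphrase",):
        try:
            decrypt_file(blob, bad, "extract.csv")
        except ValueError as err:
            print("rejected:", err)
    draft = "Attached is the extract. Password: " + passphrase
    print("passphrase in e-mail body:", email_body_leaks_passphrase(draft, passphrase))
```

The recipient needs only the container and the passphrase; the salt and nonce are not secret and travel inside the container. Because the filename is authenticated, tell the recipient the exact filename along with the passphrase, and send both by a channel other than the e-mail that carries the attachment.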