IT02 - Information Technology (IT) Security Policy



Introduction

1 This policy applies to all IT services administered by Southampton Solent University. It contains:
- General principles for information security, its overall objectives and scope and its importance as an enabling mechanism for information sharing.
- A statement of management intention, supporting the goals.
- An explanation of specific security policies, principles, standards and compliance requirements, including:
  a. Compliance with legislative and contractual requirements;
  b. Security education requirements;
  c. Virus prevention and detection policy;
  d. The general and specific responsibilities for all aspects of information security;
  e. An explanation of the process for reporting suspected security incidents.

2 This document is based on BS7799-1:1999.

Security Organisation

3 Management Information and Technology Committee (MITC) is responsible for reviewing and recommending the IT Security Policy. Information and Communications Technology (ICT) will act as its executor. From time to time, ICT will present to MITC reports of major initiatives to enhance information security and reports on threats and breaches.

4 ICT will coordinate and provide support where appropriate on issues associated with information security. It is an integral part of the induction programme for all users acting in a staff capacity (hereafter referred to as staff).

5 Each School and Service is responsible for setting authorisation levels for their own staff and, where appropriate, for staff across the University. Owners of information systems are responsible for its data and must clearly state the level of access for each user.

6 To ensure that the installation of new equipment will not adversely affect the security of the existing infrastructure, the following process must be followed.

7 Each installation of IT equipment must have the appropriate approval from ICT to ensure that it conforms to the relevant security policies and requirements before connection to any University IT service.

IT02 - Information Technology (IT) Security Policy 3.0 - Page 1 of 18

8 ICT offers specialist advice on issues associated with information security threats. This covers possible unauthorised access to data, as well as data corruption due to viruses or other means.

Third Parties

9 This section concerns access by third parties, users other than the University's staff or students, who require non-public access to the University's information and IT systems. All third parties who are given access to the University's information and IT systems, whether suppliers, customers or otherwise, must agree to follow the University's IT policies.

10 All third parties who need to access the University's information and IT systems must have a University sponsor. The sponsor must be a member of staff who is responsible for maintaining the operational relationship between the University and the third party. The sponsor must provide to ICT a clear statement of the business requirements for access and must liaise with ICT to document and maintain a clearly defined access policy statement that defines the access rights for each user or group of users. The policy must take into account the security requirements of their access and the policies for information dissemination and entitlement. The sponsor must notify ICT of any changes in relationships, e.g. a need to withdraw login access.

11 All risks involving third party access to the University's information and IT systems must be identified and documented, and suitable controls implemented, before access is granted. Access must be controlled such that the minimum access necessary is provided. University staff or students must not permit any information security safeguards to be bypassed or allow inappropriate levels of access to the University's information and IT systems. University staff or students must not divulge their personal login credentials to anyone else.

12 Confidentiality agreements must be signed by the third parties where information being disclosed or made accessible is of a confidential, sensitive or valuable nature.

13 Remote access by third parties to the University's information and IT systems must be controlled by secure access control protocols using appropriate levels of encryption and authentication.

14 University staff responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of Southampton Solent University's information security policies.

15 Any facilities management, outsourcing or similar company with which Southampton Solent University may do business must be able to demonstrate compliance with Southampton Solent University's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

16 All contracts with external suppliers for the supply of services to Southampton Solent University must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.

17 Arrangements involving third party contracts must have the following security items included in the contract:
- General policy on information security;
- Permitted access methods;
- A description of the service to be made available;
- Times and dates when the service is to be available;
- The respective liabilities of the parties to the agreement;
- Procedures regarding protection of University assets including data;
- Responsibilities with respect to legal matters, e.g. data protection legislation;
- That the University has the right to monitor and revoke third party activity;
- The responsibilities regarding hardware and software installation and maintenance;
- The right to audit contractual responsibilities;
- Any restrictions on copying and disclosing information and issues associated with intellectual property rights;
- Measures to ensure the return or destruction of information at the end of the contract;
- Any physical protection measures that are required;
- Any mechanisms to ensure that security measures are followed;
- Measures to ensure protection against the spread of computer viruses;
- An authorisation process for user access;
- Arrangements for reporting and investigating security incidents;
- Any arrangements for physical access to on-site equipment.

Assets Classification and Control

18 Inventories of assets help to ensure that effective security protection is maintained. An inventory should be drawn up for each major asset associated with each information system. Each asset must be clearly identified and its owner and its security classification documented.

19 The assets associated with information systems include the following:
- The information assets such as databases, documentation, operational procedures etc.;
- Software assets such as application software and systems software;
- Physical assets such as computers, communications equipment and magnetic media.

20 The physical and software asset inventories are managed by ICT. The University classifies its information to indicate the needs and priorities for security protection. The responsibility for defining the classification of an item of information and keeping an inventory of information assets rests with the originator.

Personnel Security

21 All University staff will receive appropriate training on security procedures and the correct use of IT services before access to IT services is granted.

22 Reports must be written for any security incidents which cause system failures, loss of service, errors resulting from incomplete or inaccurate data, or breaches of confidentiality, and sent to the Director of ICT.

Physical and Environmental Security

23 The following lists the controls for secure areas:
- Several rooms have been identified as being high security areas. Major items of network equipment are housed in secure areas throughout the University. The computer room has been identified as having the highest security;
- High security areas can only be entered through access-controlled doors. All other doors are kept locked except where access is required for purposes such as delivery of equipment;
- Access rights to the secure areas will be revoked immediately for staff who leave employment;
- Third party personnel supplying or maintaining systems should be granted access to the secure areas only when required and authorised. Where appropriate, their access may be restricted and their activities monitored;
- When vacated, secure areas must be physically locked;
- Computer consumables, such as stationery, must not be stored within the computer room until required;
- Fallback equipment and back-up media must be sited in a different building to avoid damage from a disaster at the main site;
- Smoke detectors and fire extinguishing systems are installed in the main computer room.

24 The following lists the controls to prevent compromise or theft of information:
- Confidential or sensitive data stored on paper, diskettes, CDs or USB memory keys should be kept in a locked cabinet when not in use;
- Computers must be either shut down and powered off, logged out of and left at the logon screen, or password locked (where allowed) when not in use;
- IT equipment, data or software must not be taken off site by University users without documented authorisation from the Director of ICT (or a suitable deputy).

25 The following lists the controls for equipment security:
- IT equipment should be sited so as to reduce the risk and opportunities for unauthorised access. Monitor screens displaying sensitive data should be positioned to reduce the risk of being overlooked. All equipment should be labelled and, if deemed necessary, marked with INDSOL Tracer;
- Uninterruptible power supplies should be provided for equipment supporting the critical business operations;
- Network cabling and network traffic should be protected from unauthorised interception or monitoring by staff or students;
- Repairs and servicing of the equipment must only be carried out by authorised personnel. A record of all faults or suspected faults must be kept on the Helpdesk system;
- IT equipment, regardless of ownership, used outside the University's premises to support the business activity should be subject to University management authorisation and given an equivalent degree of security protection to that of on-site IT equipment. The following guidelines should be used:
  a. Personal computers should not be used at home for business activities unless up-to-date virus detection software is installed;
  b. When travelling, equipment and media must not be left unattended in public places. Portable computers should be carried as hand luggage when travelling;
  c. Portable computers, which are vulnerable to theft, loss or unauthorised access when travelling, must be provided with an appropriate form of access protection, e.g. passwords, to prevent unauthorised access to their content;
- All items of equipment containing storage media or any removable magnetic media should be checked to ensure that any sensitive data or licensed software are removed or overwritten prior to disposal.

Computers, Servers and Network Management

Servers and Systems

26 Operating procedures should exist to cover the following areas:
- Server start-up and shutdown procedures;
- Back-up procedures;
- Instructions for handling errors and exceptional conditions;
- System restart and recovery procedures for use in the event of system failure.

27 Logs must be written for any incidents that cause system failures, loss of service, or breaches of confidentiality. In severe events, a report should be written analysing and identifying the cause of the incident, and recommending the implementation of remedies to prevent recurrence. Evidence of the security breach should be part of the report along with any audit trail. Actions taken to correct and recover from a security breach should be documented. The items that may appear in the report include:
- Evidence in relation to a potential breach of the employment contract or student regulations;
- Evidence in the event of proceedings under a breach of the law.

28 Segregation of duties minimises the risk of negligent or deliberate system misuse, and consideration should be given by management to separating the execution of certain duties and areas of responsibility. Areas of high risk include financial, personnel and student records.

29 Segregation of development and operational services is desirable to reduce the risk of accidental changes or unauthorised access to operational software and data. The following controls should be considered and may be implemented depending on financial considerations:
- Development and operational software should, where possible, be run on different servers or in different domains or directories;
- Different usernames and passwords should be used on development systems than on operational systems.

30 Acceptance criteria for new systems should be established and suitable tests carried out prior to acceptance. The requirements and criteria for acceptance of new computer systems should be clearly defined, agreed, documented and tested. The following items should be considered:
- Performance and computer capacity requirements;
- Preparation of error recovery and restart procedures, and computer contingency plans;
- Preparation and testing of routine operating procedures to defined standards;
- Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times;
- Training in the operation or use of new systems.

31 For major new developments, the users should be consulted at all stages in the development process to ensure the operational efficiency of the proposed system design. Appropriate tests should be carried out to confirm that all acceptance criteria are fully satisfied.

Virus Detection

32 Virus detection and prevention measures must be implemented on all computers, and users should ensure that the anti-virus software is being used.

33 Actions against major virus infection occurrences will be managed by ICT, who may shut down the network infrastructure and/or services without notice, to limit the damage being caused. Patches, fixes and virus eradication software may be forced to run on workstations without the user's knowledge or consent.

34 Virus 'repair' software should be used with caution and only in cases where virus characteristics are fully understood and the correct repair is certain.

Data and Software Backup

35 Backup copies of essential business data and software are taken regularly.

36 Backup arrangements for central systems are the responsibility of ICT and must meet the following minimum standards:
- A minimum level of backup information, together with logs of the backup copies, is stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. At least three generations of backup data should be retained for important business applications;
- Backup data should be given an appropriate level of physical control. The controls applied to media at the main site should be extended to cover the backup site;
- Backup data should be regularly tested, where practicable, to ensure that it can be relied upon for emergency use when necessary. Data owners should specify the retention period for essential business data and also any requirement for archive copies to be permanently retained.

37 Backup arrangements for Personal Computers are the responsibility of the School or Service but must meet the following minimum standards:
- A minimum level of back-up information, together with accurate and complete records of the backup copies, should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. At least three generations of back-up data should be retained for important business applications;
- Backup data should be given an appropriate level of physical security, consistent with the standards applied at the main site;
- Backup data should be tested, where practicable, to ensure that they can be relied upon for emergency use when necessary;
- Procedures for handling sensitive data such as cheques, invoices and payroll records should be established in order to protect such data from unauthorised disclosure or misuse.

Fault Logs

38 IT staff should maintain a log of all operations carried out. A separate fault log should be kept for central servers and network systems that lists faults reported and actions taken. The fault logs should be reviewed regularly to ensure that problems have been satisfactorily resolved. Corrective measures should be reviewed to ensure that security controls have not been compromised and that the action taken is fully authorised.

Network Controls

39 A range of security controls is required for computer networks. Appropriate controls must be established to ensure the security of data in networks and the protection of connected services from unauthorised access. In particular, the following items should be addressed:
- Responsibilities and procedures for the management of remote access must be established;
- Special controls should be established, if necessary, to safeguard the confidentiality and integrity of data passing over public networks;
- Staff and student data networks must be configured to ensure that unauthorised access through network listening is avoided;
- Protection of the University's infrastructure and information by the appropriate use of firewall technology.

Computer Media and Documentation

40 Procedures for the management of removable computer media such as CDs, USB storage and printed reports should include the following controls:
- Use a data storage system that avoids the use of descriptive labels;
- Storage of media in a safe, secure environment;
- All procedures and authorisation levels for media should be clearly documented.

41 Computer media should be disposed of securely and safely when no longer required. Clear procedures for the secure disposal of media should be established. The following guidelines should be included:
- Media containing sensitive information should be disposed of securely and safely by incineration or shredding, or by erasing the data from magnetic media;
- Disposal of some sensitive items may require logging for future reference and to maintain an audit trail.

42 Procedures for handling sensitive data such as cheques, invoices, credit card details and payroll records must be established in order to protect such data from unauthorised disclosure or misuse. The following items must be covered:
- Handling and labelling of the media;
- Where required, maintenance of a formal record of the authorised recipients of data;
- Review of distribution lists and lists of authorised recipients.

43 System documentation may contain a range of sensitive information, e.g. descriptions of application processes, procedures, data structures and authorisation processes. The following controls should be applied to protect system documentation from unauthorised access:
- System documentation should be secure;
- The distribution list for system documentation should be kept to a minimum and access to such documentation should be restricted to authorised personnel only;
- Computer generated documentation should be stored separately from the application system and assigned an appropriate level of access protection.

Data and Software

Data Exchange

44 Formal agreements must be established for the exchange of data between the University and external organisations. The security contents of such agreements must reflect the sensitivity of the information involved. Agreements must include the following:
- Management responsibilities for controlling and notifying transmission, despatch and receipt;
- Procedures for notifying transmission, despatch and receipt;
- Minimum technical standards for packaging and transmission;
- The responsibilities and liabilities in the event of data loss;
- Data and software ownership and responsibilities for data protection and similar considerations;
- Any special measures required to protect very sensitive items.

45 Computer media can be vulnerable to unauthorised access, misuse or corruption during transportation. The following controls must be applied to safeguard computer media when being transported between sites:
- Reliable transport or couriers must be used;
- Packaging must be sufficient to protect the contents against any physical damage likely to arise during transit;
- Special measures must be adopted where necessary to protect sensitive information. This may include the use of locked containers or delivery by hand.

46 Controls should be applied, where necessary, to reduce the business and security risks associated with electronic data interchange, e-mail and online transactions. Issues that should be addressed include the following:
- The vulnerability of data or messages to unauthorised access or modification;
- The vulnerability to error, e.g. incorrect addressing or misdirection, and the general reliability and availability of the service;
- The security and data protection implications of publishing directory entries;
- Legal requirements associated with proof of origin;
- The need for security measures to control remote user access to computer accounts.

47 Controls for electronic commerce must include:
- Authentication of customer and trader identity;
- Authorisation, restricting access to authorised staff only;
- Contract confidentiality, proof of despatch and receipt;
- Pricing confidentiality;
- Liability and settlement, guarding against fraud and determining who carries the risk.

48 The University has a separate policy regarding the status and use of email, especially with regard to its use for authorisation purposes.

49 Care must be taken to protect the integrity of electronically published information to prevent unauthorised modification which could harm the reputation of the University. Information stored on Web servers accessible via the Internet needs to comply with UK laws and University rules. All electronic publishing systems, including the web-based ones, should be carefully controlled so that:
- Information is obtained and displayed in compliance with the data protection legislation;
- Information input to, and processed by, the publishing system will be complete, accurate and current;
- Sensitive information will be stored correctly.

50 Care should be taken to ensure that the exchange of information through the use of voice, fax and video communication services is protected. Information could be compromised due to:
- Phone calls being overheard;
- Messages stored on an answering machine being overheard, or being played back by an unauthorised person;
- Accidentally sending faxes to the wrong telephone number.

Software

51 Formal software agreements should be established for procured software between the University and the software company. The security contents of such an agreement must reflect the sensitivity of the business information involved. Agreements must include the following:
- A software escrow agreement;
- Software ownership and software copyright compliance;
- The responsibilities and liabilities in the event of data loss through software malfunction;
- Access controls for remote connections to the system and any special measures required to protect sensitive data items.

52 Clear procedures and guidelines are required to control the business and security risks associated with electronic office systems and the use of electronic signatures. Requirements and issues which should be addressed include the following:
- The possible need to exclude categories of sensitive business information;
- The need for a clear policy and controls to manage data and information sharing, e.g. shared data files or the use of corporate electronic notice boards;
- The possible need to restrict access to diary information relating to selected individuals;
- The suitability, or otherwise, of the system to support business applications, such as communicating requests and authorisations;
- The categories of staff and students that are allowed to use the system and the locations from which it may be accessed;
- The possible need to restrict selected services to specific categories of user;
- The policy regarding retention and back-up of information held on the system;
- The requirements and arrangements for fall-back.

User Access Management

53 There must be a formal user registration and deregistration procedure for access to all multi-user IT services managed by ICT. The user registration process must include the following:
- Check that the user has authorisation from the system owner for the use of the service;
- Check that the level of access granted is appropriate for the purpose and is consistent with organisational security procedures;
- Require users to sign undertakings to indicate that they understand the conditions of access;
- Ensure service providers do not provide access until the authorisation procedures have been completed;
- Maintain records of all persons registered to use the service;
- Immediately disable the access rights of users who have changed jobs or left the organisation;
- Periodically check for, and remove, redundant usernames and accounts that are no longer required;
- Ensure that redundant usernames are not re-issued to another user.

54 The use of special privileges must be restricted and controlled. A formal authorising process must include the following:
- Identify the privileges associated with each system product, e.g. operating system, database management system, and the staff to which they need to be allocated;
- Maintain an authorisation process and record all privileges allocated;
- Users who are assigned high privileges for special purposes should use a different username for normal use.

55 Passwords are currently the principal means of validating a user's authority to access a computer service. The allocation of passwords must be controlled by a formal management process, the requirements of which are as follows:
- Require users to undertake to keep personal passwords confidential and group passwords solely within the members of the group;
- Ensure, where users are required to maintain their own passwords, that they are provided initially with a secure temporary password which they are forced to change on first use. Temporary passwords are also provided when users forget a password, always subject to positive identification of the user;
- Convey temporary passwords to users in a secure manner. Conveyance of passwords through third parties or through unprotected (clear text) email should be avoided;
- Expiry dates for passwords may be set for some accounts; the period should be determined by the application owner. This period should not be too short, as this results in passwords being written down rather than remembered. A period of six months is recommended;
- All passwords must have a minimum length set. At least six alphanumeric characters is recommended.

56 To maintain effective control over access to data, a formal process to review users' access rights should be undertaken. This process should ensure that users' access capabilities are reviewed at regular intervals; a period of 12 months is recommended.

Access Control

Network Access Control

57 Network services that can be accessed by an individual user must be consistent with the access control policy.

58 Connections by remote users to University systems require secure authentication, unless it is to access Internet-facing web servers containing public information only. In cases where content is more sensitive this may be supplemented by the use of secure access to thin client servers or the use of VPN software.

59 Computers or servers that have remote access for use by third party maintenance engineers must be protected. The access must be disabled until required and only enabled following an arrangement between ICT staff and the maintenance engineers. Each request for access must be documented.

60 Servers must be protected from unauthorised access and the network from packet listening. The University network as a whole must be protected by a defined security perimeter with a single firewall acting as a network gateway.

61 All equipment connections to the University network must be authorised by ICT prior to use. Equipment must never be connected to more than one network at a time without authorisation from networking specialists in ICT.

62 Network routing control, virtual LANs and network protocols are the responsibility of ICT.

Computer Access Control

63 Access to servers must be via a secure logon process which minimises the opportunity for unauthorised access. Where possible, the procedure must include the following:
- Limit the number of unsuccessful, consecutive login attempts allowed. A limit of three is recommended;
- On failure, disconnect and give no assistance to the end user;
- Limit the maximum time allowed for the logon procedure. If exceeded, the system should terminate the logon;
- Where possible, after a successful logon, the date and time of the previous successful logon and details of any unsuccessful logon attempts since the last successful logon should be displayed.
64 All users will be allocated a unique account username for their sole use which should not be given to another individual. Usernames should not give any indication as to the user's privilege level. In exceptional circumstances, where there is a clear benefit, shared usernames may be used. Approval by ICT management should be documented for such cases.

Application Access Control

65 Users of application systems and systems utilities must be provided with access to data in accordance with a defined access policy based upon the individual requirements.

66 The access policy must contain the following controls:
- Access control to the application system function or system utility;
- Controlling the access capability of the end user to data items. This includes read, write, update and delete.

67 Systems utilities that may override system application controls must be restricted and tightly controlled.

68 In order to minimise the corruption of computer programs, strict control must be maintained over access to source code.

69 On systems containing sensitive data, audit trails recording exceptions and other security relevant events must be kept for an agreed period to assist in future investigations into any possible breaches. Such systems may be monitored to ensure usage is correct. Any audit trail should include usernames, dates and times.

70 Special care is required when using mobile computing facilities such as laptops, notebooks, smartphones and tablets. Protection must be in place to avoid the unauthorised access to or disclosure of information stored by these facilities. The equipment should have installed on it up-to-date virus detection software and, if connected to an ISP, a personal firewall. Care must also be taken to ensure that the equipment is protected against theft.

Remote Access to End-user Computing Devices

71 ICT staff may, following permission being granted by the end user, take full remote control of the computing device for the purposes of diagnosing problems or the installation of software. Such operations must be carried out with an audit log recording all actions.

Systems Development and Maintenance

72 An analysis of security requirements must be carried out at the requirements analysis stage of each development project.
The security requirements must include how the system and the network will safeguard the confidentiality, integrity and availability of information for all server environments of that project, for example development servers and production servers. The analysis must include the following:
- Access control to information;
- Data integrity checks;
- Back-up and archiving requirements;
- Protection of the system from unauthorised amendments.

73 Within application systems, data input must be validated wherever possible. Such controls must include checks for out-of-range values, invalid characters, missing or incomplete data and inconsistent data. Where possible, batch controls, balancing controls, validation processing and hash totals should be used to minimise any data corruption.

74 The need for cryptographic, encryption or digital signature techniques should be considered to ensure confidentiality, authenticity and integrity of information.

75 Strict control must be exercised over the implementation of software on operational systems. The following controls must be exercised:
- The updating of operational programs must only be performed after authorisation;
- If possible, source code should not be held on operational systems;
- Executable code must only be implemented on operational systems after evidence of successful testing and user acceptance is obtained;
- An audit log must be maintained for all updates;
- Previous versions of software should be retained as a contingency measure, and live data must be backed up prior to implementation of a new version of the program.

76 Testing usually requires substantial amounts of test data that is as close as possible to the live data. The use of test databases containing real personal data must be avoided. If such data is used, it must be depersonalised before use.

77 Formal change control procedures should be produced and should include the following:
- Maintaining agreed authorisation levels and obtaining approval before work commences;
- Reviewing security controls and integrity procedures to ensure that they will not be compromised by the changes;
- Identifying all computer software, data files, database entities and hardware that require amendments;
- Ensuring that the system documentation is updated;
- Maintaining version control and a log of all changes.

78 When the operating system or the database management system is updated, the application system should be reviewed to ensure that there is no adverse impact on security or data integrity.

79 Modifications to vendor supplied software packages should be discouraged.
In circumstances where it is deemed essential to modify the package or its data, the following points should be considered:
- Whether any built-in controls or integrity processes are compromised by the modifications;
- Possible vendor support problems;
- Possible problems associated with later versions of the vendor standard program;
- The University becoming responsible for future maintenance of the software.

80 Programs should only be purchased or downloaded from a reputable source. Where software development is outsourced, the following must be considered:
- Licensing arrangements, ownership and intellectual property rights;
- Contractual requirements for quality and accuracy of work done.

Business Continuity Management

81 There should be a managed process for maintaining a business continuity plan. The key elements should be:
- Understanding the risks;
- Understanding the impact of interruptions;
- Considering the acquisition of a business continuity contract;
- Documenting plans;
- Regular testing and updating of plans;
- Identifying responsibilities.

Compliance with Legal Requirements

82 The University should draw to the attention of all users the legal restrictions on the use of copyright material. Regular audits of software should be undertaken and software registers maintained.

83 Important University records should be protected from loss or destruction. The following steps should be taken:
- Guidelines should be issued on the retention, storage, handling and disposal of records and information;
- A retention schedule should be drawn up by identifying record types and the period of time for which they should be retained.

Legislation

84 Personal information (on living individuals who can be identified from the information) that is stored or processed on a computer is subject to the Data Protection Act 1998, and all types of information are subject to the Freedom of Information Act 2000.

85 Compliance with legislation will require some form of management structure and control. An Officer should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. It should be the responsibility of the owner of the data to inform the Officer about any proposals to keep personal information on a computer, and to ensure awareness of the legislation.

86 The use of University IT services is authorised by ICT management. Any use of these services for non-business or unauthorised purposes, without management approval, will be regarded as improper use of the services. If such activity is identified by usage monitoring or by other means, it will be brought to the attention of the line management concerned for appropriate disciplinary action.

87 University users are advised that no access is permitted except that which is formally authorised.

Security Reviews of IT Systems

88 All areas within the University should consider undertaking regular reviews to ensure compliance with security policies and standards.

89 IT services should be regularly checked for compliance with security implementation standards.

Other Sources of Information

90 Other University IT policies:
- IT01 IT Acceptable Use Policy;
- IT03 Internet Usage Policy;
- IT04 Email and Instant Messaging Usage Policy;
- IT05 Telephone and Mobile Phone Usage Policy;
- IT06 IT Hardware and Software Policy;
- IT07 Disposal of IT Equipment and Media Policy;
- IT08 Application Systems Policy;
- IT09 Identity Management Policy
http://portal.solent.ac.uk/support/official-documents/policies-procedures-guidelines/information-communication-technology.aspx

91 Other University policies, including but not limited to, the following:
- Data Protection Policy;
- Freedom of Information Policy;
- Confidentiality Markers Policy;
- Maintenance of Records Policy;
- Disciplinary Procedure Policy;
- Management of Information Policy;
- Web Publishing Policy.
http://portal.solent.ac.uk/support/official-documents/policies-procedures-guidelines/policies-procedures-guidelines.aspx

92 Southampton Solent University's Internet connections are governed by:
- JANET Connection Policy;
- JANET Security Policy;
- JANET Acceptable Use Policy.
https://community.ja.net/library/janet-policies

Author(s): Keith Baker, ICT Security and Standards Manager
Owning committee: Management Information and Technology Committee
Approved by: Paul Colbran, Director of ICT
Date of approval: 9 July 2015
Version: 3.0
Next review date: August 2016