Godley Primary School E-Security Policy 23/05/2014 Schools ICT Security Policy 1
E-Security

Information systems (IS) play a major role in supporting the school's activities. The reliability, confidentiality and data integrity of the information systems are all essential to the success of the school's educational and administrative work. To achieve a high level of IS security, all users and administrators will need to comply with the school's IS Security Policy.

The policy applies to all staff and students of the school and all other authorised users. It relates to their use of school IS, to private systems when connected to the school network and to school-owned programs and data, whether used on school or on private systems.

The objectives of this policy are to ensure that:

- The school's information systems, programs, data, network and equipment are adequately protected against loss, misuse or abuse;
- All users are aware of and implement this policy and associated policies including e-safety and data protection;
- All users are aware of and comply with the relevant UK and European Union legislation;
- Appropriate security measures are implemented as part of the effective operation and support of IS;
- All users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
Introduction

This material reflects effective IS security practice in Tameside schools. The value of a 75-station network is of the order of 60000.00 and it is sensible to protect this investment, to say nothing of the value and sensitivity of the data held. Furthermore, with the integration of curriculum and administration networks, and community access to school ICT facilities, the breadth of threat to systems, data and people grows wider.

With broadband initiatives, schools become part of a wider network community. They are no longer isolated and at risk only from dangers within their own LAN (Local Area Network). WAN (Wide Area Network) connectivity places a responsibility on all participating schools to ensure that their own and other LANs are not compromised by poor security and irresponsible user actions.

This document sets out areas for consideration to protect our own and other community networks and covers the following points:

1.1 User responsibility and behaviour.
1.2 ICT system integrity and security.
1.3 Hardware and software quality, maintenance and replacement.
1.4 Virus Prevention Strategies.
1.5 Password good practice.
1.6 Wireless Network.
1.7 Disaster recovery procedures.
1.8 References.
1.1 User Responsibility and Behaviour

Everyone is involved in security; this is simply responsible citizenship. All adult users expect an acceptable level of ICT service. Similarly they should expect security and privacy of their data. This implies mutual respect for other people's privacy and data. Safeguarding your own account and password details is an essential requirement.

The Data Protection Act and Computer Misuse Act both apply to school networks and the data held within them. Staff and pupils need to develop responsible approaches to continue to enjoy the privilege of using the school ICT facilities.

1.2 Information Systems Integrity and Security

The school has a responsibility for ensuring that its capital investment in ICT is protected and secured, just as there are procedures for the security and safety of buildings. Network administrators must understand the principles of file level security and the consequences of network access. Users who have network administration rights must safeguard their access and understand their responsibilities. They are potentially the greatest security risk!

1.2.1 File Security

The network servers are located within a computer room. This room is kept locked when not under direct supervision.

The system performs an automatic backup of each server hard disk to tape every night. A different tape is used for each night and then reused the following week. The backup tapes are stored in the school safe and one set is taken off the premises by the ICT Technician. A third-level online backup also takes place automatically without intervention.

Workstation backups are not required. A faulty station can be quickly rebuilt by using an image.

Precautions are taken to reduce the chances of infection by computer viruses via the Internet, email, or other disks. The antivirus software, MS essentials, which is installed on all school network stations and servers, is scheduled to update and run automatically on a weekly basis. Remedian will check that antivirus software is operating correctly once a month.

All users have their own area for storing their work on the network server hard disk (the "My documents" folder). This means that they can access their work from any network station. Users do not have access to network drives, nor are they able to alter or save files outside their own area (except in the authorised shared public drive). Staff can alter and save files on the public drive but pupils can only view the files.

1.2.2 Access to Software

Only Remedian can install new software and hardware. Users can only access software and other resources as made available to them by Remedian. For example, pupils do not have access to staff programs and shared documents. Group policy and Desktop Redirect control which programs the pupils have access to. An appropriate desktop is created for each year group.

Sites visited on the Internet are filtered by Websense Lightspeed.

1.3 Hardware and Software Security, Maintenance and Replacement

1.3.1 Hardware Security/Inventory

An inventory is maintained of all equipment together with make, model, serial number, date of purchase and location. A copy of the inventory is held by Remedian.

Rooms with computers are locked overnight. Keys to the ICT Suite are located in the key safe in the administrator's office.
All external visitors are required to report to the office and wear identification at all times.

All computer rooms and corridors are monitored by the school alarm system after school hours.

All major items are security marked to identify them as the property of the school.

1.3.2 Software Security/Inventory

An inventory is maintained containing a record for each item of software that is available for use on the network and the number of licenses held. Licenses and invoices are held in the ICT Coordinator File or online (accessed via Remedian).

1.3.3 Network & Hardware Maintenance

Equipment failure in a lesson can have a very negative effect on both teacher and pupil alike. It is essential to have technical support. The school has the following contracts:

- ICT Support Package provided by Remedian. This covers the provision of a technical support service covering broadband, servers, network infrastructure and administration networks, and liaison with third parties on behalf of the client.
- SIMS support is provided by Tameside.
- The school hardware maintenance contract is managed and sourced by Remedian ensuring value for money. All essential hardware including network components (hubs, routers and switches etc.).

Maintenance logs of equipment are kept up to date so that the previous history of faults can be used to inform repair, or to escalate a frequently reported problem for further analysis.

Housekeeping procedures, i.e. defragmenting and ScanDisk, are performed on all workstations/laptops at least once a year, and more frequently, time permitting.
1.3.4 Electrical Safety

All equipment attached to the main electrical supply is safety tested annually.

The servers operate from an Uninterruptible Power Supply (UPS) to protect against power surges and blackouts. This will ensure a controlled shutdown of servers should a power failure occur.

The power switches of the ICT equipment in the classrooms should be turned off at the end of the day.

1.3.5 Fire Precautions

Waste material, i.e. paper/books, should be frequently removed from the computer areas.

Items should not be placed on laptops and left there.

All workstation screens should be switched off when the workstation is shut down.

A carbon dioxide (CO2) fire extinguisher is fitted in the ICT Suite. Staff know where it is and how to use it.

1.5 Virus Prevention Strategies

At any one time, Tameside schools are vulnerable to virus threats through old software versions, unpatched machines and a lack of regular checking. Schools should regularly review security procedures and ensure compliance, even where staff illness, leave or high workload could disrupt the pattern. Here, the term virus covers worms, Trojans etc.

Precautions are taken to reduce the chances of infection by computer viruses via the internet, e-mail or other discs.
The antivirus software MS essentials is installed on all the school network stations and servers. It is scheduled to update and run automatically on a weekly basis. Remedian will check that antivirus software is operating correctly once a month.

All workstations are set to automatically update Microsoft service packs and security patches.

Care should be taken when opening e-mails and their attachments, and images from the internet, from unknown sources. The attachments in particular should not be opened if at all suspect.

Removable media (e.g. external drives) must be scanned for viruses before being used on a machine connected to the network.

1.6 Wireless Network

Connection to the network is through 4 Wireless Access Points. As wireless LAN broadcasts may be monitored beyond the school boundary, encrypted transmission must be configured to prevent access. As recommended by Tameside MBC ICT Internal Audit, the WPA2 encryption protocol has been enabled.

Remedian will connect hardware to the wireless network.
1.7 Choosing and Using Passwords

Sensitive medical data and pupil family details are all areas where access by the wrong person could produce problems. A professional approach to authentication will help establish trust that personal or business data is kept secure. The security of the identity / password pair is thus important.

- All staff will change their password each term.
- Staff should not disclose their password to anyone.
- All staff should read the attached Appendix A for password tips.
- The server will automatically prompt users to change their password. A log will be kept of each change.

1.8 Disaster Recovery Procedures

Risk assessment considering all possible ICT disaster situations and their consequences should be part of a school's management policy. This is the insurance policy.

Most disasters are not predicted. Sometimes the warning signs are there (network error logs of failing backups and hard disk crashes), but sometimes not. Acts of God such as lightning strikes are usually beyond your control.

All users will be informed immediately if there is a loss of ICT services and advised of the cause.

The server backup disc will be checked monthly to ensure the discs are readable, as a system crash may require recovery from recent tape backups.

The backup tapes are stored in the school safe and a daily set is taken off site with the ICT Technician.
References

- CERT (Computer Emergency Response Team): the team that provides authoritative security advice to JANET. http://www.janet.ac.uk/cert/
- Becta e-safety site. www.becta.org.uk/schools/esafety
- Becta, Data protection and Security: a summary for schools. http://publications.becta.org.uk/display.cfm (search on data protection)
- Becta, National Network Standards including security. http://industry.becta.org.uk/
- Google directory on computer security sites. http://directory.google.com/top/computers/security/policy/
Appendix A

Choosing and Using Passwords

A password chosen to be easy to remember by association, such as "matthew" or "Canterbury", is easily guessed. Completely random, long passwords tend to result in people writing them down, a cardinal sin! What is reasonably secure and memorable?

A password should not:

- Contain a dictionary word (to prevent breaking by substitution).
- Be the name of a pet, town, person or character in a film.
- Contain a space.

A good password:

- Uses a wide range of characters as well as letters. Any keyboard character will make the password less easy to spot. E.g. qot78*tug or cat&56mice
- Must be over 6 characters long, but 10 is plenty.
- Will use some capitals (if passwords are case sensitive), digits and punctuation.

For memorable passwords try:

- Nug78Mer - the consonant-vowel-consonant is pronounceable.
- Canterbury town wall is a quarter missing = Ctwia1/4m.

Password tips

- We all have many passwords and it is tempting to use one for all systems. This is extremely poor practice! However some things are high security and some not.
- Never let Windows remember an important password for you!
- Change important passwords on say a monthly or termly basis.
- Arrange access for colleagues to shared files, so they don't need your password.