TECHNICAL SECURITY AND DATA BACKUP POLICY




PURPOSE

Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training. The school will be responsible for ensuring that the school infrastructure/network is as safe and secure as is reasonably possible and that:

- users can only access data to which they have right of access
- no user should be able to access another's files (other than that allowed for monitoring purposes within the school's policies)
- access to personal data is securely controlled in line with the school's personal data policy
- logs are maintained of access by users and of their actions while users of the system
- there is effective guidance and training for users
- there are regular reviews and audits of the safety and security of school computer systems
- there is oversight from senior leaders and these have impact on policy and practice.

GUIDELINES

Responsibilities

The management of technical security will be the responsibility of the ICT Manager.

1. Technical Security

The school will be responsible for ensuring that the school infrastructure/network is as safe and secure as is reasonably possible and that policies and procedures approved within this policy are implemented. It will also need to ensure that the relevant people will receive guidance and training and will be effective in carrying out their responsibilities:

- Stroud High School technical systems will be managed in ways that ensure that the school meets recommended technical requirements.
- There will be regular reviews and audits of the safety and security of school academy technical systems.
- Servers, wireless systems and cabling must be securely located and physical access restricted.
- Appropriate security measures are in place to protect the servers, firewalls, switches, routers, wireless systems, work stations, mobile devices etc. from accidental or malicious attempts which might threaten the security of the school systems and data.
- Responsibilities for the management of technical security are clearly assigned to appropriate and well trained staff.
- All users will have clearly defined access rights to Stroud High School technical systems. Details of the access rights available to groups of users will be recorded by the Network Manager/Technical Staff and will be reviewed, at least annually.
- Users will be made responsible for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security.
- The ICT Manager is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased against the number of software installations.
- Stroud High School technical staff regularly monitor and record the activity of users on the school technical systems and users are made aware of this in the Acceptable Use Agreement.
- Remote management tools are used by staff to control workstations and view users' activity.

- An agreed protocol is in place (to be described) for the provision of temporary access of guests (eg trainee teachers, supply teachers, visitors) onto the school system.
- The Personal Information Handling Policy describes the extent of personal use that users and their family members are allowed on school devices that may be used out of school.
- The Personal Information Handling Policy describes the use of removable media (eg memory sticks) by users on school devices.
- The school infrastructure and individual workstations are protected by up to date software to protect against malicious threats from viruses, worms, trojans etc.

2. Password Security

A safe and secure username/password system is essential if the above is to be established and will apply to all school technical systems, including networks, devices, email and Virtual Learning Environment (VLE).

- All users will have clearly defined access rights to school technical systems and devices. Details of the access rights available to groups of users will be recorded by the Network Manager (or other person) and will be reviewed, at least annually, by the E-Safety Committee (or other group).
- All Stroud High School networks and systems will be protected by secure passwords that are regularly changed.
- The master/administrator passwords for the Stroud High School systems, used by the technical staff, must also be available to the Headteacher and Leadership ICT Strategy Lead and kept in a secure place eg school safe. Consideration should also be given to using two factor authentication for such accounts.
- Passwords for new users, and replacement passwords for existing users, must comply with the complexity protocols identified below.
- All users (adults and young people) will have responsibility for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security.
- Users will change their passwords at regular intervals as described in the staff and student sections below.
- The level of security required may vary for staff and student accounts and the sensitive nature of any data accessed through that account.

Staff/Governor passwords:

All staff/governor users will be provided with a username and password by (insert name or title) who will keep an up to date record of users and their usernames.

- the password should be a minimum of 8 characters long and must include three of uppercase character, lowercase character, number, special characters
- the account should be locked out following five successive incorrect log-on attempts
- temporary passwords, e.g. used with new user accounts or when users have forgotten their passwords, shall be enforced to change immediately upon the next account log-on
- passwords shall not be displayed on screen, and shall be securely hashed (use of one-way encryption)
- passwords should be different for different accounts, to ensure that other systems are not put at risk if one is compromised, and should be different for systems used inside and outside of school
- should be changed at least every 30 days
- the last four passwords cannot be re-used by the same user.

Student passwords:

- All users will be provided with a username and password by the ICT Manager.
- Users will be required to change their password every 30 days.
- Students will be taught the importance of password security.
- The complexity (ie minimum standards) will be set with regards to the cognitive ability of the children.

Training/Awareness

Members of staff will be made aware of the school's password policy:
   o at induction
   o through the school's e-safety policy and password security policy
   o through the Acceptable Use Agreement

Pupils/students will be made aware of the school's password policy:
   o in lessons
   o through the Acceptable Use Agreement

Audit/Monitoring/Reporting/Review

The ICT Manager will ensure that full records are kept of:

- User log-ons
- Security incidents related to this policy

3. Data Backup

Data held on the school's IT network will be backed up to ensure it can be recovered in case of any disaster. The strategies/systems in place must be robust enough to ensure the recovery of data in any circumstance.

i. Regular data back-up is a requirement for the following:

- All school data (see Appendix 1 for definition)
- MIS Database
- Finance System Database
- Email System
- Virtual Servers
- Library Database

ii. Backup Logs

The ICT Manager will monitor backup logs to ensure that all data is being backed up correctly.

iii. Data Stored on Laptops

The school does not back up any data stored on school owned laptops. All data should be stored on the school's IT network (H:, G: drive etc.). There are instances where users may want to store data locally on their laptop to work on at home; in these circumstances it is the responsibility of the member of staff to make their own backup of these files. This can simply be achieved by saving these files back to the school network when they are back in school.

iv. Data Restore

Only the IT Support team have access to restore any data. The ICT Manager will determine if a restore is possible depending on circumstances.

v. Backup Hardware and Software

The ICT Manager is responsible for the appropriate hardware and software backup systems that are necessary to provide reliable backup and restore facilities. These systems will be reviewed as necessary and, should the needs of the school change, the IT Manager will submit plans to the Leadership Team for new systems.

vi. Reviewing the Backup Strategy

The ICT Manager will be responsible for reviewing the backup strategy annually and making any changes that are required.

vii. Off Site Storage

In the event of a disaster (fire, flooding etc.) it is good practice to store a copy of data off-site. Our off-site location is the Junior School building and every other monthly tape backup set will be stored off-site.

viii. Testing Data Restoration

The backup system is only as good as any successful restoration of data. The system should be regularly tested and improvements made if needed.

For Current Backup Strategy see Appendix 2.

Appendix 1 - All School Data (see i above)

All School Data listed by DFS Share Name:

- School
- Staff
- Students
- Yearfolders
- ICTdept
- Leadership_Staff

The ICT Manager must keep this list updated.

Appendix 2 - Current Backup Strategy (October 2014)

Daily Backups to NAS (Network Attached Storage)

Backup runs overnight.

- All School Data (incremental changed files only)
- SIMS Database
- PS Financials Database
- Eclipse Library Database

Email Backup to SAN (Storage Array Network)

Backup runs overnight.

- All email accounts fully backed up on Mon, Weds & Friday

Monthly Backup to Tape (stored off site)

Backup runs over a weekend.

- All School Data (full)
- SIMS Database
- PS Financials Database
- Eclipse Library Database

Yearly Backup to Tape (stored off site)

Backup runs over a weekend.

- All School Data (full)
- SIMS Database
- PS Financials Database
- Eclipse Library Database

Daily Volume Shadow Copy Backup

This is enabled to cover the period during the school day when a new file could be created and deleted without being backed up in the evening. Volume Shadow Copy makes a backup of these files at various times during the school day.

- Everyday @ 11am, 13:15 & 15:30
- All School Data

Data Replication

All school data is replicated to the second server room on the junior site. Should we have a disaster, not only do we have tape backups but also a live copy of all school data.

VMWare Server Backups

All virtual servers are replicated across the school site between the 2 server rooms. Should we lose a server room for any reason, we have a copy of all the servers on each site.

The ICT Manager must keep the strategy updated.

Date of Policy: Dec 2014
Next Review: Dec 2016
Monitored by: Finance Committee