Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012




Monitoring and Logging Policy

Document Status
Security Classification: Level 1 - PUBLIC
Version: 1.0
Status: DRAFT
Approval:
Life: 3 Years
Review By: June 2012
Owner: Secure Research Database Analyst
Change History

Contents
1. Introduction
2. Scope
3. Monitoring
4. Email Scanning
5. Consent
6. Unauthorised Use
7. Roles and Responsibilities
8. Law
9. Regulations Explained
   Regulation of Investigatory Powers Act 2000
   Data Protection Act 1998
   Digital Economy Act 2010
   Terrorism Act 2006

1. Introduction

1.1 The information held within and managed by the Institute of Education (IOE) shall, where possible, be protected against the consequences of breaches of confidentiality, failures of integrity or interruptions to its availability to authorised users. An effective approach to information security requires the participation and support of all IOE staff, students and other authorised users of its information technology systems.

1.2 The necessity of monitoring and logging is covered by ISO 27001 control sets A.10.3 and A.10.10, concerning capacity management and the detection of unauthorised processing activities.

1.3 Failure of the IOE to monitor and filter content could lead to failures in the confidentiality, integrity and availability of IOE data and systems through the following conditions:
- Systems and servers confiscated and/or destroyed by the police due to the presence of illegal content
- Prosecution of IOE data owners due to the presence of illegal content
- Removal of IOE internet access due to illegally copied material
- IOE fined up to £250,000 for hosting illegally copied material
- IOE blacklisted by Internet Service Providers due to spam sent from compromised accounts
- Accounts compromised by entering data into phishing websites
- Phishing websites reachable due to lack of content filtering
- IOE blocked from using JANET due to spam sent from compromised IOE accounts
- Integrity of data unverifiable after access by compromised accounts
- Confidentiality, integrity and availability of data destroyed by unmonitored malicious and/or mobile code activity
- IOE system and network performance degradation due to the operation of unmonitored and/or unapproved applications, affecting the availability of legitimate and business-critical applications
- IOE system and network performance degradation due to inadequate capacity planning

1.4 Information security at the Institute is governed by its Information Security Policy and a number of subsidiary policies. This subsidiary policy covers the monitoring and logging of all uses of information technology within the IOE. It is the responsibility of every user of the Institute's IT systems to know these policies and to conduct their activities accordingly.

2. Scope

2.1 This policy applies to all IOE networks, IT systems, authorised users and unauthorised users.

3. Monitoring

3.1 Networks, computers, internet usage and email usage will be monitored by authorised members of the Systems Support Group and usage logged. Logs are kept secure, are only available to personnel authorised by the Head of IT Services, and will only be kept as long as necessary, in line with current data protection guidelines.

3.2 The IOE's networks, computers, internet usage and email usage will be monitored and logged for all lawful purposes, including:
- Tracking the flow of network traffic
- Facilitating and improving capacity planning
- Maintaining good availability of network bandwidth
- Ensuring use of resources is authorised
- Management of systems
- Protecting against unauthorised access
- Ensuring system and operational security
- Compliance with IOE policies and regulations
- Avoiding or mitigating legal liabilities and complying with legal obligations
- Preventing and detecting crime

3.3 Monitoring will include active attacks by users authorised by the IOE to test or verify the security of its systems.

3.4 During monitoring, information will be examined, recorded, copied and used for authorised purposes.

3.5 All information, including personal information, placed on or sent over IOE systems may be monitored.

3.6 During the monitoring process, personal data may be inadvertently seen or accessed by staff authorised to perform monitoring.

3.7 Monitoring will be automated for the detection and removal of viruses, malware, spam, pornography, inappropriate content and other activities not lawful to IOE business.

4. Email Scanning

4.1 Incoming e-mail will be scanned by the IOE mail filtering system. This includes the use of virus-checking software.

4.2 The software may block unsolicited marketing e-mail (spam), e-mail which has potentially inappropriate content or unscannable attachments (including encrypted attachments), e-mail which breaks any legal or contractual agreement held by the Institute, or e-mail which contains any other inappropriate material.

4.3 A trace log of emails sent by user accounts will be kept on a 30-day rolling basis.

5. Consent

5.1 Use of IOE information technology, authorised or unauthorised, constitutes consent by the user to the monitoring of these systems.

6. Unauthorised Use

6.1 Unauthorised use, as outlined in the Information Security Policy and associated policies, will give rise to disciplinary procedures and/or criminal prosecution.

6.2 Evidence of unauthorised use collected during monitoring may be used subsequently in disciplinary, criminal or other proceedings.

7. Roles and Responsibilities

7.1 Monitoring and log analysis will only be undertaken by authorised members of the Systems Support Group, with permission given by the Head of IT Services.

7.2 Logs are kept secure and will only be accessed by authorised members of the Systems Support Group, with permission given by the Head of IT Services. Logs will only be kept as long as necessary, in line with current data protection guidelines.

8. Law

8.1 Provisions for this monitoring have been made within the terms of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. The above-mentioned Regulations establish formal notice that communications may be intercepted for reasons allowed within this Act. The purposes cover, but are not limited to: monitoring for criminal or unauthorised use; monitoring for the activity of viruses, Trojans and worms; threats to the system, e.g. hacking and denial of service attacks; ensuring the effectiveness of operations; and compliance with Institute policies and regulations.

9. Regulations Explained

Regulation of Investigatory Powers Act 2000

As required by UK legislation, all users of the IOE's Data and Telephone Networks must be aware that their communications may be intercepted as permitted by legislation. The legislation allows the IOE to intercept without consent for purposes such as recording evidence of transactions, ensuring regulatory compliance with IOE policies, detecting crime or unauthorised use, and ensuring the operation of systems. The IOE is not required to gain consent before intercepting for these purposes, but needs to inform staff and students that interception may take place.

In the course of their normal duties, some authorised staff have the authority, and may be required, to carry out certain monitoring activities in order to ensure the correct operation of IT and telecommunications systems. This does not imply that all communications are monitored, just that they may be for the above purposes.

The Act is available here: http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_1

Data Protection Act 1998

IT Services hold user registration data and information on the use of the IOE's computer systems and network. Information concerning when and where users have accessed systems, print logs, Internet caches, access control system data, network traffic statistics and other similar data may be logged. While normally only used for resolving operational problems, these logs will be analysed (under the remit of the IOE's Security Policies) where a breach of IOE regulations and policies, or other misuse or abuse of facilities, is suspected.

Information contained within the logs referred to above may also be used to communicate with users to alert them to malfunctions within IOE IT facilities, or to request action to correct malfunctions which may be putting the normal operation of the IT facilities in jeopardy. In addition, statistical analysis may take place, which does not identify any individual, in order to provide management information on IT service usage.

The Data Protection Act 1998 is available here: http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

Digital Economy Act 2010

Under the Digital Economy Act 2010, Internet Service Providers are required to provide copyright holders with lists of copyright infringements by service users where such lists are either requested by copyright holders or required to be published by an obligations code. Persistent copyright infringers can be fined (up to a current maximum of £250,000, or a greater amount if determined by the Secretary of State) and have their internet access modified, suspended or withdrawn.

The Digital Economy Act is available here: http://www.opsi.gov.uk/acts/acts2010/pdf/ukpga_20100024_en.pdf

Terrorism Act 2006

The Terrorism Act 2006 makes it an offence to write, publish or circulate any material that could be seen, by any one or more of the persons to whom it has or may become available, as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism. It also prohibits the writing, publication or circulation of information which is likely to be useful to any one or more persons in the commission or preparation of terrorist acts, or which is in a form or context in which it is likely to be understood by any one or more of those persons as being wholly or mainly for the purpose of being so useful. In addition, it prohibits the glorification of the commission or preparation (whether in the past, in the future or generally) of terrorist acts or such offences, and the suggestion that what is being glorified is being glorified as conduct that should be emulated in existing circumstances.

The Terrorism Act is available here: http://www.opsi.gov.uk/acts/acts2006/ukpga_20060011_en_2