Monitoring and Logging Policy

Document Status
Security Classification: Level 1 - PUBLIC
Version: 1.0
Status: DRAFT
Approval Life: 3 Years
Review By: June 2012
Owner: Secure Research Database Analyst
Change History:
Contents
Monitoring and Logging Policy
Document Status
1. Introduction
2. Scope
3. Monitoring
4. Email Scanning
5. Consent
6. Unauthorised Use
7. Roles and Responsibilities
8. Law
9. Regulations Explained
   Regulation of Investigatory Powers Act 2000
   Data Protection Act 1998
   Digital Economy Act 2010
   Terrorism Act 2006
1. Introduction

1.1 The information held within and managed by the Institute of Education (IOE) shall, where possible, be protected against the consequences of breaches of confidentiality, failures of integrity or interruptions to its availability to authorised users. An effective approach to information security requires the participation and support of all IOE staff, students and other authorised users of its information technology systems.

1.2 The necessity of monitoring and logging is covered by ISO 27001 control sets A.10.3 and A.10.10, concerning capacity management and the detection of unauthorised processing activities.

1.3 Failure of the IOE to monitor and filter content could lead to failures in the confidentiality, integrity and availability of IOE data and systems through the following conditions:
- Systems and servers confiscated and/or destroyed by the police due to the presence of illegal content
- Prosecution of IOE data owners due to the presence of illegal content
- Removal of IOE internet access due to illegally copied material
- IOE fined up to 250,000 for hosting illegally copied material
- IOE blacklisted by Internet Service Providers due to spam sent from compromised accounts
- Accounts compromised by entering data into phishing websites
- Phishing websites available due to lack of content filtering
- IOE blocked from using JANET due to spam sent from compromised IOE accounts
- Integrity of data unverifiable after access by compromised accounts
- Confidentiality, integrity and availability of data destroyed by unmonitored malicious and/or mobile code activity
- IOE system and network performance degradation due to the operation of unmonitored and/or unapproved applications, affecting the availability of legitimate and business-critical applications
- IOE system and network performance degradation due to inadequate capacity planning

1.4 Information security at the Institute is governed by its Information Security Policy and a number of subsidiary policies.
This subsidiary policy covers the monitoring and logging of all uses of information technology within the IOE. It is the responsibility of every user of the Institute's IT systems to know these policies, and to conduct their activities accordingly.

2. Scope

2.1 This policy applies to all IOE networks, IT systems, authorised users and unauthorised users.
3. Monitoring

3.1 Networks, computers, internet usage and email usage will be monitored by authorised members of the Systems Support Group, and usage will be logged. Logs are kept secure, are only available to personnel authorised by the Head of IT Services, and will only be kept as long as necessary, in line with current data protection guidelines.

3.2 The IOE's networks, computers, internet usage and email usage will be monitored and logged for all lawful purposes, including:
- Tracking the flow of network traffic
- Facilitating and improving capacity planning
- Maintaining good availability of network bandwidth
- Ensuring use of resources is authorised
- Management of systems
- Protecting against unauthorised access
- Ensuring system and operational security
- Compliance with IOE policies and regulations
- Avoiding or mitigating legal liabilities and complying with legal obligations
- Preventing and detecting crime

3.3 Monitoring will include active attacks by users authorised by the IOE to test or verify the security of its systems.

3.4 During monitoring, information will be examined, recorded, copied and used for authorised purposes.

3.5 All information, including personal information, placed on or sent over IOE systems may be monitored.

3.6 During the monitoring process, personal data may be inadvertently seen or accessed by staff authorised to perform monitoring.

3.7 Monitoring will be automated for the detection and removal of viruses, malware, spam, pornography, inappropriate content and other activities not lawful to IOE business.

4. Email Scanning

4.1 Incoming e-mail will be scanned by the IOE mail filtering system. This includes the use of virus-checking software.

4.2 The software may block unsolicited marketing e-mail (spam), e-mail which has potentially inappropriate content or unscannable attachments (including encrypted attachments), e-mail which breaks any legal or contractual
agreement held by the Institute, or e-mail which contains any other inappropriate material.

4.3 A trace log of emails sent by user accounts will be kept on a 30-day rolling basis.

5. Consent

5.1 Use of IOE information technology, authorised or unauthorised, constitutes consent by the user to the monitoring of these systems.

6. Unauthorised Use

6.1 Unauthorised use, as outlined in the Information Security Policy and associated policies, will give rise to disciplinary procedures and/or criminal prosecution.

6.2 Evidence of unauthorised use collected during monitoring may subsequently be used in disciplinary, criminal or other proceedings.

7. Roles and Responsibilities

7.1 Monitoring and log analysis will only be undertaken by authorised members of the Systems Support Group, with permission given by the Head of IT Services.

7.2 Logs are kept secure and will only be accessed by authorised members of the Systems Support Group, with permission given by the Head of IT Services. Logs will only be kept as long as necessary, in line with current data protection guidelines.

8. Law

8.1 Provision for this monitoring has been made within the terms of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. The above-mentioned Regulations establish formal notice that communications may be intercepted for reasons allowed within this Act. The purposes cover, but are not limited to: monitoring for criminal or unauthorised use; monitoring for the activity of viruses, Trojans and worms; threats to the system, e.g. hacking and denial of service attacks; ensuring the effectiveness of operations; and compliance with Institute policies and regulations.
9. Regulations Explained

Regulation of Investigatory Powers Act 2000

As required by UK legislation, all users of the IOE's Data and Telephone Networks must be aware of the fact that their communications may be intercepted as permitted by legislation. The legislation allows the IOE to intercept without consent for purposes such as recording evidence of transactions, ensuring regulatory compliance with IOE policies, detecting crime or unauthorised use, and ensuring the operation of systems. The IOE is not required to gain consent before intercepting for these purposes, but needs to inform staff and students that interception may take place.

In the course of their normal duties, some authorised staff have the authority, and may be required, to carry out certain monitoring activities in order to ensure the correct operation of IT and telecommunications systems. This does not imply that all communications are monitored, just that they may be for the above purposes.

The Act is available here: http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_1

Data Protection Act 1998

IT Services hold user registration data and information on the use of the IOE's computer systems and network. Information concerning when and where users have accessed systems, print logs, Internet caches, access control system data, network traffic statistics and other similar data may be logged. While normally only used for resolving operational problems, these logs will be analysed (under the remit of the IOE's Security Policies) where a breach of IOE regulations and policies, or other misuse or abuse of facilities, is suspected. Information contained within the logs referred to above may also be used to communicate with users to alert them to malfunctions within IOE IT facilities, or to request action to correct malfunctions which may be putting the normal operation of the IT facilities in jeopardy.
In addition, statistical analysis may take place, which does not identify any individual, in order to provide management information on IT service usage.

The Data Protection Act 1998 is available here: http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
Digital Economy Act 2010

Under the Digital Economy Act 2010, Internet Service Providers are required to provide copyright holders with lists of copyright infringements by service users where such lists are either requested by copyright holders or required to be published by an obligations code. Persistent copyright infringers can be fined (up to a current maximum of 250,000, or a greater amount if determined by the Secretary of State) and have their internet access modified, suspended or withdrawn.

The Digital Economy Act is available here: http://www.opsi.gov.uk/acts/acts2010/pdf/ukpga_20100024_en.pdf

Terrorism Act 2006

The Terrorism Act 2006 makes it an offence to write, publish or circulate any material that could be seen, by any one or more of the persons to whom it has or may become available, as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism. It also prohibits the writing, publication or circulation of information which is likely to be useful to any one or more persons in the commission or preparation of terrorist acts, or is in a form or context in which it is likely to be understood by any one or more of those persons as being wholly or mainly for the purpose of being so useful. In addition, it prohibits the glorification of the commission or preparation (whether in the past, in the future or generally) of terrorist acts or such offences, and the suggestion that what is being glorified is being glorified as conduct that should be emulated in existing circumstances.

The Terrorism Act is available here: http://www.opsi.gov.uk/acts/acts2006/ukpga_20060011_en_2