ICT Policy

1. Introduction

It is a requirement of the Data Protection Acts 1984 and 1998 that personal data must be held and processed securely; this is a component of the Company Data Protection Policy, the full details of which may be found on the Company Web. The processing of personal data in the Company has to be registered with the Company Data Protection Officer. In accordance with the Act, personal data has to be handled in compliance with a set of eight principles. The Act also gives rights to persons about whom data is held (Data Subjects), which must be observed.


2. Registration/Notification

Any personal data held on computer, or manually in relevant structured files, as defined in the Act, may be processed for a particular purpose only if that purpose has first been registered with the Company Data Protection Officer, and subsequently notified to the Information Commissioner. Where a user downloads personal data from a database for his/her own use, this constitutes a new database and must be registered accordingly. The Company is also required to lodge with the Commissioner the details of the systems it has put in place to ensure the security of personal data held on those databases.


3. Compliance with the Data Protection Principles

The Data Protection Act 1998 sets out 8 Principles with which those collecting, storing and disclosing personal data, whether dealing with manual data or data processed by computer, must comply. Personal data must:


3.1 be obtained and processed fairly and lawfully, and shall not be processed unless certain conditions are met; special additional conditions apply to sensitive data;


3.2 be obtained for a specified and lawful purpose, and shall not be processed in any manner incompatible with that purpose;


3.3 be adequate, relevant and not excessive for those purposes;


3.4 be accurate and kept up to date;


3.5 not be kept for longer than is necessary for that purpose;


3.6 be processed in accordance with the data subject's rights;


3.7 be kept safe from unauthorised access, accidental loss or destruction;


3.8 not be transferred to a country outside the European Economic Area unless that country has equivalent levels of protection for personal data.


Staff and students of the Company, and others who process or use any personal information for the Company, must ensure that they follow these principles at all times.


4. Data Security

Ensuring that personal data is held securely is thus a key feature of the Data Protection Act. Personal data should not be disclosed either orally or in writing or accidentally to any unauthorised third party. If computerised it should be protected by password, encryption or firewall according to sensitivity or kept only on a disk which is itself kept securely. Unauthorised disclosure will usually be considered a disciplinary matter and may be considered gross misconduct in some cases.

Candidates' work may be uploaded to the server database; it must be password protected and accessible only to the assessors, moderators and external moderators. The information must be backed up using alternative storage media such as disc, CDs or USB drives, which are kept securely in the learner file and in a lockable Internal Verifiers' room, in lockable filing cabinets that are accessible only to authorised personnel.


5. Subject Access

In accordance with the 1998 Act, a data subject is entitled to be given a description of the types of data about them being processed by the Company, the purposes for which they are being processed, a description of the types of potential recipients of this data, and any information as to the source of the data held where it was not obtained from the data subject himself/herself. In addition, where data is processed automatically and is likely to be the sole basis for any decision affecting the data subject, s/he is also entitled to know the logic involved in the decision making. A data subject also has a right, subject to certain exceptions and to the payment of a fee, to see the actual data held about him/her. Subject access may not be granted where this may result in the disclosure of information about another individual, or where it may be required for the purpose of safeguarding national security or the prevention or detection of crime. Students may not be given access to information they have recorded on their examination papers, although they are entitled to see the marks received.


When setting up and using databases of personal data, users must register the new database with the Company Data Protection Officer and act in compliance with the Data Protection Principles to ensure that personal data is held and processed securely and the rights of the individual are preserved.

Information Systems Security Policy – Supporting Policy 2: Conditions of Use of IT Facilities


The User agrees and accepts that:


1. Use of Company IT facilities, and their use to access non-Company IT facilities, must be for the purpose of University research, teaching, coursework, associated administration or other authorised use. No 'private/commercial' work is permitted without prior authorisation. Company IT facilities include the network, the virtual private network (VPN), computers, printers and the associated services (e.g. software, data, e-mail, Web, e-journals, bulletin boards, databases), and are not limited to these: any other part of the Company IT facilities is also covered.


Occasional personal use of the desktop computer, e-mail and web access is permitted provided such use does not disrupt the conduct of Company business or other Users. Recreational use of the Halls of Residence network is also permitted, subject to these conditions.


2. When using Company IT facilities the user must comply with the Company Information Systems Security Policy and all relevant statutory and other provisions, regulations, rules and codes of practice. Specifically, but not exclusively, the User must:


2.1 Not disclose to others her/his Company login name/password combination(s), not access or attempt to access IT facilities at the Company or elsewhere for which permission has not been granted, and not facilitate such unauthorised access by others.

2.2 Not use or produce materials or resources to facilitate unauthorised corruption, changes, malfunction or access to any IT facilities at the Company or elsewhere. Attempted access to IT facilities includes scanning activities (e.g. port scanning).

2.3 Not display, store, receive or transmit images or text which could be considered offensive, e.g. material of a sexual, pornographic, paedophilic, sexist, racist, libellous, threatening, defamatory or terrorist nature, or likely to bring the Company into disrepute.

2.4 Not forge email signatures and/or headers, initiate and/or forward ‘chain’ or ‘junk’ or ‘harassing’ email.

2.5 Not play unauthorised games.

2.6 Respect the copyright of all material and software made available by the Company and third parties, and not use, download, copy, store or supply copyright materials (including software and retrieved data) other than with the permission of the copyright holder or under the terms of the licence held by the Company.

2.7 When holding data about living individuals, covered by the Company Data Protection Policy, register that data and its uses, and treat it in accordance with the Principles, as required by the Data Protection Act. Student users must not construct or maintain computer files of personal data for use in connection with their academic studies/research without the express authority of the Departmental/Divisional Data Protection Co-ordinator.

2.8 When responsible for Information Servers or the information held thereon abide by the Company Code of Practice for Information Servers and be aware that a User may be considered in law to be a Publisher in certain circumstances.


3. All data/programs created/owned/stored by the user on or connected to Company IT facilities may, in the instance of suspected wrongdoing, be subjected to inspection by the Company or by statutory authorities. Should the data/programs be encrypted, the User shall be required to provide the decryption key to facilitate decryption of the data/programs.


4. Other than any statutory obligation, the Company will not be liable for any loss, damage or inconvenience arising directly or indirectly from the use of, or prevention of use of, any IT facility provided and/or managed by the Company.


5. Whilst the Company takes appropriate security measures against unauthorised access to, alteration, disclosure, destruction or accidental loss of personal and other data, it cannot and does not give any warranties or undertakings to the User about the security, confidentiality or integrity of data, personal or other. The same applies to other IT material submitted to or processed on facilities provided or managed by the Company, or otherwise deposited at or left on its premises.


6. His/her name, address, photograph, status, e-mail name, login name, alias, Company Identifier (CID) and other related information will be stored in computerised form for use for administrative and other purposes e.g. monitoring system usage.


7. As provided by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act 2000, the Company will intercept and monitor electronic communications for the purposes permitted under those Regulations, in accordance with the Code of Practice on Monitoring Electronic Communications in the College Information Systems Security Policy.


8. These conditions apply to non-Company owned equipment (e.g. personal laptops, home PCs) when connected to the Company network, directly and/or via the VPN, for the duration that the equipment is using the Company network.


Breach of these conditions may lead to Company disciplinary procedures being invoked, with penalties which could include suspension from the use of all Company computing facilities for extended periods and/or fines. Serious cases may lead to expulsion or dismissal from the Company and may involve civil or criminal action being taken against the User.


If you have any difficulty, please contact your Departmental/Divisional Computing Representative or the ICT Service Desk (Ext. 49000) or the ICT User Registration Office (Ext. 49008).

Information Systems Security Policy – Supporting Policy 3: Connecting to the Company Network/System Access Control


Introduction

1. The Company depends heavily upon its IT network for Research, Teaching and Administrative activities. It is essential that the stability, integrity and security of the Company IT network be safeguarded for use by all members of Company.


2. To help ensure an effective, highly available network, and to facilitate the rapid tracking down and resolution of any problems by the Information and Communications Technologies department (ICT), the following policy has been agreed by the Company:


User Responsibilities

3. All users of the network must be aware that they are bound by the Imperial Company Systems Security Policy, the Conditions of Use of IT Facilities Policy and the JANET Acceptable Use Policy as operated by UKERNA.


4. All systems connected to the Company network must be accurately registered with ICT in the Host Database (hdb) and use only an IP address to which the registration entitles it. Registrations can be arranged via ICT Faculty Support teams or the ICT Service Desk.


5. All systems directly connected to the Company network must comply with the current technical networking requirements defined by ICT.


6. Custodians must ensure that only authorised Company users or properly registered guests have access to the Company network from their systems.


7. The use of local firewall technology should be considered to protect sensitive data. Any firewall installation must be done in consultation with ICT, and meet their requirements. Specifically, the use of hide-mode network address translation (NAT) firewalls is not permitted.


8. All systems connected to the Company network must be configured in accordance with the Information Systems Security Policy – Code of Practice 13: Security of Information Systems.


ICT Responsibilities

9. All network addresses, including IP addresses, will be allocated and administered by ICT.


10. Physical connections to the Company backbone may be made only by ICT. No extensions or modifications to the physical infrastructure of the IC network, including wireless, may be made without first obtaining permission from ICT. This includes the addition of network switches, hubs, wireless access points and router devices and cabling other than patch cable to a provided network wall socket. Any network infrastructure equipment or wiring is managed and controlled by ICT.


11. ICT may, on behalf of the Company, and subject to appropriate consultations, restrict excessive use of the backbone bandwidth.


12. In the event of unacceptable network events occurring on a LAN, ICT has the right to gain access to and inspect the configuration of devices or equipment on that network and to request the immediate removal of any devices or equipment that it believes could be the source of the problem.


13. In the event of unacceptable events on a LAN causing problems on another part of the Company network or on an external network, ICT has the right to disable any part of the LAN, as necessary, in order to remove the source of the problem. While every effort will be made to contact the system custodian, Head of Department and/or other appropriate persons, this may not always be possible. All services will be reconnected at the first opportunity.


14. Failure to comply with the rules for connection to the Company network may result in immediate disconnection from the network.


15. To proactively protect the security and operation of the network and the systems thereon, ICT may carry out both manual and automated systematic vulnerability scans on computer systems connected to the Company network. Best efforts will be made to minimise any disruption, but in the unlikely event of such a scan causing problems, ICT does not accept responsibility for any loss of availability or data. Where possible, advance warning will be given.


Information Systems Security Policy – Supporting Policy 4: Electronic Mail

Introduction

1. Electronic mail (e-mail) is an important means of communication and it provides an efficient method of conducting much of the Company business. This document sets out the Company policy on the proper use of e-mail for Company purposes. Assistance in compliance with this policy can be obtained from the accompanying Guidelines.


Access

2. Access to Company e-mail is given to all staff, students, persons with honorary appointments, and approved third parties who agree to abide by Company Policies, rules and regulations.


2.1 Staff and students are given access to e-mail systems for the conduct of Company-related business. Incidental and occasional personal use of e-mail is permitted as long as it does not disrupt or distract the individual from the conduct of Company business (e.g. due to volume, frequency or time expended) or restrict the use of those systems to other legitimate users.


2.2 Trades Union representatives who are members of the Company may use the e-mail system to transact union business with their members.


2.3 All users should assume that privacy cannot be guaranteed when transmitting and receiving information by e-mail unless it is encrypted. Care should also be taken to ensure that e-mail is addressed to the correct recipient.


2.4 The Company provides anti-virus and SPAM (unsolicited e-mail) filtering services to members of Company using its Exchange e-mail service. Whilst efforts are made to keep these filtering services effective and up-to-date, the Company can provide no guarantee that they will be effective against all viruses or SPAM. In cases where members of Company experience distress caused by the receipt of offensive or excessive amounts of unsolicited e-mail, they may contact the Information and Communications Technologies department (ICT) for further guidance. ICT can limit an e-mail account to internal use only, or facilitate a change of e-mail address to alleviate the problem where requested.


2.5 All users are advised to make arrangements, if necessary, to facilitate access to their e-mail and/or work files if they are likely to be absent from the Company.


2.6 A central e-mail gateway handles e-mail entering and leaving the Company. This gateway then communicates with all internal e-mail servers. E-mail servers are a common source of security issues, and so all e-mail will be handled by the central mail servers unless a specific exception has been granted to a department/group.


Appropriate Use of Company E-mail Resources

3. Use of e-mail facilities is subject to all relevant laws, policies, and codes of practice. In particular, users must comply with the Company Policy on Conditions of Use of Information Technology (IT) Facilities at ICT.


Improper Use of E-mail Facilities

4. If a complaint is raised which alleges improper use of a Company e-mail account, the Director of ICT (or delegated assignee) will carry out an initial investigation. If the complaint appears to have a reasonable basis, the matter will be referred to the appropriate part of the Company so that further measures may be considered in accordance with Company policy and regulations.


5. Failure to comply with this e-mail policy could result in access to the facility being withdrawn or, in more serious cases, to disciplinary or legal action being taken.


Privacy

6. No person may monitor another user’s e-mail account unless they have obtained specific authorisation to do so. The inspection of e-mail accounts may only be undertaken in strict accordance with the provisions of Code of Practice 8 Inspection of File space and e-mail.


7. The Company reserves the right to access and disclose the contents of a user's e-mail messages, in accordance with its legal and audit obligations, and for legitimate operational purposes. The College also reserves the right to demand that decryption keys, where used, be made available so that it is able to fulfil its right of access to a user's e-mail messages in such circumstances. It may also monitor an e-mail account where necessary, as set out in Code of Practice 7: Regulation of Investigatory Powers Act (RIP) 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 [3].


Information Systems Security Policy – Supporting Policy 5: Use of Information Servers Connected to the Campus Network


1. All Information Servers.

The provision and use of any Information Server connected to the Company Network is subject to the following conditions:


1.1 Each Information Owner(s) agrees to be bound by the “Conditions of Use of Information (IT) Facilities” and the Acceptable Use Policy.


1.2 Each Information Owner and Systems Administrator agrees to take at all times every reasonable care to ensure that all material held on a server:


  • Is lawful
  • Complies with the “Conditions of Use of Information Technology (IT) Facilities”
  • Does not contain links to unlawful material or material that does not comply with the College Conditions of Use of (IT) Facilities
  • Does not purport to promote or comment, in the Company's name, upon any commercial goods, products or services, unless approved by a CAO.
  • Does not purport to promote or comment upon any company, partnership, consortium or consultancy or any “private” activity of the Information Owner or any other person, unless approved by a CAO.

1.3 Each Information Server may serve either official or personal information but not both.


1.4 The Company reserves the right to bar access to Information Servers containing material considered illegal or likely to bring the College into disrepute. Such action will be normally invoked as a result of a request by a CAO to the Head of ICT. The Company also reserves the right to take disciplinary action in these circumstances.


1.5 The Company will not be liable for any loss or damage suffered by the Information Owner as a result of barring access to or removal of material. Where the Information Owner considers that the Company has acted disproportionately, inappropriately or ultra vires in barring access to and/or removing the material then s/he has the right of appeal through the normal Company grievance procedures.


1.6 The Information Owner or Systems Administrator must ensure that procedures exist for the immediate disconnection of the Information or Information Server from the campus network at all times, including evenings, nights, weekends, bank holidays and periods of Company closure.


2. Additionally for Official Company Information and Information Servers:

2.1 All Official Information servers must be authorised by a CAO and registered with ICT using form ISR.


2.2 All material published must be duly authorised by a CAO;


2.3 All material is subject to both the statutory requirements applying to any publisher and also to the Company Regulations applying to College publications.


2.4 An approved Company identifier must appear on official information.


3. Additionally for Personal Information and Information Servers:

3.1 No coat-of-arms, crest, logo, logotype, page layout, format or any other device belonging to Imperial Company may appear.


3.2 The material must be relevant to or associated with the information owner’s authorisation to use Company IT facilities.


3.3 These regulations and the appearance of Personal Information, howsoever referenced, do not imply in any way whatsoever that the Company approves or endorses the Personal Information, or takes any responsibility for the Personal Information itself or any material or opinions contained therein.


3.4 An approved disclaimer must appear on all PI indicating that this information is not formally published by the Company.