IT Security Policy
This policy has been approved by the Executive Committee and any amendments to it require the Committee's approval.
Last approval: Executive Committee, 15 July 2009
Last review: November 2010
Next review: 1 July 2012
1. Introduction
1.1 This policy defines a framework by which the University of Bath’s computer systems, assets, infrastructure and computing environment will be protected from threats whether internal, external, deliberate or accidental.
2. Key Principles
2.1 All central computer systems, environments and information contained within them will be protected against unauthorised access.
2.2 All use of the University’s IT facilities will comply with the IT Acceptable Use Policy.
2.3 Information kept within these systems will be managed securely, to comply with relevant data protection laws and to satisfy the University’s expectations that such assets will be managed in a professional, safe and dependable manner.
(See Guidance and Advice at Conditions of Use - IT Information Security)
2.4 All members of the University are required to familiarise themselves with this policy, to adhere to it and comply with its requirements.
2.5 Heads of Department and line managers have a responsibility for ensuring the implementation of, adherence to and compliance with this policy throughout their areas of functional responsibility.
2.6 The integrity of all central computer systems, the confidentiality of any information contained within or accessible on or via these systems is the responsibility of Bath University Computing Services (BUCS).
2.7 All regulatory and legislative requirements regarding computer security and IT based information confidentiality and integrity will be addressed by Bath University Computing Services (BUCS) and the University.
2.8 All breaches of security will be reported to and initially investigated by BUCS.
2.9 All users have a responsibility to report promptly (to BUCS) any incidents which may have an IT security implication for the University.
3. The Computing Environment
3.1 BUCS manages, maintains and operates a range of central computing servers, systems, core network switches, edge network switches, backup systems, and the overall network infrastructure interconnecting these systems.
3.2 The computing environment is defined as all central computing resources and network infrastructure managed and overseen by BUCS and all computing devices that can physically connect to it, and have been authorised (See Guidance and Advice at Conditions of Use - Connection) to connect to this environment. All are covered by this policy, including computing hardware and software, any University related data residing on these machines or accessible from these machines within the campus network environment and any media such as CD-ROMs, DVD-ROMs, portable storage devices and backup tapes.
3.3 All temporary and permanent connections via the University network, casual laptop docking points, the Wireless network, ResNet and, the Virtual Private Network (VPN) are similarly subject to the conditions of this policy.
3.4 Computing resources not owned by the University may be connected to the University's network. However, all such resources must comply with University Guidance governing the use of computing resources.
(See Guidance and Advice at Conditions of Use - Connection)
3.5 Computing Services reserves the right to monitor, log, collect and analyze the content of all transmissions on networks maintained by both Computing Services and individual departments and organisations at any time deemed necessary for performance, fault diagnostic and IT Acceptable Use Policy compliance purposes.
4 Physical Security
4.1 Computing Services provides secure machine room facilities with protected power arrangements and climate controlled environments. Although primarily for the provision of central computing and network facilities, individual departments and, if appropriate, individuals are encouraged to consult BUCS where they have local systems in less than comparable environments with a view to those systems being housed in BUCS Machine Room environs.
4.2 Any computer equipment in general office environments should be secured behind locked doors or protected by user log-out and or password protected screensavers whenever it is left unattended; and outside of general office hours.
4.3 Desktop machines in public areas should contain a device or mechanism for securing and protecting the main components and contents of the computer from theft.
4.4 Any portable equipment (such as laptops, memory sticks, CDs, PDAs etc) should use a log-on or power-on password wherever possible. Any unattended portable equipment should be physically secure, for example locked in an office or a desk drawer. When being transported in a vehicle they should be hidden from view. Staff should avoid storing sensitive information on portable equipment whenever possible (see data security section, at 5. below).
4.5 Staff who store confidential information on University owned portable equipment must ensure that such data is thoroughly and securely cleansed from that equipment when they leave the University’s employment. Staff should consult BUCS personnel (IT Supporters) for assistance and guidance on appropriate cleansing techniques and tools.
5. Data Security
5.1 The University attaches great import to the secure management of the data it holds and generates and will hold staff accountable for any inappropriate mismanagement or loss of it.
5.2 The University holds a variety of sensitive data including personal information about students and staff. If you have been given access to this information, you are reminded of your responsibilities under data protection law.
5.3 The University provides secure and practical remote access to information and data held within its various systems environments and IT infrastructure. In most cases, gaining access to such data from an off campus point of electronic access will prove sufficient – and safe - for most needs and is the recommended general mode of remote use of such data and information.
5.4 Any copying – or original creation – of sensitive data and information onto any form of portable media transport device or mechanism (Memory Stick, CD, DVD, External Hard Drive, PDA, portable music player, Laptop, etc.) or its transportation beyond the secure environment it was intended to be used within (systems environment, PC environment, campus, office etc) carries additional responsibilities for the individual undertaking such activity.
5.5 These responsibilities should be clarified by performing a risk analysis, which considers the following rules/principles:
5.5.1 Employee/Student (personal) data should never leave the campus. In this context “leave” implies its physical transport to an external, and insecure location. Remote access to such data through an individuals approved access levels and permissions is distinct and not intended to be included in the term “leave”.
5.5.2 If it is a unique or master version of data/information that has not been safely copied to a secure electronic or physical location or environment within the University’s Computing Environment (implying that its subsequent loss is irrecoverable) then a copy should be made and stored securely prior to its off site transportation for use.
5.6 If, following such a risk analysis, an individual identifies an imperative to take sensitive data off campus (in any media form) they are not to do so without prior consultation with BUCS who can offer a range of suitable encryption solutions for the data prior to its removal from campus. Failure to comply with this requirement will be considered a serious breach of this policy.
6. Loss or Theft of Confidential Information
6.1 All incidences of loss or theft of confidential information should be reported so that they may be investigated. A data or IT security incident relating to breaches of security and/or confidentiality could range from computer users sharing passwords to the loss or theft of confidential information either inside or outside the University.
6.2 A security incident is any event that has resulted or could result in:
6.2.1 The disclosure of confidential information to any unauthorised person.
6.2.2 The integrity of the system or data being put at risk.
6.2.3 The availability of the system or information being put at risk.
6.2.4 Adverse impact, eg:-
6.2.4.1 Negative impact on the reputation of the University.
6.2.4.2 Threat to personal safety or privacy.
6.2.4.3 Legal obligation or penalty.
6.2.4.4 Financial loss or disruption of activities.
6.3 All incidents must be reported to your immediate line manager and to the director and relevant Assistant Director of BUCS. Serious incidents should be reported immediately to the University Secretary. A written report should be submitted containing the following information:
6.3.1 Details of the incident.
6.3.2 Date of discovery of the incident.
6.3.3 Place of the incident.
6.3.4 Who discovered the incident.
6.3.5 Category/classification of the incident.
6.3.6 Action already taken if risk to organisation.
6.3.7 Any action taken by the person discovering the incident at the time of discovery, eg report to police.
6.4 In the case of a serious potential breach, the University Secretary will instigate an investigation into the incident and will decide whether it needs to be reported to any regulatory bodies or other third parties, eg insurers. The University Secretary will retain a central register of all such incidents occurring within the University.
6.5 The following is a list of examples of breaches of security and breaches of confidentiality. It is neither exclusive or exhaustive and should be used as a guide only. If there is any doubt as to what constitutes an incident, it is better to inform your line manager who will then decide whether a report should be made.
6.6 Examples of breach of security:-
6.6.1 Loss of computer equipment due to crime of carelessness.
6.6.2 Loss of portable media devices, eg – memory sticks etc.
6.6.3 Accessing any part of a database using someone else’s password.
6.6.4 Finding doors and/or windows broken and/or forced entry gained to a secure room/building in which computer equipment exists.
6.7 Examples of a breach of confidentiality:-
6.7.1 Finding confidential/personal information either in hard copy or on a portable media device outside University premises or in any of the University’s common areas.
6.7.2 Finding any records about a staff member, student, or applicant in any location outside the University’s premises.
6.7.3 Passing information to unauthorised people either verbally, written or electronically.
7. Specific Systems
7.1 Computer and network systems access is only via individual user accounts. See Guidance and Advice at Conditions of Use - User Accounts for further details and account eligibility.
7.2 Email
7.2.1 Email is not a completely secure medium. You should be conscious of this and consider how emails might be used by others. Remember that emails can easily be taken out of context, that once an email is sent you cannot control what the recipients might do with it, and that it is very easy to forward large amounts of information.
7.2.2 Similarly you should not necessarily trust what you receive in an email - in particular, you must never respond to an email request to give a username or password.
7.2.3 See the Electronic Communications Guidelines for further advice.
7.3 File Storage
7.3.1 All users have access to the centrally managed file storage. Use of the file storage is governed by the Guidance and Advice at Conditions of Use - User Filestore.
7.3.2 For the vast majority of applications the security of files stored centrally is appropriate. In particular this means they will be backed up. However if your files require a higher level of security, please contact Computing Services.
7.4 The Web
7.4.1 Users should consider the security implications of any information they put on the University’s web-site, and the University reserves the right to remove any material which it deems inappropriate, illegal or offensive.
7.4.2 Users should not in any way use any areas of the University web site for commercial purposes.
7.4.3 Users shall not in any way use web space to publish material which undermines IT security at the University. In particular this covers making information available about how IT security is implemented at a practical level, or any known weaknesses.
7.5 Campus Network
7.5.1 Individuals must seek permission from local support representatives before connecting any machine to the LAN. Authorised connections will comply with the Guidance and Advice at Conditions of Use - Connection and IP Address Allocation. Computing Services may disconnect any unauthorised host from the network without warning.
7.6 Remote Access to Systems
7.6.1 Remote access is defined as accessing systems from a physically separate network. This may include:
7.6.1.1 Connections direct across the Internet
7.6.1.2 VPN Connections
7.6.2 Any user with a valid University of Bath computer account may access systems as appropriate. Remote access is allowed via secure methods only. Remote connections to any campus IT services are subject to the same rules and regulations, policies and practices just as if they were physically on the campus. Computing Services shall provide the only VPN that may be used.
7.6.3 All connections via these services will be logged. No other remote access service shall be installed or set up, including single modems connected to servers or workstations. Any active dial-in services found to be in existence will be removed from the network.
7.7 Anti-Virus Security
7.7.1 Computing Services will provide means by which all users can download and install current versions of site-licensed virus protection software.
7.7.2 Users must ensure that they are running with adequate and up-to-date anti-virus software at all times. If any user suspects viral infection on their machine, a complete virus scan should be performed. If Computing Services detect a machine behaving abnormally due to a possible viral infection it will be disconnected from the network until deemed safe. Reconnection will usually only be after liaison with local IT support.
8. Related Documentation