
INFORMATION SECURITY POLICY

Ratified by RCA Senate, February 2007

Contents

Introduction 2

Policy Statement 3

Information Security at RCA 5

Annexes

A. Applicable legislation and interpretation 8

B. Most recent Conditions of Use for Computing Facilities 11

- 1 –

INFORMATION SECURITY POLICY.doc

Introduction

Why Information Security? The access, availability, confidentiality and integrity of the College’s information is essential to the success of its academic and administrative activities. Effective information security can only be achieved by working with proper discipline, in compliance with legislation, JANET and College Policies and by adherence to approved College Codes of Practice and Guidelines.

Purpose The purpose of the IS Policy is to identify risks and introduce measures to protect the RCA from internal and external threats to its information systems and assets and to ensure compliance with UK and EU legislation and JANET and RCA regulations.

Standards This policy, procedures and guidelines are based on the British security standard BS 7799, adapted for use in Higher Education by UCISA (Universities and Colleges Information Systems Association) as the UCISA Information Security Toolkit 2005 Edition 2.0:

http://www.ucisa.ac.uk/ist


1. Policy Statement

1.1 The College will ensure that the information assets it manages are appropriately secured to protect them against breaches of confidentiality, failures of integrity or interruptions to availability, and that information assets are adequately protected against loss, misuse or abuse.

1.2 This policy provides direction and support for information security across the College. Codes of Practice for information managers and User Guidelines for staff are considered part of this information security policy and have equal authority. This policy is applicable to all staff, students and approved visitors.

1.3 This Policy has been approved by the Rector and ratified by the College Senate in February 2007 and forms part of the College’s policies and procedures.

1.4 This policy shall be reviewed and monitored regularly to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

1.5 The College will carry out risk assessments of the business value of the College’s information assets and the IS security controls currently in place, taking into account changes to operating procedures or technologies, changing business requirements and priorities and any changes to relevant legislation, and will revise security arrangements accordingly.

1.6 A committee, to include one senior manager, will be established to give clear direction and visible management support for security initiatives and to promote security through appropriate commitment and adequate resourcing.

1.7 The Information Security Working Group (ISWG), comprising management representatives from all relevant parts of the organisation, will devise and coordinate the implementation of information security controls.

1.8 Information Security will be managed and enforced by Heads of College academic and administrative departments.

1.9 Specialist advice on information security shall be made available throughout the organisation.

1.10 The College will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its Information Security policy.

1.11 The College will ensure that all staff are aware of the policy and understand their own responsibilities for protecting the confidentiality and integrity of the data they manage, will ensure that staff and students are sensitive to new or unsuspected risks to information assets, and will engender a natural caution in using information systems.


1.12 The College will ensure that its staff, students and approved visitors comply with this Policy and are aware of, and operate in accordance with relevant UK and European Community legislation.


Information Security at the RCA

1. Scope

1.1 This policy covers all information assets (documents, software and hardware) used by the College, including data files, workstations, servers, connectivity devices, peripherals, applications, data, storage, security and communication systems.

1.2 The Policy applies to all staff and students of the College and any other users authorised by the College. The policy relates to anyone’s use of IT devices when connected to the College network, directly or indirectly; to all College-owned information assets, including those held on private systems; and to all information services provided to or by the College, by or for external agencies.

2. Responsibilities

2.1 The Director of Administration is responsible for approving Information Security (IS) policies and for ensuring that they are discharged to the whole College through the relevant departments and channels. The Rector or Director of Administration has the authority to take whatever action is deemed necessary to protect the College against breaches of this Policy.

2.2 Heads of department are responsible for ensuring the protection of information assets and ensuring that specific security processes are carried out by the department staff managing that information asset.

2.3 Information and Learning Services (ILS) are responsible for the regular review, drafting, updating and re-issue of the IS Policy and for the provision of support and advice on IS to College staff and students.

2.4 The Information Security Working Group (ISWG) is responsible for advising the College on effective compliance with this Policy and its promotion throughout the College, and for maintaining records of Information Security incidents in the College.

2.5 IS policy is drafted, reviewed and maintained by the ISWG, chaired by the Computing Services Manager (CSM), with technical advice from the Systems Administrator and UCISA/JISC Legal.

2.6 Suspected security incidents and breaches are reported to Computing Services, who will then report to the Head of ILS. Requests for information on who to inform and how to deal with security matters will be managed by the Head of ILS.

2.7 Investigation of breaches, special measures and sanctions will be initiated and determined by the Director of Administration.

2.8 The ISWG will establish effective Contingency Plans appropriate to the outcome of any risk assessment.


3. Sanctions

3.1 Anyone who is found to have breached the Information Security Policy may be subject to disciplinary proceedings. Where there is evidence that, in breaching the policy, a criminal act has been committed, this will be reported to the police.

3.2 Sanctions will depend on the severity, frequency, impact and context of Information Security incidents, as determined by the CSM and the Head of ILS. Sanctions will be based on precedent at similar institutions or on previously effective actions.

4. Information Security Working Group

4.1 This group will meet twice a year with representatives from: ILS, Estates, the Rectorate, Registry, Finance, the Students’ Union, Academic Departments and Personnel.

5. Acceptance and Enforcement

5.1 Upon signing the RCA Conditions of Use (CoU, Annexe B), staff, students and visitors accept all current and future CoU clauses and the JANET Acceptable Use Policy. The CoU provides the opportunity to notify users that their use of RCA’s computing facilities is bound by UK legislation such as the Computer Misuse Act 1990 and the Data Protection Act 1998.

6. Reviews

6.1 Regular reviews of the Policy and testing of compliance with JANET and government regulations are carried out by the Head of ILS and the CSM, in consultation with the ISWG, reporting to the SMT. Informal reviews and discussion may take place at any time throughout the year between the CSM and IT technical staff. The CoU and guidelines will be reviewed and updated as necessary by Computing Services in the light of new risks and usage.

7. Communication and Awareness

7.1 The primary method is the issuing of the RCA Conditions of Use (CoU), which is signed by users as they are issued with an RCA network account. This is a prerequisite for any use of the RCA network. The CoU defines the types of user and their responsibilities and describes acceptable use with reference to all relevant legislation and JANET policies. The CoU also states that ANY usage binds users to these conditions.

7.2 The CoU, Policy, Codes of Practice and Guidelines are published on the College Intranet. Significant changes are notified via email and memo. Staff, students, alumni and visitors are referred to these online documents when they start working or studying at RCA.


8. Policy Awareness and Disciplinary Procedures

8.1 A copy of this Policy Statement will be given to all new members of staff by the Personnel Office and to all new students by the Registry. Existing staff and students of the College, authorised third parties and contractors given access to the College network will be advised of the existence of this Policy Statement and the availability of the associated policies, codes of practice and guidelines, which are published on the College Intranet.

8.2 Failure of an individual student or member of staff to comply with this policy may lead to the instigation of the relevant disciplinary procedures as set out in the College Statutes for staff and College Regulations for students. Failure of a contractor to comply could lead to the cancellation of a contract. Under certain circumstances, legal action may be taken.

9. Compliance with Legislation

9.1 The College has an obligation to abide by all UK legislation and relevant legislation of the European Community. Of particular importance in this respect are: the Computer Misuse Act 1990, the Regulation of Investigatory Powers Act 2000, the Human Rights Act 1998, the Data Protection Act 1998, the Lawful Business Practice Regulations 2000 and various copyright laws.

9.2 Summaries and interpretation of the legislation most relevant to the College’s IS Policy may be found in the Annexes.

10. Supporting Policies, Codes of Practice and Guidance Notes

10.1 Codes of Practice and User Guidelines are published in conjunction with the IS policy and are available on the College Intranet. All users of the College network and information systems are required to familiarise themselves with these and to work in accordance with them.


Annexe A

1. Interpretation of The Regulation of Investigatory Powers Act (RIP)

RIP establishes a legal framework to govern the interception of electronic communications. It sets the rules regarding activities such as recording, monitoring or diverting communications in the course of their transmission over a public or private telecoms system. It establishes a basic principle that communications may NOT be intercepted without consent.

A person who intercepts communications will need to be certain that their actions are authorised under the Regulation of Investigatory Powers Act and comply with the requirements of the Data Protection Act.

The Act brings the interception of electronic communications in organisations within the scope of the regulations.

If an organisation intercepts a communication without legal authority, the sender or the recipient of the communication will be able to seek an injunction or, if they can show that they suffered a loss as a result of the interception, sue for damages.

The Act also establishes the circumstances in which it is lawful to intercept communications. It authorises interception in cases where the interceptor has reasonable grounds to believe that both the sender and intended recipient have consented. It also empowers the Secretary of State to make "Lawful Business Practice" Regulations setting out the circumstances in which businesses can lawfully intercept communications without consent.

2. Interpretation of The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

The Lawful Business Practice Regulations make an exception to the rule established in the RIP that consent is needed before an interception can take place. If a business intercepts a communication in accordance with the Regulations, it will not risk civil liability under the RIP for unlawful interception.

These allow businesses to intercept, without consent, for purposes such as recording evidence of transactions, ensuring regulatory compliance, detecting crime or unauthorised use and ensuring the effective operation of their telecommunications systems. Businesses will not need to gain consent before intercepting for these purposes, although they must have informed the users of the systems that interceptions may take place.

Interception which involves obtaining, recording or otherwise processing personal data (for example recording calls or filtering emails) also falls within the scope of the Data Protection Act 1998. So too does the holding or processing of personal data after the interception has taken place.

The purposes for which the College will be able to intercept electronic communications without consent under the Regulations are shown below. Depending on circumstances RCA may make use of some or all of these purposes.

a) Establishing the existence of facts relevant to the business, for example keeping records of transactions and other communications in cases where it is necessary or desirable to know the specific facts of the communication.

b) Ascertaining compliance with regulatory or self-regulatory practices or procedures relevant to the business, for example monitoring as a means to check that the business is complying with regulatory or self-regulatory rules or guidelines.

c) Ascertaining or demonstrating standards which are or ought to be achieved by persons using the system, for example monitoring for purposes of quality control or staff training.

d) Preventing or detecting crime, for example monitoring or recording to detect fraud, computer misuse or other illegal activities.

e) Investigating or detecting the unauthorised use of the systems, for example monitoring to ensure that employees do not breach College rules, such as those listed in the Conditions of Use of IT and the College IT Security Policy. This may include monitoring and inspecting packet content to detect misuse.

f) Ensuring the effective operation of the system, for example monitoring for and deleting viruses, checking for and stopping other threats to the system such as hacking or denial of service attacks, and monitoring automated processes such as net flow logs, email logs, caching activity and load distribution.

g) Determining whether or not the communications are relevant to the business, for example checking email accounts to access business communication in staff absence.

3. The Data Protection Act

These policies satisfy the Data Protection Act’s requirement for a formal statement of the College’s security arrangements for personal data. The requirement for compliance devolves to all users, who may be held personally responsible for any breach of the legislation.

4. The Human Rights Act 1998 – Article 8

This part of the Act covers the issue of personal privacy in relation to personal electronic communications that are made on and held by the College’s information systems, such as telephone calls, email and weblogs. The College, as far as it allows personal use of its communication systems, has a duty to protect this information from accidental or operational damage, deletion or disclosure.

Article 8:

RIGHT TO RESPECT FOR PRIVATE AND FAMILY LIFE

1) Everyone has the right to respect for his private and family life, his home and his correspondence.

2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.


Annexe B

Conditions of Use of Computing Facilities

To use Royal College of Art ("the College") computing facilities requires that you comply with the following conditions. Contravention of any of these conditions may result in immediate withdrawal of your access to all IT services and possible legal action.

1. I may only use those College computing facilities for which I have permission, and by using these facilities I agree to comply with these Conditions of Use.

2. College computing facilities are to be used solely for purposes authorised by the College: coursework, research, teaching and associated administration and communication.

3. I am bound by the conditions of use and codes of conduct for any external computing facilities and services, including the JANET Acceptable Use Policy, and agree that my use of such facilities and services must not bring the College into disrepute.

4. I am bound by all current UK legislation, including the Computer Misuse Act 1990, and agree not to misuse, cause damage to, or make unauthorised use of College or external computing facilities.

5. I am bound by all current UK legislation relating to libel, pornography and harassment, and agree not to store or propagate libellous and/or offensive information, or use computing facilities to distribute defamatory information.

6. I am entitled to a single user account only, for e-mail and other network-based services, and agree not to access another user's account or computer without authorisation, disclose my password to others, or facilitate unauthorised access by others.

7. I must not send unsolicited electronic communications to multiple recipients unless authorised by the College.

8. I must not attempt to conceal or falsify the authorship of any electronic communication.

9. I agree, in accordance with the Copyright, Designs and Patents Act 1988, not to undertake or facilitate the illegal copying or distribution of software, licenses or data.

10. I agree to abide by the Data Protection Act 1998, and agree that stored data about living individuals must be authorised by a Head of Department, and secured and used in accordance with the Act.


11. I am bound by all agreements and contracts made by the College concerning use of software, data and hardware that I use. This includes full cooperation with software, data and hardware audits. I agree to notify my department of any software or hardware purchase and agree to make available for inspection by authorised personnel any computing equipment used by me within the College.

12. The College may, if necessary, monitor computer and network device usage, electronic files and communications, to prevent, test or investigate breaches of College regulations or UK legislation, in accordance with the Regulation of Investigatory Powers Act (RIP) 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

13. The College cannot guarantee the security, confidentiality or integrity of data, and therefore will not be liable for any inaccuracies, damages or losses arising from the use of College or external facilities.

14. My name, photograph, status and related information will be stored in computerised form for administrative purposes.

15. I agree that access to College facilities is restricted to holders of ID cards issued by Buildings & Estates. My ID card must be carried at all times while at the College, be used only by myself, and will be surrendered if requested by College staff. Replacement of ID cards is subject to a £5 charge.

16. These Conditions are subject to change at any time. Changes will be reported on the Intranet at /computing/ under 'Computing Services Policies and Procedures'. For applicable laws and policies see /computing/legislation/:

http://intranet.rca.ac.uk/computing/cou

http://intranet.rca.ac.uk/computing/legislation

Last updated: 11 June 2008

Computing Services computing@rca.ac.uk
