1 Policy Statement

1.1 Information is a critical asset of Trinity College Dublin, hereafter referred to as 'the College'. Accurate, timely, relevant and properly protected information is essential to the success of the College's academic and administrative activities. The College is committed to ensuring that all access to, use of, and processing of College information is performed in a secure manner.

1.2 Trinity College Dublin is committed to adopting a security model in line with the BS7799/ISO27001 international best practice standards.

1.3 Technological Information Systems, hereafter referred to as 'Information Systems', play a major role in supporting the day-to-day activities of the College. These Information Systems include, but are not limited to, all infrastructure, networks, hardware and software used to manipulate, process, transport or store information owned by the College.

1.4 The object of this Information Systems Security Policy and its supporting technical requirements policy is to define the security controls necessary to safeguard College Information Systems and to ensure the security, confidentiality and integrity of the information held therein.

1.5 The Policy provides a framework in which security threats to College Information Systems can be identified and managed on a risk basis, and establishes terms of reference intended to ensure uniform implementation of information security controls throughout the College.

1.6 The College recognises that failure to implement adequate information security controls could potentially lead to:
- Financial loss
- Irretrievable loss of important College data
- Damage to the reputation of the College
- Legal consequences
Therefore, measures must be in place which will minimise the risk to the College from unauthorised modification, destruction or disclosure of data, whether accidental or deliberate. This can only be achieved if all staff and students observe the highest standards of ethical, personal and professional conduct. Effective security is achieved by working with a proper discipline, in compliance with legislation and College policies, and by adherence to approved College Codes of Practice.

1.7 The Information Systems Security Policy and supporting policies apply to all staff and students of the College and to all other users authorised by the College.

1.8 The Information Systems Security Policy and supporting policies do not form part of a formal contract of employment with the College, but it is a condition of employment that employees will abide by the regulations and policies made by the College from time to time. Likewise, the policies are an integral part of the Regulations for Students.

1.9 The Information Systems Security Policy and supporting policies relate to the use of:
- All College networks connected to the College Backbone
- All College-owned/leased/rented and on-loan facilities
- All private systems, owned/leased/rented/on-loan, when connected to the College network directly or indirectly
- All College-owned/licensed data/programs, on College and on private systems
- All data/programs provided to the College by sponsors or external agencies

1.10 The objectives of the Information Systems Security Policy and supporting policies are to:
- Ensure that information is created, used and maintained in a secure environment.
- Ensure that all of the College's computing facilities, programs, data, networks and equipment are adequately protected against loss, misuse or abuse.
- Ensure that all users are aware of and fully comply with the Policy Statement and the relevant supporting policies and procedures.
- Ensure that all users are aware of and fully comply with the relevant Irish and European Community legislation.
- Create awareness that appropriate security measures must be implemented as part of the effective operation and support of information security.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
- Ensure that all College-owned assets have an identified owner/administrator.

1.11 The College Board has approved the Information Systems Security Policy and supporting technical policy. The Board has delegated the implementation of the Information Systems Security Policy to the heads of academic and administrative areas. The Director of Information Systems Services and his/her delegated agents will enforce the Information Systems Security Policy and the associated supporting policy.

Minute reference: C1
Date: 9 July 2003

2 IT Security Governance

2.1 Security of the College's IT and data assets cannot be achieved without a coherent governance model that ensures that all IT systems in College are operated in accordance with approved policy and best practice.
The College governance model seeks to define clearly who is authorised to operate key IT systems and services, and how individuals and groups wishing to operate new systems or services are approved and subsequently governed.

2.2 The Governance Model

2.3 IPC Committee
The IPC committee is the governing body responsible for the creation and annual renewal/review of the licences, for the arbitration of disputes between the licensed bodies, and for the enforcement of all College policies.

2.4 Trinity College Data Network
This is the main College network serving the entire staff and student population. This network is operated by Information Systems Services and provides central services and support to all users. The services of the main College network are available to all users, including users who are also members of other autonomously managed networks.

2.5 Autonomously Managed Networks
The autonomously managed networks (AMNs) are separate logical and physical networks created to address the specific needs of a localised user population. They are operated under licence from the IPC and managed by dedicated, full-time and suitably qualified staff. Each AMN appoints a named individual as the AMN manager; this person is responsible for authorising requests locally and for liaising with Information Systems Services.

2.6 Authorised IT Support Area Representatives
These individuals are employed by their academic or administrative area to spend a proportion of their time dealing with IT matters. They may support specific applications and associated equipment.

2.7 Services to the College Community
Only Information Systems Services and the defined autonomous networks may operate key central services, including but not limited to Email, Internet Proxy, DNS, DHCP, Firewall, General Purpose Servers, Web Servers and Domain Services.
IT Support Representatives may operate specific applications and supporting servers, which they should register with their AMN managers.
End users or individuals who are not employed by AMNs or as IT Support Representatives, and who wish to run complex IT systems such as servers, should first seek approval from their AMN management or, if necessary, apply to the IPC for AMN status.

2.8 The Network Perimeter
Information Systems Services acts as the single point of contact between the College and the National Research and Education Network, HEAnet. Access through the network perimeter firewall is managed and operated by Information Systems Services. Individuals located in the main College network may apply directly for access through the firewall.
Individuals located in other AMNs should first apply to the authorised managers of their AMN, who will approve the request and pass it on to Information Systems Services.

2.9 Communications
Good quality and frequent communications between all parties defined in this model are vital:
- The IPC reviews licences annually and communicates responses to all parties.
- Communications between Autonomous Networks are facilitated by a mailing list and quarterly meetings hosted by Information Systems Services.
- Communications between IT Support Representatives and Information Systems Services are facilitated by a mailing list and bi-monthly meetings hosted by Information Systems Services.

3 IT Management Roles and Responsibilities

3.1 The College Board
The College Board is responsible for approving the IT Security Policy, distributing the policy to all heads of departments/units/centres, and supporting the Director of Information Systems Services in the enforcement of the policies where necessary.

3.2 The IPC
The IPC is responsible for the annual review and approval of changes to the policy.

3.3 Heads of Academic and Administrative Areas
Heads of academic and administrative areas are required to familiarise themselves with the policies. Where a policy breach is highlighted, heads of academic and administrative areas must co-operate in ensuring that appropriate action is taken.
Heads of academic and administrative areas are obliged to ensure that all IT systems under their remit are formally administered, either by an administrator appointed by the head of the academic or administrative area or centrally by Information Systems Services. The duties of the administrator are set out in the associated supporting policy.

3.4 Autonomous Networks
Where an area operates an autonomous network with a connection to the College Backbone, the respective Autonomous Network Manager is required to ensure that its operations comply with the IT Security Policy.

3.5 The IT Security Officer
The IT Security Officer is responsible for:

3.6 The Director of Information Systems Services
The Director of Information Systems Services or his/her deputy is responsible for the management of the College Network and for the provision of support and advice to all nominated individuals with responsibility for discharging these policies.

3.7 Information Systems Users
It is the responsibility of each individual Information Systems user to ensure his/her understanding of, and compliance with, this Policy and the associated Codes of Practice.
All individuals are responsible for the security of the College Information Systems assigned to them. This includes, but is not limited to, infrastructure, networks, hardware and software. Users must ensure that any access to these assets which they grant to others is for College use only, is not excessive, and is maintained in an appropriate manner.

3.8 Purchasing, Commissioning or Developing an Information System
All individuals who purchase, commission or develop an Information System for the College are obliged to ensure that the system conforms to the necessary security standards as defined in this Information Security Policy and its supporting policies.
Individuals intending to collect, store or distribute data via an Information System must ensure that they conform to College-defined policies and all relevant legislation.

3.9 Third Parties
Before any third-party users are permitted access to College Information Systems, specific written approval from the IT Security Officer is required. Prior to being allowed to work with College Information Systems, satisfactory references from reliable sources should be obtained and verified for all third parties, including but not limited to administrative staff, software support companies, engineers, cleaners, and contract and temporary appointments. Data processing, service and maintenance contracts should contain an indemnity clause that offers cover in case of fraud or damage. Independent third-party review of the adequacy of, and compliance with, information system controls must be obtained periodically.

3.10 Reporting of Security Incidents
All suspected information security incidents must be reported as quickly as possible through the appropriate channels. All College staff and students have a duty to report information security violations and problems to the IT Security Officer on a timely basis so that prompt remedial action may be taken. The IT Security Officer will be responsible for setting up an Incident Management Team to deal with all incidents. Records describing all reported information security problems and violations will be created. These records will be encrypted and stored securely for six months, after which time all information pertaining to individuals will be removed. The records will be held in this anonymised format for a further two years for statistical purposes.

3.11 Security Controls
All College Information Systems are subject to the information security standards outlined in this and related policy documents. No exceptions are permitted unless it can be demonstrated that the costs of using a standard exceed the benefits, or that use of a standard will clearly impede College activities.

3.12 Compliance with Legislation
The College has an obligation to abide by all Irish legislation and the relevant legislation of the European Community. The relevant acts which apply in Irish law to Information Systems Security include, but are not limited to:
- The Data Protection Act (1988/2002)
- European Communities Data Protection Regulations (2001)
- European Communities (Data Protection and Privacy in Telecommunications) Regulations (2002)
- Data Protection EU Directive 95/46/EC
- Criminal Damages Act (1991)
- Child Trafficking and Pornography Act (1998)
- Intellectual Property Miscellaneous Provisions Act (1998)
- Copyright and Related Rights Act (2000)
- Health and Safety Act (1989)
- Non-Fatal Offences Against the Person Act (1997)
- Electronic Commerce Act (2000)
- E-Commerce Directive (2000/31/EC)
- European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003)
The requirement for compliance devolves to all users as defined in (1.6) above, who may be held personally responsible for any breach of the legislation. Summaries of the legislation most relevant to the College's IS policies may be found in the Guidelines accompanying the Policies. Full texts of the most relevant legislation are available from the College Library, the Information Systems Services department and its associated website, and the College IT Security Officer.
Further information is available in the associated supporting policy document '014 Statement of Legal Compliance'.

4 Breaches of Security

4.1 Monitoring
The Information Systems Services department will monitor network activity and reports from the Computer Emergency Response Team (CERT) and other security agencies, and will take action or make recommendations consistent with maintaining the security of College information systems.

4.2 Incident Reporting
Any individual suspecting that there has been, or is likely to be, a breach of information systems security should immediately inform the IT Security Officer or the Director of Information Systems Services, who will advise the College on what action should be taken.

4.3 Enforcement
The Director of Information Systems Services or his/her delegated agent has the authority to invoke the appropriate College disciplinary procedures to protect the College against breaches of security.
In the event of a suspected or actual breach of security, the Director of Information Systems Services, his/her delegated agent or the IT Security Officer may, after consultation with the relevant Administrator, make inaccessible or remove any unsafe user accounts, data and/or programs on the system from the network.
Further information is available in the supporting policy '017 Misuse of Facilities', available on the IT Security website.

4.4 Legal Implications
Any breach of security of an Information System could lead to loss of security of personal information. This would be an infringement of the Data Protection Act 1987 and could lead to civil or criminal proceedings. It is vital, therefore, that users of the College's Information Systems comply not only with this policy but also with the College's Data Protection policy.
Further information is available in the supporting policy '015 Data Protection Statement of Practice', available from the IT Security website.

4.5 Disciplinary Procedures
Failure of an individual student or member of staff to comply with this policy may lead to the instigation of the relevant disciplinary procedures and, in certain circumstances, legal action may be taken.
Failure of a contractor to comply could lead to the cancellation of a contract.

5 Policy Awareness and Distribution

5.1 New Staff and Students
This Policy Statement will be available from Information Systems Services on request. It will also be published on the IT Security website. New staff and students will be notified of the relevant policy documents when they initially request access to the College network.

5.2 Existing Staff
Existing staff and students of the College, authorised third parties and contractors given access to the College network will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures, which are published on the College website.

5.3 Logon Banner
Users logging on to the College Domain will be reminded of their obligations regarding compliance with the IT Security Policy via a logon banner.

5.4 Updates
Updates to policies and procedures will be made periodically and will be posted to the IT Security website.

5.5 Training
Training in information security fundamentals will be available from Information Systems Services. Further information can be accessed on the Information Security website or from the Training and Publications department of Information Systems Services.

6 Risk Assessment and Compliance

6.1 Risk Assessment
Risk assessments must be carried out periodically on the business value of the information users are handling and on the information systems security controls currently in place. These assessments take into account changes to operating systems, business requirements and College priorities, as well as relevant legislation, so that security arrangements can be revised accordingly.

6.2 Heads of Departments/Centres/Units
Heads of Departments/Centres/Units must establish effective contingency plans appropriate to the outcome of any risk assessment.

6.3 The IT Security Officer
The IT Security Officer will carry out risk assessments, review all risk assessments completed by other parties, and highlight any measures needed to reduce risk in information security areas.

6.4 Internal Audit
The College Internal Auditor will periodically facilitate the assessment of risk management and compliance with the Information Security Policy.

6.5 Third Party Audit
Third-party audits will be carried out at intervals, as deemed necessary by the Internal Auditor.

7 Supporting Policies, Review Documentation and Guidance Notes

Supporting policies amplifying this Policy Statement, and the Codes of Practice associated with these policies, are published in an accompanying document and are available on the College website or on request from IT Security.
Staff, students and any third parties authorised to access the College Network and to use the systems and facilities identified in paragraph 1.9 of this policy are required to familiarise themselves with the policies and to work in accordance with them.
The supporting policies cover the general areas listed below:
- Network Security Policy
- Internet Use Policy
- Email Use Policy
- Password Policy
- Virus and Spam Policy
- Software Security Policy
- Data Backup Policy
- Disaster Recovery Policy
- Remote Access Policy
- Third Party Access Policy
- Incident Response and Misuse of IT Facilities Policy
- Legal Compliance Guidelines