Trinity InfoSec Policy
Trinity College Dublin - Information Systems Security Policy
Approved: 9th July 2003
Last updated: 1st June 2015
1.1 Information is a critical asset of Trinity College Dublin, hereafter referred to as ‘Trinity’. Accurate, timely, relevant, and properly protected information is essential to the success of Trinity’s academic and administrative activities. Trinity is committed to ensuring that all access to, use of, and processing of Trinity information is performed in a secure manner.
1.2 Trinity College Dublin is committed to adopting a security model in line with ISO27001 international best practice standards.
1.3 Technological Information Systems, hereafter referred to as ‘Information Systems’, play a major role in supporting the day-to-day activities of Trinity. These Information Systems include but are not limited to all infrastructure, networks, hardware, and software which are used to manipulate, process, transport or store information owned by Trinity.
1.4 The object of this Information Security Policy and its supporting technical requirements policy is to define the security controls necessary to safeguard Trinity Information Systems and ensure the security, confidentiality and integrity of the information held therein.
1.5 The Policy provides a framework in which security threats to College Information Systems can be identified and managed on a risk basis, and establishes terms of reference intended to ensure uniform implementation of information security controls throughout Trinity.
1.6 Trinity recognises that failure to implement adequate Information security controls could potentially lead to:
- Financial loss
- Irretrievable loss of Important Trinity Data
- Damage to the reputation of Trinity
- Legal consequences
Therefore, measures must be in place which will minimise the risk to Trinity from unauthorised modification, destruction or disclosure of data, whether accidental or deliberate. This can only be achieved if all staff and students observe the highest standards of ethical, personal and professional conduct. Effective security is achieved by working with a proper discipline, in compliance with legislation and College policies, and by adherence to approved Codes of Practice.
1.7 The Information Security Policy and supporting policies apply to all staff and students of Trinity and all other users authorised by Trinity.
1.8 The Information Security Policy and supporting policies do not form part of a formal contract of employment with the College, but it is a condition of employment that employees will abide by the regulations and policies made by Trinity from time to time. Likewise, the policies are an integral part of the Regulations for Students.
1.9 The Information Systems Security Policy and supporting policies relate to use of:
- All Trinity networks connected to the Trinity Backbone.
- All Trinity-owned/leased/rented and on-loan facilities.
- All private systems, owned/leased/rented/on-loan, when connected to the Trinity network directly or indirectly.
- All Trinity-owned/licensed data/programs, on Trinity and on private systems.
- All data/programs provided to Trinity by sponsors or external agencies.
1.10 The objectives of the Information Systems Security Policy and supporting policies are to:
- Ensure that information is created, used and maintained in a secure environment.
- Ensure that all of Trinity’s computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse.
- Ensure that all users are aware of and fully comply with the Policy Statement and the relevant supporting policies and procedures.
- Ensure that all users are aware of and fully comply with the relevant Irish and European Community legislation.
- Create awareness that appropriate security measures must be implemented as part of the effective operation and support of Information Security.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
- Ensure all College-owned assets have an identified owner/administrator.
1.11 The Trinity Board has approved the Information Security Policy and supporting technical policy. The Board has delegated the implementation of the Information Security Policy to the heads of academic and administrative areas. The Director of Information Systems Services and his/her delegated agents will enforce the Information Security Policy and associated supporting policy.
Minute reference: C1
Date: 9 July 2003
2.1 Governance outline
Security of Trinity’s IT and data assets cannot be achieved without a coherent governance model that ensures that all IT systems in College are operated in accordance with approved policy and best practice.
The Trinity Governance model seeks to clearly define who is authorised to operate key IT systems and services and how individuals and groups wishing to operate new systems or services are approved and subsequently governed.
2.2 Trinity College Data network
This is the main Trinity network serving the entire staff and student population. This network is operated by IT Services and provides central services and support to all users.
The services of the main Trinity network are available to all users including users who are also members of other autonomously managed networks.
2.3 Autonomously Managed Networks
The autonomously managed networks (AMNs) are separate logical and physical networks created to address specific needs of a localised user population. They are operated under agreement with IT Services and managed by dedicated full-time and suitably qualified staff. Each AMN appoints a named individual as the AMN manager; this person is responsible for authorising requests locally and liaising with IT Services.
2.4 Authorised IT Support Area Representatives
These individuals are employed by their academic or administrative area to spend a proportion of their time dealing with IT matters. These individuals may support specific applications and associated equipment.
2.5 Services to the Trinity Community
Only IT Services and the defined autonomous networks may operate key central services, including but not limited to Email, Internet Proxy, DNS, DHCP, Firewall, General Purpose Servers, Web Servers and Domain Services.
IT Support Representatives may operate specific applications and supporting servers which they should register with their AMN managers.
End users or individuals who are not employed by AMNs or as IT Support Representatives, and who wish to run complex IT systems such as servers, should first seek approval from IT Services.
2.6 The Network Perimeter
IT Services acts as the single point of contact between College and the National Research and Education Network, HEAnet.
Access through the network perimeter firewall is managed and operated by IT Services.
Individuals located in the main Trinity network may make direct application for access through the firewall.
Individuals located in other AMNs should make application first to the authorised managers of their AMN, who will approve the request and pass it on to Information Systems Services.
Good quality and frequent communications between all parties defined in this model are vital:
Communications between Autonomous Networks and IT Support Representatives are facilitated by a mailing list and periodic meetings hosted by Information Systems Services.
3.1 The Trinity Board
The Trinity Board is responsible for approving the Information Security Policy, and for supporting the Director of IT Services in the enforcement of the policies where necessary.
3.2 The Library and Information Policy Committee
LIPC is responsible for review and approval of significant changes to the policy.
3.3 Heads of Academic and Administrative Areas
Heads of academic and administrative areas are required to familiarise themselves with the policies. Where a policy breach is highlighted, heads of academic and administrative areas must co-operate in ensuring that appropriate action is taken. Heads of academic and administrative areas are obliged to ensure that all IT systems under their remit are formally administered, either by an administrator appointed by the head of the academic or administrative area or centrally by IT Services. The duties of the administrator are set out in the associated supporting policy.
3.4 Autonomous Networks
Where an area operates an autonomous network with a connection to Trinity Backbone, then the respective Autonomous Network Manager is required to ensure that their operations comply with the Information Security Policy.
3.5 The Information Security Officer
The Information Security Officer is responsible for:
- Advising the Board, the College officers, Administrators and other appropriate persons on compliance with this policy and its associated supporting policies and procedures.
- Reviewing and updating the Security policy and supporting policies and procedures.
- The promotion of the policy throughout College.
- Periodical assessments of security controls as outlined in the Security Policy and supporting policies and procedures.
- Investigating Security Incidents as they arise.
- Maintaining Records of Security Incidents. These records will be encrypted and stored securely for six months after which time information pertaining to individuals will be removed. The records will then be held in this anonymous format for a further two years for statistical purposes.
- Reporting to the Board, the College officers, Administrators and other appropriate persons on the status of security controls within the College.
3.6 The Director of IT Services
The Director of IT Services or his/her deputy is responsible for the management of Trinity Network and for the provision of support and advice to all nominated individuals with responsibility for discharging these policies.
3.7 Information Systems Users
It is the responsibility of each individual Information Systems user to ensure his/her understanding of and compliance with this Policy and the associated Codes of Practice.
All individuals are responsible for the security of College Information Systems assigned to them. This includes but is not limited to infrastructure, networks, hardware and software. Users must ensure that any access to these assets, which they grant to others, is for College use only, is not excessive and is maintained in an appropriate manner.
3.8 Purchasing, Commissioning, Developing an Information System
All individuals who purchase, commission or develop an Information System for Trinity are obliged to ensure that this system conforms to necessary security standards as defined in this Information Security Policy and supporting policies.
Individuals intending to collect, store or distribute data via an Information System must ensure that they conform to Trinity defined policies and all relevant legislation.
3.9 Third Parties
Before any third-party users are permitted access to Trinity Information Systems, a written third-party agreement is required. Prior to being allowed to work with Trinity Information Systems, satisfactory references from reliable sources should be obtained and verified for all third parties, which include but are not limited to administrative staff, software support companies, engineers, cleaners, and contract and temporary appointments. Data processing, service and maintenance contracts should contain an indemnity clause that offers cover in case of fraud or damage. Independent third-party review of the adequacy of, and compliance with, information system controls must be obtained periodically.
3.10 Reporting of Security Incidents
All suspected information security incidents must be reported as quickly as possible through the appropriate channels. All College staff and students have a duty to report information security violations and problems to the Information Security Officer on a timely basis so that prompt remedial action may be taken. The Information Security Officer will be responsible for setting up an Incident Management Team to deal with all incidents. Records describing all reported information security problems and violations will be created. These records will be encrypted and stored securely for six months after which time all information pertaining to individuals will be removed. The records will be held in this anonymous format for a further two years for statistical purposes.
3.11 Security Controls
All Trinity Information Systems are subject to the information security standards as outlined in this and related policy documents. No exceptions are permitted unless it can be demonstrated that the costs of using a standard exceed the benefits, or that use of a standard will clearly impede Trinity activities.
3.12 Compliance with Legislation
Trinity has an obligation to abide by all Irish legislation and relevant legislation of the European Community. The relevant acts, which apply in Irish law to Information Systems Security, include but are not limited to:
- The General Data Protection Regulation (GDPR)
- European Communities Data Protection Regulations, (2001)
- European Communities (Data Protection and Privacy in Telecommunications) Regulations (2002)
- Data Protection EU Directive 95/46/EC
- Criminal Damages Act (1991)
- Child Trafficking and Pornography Act (1998)
- Intellectual Property Miscellaneous Provisions Act (1998)
- Copyright and Related Rights Act (2000)
- Health and Safety Act (1989)
- Non-Fatal Offences Against the Person Act (1997)
- Electronic Commerce Act (2000)
- ECommerce Directive (2000/31/EC)
- Regulations entitled European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003)
The requirement for compliance devolves to all users as defined in (1.7) above, who may be held personally responsible for any breach of the legislation. Summaries of the legislation most relevant to Trinity’s IT policies may be found in the Guidelines accompanying the Policies. Full texts of the most relevant legislation are available from the College Library, IT Services and associated website and the College Information Security Officer.
IT Services will monitor network activity and reports from the Computer Emergency Response Team (CERT) and other security agencies, and take action or make recommendations consistent with maintaining the security of Trinity Information Systems.
4.2 Incident Reporting
Any individual suspecting that there has been, or is likely to be, a breach of information systems security should immediately inform the Information Security Officer or the Director of IT Services, who will advise Trinity on what action should be taken.
The Director of IT Services or his/her delegated agent has the authority to invoke the appropriate College disciplinary procedures to protect Trinity against breaches of security.
In the event of a suspected or actual breach of security, the Director of IT Services, his/her delegated agent or the Information Security Officer may, after consultation with the relevant Administrator, make inaccessible or remove any unsafe user accounts, data and/or programs on the system from the network.
4.4 Legal Implications
Any breach of security of an Information System could lead to loss of security of personal information. This would be an infringement of the General Data Protection Regulation (GDPR) and could lead to civil or criminal proceedings and/or regulator fines. All staff and students are advised to familiarise themselves with and comply with this policy and with the Trinity Data Protection Policy.
4.5 Disciplinary Procedures
Failure of an individual student or member of staff to comply with this policy may lead to the instigation of the relevant disciplinary procedures and, in certain circumstances, legal action may be taken.
Failure of a contractor to comply could lead to the cancellation of a contract.
5.1 New Staff and Students
This Policy Statement will be available from IT Services on request. It will also be published on the IT web site. New staff and students will be notified of the relevant policy documents on commencement of employment or student registration.
5.2 Existing Staff
Existing staff and students of Trinity, authorised third parties and contractors given access to the College network will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures which are published on the IT Services website.
5.3 Logon Banner
Users logging onto the Trinity network will be reminded of their obligations regarding compliance with the Information Security Policy via a Logon banner.
Updates to Policies and procedures will be made periodically and will be posted to the IT Services web site.
Training will be available from IT Services. Further information can be accessed on the IT Services website.
6.1 Risk Assessment
Risk assessments must be carried out periodically on the business value of the information users are handling and on the information systems security controls currently in place. These assessments are to take into account changes to operating systems, business requirements and College priorities, as well as relevant legislation, and users must revise their security arrangements accordingly.
6.2 Heads of Academic and Administrative areas
Heads of academic and administrative areas must establish effective contingency plans appropriate to the outcome of any risk assessment.
6.3 Information Security Officer
The Information Security Officer will carry out risk assessments, review all risk assessments completed by other parties and highlight any measures needed to reduce risk in Information Security areas.
6.4 Internal Audit
The College Internal Auditor will facilitate the assessment of risk management and compliance with the Information Security Policy periodically.
6.5 Third Party Audit
Third Party Audits will be carried out at intervals, as deemed necessary by the Internal Auditor and/or the Director of IT Services.
Supporting Policies amplifying this Policy Statement and Codes of Practice associated with these policies are published in an accompanying document and are available on the IT Services Web site or on request from IT Services.
Staff, students and any third parties authorised to access the Trinity Network to use the systems and facilities identified in paragraph 1.9 of this policy are required to familiarise themselves with the policies and to work in accordance with them.