The policies below support and expand on the published Trinity Information Security Policy as approved by the Trinity Board.
You can find a definition of some terms used in the policies in the definitions section of this page.
All staff and students of the University and all other users authorised by the University are required to familiarise themselves with and comply with these policies.
The Trinity IT network consists of an interconnection of networked devices. These include computers, printers, network cables and other networking equipment. Trinity depends heavily upon its IT network for research, teaching and administrative activities. It is essential that the stability, integrity and security of the Trinity IT network be safeguarded.
This policy defines the Trinity regulations regarding access to the Trinity Network. All Network Users must comply with the following policy statements:
1.1 Network Administration Roles and Responsibilities
- IT Services are responsible for the administration of the Trinity backbone network and primary software domains.
- The administration of the Trinity network including, network connections, services, addressing and design is the responsibility of the IT Services Network Manager and delegated agents.
- Additional authorised autonomous managed networks exist which are connected to the Trinity Backbone at an authorised connection point.
- Multiple authorised software domains exist within the Trinity network. The administration of these domains including user accounts and other access controls is the responsibility of the appointed administrator.
1.2 Connection to the Trinity Network
- Connection to and use of Trinity network facilities is dependent on compliance with all published IT Services and Trinity Policies.
- All equipment connected to the Trinity network must conform to the appropriate standards as set periodically by IT Services and Autonomous Network Managers and run only across the backbone using protocols supported by Trinity.
- Only IT Services or authorised Autonomous Network Managers may connect devices to the Trinity Network.
- Side-entry connections to the Trinity network, for example via modem connection to the asynchronous port of a workstation, or via wireless devices are permitted only with the permission of IT Services, or the relevant Autonomous Network Manager.
1.3 Wireless Networking
The Director of IT Services or their designee is responsible for providing a secure and reliable campus network to support the mission of the University. Under this broad responsibility, the following campus-wide wireless policies apply:
- Only hardware and software consistent with wireless standards approved by the IT Services and the Wireless Community Committee shall be used for wireless access points.
- All wireless access points shall be registered with IT Services. In the event that a wireless device interferes with other equipment, the Director of IT Services or designee shall resolve the interference as determined by use priority.
- Deployment and management of wireless access points in common areas of the campus is the responsibility of Information Systems Service.
1.4 Server Connectivity
The connection and use of a computer running Server operating system software or otherwise functioning as a server must be authorised by IT Services or an appropriate Autonomous Network Manager.
All Servers must have a defined administrator who is responsible for:
- Server administration and maintenance
- Server security including but not limited to data backup, access control, operating system and application updates and security patches
Trinity reserves the right to bar access to Information Servers containing material considered illegal or likely to bring Trinity into disrepute. The College also reserves the right to take disciplinary action in these circumstances.
Trinity will not be liable for any loss or damage suffered by the Information Owner as a result of barring access to or removal of material. Where the Information Owner considers that the College has acted disproportionately or inappropriately in barring access to and/or removing the material then s/he has the right of appeal through the normal Trinity grievance procedures.
In the event that a server is causing an unacceptable level of interference with the operation of the Trinity network outside normal hours and the owner/administrator cannot be contacted, IT Services or the Autonomous Network Manager may take action to disconnect the server from the network.
1.5 Network Access Controls
Access to Trinity network and facilities is restricted to fully authorised Trinity users. Users are required to login to an authorised domain using a secure login-name/password combination. Additional authentication mechanisms may be required if IT Services, or Autonomous Network Managers deem it necessary.
IT Services and Autonomous Network Managers must ensure that only authorised Trinity users have access to the network from their systems.
1.6 Connection of Privately Owned Equipment
Students may connect computing equipment to the Trinity network only with the permission of IT Services. Such systems are then subject to all the statutory and Trinity rules/regulations/policies currently in force and which are applicable to the fields of computer information systems.
Students may connect private equipment using the relevant service/procedure in the manner outlined by IT Services on the official website.
In general users may connect private equipment to the network by following the procedures outlined by IT Services. All private equipment must meet minimum hardware/software requirements and pass appropriate security checks as defined and updated by IT Services.
1.7 Network Administration
All network addresses, including IP addresses, must be allocated and administered by IT Services or authorised Autonomous Network Managers.
IT Services must be informed of any proposed physical re-organisation of the network. This includes requests for extra cabling or the insertion of wireless networking devices within an academic or administrative area. All requests for physical connections to the Trinity backbone must be directed to IT Services.
IT Services and Autonomous Network Managers may, on behalf of Trinity and subject to appropriate consultations, restrict excessive use of the backbone bandwidth.
In the event of unacceptable network events occurring on the network, IT Services and Autonomous Network Managers have the right to gain access to and inspect the configuration of devices or equipment on that network and to request the immediate removal of any devices or equipment that they believe could be the source of the problem.
In the event of unacceptable events on a network causing problems on another part of the Trinity network or on an external network, IT Services has the right to disable any part of the network as necessary to remove the source of the problem. While every effort will be made to contact the system owner, Head of academic or administrative area and/or other appropriate persons, this may not always be possible. All services will be reconnected at the first opportunity.
1.8 Use of Network Facilities
All Network Users must comply with the following conditions of use which apply to the Trinity network and all attached devices:
- Use of the Network facilities, including but not limited to the network, workstations, printers and the facilities associated with it (e.g. software, data, email, world wide web (www), bulletin boards), is subject to Trinity’s Code of Conduct.
- All data/programs created/owned/stored by the user on or connected to Trinity Network facilities may be subjected to inspection by the Director of IT Services or nominated agent in the instance of suspected wrongdoing. Should the data/programs be encrypted, the User shall be required to provide the decryption key to facilitate decryption of the data/programs. Where evidence is found of misuse or of the illegal use of material it will be subject to removal/deletion.
- Users should not use or produce materials or resources to facilitate unauthorised corruption, changes, malfunction or access to any Trinity or Network facilities.
- Users should not display, store or transmit images or text which could be considered offensive e.g. material of a sexual, pornographic, paedophilic, sexist, racist, libellous, threatening, defamatory nature, of a terrorist nature or likely to bring Trinity into disrepute.
- Users must not forge email signatures and/or headers, initiate and/or forward ‘chain’ or ‘junk’ or ‘harassing’ mail.
- Users should comply with all relevant IT legislation as outlined in the Information Systems Security Policy.
- When holding data on computers about living individuals, users must register the data and its uses according to Trinity procedures and in accordance with the General Data Protection Regulation.
- Other than any statutory obligation, the University will not be liable for any loss, damage or inconvenience arising directly or indirectly from the use of, or prevention of use of, any Network facility provided and/or managed by the University.
- Whilst the University takes appropriate security measures against unauthorised access to, alteration, disclosure, destruction or accidental loss of personal and other data it cannot and does not give any warranties or undertakings to the user about security, confidentiality or integrity of data, personal or other. The same applies to other IT material submitted to or processed on facilities provided or managed by the University or otherwise deposited at or left on its premises.
- A user’s name, address, photograph, status, e-mail name, login name, alias, Staff/Student number and other related information will be stored in electronic form for use for administrative and other operational purposes.
- Breaking these conditions may lead to Trinity disciplinary procedures being invoked, with penalties which could include suspension from the use of all Trinity computing facilities for extended periods and/or fines. Serious cases may lead to expulsion or dismissal from Trinity and may involve civil or criminal action being taken against the user.
The Internet is recognised as an important communication and research tool for Trinity College network users. This policy details standards for the secure use of Internet facilities for Trinity purposes, including teaching, research and administration.
2.1 Conditions Governing use of Trinity Internet Facilities
All users must adhere to the following when using College facilities to connect to the Internet:
- Access to the Internet is provided for Trinity College purposes and must not be abused for personal use.
- Commercial use which is not connected to or approved by the College is strictly prohibited and will result in disciplinary procedures.
- Internet access in Trinity is available only via the Trinity infrastructure. Users should not connect to the Internet via a dial-up ISP account on Trinity computers connected to the network.
- Users are expected to act ethically and responsibly in their use of the Internet and to comply with the relevant national legislation, the Trinity Information Security policy, regulations and codes of practice. Users must not post messages on forums or websites which are likely to be considered abusive, offensive or inflammatory by others.
- Users must not use the Trinity Internet connection to scan or attack other individuals/devices/organisations. The use of port scanners or other hacking tools unless used as part of an approved course of study is strictly prohibited.
- Users should be aware that the public nature of the Internet dictates that the confidentiality and integrity of information cannot normally be relied upon. Where a requirement exists to send or receive confidential or commercially sensitive data over the Internet, a security mechanism recommended by IT Services should be used.
- Passwords used for personal Internet services should not be the same or similar to passwords used for services accessed within Trinity. This is to prevent passwords that grant access to Trinity IT resources being sent out on the Internet in clear text where any Internet user can potentially see them. Similarly, any username used for the Internet services should not be the same or similar to a Trinity username.
- Software copyrights and licence conditions must be observed. Only licensed files or software may be downloaded from the Internet.
- The use of the Trinity Internet Connection to download or distribute copyright material using peer-to-peer applications is strictly prohibited. IT Services reserve the right to disconnect any machines involved in illegal file distribution from the Trinity network.
- All devices connected to the Internet must be equipped with the latest versions of anti-virus software, which has been both approved and supplied by Trinity.
- All forms of data received over the Internet should immediately be virus checked.
- All forms of data transmitted from Trinity over the Internet should be virus checked in advance.
- Data, which has been compressed or encrypted, should be decompressed or decrypted as required before virus checking.
- All security incidents involving Internet access must be reported to IT Services.
E-mail is recognised as an important communication tool for Trinity College network users. This document details standards for the secure use of e-mail facilities for Trinity purposes, including teaching, research and administration.
3.1 Conditions governing use of Trinity E-mail facilities
All users must adhere to the following when using Trinity E-mail facilities:
- Users are expected to act ethically and responsibly in their use of e-mails and to comply with the relevant national legislation, the Trinity Information Security policy, regulations and codes of practice.
- Discrimination, victimisation or harassment on the grounds of gender, marital status, family status, sexual orientation, religious belief, age, disability, race, colour, nationality, ethnic or national origin is against Trinity Policy. Users must not bully, hassle or harass other individuals via e-mail. Users must not send messages that are likely to be considered abusive, offensive or inflammatory by the recipient/s.
- All users should regard all e-mails sent from Trinity facilities as first, representing Trinity and, secondly, representing the individual. Users should be civil and courteous. Users should not send e-mail which portrays Trinity in an unprofessional light. Trinity is liable for the opinions and communications of its staff and students. Any e-mail involved in a legal dispute may have to be produced as evidence in court.
- All users should do their best to ensure that email content is accurate, factual and objective especially in relation to individuals. Users should avoid subjective opinions about individuals or other organisations.
- Users should be aware that e-mails can easily be forwarded to other parties. Users should assume that anyone mentioned in e-mail could see it or hear about it or he/she may, under data protection or other law, be entitled to see it.
- All users should be aware that it is possible for the origin of an e-mail to be easily disguised and for it to appear to come from someone else.
- Users must not use a false identity in e-mails.
- Users must not create or forward advertisements, chain letters or unsolicited e-mails (e.g. SPAM).
- All users should protect data displayed on their monitor, e.g. by locking their office door, locking their workstation or using a screen saver in password-protected mode when leaving their desk. This is in order to prevent unauthorised individuals from using the workstation to send an e-mail which will appear to originate from the user.
- All users should exercise caution when providing their e-mail address to others and be aware that their e-mail address may be recorded on the Internet.
- All users should be cautious when opening e-mails and attachments from unknown sources as they may be infected with viruses.
- All users must have up-to-date Trinity approved anti-virus software installed and operational on the computer that they access their email on.
- All emails or attachments that are encrypted or compressed should be decrypted or decompressed and scanned for viruses by the recipient.
- Users should be aware that e-mails may be subject to audit by IT Services to ensure that they meet the requirements of this policy. This applies to message content, attachments and addressees and to personal e-mails.
- As part of the Trinity’s standard computing and telecommunications practices, email systems and the systems involved in the transmission and storage of e-mail messages are normally "backed up" centrally on a routine basis for administrative purposes. The back-up process results in the copying of data, such as the content of an e-mail message, on to storage media that may be retained for periods of time and in locations unknown to the originator or recipient of an email. The frequency and retention of back-up copies vary from system to system. However, this back-up is for Trinity administrative purposes only and it is the user’s own responsibility to back-up any of their e-mails they wish to retain for future reference.
- All security incidents involving E-mail should be reported to IT Services.
3.2 E-mail and the General Data Protection Regulation (GDPR)
All Trinity users should be aware that e-mail containing information pertaining to living individuals falls under the scope of the General Data Protection Regulation (GDPR).
All users must ensure that the methods of collecting, processing and storing personal information via e-mail comply with Trinity policies, the GDPR and any other relevant legislation.
3.3 E-mail and Privacy
Trinity users must assume that all e-mail or Internet communications are not secure unless encrypted, and they should not send via e-mail any information which is confidential. Users may not, under any circumstances, monitor, intercept or browse other users' e-mail messages unless authorised to do so by the Director of IT Services. Network and computer operations personnel, or system administrators, may not monitor other users' e-mail messages other than to the extent that this may occur incidentally in the normal course of their work.
The College reserves the right to access and disclose the contents of a user's e-mail messages, in accordance with its legal and audit obligations, and for legitimate operational purposes. Trinity reserves the right to demand that encryption keys, where used, be made available so that it can fulfil its right of access to a user’s e-mail messages in such circumstances.
Usernames and passwords are used in Trinity to facilitate access to Trinity IT resources. They also protect Trinity data from access by unauthorised individuals, both internally (other staff and students) and externally (hackers).
This policy applies to all Trinity Staff, Students, or Third parties who are issued with usernames and passwords for any Trinity IT System or device.
This policy applies to all username and password pairs on all devices, systems and applications that are part of the Trinity network that provide access to Trinity owned information.
4.1 Issue of accounts and passwords
All system and application accounts and passwords must be issued by IT Services or an Autonomous Network Manager. Once a password has been issued full responsibility for that account and associated password passes to the user.
4.2 Password Sharing Prohibition
4.3 Writing Passwords Down and Leaving Where Others Could Discover
Passwords must not be written down and left in a place where unauthorised persons might discover them.
4.4 Password Changes
Password changes must only be made when requested in person by the appropriate individual or when requested by a trusted party as defined by IT Services. No exceptions to this policy are allowed.
4.5 Minimum Password Length
The length of passwords must always be checked automatically at the time that users construct or select them. All IT systems must require passwords of at least eight (8) characters.
4.6 Complex Passwords Required
All computer system users must choose passwords that cannot be easily guessed. For example, a car license plate number, a spouse's name, or an address must not be used. This also means that passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, and slang must not be used.
4.7 Cyclical Passwords Prohibited
Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users must not employ passwords like "JANUARY" in January, "FEBRUARY" in February, etc.
4.8 User-Chosen Passwords Must Not Be Reused
Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed.
4.9 Password Ageing
Passwords should be changed periodically. Network managers, system administrators or application administrators should select an appropriate time frame for changing passwords.
4.10 Limit on Consecutive Unsuccessful Attempts to Enter a Password
To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After a defined number of unsuccessful attempts to enter a password (usually between 3 and 8 per hour), the involved user account must be either (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three (3) minutes, or (c) if dial-up or other external network connections are involved, disconnected.
4.11 Password History
A password history must be maintained for all domain-level accounts. This history file should be used to prevent users from reusing passwords. The history file should minimally contain the last 7 passwords for each username.
4.12 System Compromise
Whenever an unauthorised party has compromised a system, IT Services or the relevant Autonomous network manager or application administrator must immediately change every password on the involved system. Even suspicion of a compromise likewise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorised modifications.
4.13 Storage of Passwords in Readable Form
Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorised persons might discover them.
4.14 Changing Vendor Default Passwords
All vendor-supplied default passwords e.g. default passwords supplied with routers, switches or software such as operating systems and databases must be changed before any computer or communications system is used.
4.15 Encryption of Passwords in Storage and Transmission
Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over a communications system.
4.16 Misuse of Passwords
Any abuse of passwords must be reported to IT Services, who will advise on what follow-up action to take. Passwords must always be changed if it is known or suspected that another person has become aware of the password. Where a third party is found in possession of a user’s password, that account will be disabled. In this situation the valid user should report this to IT Services.
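As an added example (not part of this policy and not Trinity's own code), the Python below shows how the controls in sections 4.5 to 4.11 and the storage rules in 4.13 and 4.15 translate into enforcement logic: a length check, a dictionary and cyclical-word check, a salted PBKDF2 history so that reuse is detected without ever storing a readable password, and a per-hour failure counter with a three-minute lockout. The word lists, the five-attempt threshold (chosen from the 3 to 8 range the policy allows) and the `Account` structure are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8          # 4.5: passwords of at least eight characters
HISTORY_SIZE = 7        # 4.11: keep the last 7 passwords per username
MAX_FAILURES = 5        # 4.10: 3 to 8 consecutive failures per hour allowed; 5 chosen here
FAILURE_WINDOW = 3600   # 4.10: failures are counted per hour
LOCKOUT_SECONDS = 180   # 4.10(b): disabled for no less than three minutes

# Constructed stand-ins for a dictionary word list (4.6) and predictable
# cyclical tokens (4.7); a real deployment would load full lists.
DICTIONARY = {"password", "trinity", "dublin", "welcome", "letmein", "college"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}


def _digest(password: str, salt: bytes) -> bytes:
    """4.13/4.15: only a salted PBKDF2 hash is ever stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """Assumed per-user record: hashed history plus lockout bookkeeping."""
    username: str
    history: list = field(default_factory=list)   # [(salt, digest)], newest first
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked_until: float = 0.0


def policy_violations(account: Account, candidate: str) -> list:
    """Return the policy sections a candidate password violates (empty = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("4.5 minimum length")
    # Strip digits/punctuation so "JANUARY2024!" is still recognised as "january"
    letters = re.sub(r"[^a-z]", "", candidate.lower())
    if letters in DICTIONARY or letters == account.username.lower():
        problems.append("4.6 guessable / dictionary word")
    if letters in MONTHS:
        problems.append("4.7 cyclical password")
    # 4.8/4.11: compare against the stored history without keeping plaintext
    for salt, digest in account.history:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("4.8/4.11 password reuse")
            break
    return problems


def set_password(account: Account, new_password: str) -> bool:
    """Apply a password change; returns False (and changes nothing) if policy fails."""
    if policy_violations(account, new_password):
        return False
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt)))
    del account.history[HISTORY_SIZE:]        # 4.11: retain only the last 7
    account.failures.clear()
    return True


def verify_login(account: Account, attempt: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked', enforcing the 4.10 lockout rule."""
    if now < account.locked_until:
        return "locked"
    # Only consecutive failures within the last hour count towards the limit
    account.failures = [t for t in account.failures if now - t < FAILURE_WINDOW]
    if not account.history:
        return "denied"
    salt, digest = account.history[0]
    if hmac.compare_digest(_digest(attempt, salt), digest):
        account.failures.clear()
        return "ok"
    account.failures.append(now)
    if len(account.failures) >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failures.clear()
        return "locked"
    return "denied"
```

Option (a) of section 4.10, suspension until an administrator resets the account, would replace the timed `locked_until` with a flag that only an administrative call clears.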
Computer malware can impact productivity, incur financial costs and can result in the compromise or loss of data and reputation.
Viruses can originate from a range of sources, spread rapidly, and require a comprehensive approach to ensure the risk they pose is effectively managed. This comprehensive approach requires the full co-operation of all Trinity College Staff and Students.
This Anti-Virus and Anti-Spam Policy outlines the overall approach adopted by Trinity as well as individual responsibilities.
All Trinity College network users have a responsibility to protect their systems from malware infection and follow the guidelines on spam email as outlined below:
5.1 Virus Prevention - Network Users Responsibilities
- All users have a responsibility to protect any device which they use to connect to the Trinity network by ensuring that they have installed the correct anti-virus product for their area and that it is up-to-date. This relates to Trinity-owned machines and users’ private machines where the machines are used to access the Trinity network.
- Users must not try to install an unapproved anti-virus product or try to alter the configuration or disable the existing anti-virus product.
- Users must install, when requested by IT Services or their Autonomous Network Manager, any software that is for the prevention or monitoring of malware infections.
- Users must ensure that all relevant software security updates are applied to their computer. Users are advised to use the Windows update service for all Microsoft operating systems, and the equivalent update service for other types of operating system.
- Users must scan their hard drives regularly for malware.
- Users should not open suspicious emails or attachments whether solicited or unsolicited from unknown or unusual sources.
- Users should scan all software or other content that they download from the Internet for viruses.
- Users should exercise caution when downloading software from the Internet and only install software from reputable Internet sites.
5.2 Where malware is detected by a User
- All users must respond to any malware infection detection indicated by their anti-virus software.
- In the event that a user is unable to clean or remove an infected file they should disconnect their PC from the Trinity network by removing the network cable and inform their Autonomous Network Manager or the IT Services Helpdesk of the problem immediately.
- All users should be alert to the possibility of malware and report any suspicious behaviour to their Autonomous Network Manager or the IT Services Helpdesk immediately.
5.3 Unsolicited Email (Spam) User Responsibilities
- Users should exercise caution when divulging their Trinity Email account to third parties. Some organisations may provide your email address to parties involved in sending unsolicited emails (Spam), which may result in increased volumes of spam email being sent to your account.
- IT Services provide a Spam filtering service for users of the Trinity email system. All users should report any spam that they receive using the method advised by IT Services in order to improve the overall efficiency of the system.
5.4 Phishing - User Responsibilities
- Phishing is a form of online fraud. In a typical phishing incident, a user may receive an email or pop-up message that claims to be from IT Services or another business or organisation that they may have previously dealt with.
- Trinity staff and students must treat any email that asks for their Trinity username and password details with extreme caution.
- Any user who suspects that they have fallen for a phishing attack and compromised their Trinity username and password must immediately change their password and inform IT Services.
5.5 Virus and Spam Prevention - Administrative Responsibilities
IT Services, and Autonomous Network managers must:
- Select an effective desktop anti-virus product. This product must be licensed and made available to all users connecting to the Trinity network.
- Monitor systems regularly for devices that do not have anti-virus software installed or have incorrect anti-virus products or settings.
- Provide a central point of contact to Trinity users for malware matters.
- Keep abreast of potential malware that may affect Trinity.
- Promote awareness of malware issues amongst users.
- Monitor desktop systems for indications of malware infection using available tools (e.g. the Epol administration console).
- Follow up on and evaluate any malware reports from users and make recommendations, which may include informing users of the problem by email alert, intranet, etc.
- During a malware outbreak incident, provide whatever assistance is required to disinfect the device and prevent propagation.
- In the event of an incident the official source of updated information will be the IT Services website.
- IT Services and Autonomous Network managers running approved Trinity email systems must scan all incoming and outgoing email at the mail gateway for viruses using a reputable malware scanning product. This is to prevent mass propagation of viruses through email systems.
- IT Services and Autonomous Network managers running approved Trinity email systems must offer a high-quality spam filtering service to all users.
Software is widely used by Trinity College Dublin to process, manipulate and store data owned by Trinity. It is essential that all software meet minimum-security standards to ensure the integrity and security of Trinity data.
This policy applies to all Trinity staff, students or third parties who purchase or develop software that is used on the Trinity network or installed on any device connected to the Trinity network or used to collect, store or process Trinity data. This policy applies to all software purchased with private resources as well as Trinity funds.
Particular care should be taken when purchasing or developing a major system that is to be used to process or store Trinity data.
The responsibility for ensuring that software meets security requirements falls to the individual or group purchasing, installing and configuring the product.
Where an individual does not have the required expertise to ensure that the product meets requirements advice should be sought from IT Services.
6.1 Approval by the Library and Information Policy Committee
All Trinity users should note that proposals for new or replacement information systems are subject to approval by the Information Policy Committee. Information on submission of project proposals and committee meeting dates is available from IT Services.
6.2 Software Security Standards
All software must comply with the following standards:
- All software must protect Trinity and personal information from unauthorised disclosure (confidentiality and privacy).
- All software must protect Trinity and personal information from unauthorised modification (integrity).
- All software must protect Trinity and personal information and processing services from disruption and destruction (availability).
- All software must contain controls that can ensure that individuals can be held responsible for their actions (accountability and non-repudiation).
6.3 Purchasing Software
Any Staff member, Student or Third party purchasing software to be used on the Trinity network or to process data owned by Trinity must ensure that:
- The software meets minimum standards as detailed in section 1.3.
- The software is tested to ensure that the security criteria as defined in section 1.3 are met.
- The software is configured correctly and securely and that all relevant security features are enabled.
- The software meets licensing criteria as detailed in section 4 of this policy document.
- That provision is made for providing ongoing maintenance for the software either by the manufacturer or a dedicated system administrator.
- Physical or logical access should only be given to vendors for support purposes when necessary. Only approved secure methods of access should be used (the IT Security Officer can advise on suitable methods). The vendor must sign a third-party access form and the vendor’s activities should be monitored/logged.
6.4 Purchasing/Using Cloud software systems
- Cloud computing is a method of delivering Information and Communication Technology (ICT) services where the customer pays to use, rather than necessarily own, the resources. These services are typically provided by third parties using Internet technologies.
- The processes involved in procuring and evaluating cloud services can be complex and subject to legal, ethical and policy compliance requirements. These requirements must be evaluated and met prior to signing up to and using cloud services. This is essential to ensure that personal, sensitive and confidential business data and information owned, controlled, or processed by the College, its staff, students and its agents is adequately protected at all times. The service must be selected to ensure that the data and information is secure and that an adequate backup and recovery plan is in place to ensure that data and information can be retrieved to meet business needs. For more critical systems, the service should be built with high availability, again to meet business needs.
- All procurement of Cloud services is subject to the University Cloud Policy, copies of which can be obtained from the Trinity website or from IT Services.
6.5 Software Development
Any Staff member, Student or Third party developing software to be used on the Trinity network or to process data owned by Trinity must ensure that:
- The software meets minimum standards as detailed in section 1.3
- The software is tested in a professional manner to ensure that all security controls are effective. Documentation supporting this must be made available to IT Services or the Trinity Network Manager on request.
- Software development and testing is carried out in a separate environment from the live environment.
- Adequate controls are in place over any test data which is used in the testing process.
- Provision is made for ongoing maintenance of the software.
6.6 Trinity Data
Any Staff member, Student or Third party purchasing or developing software for gathering, processing or storing sensitive Trinity information such as financial data, sensitive teaching or research data or personal data relating to individuals must ensure:
- That the software meets the criteria as defined in section 1.3
- That they are able to provide documentation of security controls in place.
- That they are able to provide evidence of the effectiveness of those controls gained through proper testing exercises on request from IT Services or the relevant Network Manager or Systems administrator.
- Where sensitive data (e.g. financial data, sensitive teaching or research data or personal data relating to individuals) is to be stored in electronic format, that Trinity has insurance to cover any incident, such as theft of the data, which may occur while the data is stored electronically.
- That they are not duplicating data already held in central Trinity databases (e.g. Student and Staff details) or creating systems which duplicate services already provided by existing systems.
6.7 E-Payment or Storage of Credit / Debit Card Numbers
Users intending to purchase or develop systems for e-payment or for the collection and/or storage of credit card numbers and associated information are alerted to the following special security considerations:
- Under most merchant agreements the issuing Bank will wish to approve any proposed system before it goes into operation.
- Trinity has no insurance cover for the theft of credit card numbers from the Trinity network. Thus in the case of a security breach Trinity would have a financial liability.
6.8 Username and Password Authentication
Packages which use username and password authentication must conform to ‘005 Passwords Standards Policy.doc’.
6.9 Change Control
To minimise the corruption of information systems there should be strict control over the implementation of changes to software installations.
Where appropriate (which will generally be for larger systems) formal change control procedures should be enforced to ensure that security procedures are not compromised and that formal agreement and approval for any change is obtained. This should include:
- Authorisation of request for change.
- Risk assessment of change.
- User Acceptance Testing.
- Relevant management sign-off.
- Information Security sign-off.
- Rollback procedures in the event that the promotion fails.
- Documentation of the above.
6.10 Encryption of Sensitive Data
- If sensitive data (e.g. financial data, sensitive teaching or research data or personal data relating to individuals) is to be transmitted over any external communication network, it must be sent in encrypted form.
- It may also be appropriate to use encryption where sensitive data is transmitted internally across the Trinity network. In this case a risk assessment should be carried out to determine whether a cryptographic control is appropriate.
- If sensitive data is to be transported on portable media (e.g. USB devices) it must be in encrypted form.
- If encryption is used, the encrypted information must be transmitted over a different communication channel from the keys used to protect it.
- The owner(s) of data protected by encryption must explicitly assign responsibility for managing the encryption keys used to protect that data.
6.11 Software Installation, Configuration and Updates
End users must ensure that they install and configure all software to a secure baseline standard. End users should also ensure that they install any updates or security patches that are available for the operating system, application software or databases installed on devices connected to the Trinity network or used to process or store Trinity data.
IT Services, Network Managers, system administrators, database administrators and application administrators must ensure that they install and configure all software in a secure manner and that they install all updates or security patches on operating systems, applications, databases and any other software, which they purchase, develop or administer.
Specific technical details on secure installation and configuration of operating systems and other software are available from the IT Services.
6.12 Software Licensing and Copyright
IT Services, Network Managers, database administrators and individuals are responsible for maintaining records of software licences for all software that they acquire.
Software that is acquired on a trial basis must be used in accordance with the vendor's copyright instructions.
Copyright stipulations governing vendor-supplied software must be observed at all times.
All software developed within Trinity is the property of Trinity and must not be copied or distributed without prior written authorisation.
6.13 Breach of Policy
Where software is found to be in breach of this policy and there is reason to believe that Trinity information is at risk as a result, the Director of IT Services, or Network Manager may have the software system/application withdrawn from live operation.
Back-up procedures, ensuring that both data and software are regularly and securely backed-up, are essential to protect against the loss of that data and software and to facilitate a rapid recovery from any IT failure. This policy outlines guidelines for Trinity College staff and students on backing up Trinity Data.
The data backup element of this policy applies to all Staff, students and third parties who use IT devices connected to the Trinity College network or who process, or store information owned by Trinity College Dublin.
All users are responsible for arranging adequate data backup procedures for the data held on IT systems assigned to them.
7.1 Best Practice Backup Procedures
All backups must conform to the following best practice procedures:
- All data, operating systems and utility files must be adequately and systematically backed up (Ensure this includes all patches, fixes and updates)
- Records of what is backed up and to where must be maintained
- Records of software licensing should be backed up.
- Back-up media, together with the back-up record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site.
- Regular tests of restoring data/software from the backup copies should be undertaken, to ensure that they can be relied upon for use in an emergency
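The two 7.1 controls that are most often skipped in practice are the backup record and the restore test. The Python script below is an added example and is not part of the Trinity policy or of any IT Services tooling; it uses only the standard library, and the function names, file layout and the constructed "research" data set are illustrative. It writes a gzip tar archive together with a JSON manifest of file sizes and SHA-256 digests (the record of what was backed up), then performs a real restore into a scratch directory and compares the result with that record, so that a backup which cannot be restored intact is detected before it is needed in an emergency.

```python
"""Backup manifest and restore test.

Added example (not Trinity policy or IT Services code): shows the 7.1 controls
"records of what is backed up" and "regular tests of restoring" as runnable
code. Standard library only; all names and the sample data are illustrative.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def _digest(path: Path) -> str:
    """Stream a file through the hash so large backups need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record every regular file under source with its size and digest.

    This is the backup record that is kept alongside the media."""
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            files[rel] = {"size": p.stat().st_size, HASH_ALGO: _digest(p)}
    return {"algorithm": HASH_ALGO, "files": files}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of source plus a JSON manifest next to it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest["files"]:
            # relative arcnames only: the archive never carries absolute paths
            tar.add(source / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and compare it with the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    The point is to exercise the real restore path rather than trusting that
    the archive merely opens."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python 3.12+ (and recent 3.8-3.11 patch releases): the 'data'
                # filter refuses entries that would write outside dest.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)  # older interpreters: no filter argument
        for rel, expected in manifest["files"].items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
                continue
            if restored.stat().st_size != expected["size"]:
                problems.append(f"size mismatch: {rel}")
            elif _digest(restored) != expected[manifest["algorithm"]]:
                problems.append(f"digest mismatch: {rel}")
        # anything restored that the record does not know about is also a finding
        restored_files = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()}
        for extra in sorted(restored_files - set(manifest["files"])):
            problems.append(f"not in manifest: {extra}")
    return problems


def run_demo() -> tuple:
    """Constructed data set: back it up, test a clean restore, then show that a
    record which no longer matches the media is detected."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "research"
        (src / "raw").mkdir(parents=True)
        (src / "notes.txt").write_text("lab notebook, week 12\n")
        (src / "raw" / "run1.csv").write_text("t,value\n0,1.0\n1,1.5\n")
        archive = Path(work) / "research.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # simulate media and record drifting apart: overwrite one stored digest
        tampered = json.loads(json.dumps(manifest))
        tampered["files"]["raw/run1.csv"][HASH_ALGO] = "0" * 64
        return clean, verify_restore(archive, tampered)


if __name__ == "__main__":
    clean, bad = run_demo()
    print("clean restore problems:", clean)
    print("tampered record problems:", bad)
```

Run it directly to see both outcomes: a clean restore reports no problems, and a record that no longer matches the media names the affected file. In practice the manifest would be stored with the backup record in the remote location described above, and the restore test scheduled alongside the backups themselves.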
7.2 Responsibility for Data backup
Only critical systems are routinely backed up by IT Services and Autonomous Network Managers in the current model. The responsibility for backing up data held on the workstations of individuals regardless of whether they are owned privately or by the College falls entirely to the User.
If you are responsible for a collection of data held either remotely on a server or on the hard disk of a computer, you should consult your Autonomous Network Manager or IT Services about local back-up procedures. If you do not use the facilities provided by IT Services or those of your own academic or administrative area you should put in place your own procedures.
7.3 Legal Requirements
Users when formulating a backup strategy should take the following legal implications into consideration:
- Where data held is personal data within the meaning of the General Data Protection Regulation (GDPR), there is a legal requirement to ensure that such back-ups are adequate for the purpose of protecting that data
- Depending on legal or other requirements, e.g. Financial Regulations, it may be necessary to retain essential business data for a number of years and for some archive copies to be permanently retained
- Depending on legal or other requirements, e.g. General Data Protection Regulation (GDPR), Software Licensing, it may be necessary to destroy all backup copies of data after a certain period or at the end of a contract.
7.4 Desktop Backups
The responsibility for backing up data held on the workstations of individuals regardless of whether they are owned privately or by the College falls entirely to the User.
All network users using personal workstations/laptops should ensure that their data is backed up using one or a combination of the following methods:
- Backing-up to a local device e.g. floppy disk, Zip Drive, CD-Rom.
- Copying critical data on a regular basis to a remote server that is properly backed up by the College.
- Backups should be scheduled regularly.
- All users should backup their data before updating or upgrading software on their computer.
The disaster recovery procedures in this policy apply to IT Services, Autonomous Networks and all Trinity Users who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer.
8.1 Published Disaster Recovery Plan/Procedures
- Trinity must maintain a published and tested Disaster Recovery plan as defined in section 9.3.
- IT Services and Autonomous Network Managers must contribute details of the data and systems owned by them, and their procedures for disaster recovery, annually.
- IT Services and Autonomous Network Managers must schedule regular testing of the Disaster Recovery plan or parts thereof.
8.2 User Responsibilities
All Trinity users should make preparation for a disaster event in which IT equipment or data is destroyed. Users should:
- Ensure that they have backed up all important data stored on equipment owned by or assigned to them. IT Services or an Autonomous Network Manager can provide detailed advice on how best to achieve this.
- Note the procedures for procuring replacement hardware. This can be done by purchasing it from a suitable hardware vendor or by using spare capacity on a colleague's computer in another building or site.
- Maintain backup documentation regarding any licence keys that they may hold.
8.3 Best Practice Disaster Recovery Procedures
A disaster recovery plan can be defined as the ongoing process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of vital Trinity functions in the event of an unscheduled interruption.
All disaster recovery plans must contain the following key elements:
- Critical Application Assessment
- Backup Procedures
- Recovery Procedures
- Implementation Procedures
- Test Procedures
- Plan Maintenance
The purpose of this policy is to define standards for connecting to the Trinity College Network from a Computer or other device located outside of the Trinity network. This policy is designed to minimise the potential exposure to Trinity from risks associated with remote access connections by ensuring only secure methods are used to connect to the Trinity network.
This policy applies to all Trinity Staff, students or Third parties with either a Trinity owned or personally owned computer used to connect to the Trinity network.
9.1 Permitted remote access connections
Remote access connections to the Trinity network may be made for Trinity administrative or academic purposes only. These include but are not limited to:
- Approved use of network resources and services by registered Staff and Students.
- Teleworking by registered Trinity Staff.
- Network administration purposes by registered System Administration Staff.
- Administration of Trinity Applications or Systems by approved Third parties.
9.2 Methods of Remote connection
IT Services and Autonomous network managers only may approve appropriate remote access technologies for use to access the Trinity network.
Trinity Users should apply to IT Services or the Autonomous network managers for a list of currently approved methods.
Current preferred remote access technologies include but are not limited to:
- Approved College Virtual private network (VPN)
- Direct IP to IP PC Anywhere connection
- Direct SSH access
9.3 Non-standard remote access connections
Organisations or individuals wishing to implement non-standard Remote Access must obtain prior approval from IT Services.
9.4 Protecting Remote Access Credentials
All individuals are responsible for safeguarding the remote access credentials granted to them and making sure that unauthorised individuals do not use them. These credentials may consist of username and password combinations, digital certificates or other software or hardware.
9.5 Username/Password Authentication
Where Username/Password authentication is used the following apply:
- Where remote access authentication is facilitated using a username and password a strong password must be used as defined in section 5 of this policy document.
- At no time should any Trinity staff member or student provide his or her username or password to any unauthorised third party.
9.6 Remote Access Hosts
All hosts that are used for remote access to the Trinity networks must:
- Use the most up-to-date anti-virus software.
- Be protected by a Trinity or private Firewall.
- Not be made available for use to unauthorised third parties.
- Be available for inspection by IT Services or the Autonomous Network Manager/Administrator if requested.
9.7 All Individuals/groups granted remote access connection privileges
It is the responsibility of all individuals/groups with remote access privileges to the Trinity network to ensure that:
- Their remote access connection meets security standards as approved by the College.
- The connection is only used for approved purposes.
- The remote access credentials granted to them are held safely and not disclosed to unauthorised third parties.
9.8 Trinity Staff or Students providing remote access to Third parties
Trinity staff or students may only provide remote access to the Trinity network to third parties with the express permission of IT Services or the Network manager or Autonomous Network Manager.
Trinity Staff providing remote access to third parties for any purpose must ensure that the method of remote access meets security standards as approved by the College.
The Third party must be made aware of their responsibilities and provided with a copy of this policy document.
Details of the Third-Party connection must be documented and submitted to the Autonomous Network Manager/Administrator or IT Services.
9.9 Third Parties
It is the responsibility of all contractors, vendors and agents with remote access privileges to the Trinity network to ensure that the remote access connection adheres to the Security Standards as defined in this policy.
All Third parties must comply with the security measures as outlined in this policy document.
The purpose of this policy is to define standards for all Third Parties seeking to access the Trinity Network or any devices attached to the Trinity Network. This policy is designed to minimise the potential exposure to the Trinity from risks associated with Third Party Access.
This policy applies to all Trinity staff and students seeking to provide Third parties with access to the Trinity network or to devices attached to the network.
10.2 Permitted Third Party Access
Third party access to the College network may be made for College administrative or academic purposes only.
10.3 Access Requests
Requests to allow access to the Trinity network or attached devices must meet the following criteria:
- Requests for third party access must be formally authorised in writing by IT Services or the relevant Autonomous Network Manager for the area prior to access being granted.
- The requester must agree to act as the sponsor for the Third Party and take responsibility for the actions of the Third Party when accessing the College network or attached devices.
- Where there is an approved need for third party access, security controls will be agreed and defined in a contract with the third party as detailed in section 10.4
- Access to Trinity College network facilities by third parties will not be provided until the appropriate measures have been implemented and a contract signed defining the terms for the connection.
- Third party access must be permitted only to the facilities, services and data which are required to perform the specified tasks, as outlined to IT Services or the appropriate Network Manager/Administrator in the original request for access.
10.4 Security Conditions in Third Party contracts
Third party access to Trinity IT facilities must be based on a formal contract, which must address the following issues:
- A description of each facility, IT service or type of data to be made available must be included.
- Compliance with the published Trinity Information Security Policy.
- Permitted access methods and the control and use of unique identifiers (User Ids) and passwords.
- A requirement to maintain a list of individuals authorised to use the service.
- A commitment that all third parties granted access will inform the College in writing of staff changes that affect the integrity of security, including the rotation and resignation of employees, so that the College can disable user IDs and remove or change passwords in order to secure its resources.
- Procedures regarding protection of Trinity assets, including information.
- Responsibilities with respect to legislation including but not limited to the General Data Protection Regulation (GDPR)
- The right of Trinity to monitor user activity and revoke access.
- Responsibilities regarding hardware and software installation and maintenance.
- The right to audit contractual responsibilities.
- Restrictions on copying and disclosing information.
- Measures to ensure the return or destruction of information at the end of the contract.
- Any required physical protection measures.
- Measures to ensure protection against the spread of computer viruses.
- An acknowledgement that access to Trinity systems and information will be granted for approved purposes only. The use of this access for personal use or gain is strictly prohibited.
- Arrangements for reporting and investigating security incidents.
10.5 Unique Authentication
To ensure individual accountability on Trinity Network devices and applications, all third parties granted access must be given a unique userid and password.
The third party will always be held responsible for any activities which occur on Trinity networks and applications using this unique userid.
The Third Party is solely responsible for ensuring that any username and password that they are granted remains confidential and is not used by unauthorised individuals
10.7 Host Security
When a Third Party is logged into the Trinity network they should not leave the host they are logged onto unattended.
Workstations/laptops that are used to display Trinity data should be located in such a way that confidential information is not displayed to unauthorised persons or the general public.
Up-to-date Virus checking software must be installed on any relevant devices that are being used to access the Trinity Network or attached devices.
10.8 Remote Access by Third Parties
Where the type of access to be granted to the Network is from a remote device the third party must comply with the security measures as defined in this policy.
In the event of a security incident occurring, it is important that all Trinity employees and students are aware of their responsibilities and the procedure by which incidents can be most effectively and efficiently brought to a satisfactory conclusion. The procedures as defined below are best practice within Trinity College.
Where investigation of a security incident indicates misuse of IT facilities approved disciplinary procedures will be implemented as defined in this policy.
11.1 Incident Reporting
The types of incidents that must be reported include, but are not limited to:
- Incidents reported from Systems and Networks (system failures, unusual activity)
- Anomalous events (unusual or suspicious behaviour noted in logs or activity reports)
- Reports from External sources (threats, customer queries, complaints, press reports)
- Incidents observed by network users (on local PC’s or servers)
- Any unauthorised access to Trinity Data or systems.
11.2 Reporting an incident
All observed or suspected security incidents, weaknesses or threats should be reported to the relevant Autonomous Network Manager and to IT Services.
In no instance should any user attempt to prove a suspected weakness, as this could itself lead to misuse of the system. Where users note that any software does not appear to be working correctly, i.e. according to specification, they should report the matter to IT Services.
Where a user suspects that the malfunction is due to a malicious piece of software e.g. a computer virus, they should stop using the computer, disconnect it from the Trinity network and report the matter to IT Services.
11.3 Disabling Accounts/Network Connections
IT Services and Autonomous Network Managers may disable user accounts and/or network connections:
- Pending investigation of a security incident or where investigation of an incident
- To contain a confirmed security breach and prevent other Trinity network devices from becoming affected by the incident.
11.4 Records of Security Incidents
IT Services will collate and analyse records of security incidents, will report to the Trinity Board any trends which emerge and will recommend any additional action which should be taken University-wide to try to prevent their recurrence.
11.5 Misuse of facilities
Where Trinity Staff members or Third parties are found to have misused Trinity IT facilities, the Director of Information Services, the Network Manager or their nominated agent will inform the appropriate Trinity authorities, who will determine what further action should be taken.
Where students are found to have misused Trinity IT facilities, IT Services must inform the Junior Dean who will determine what further action should be taken.
The University has an obligation to abide by all Irish legislation and relevant legislation of the European Community.
All users of the Trinity Information Systems must ensure that they are fully aware of and understand the relevant legislation which applies to the IT systems or data assigned to them.
This Guideline is not a full statement of the law but is an indication of the issues to be complied with when processing information and disseminating it through the Trinity Information Systems.
13.1 Relevant legislation
Full copies of the legislation outlined below are available from the Trinity library and IT Services
- Irish Data Protection Bill
- General Data Protection Regulation GDPR
- Health and Safety Act, 1989
- Criminal Damages Act, 1991
- Freedom Of Information Act 1997
- Non-Fatal Offences Against the Person Act, 1997
- Child Trafficking and Pornography Act, 1998
- Intellectual Property (Miscellaneous Provisions) Act 1998
- Data Protection Act, 1988
- Electronic Commerce Act, 2000
- Copyright and Related Rights Act, 2000
- eCommerce Directive (2000/31/EC)
- European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002
- Data Protection (Amendment) Act 2003
- Regulations entitled European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003)
- HEAnet Acceptable Use Policy
- Network Users: all Trinity staff, students or third parties with either a Trinity-owned or personally owned computer or other device used to connect to the Trinity network, or a username and password or other type of authentication allowing access to the network.
- Autonomous Managed Networks (AMNs): separate logical and physical networks created to address the specific needs of a localised user population. They are operated in agreement with IT Services and managed by dedicated full-time and suitably qualified staff.
- Autonomous Network Managers: each AMN as defined above appoints a named individual as the AMN manager. This person is responsible for authorising requests locally and liaising with IT Services.
- Third Party Access: all local or remote access to the Trinity Network or devices attached to the Trinity Network for any purpose.
- Trinity staff: all current registered employees (full-time and part-time) of Trinity College Dublin.
- Students: all currently registered students of Trinity College Dublin.
- Third Parties: any individual, group, contractor, vendor or agent not registered as a Trinity staff member or student who is granted access to the Trinity network or to Trinity systems or Trinity data.
- Software: any operating system, application, database or other IT system that is used to collect, process or store data in an electronic format.
- Trinity Information: any data pertaining to Trinity staff, students or activities, and any data collected by Trinity or by other bodies on behalf of the University.
- Personal Information: data pertaining to any living individual which is subject to the General Data Protection Regulation.
- Sensitive data: financial data, sensitive teaching or research data, or personal data.