Learning Academy Partnership (South West)
Achieving Excellence for All

Ilsham Church of England Academy, Ellacombe Academy and Little Stars Childcare Centre

Computer Security Policy

Agreed by Senior Executive Team November 2013
Date for Review November 2016

Contents of the policy

Document Change Control
Policy Statement
Purpose of the Policy
Scope of Policy
E-mail - User Responsibility
Internet – User Responsibility
General Security – User Responsibility
Monitoring
Monitoring of E-mail Usage
Monitoring of Internet Usage
Monitoring of Access to and Data Stored on the Network
Monitoring Against Virus and Hacking
Appendix 1 – Glossary of Terms
Appendix 2 – Examples of violations
Appendix 3 – Legal Requirements & User Links
Appendix 4 – Standard School Disclaimer

Learning Academy Partnership (SW) November 2013

This Policy will be subject to change as a result of innovations in technology, changes in legislation, business need, and any best practice advice. Any change will be communicated through normal channels i.e. email, staff news etc. Employees are responsible for maintaining their awareness of this Policy.

This Policy will be published and held in the academy offices and maintained on the Learning Academy Partnership (South West) computer system. If employees print a copy of this or related policies, it is their responsibility to ensure that they are referring to the current version of the policy.

Contact Information

Policy Schools contact for ICT services is the IT Manager.
Advice / Notification Issue | Contact | Contact Details
Concerns regarding virus etc | IT Helpdesk | hhelpdesk@ellacombe.torbay.sch.uk
Concerns regarding monitoring, investigation and any queries regarding this policy | Audit & Efficiency | Business Manager@ellacombe.torbay.sch.uk
Concerns regarding breach of policy by other employees | Whistleblowing | Business Manager

Policy Statement

Observance of this policy is mandatory and forms part of the terms and conditions of employment. Misuse of the facilities will be treated as a disciplinary matter and may lead to dismissal and/or criminal prosecution. The Learning Academy Partnership (LAP) accepts no liability for any loss you may suffer as a result of personal use of ICT equipment. In order to ensure compliance, this policy is available from the academy offices and electronically; it will be available as part of the appointment and induction process and via regular all staff emails.

The Learning Academy Partnership SW is committed to the use and development of information technology as an important part of providing efficient services and effective communication to its staff, pupils and partners. Learning Academy Partnership SW provides you with access to various computing, telephony and postage facilities to allow you to undertake the responsibilities of your position and to improve internal and external communication.

Purpose of the policy

This policy and associated guidelines are intended to help you make the best use of the computer resources at your disposal. The objective of this policy is to protect users from inappropriate use of technology, to ensure the security of computer systems, the availability, confidentiality and security of information and to minimise the impact of computer and information security incidents. It is also intended to set out good practice for communicating, storing and retrieving information.
The purpose of this policy is to ensure that users of the Learning Academy Partnership SW IT infrastructure utilise it in accordance with the Partnership’s business objectives and values. It sets out the user’s responsibilities and potential liability when using the facilities, the monitoring policies adopted by the LAP, and guidance on how to use the facilities. It should be noted that this policy is not a definitive statement of the purposes for which the LAP facilities must not be used; all staff must conduct themselves at all times in a trustworthy and appropriate manner so as not to discredit or harm the LAP, its staff or pupils.

The policy has been created to ensure compliance with all applicable laws, protect the LAP and the users from the risk of financial loss and the loss of reputation or libel and to ensure that the facilities are not used so as to cause harm or damage to any person or organisation.

When using the computer resources you should understand the following:

- You must protect the data and information for which you are responsible. Security is everyone's responsibility – information is an asset.
- Use the resources at your disposal only for the benefit of Learning Academy Partnership (South West); they must not be used for personal gain.
- Understand that you are accountable for what you do on the system. Your activity may be monitored.
- Understand that your password is your responsibility. If you provide it to another party, then this is at your risk and you should change it immediately if you think it has been compromised. Passwords should also be changed as a matter of routine (monthly is a good guide).
- If you observe anything unusual, tell the Business Manager, the Academy Head or Executive Headteacher.
- If you discover a breach of this policy, it is your duty and responsibility to notify the Business Manager, the Academy Head or Executive Headteacher to enable appropriate action.
(Refer to Contact Information on page 3).

When using the LAP’s computer systems you should comply with the user responsibility procedures detailed in this policy. However, these should be read in conjunction with all other policies, procedures, legislation and linked documents as detailed within this policy. Attached at Appendix 3 are examples of legislation that apply in the UK for your information.

It is important that you read this document carefully and understand your responsibilities contained within it. If there is anything that you do not completely understand, it is your responsibility to obtain an explanation from your Manager.

Note: All (internal and external) internet and email activity is monitored both electronically and by nominated individuals as necessary.

The LAP reserves the absolute right to revoke or review email and internet access at its complete discretion and to withdraw equipment, email or internet facilities from any user to whom this policy applies.

Scope of the Policy

This Policy applies to, and will be made accessible to, everyone using or having access to the LAP’s IT equipment or facilities. Granting of access is subject to agreement to comply with this policy, forms part of an employee’s rights and responsibilities and should be read before using any of the LAP’s IT equipment or facilities.

Access to the IT facilities including internet and email will be provided by the LAP’s IT Services following the completion of fully completed and authorised documentation. This will grant the user an allocated user account and password. Using the allocated account and password is taken as a statement of understanding and willingness to comply with the policy and will be deemed as consent to the monitoring of email, internet and workstations (refer to the Monitoring section in this policy).
Controlled use of the IT infrastructure relies on a combination of responsible behaviour by users and the implementation of security features by IT management and system operators.

The following is not an exhaustive list but is an indication of those covered by the policy:

All permanent and temporary employees (including casual, seasonal and sessional workers) of the LAP will be required to comply with the provisions of this policy as a condition of their employment. Any breach of this policy will be dealt with through the Learning Academy Partnership (South West)’s Disciplinary Procedures.

Additionally, the following groups will also be required to comply with the policy; however, it is the responsibility of the engaging officer or body to ensure that they are fully aware of the policy requirements:

- Agency employees
- Contractors
- Consultants
- Workers engaged on a self employed basis to work for or on behalf of the LAP
- LAP directors
- Volunteers
- Students on work placement
- Other individuals accessing or using LAP IT equipment and facilities

This policy applies to the use of all LAP equipment, including, but not limited to:

- Local, inter-office, national and international, private or public networks (including the internet and intranet) and all systems and services accessed through those networks
- Desktop, portable, mobile computers or any item with computer functionality, and applications (including items such as iPhones and iPads).
- Electronic mail and messaging services.

Email – User Responsibility

This policy sets out the general rules for the use of the Learning Academy Partnership (South West) email system. Email and other electronic information systems will reduce the need for paper-based communication. The LAP makes available email systems for use by authorised users and encourages the appropriate use of email as an alternative to paper-based and verbal communication.
Email Usage

- Your inbox needs to be checked regularly (at least once daily)
- Email should be replied to promptly or out of office used
- Always include a meaningful subject line in your message
- Always check the address line before sending an email message to ensure you are sending it to the right person
- Delete email messages from your inbox when they are no longer required
- Large attachments should be saved in a relevant folder before deleting the email message containing them. This reduces the storage requirements of the email system.
- Respect the legal protections to data and software provided by copyright and licences i.e. when attaching to your message
- Internet email is not a secure medium of communication. It can be intercepted and read. Do not use it to say anything you would not wish to be made public. If you are sending confidential or sensitive information (i.e. personnel employment related information, personal / sensitive client information and commercially sensitive data) by email this should be sent using appropriate security i.e. password protection / encryption etc
- Take care not to express views which could be regarded as defamatory or libellous or could be considered to denigrate, insult, ridicule, intimidate, bully or harass another person
- Be careful what you write. Never forget that email and written correspondence are not the same as conversation. They are a written record and can be duplicated at will
- Do remember that all email messages are subject to disclosure as necessary in respect of the Data Protection Act and Freedom of Information Act. You should therefore only keep messages for a valid reason and store them appropriately to ensure easy retrieval
- Do not forget that emails and other forms of correspondence should maintain the high standards expected by the LAP
- Consider font and format when writing an email message.
Excessive capitalisation, large font and garish colours may appear to the reader as aggressive
- Be aware of cultural and social diversities – what may appear acceptable to one person may not be to another – know your audience
- Check your grammar and spelling as such errors may appear unprofessional
- Do not print electronic mail messages unless absolutely necessary i.e. if there is a requirement to retain a hard copy. But do keep a permanent record of an email containing information that may be needed for evidential purposes. Remember, not printing helps save the environment
- Where possible, other people’s comments or observations should be communicated verbatim by using the ‘threading’ capability of email i.e. using Reply and Forward options so that message history is retained (do not quote comments or observations from other people as a quote may be taken out of context).
- Do not forward chain mail
- Where the originator has specifically stated that the email remains confidential or confidentiality is implicit through the email nature and content, do not forward the email to any other parties without the permission of the originator
- Do not attempt to read, delete, copy or modify email without prior consent. Alteration of the source of electronic mail, message or posting is unethical and may have legal implications. You should be aware that a message forwarded to you could have been modified; therefore, where deemed necessary, confirm content with the originator
- Before leaving Learning Academy Partnership (South West)’s employment / ceasing use of LAP equipment users should unsubscribe from any business email distribution listings that they have subscribed to and delete any personal emails in their account.
(Please refer to the LAP’s leaving procedures)
- Limited personal use of email is permitted providing it does not conflict with business priorities and/or work routines; however, use for the purpose of trading or carrying out any business activity other than LAP business is strictly prohibited.
- Do not use your LAP email address for non-work related activities such as subscribing to flyers, alerts, gambling or making personal purchasing or any activity that could result in the inadvertent commitment of the Learning Academy Partnership (South West) to a contract or agreement
- The use of email for incidental and occasional personal purposes is permitted for convenience but should not be used for private confidential correspondence due to the inability of the monitoring software to distinguish between business and personal/private content and the inherent insecure nature of email
- Where personal emails are sent using the LAP email address, the email should make it apparent to the intended recipient that the message is sent by the user in their personal capacity not in their capacity as a representative of the LAP
- Be aware that due to the monitoring methods employed, any stored or retained emails will be subject to monitoring, thus this may include personal email sent / received through the LAP email account.
- All electronic mail originating, arriving or in transit through any electronic mail system belonging to the LAP is the property of the LAP
- The conditions applying to business use, as defined as appropriate for teaching and learning, should be followed in respect of personal use
- Do not send unnecessary non-business related messages by electronic mail
- Do not participate in chain or pyramid messages or similar schemes i.e. ‘for profit’ messages, junk mail or mail to multiple groups
- Do not send excessively large electronic mail messages or attachments (where possible use another form of media i.e.
removable storage or by sending links to a document if it’s internal and accessible to the recipient)
- The sending and receiving of non LAP related images e.g. jpeg, mpeg, gif etc. using your LAP email account is not permissible
- Do not represent yourself as another person or forge or attempt to forge electronic mail messages i.e. spoofing / phishing
- Do not use electronic mail to send or forward material that could be construed as confidential, commercially sensitive, of an illegal / terrorist nature, political, obscene, threatening, offensive, defamatory, libellous or damaging to the LAP’s reputation or may be considered by others to cause distress, sexual, racial or other harassment or discrimination
- LAP owned data that is not in the public domain must not be sent in either the body or as an attachment to an email without the express consent of your line manager. This includes personal contact details of pupils and staff
- Inform the IT Technician immediately of any unusual occurrence i.e. suspicion of a virus within a received mail
- If you receive any malicious or offensive email you should retain the item in your inbox and contact IT Technician/Business Manager
- If you receive any material or email which has been wrongly delivered, return the message to sender and do not retain it
- All email messages generated should include the LAP’s standard disclaimer prominently so that it draws the recipient’s attention to the existence of the disclaimer

All electronic mail activity may be monitored and logged. All electronic mail coming into or leaving the LAP is scanned electronically for viruses and all the content of electronic mail is scanned for inappropriate / unauthorised material, including SPAM. Further firewalls are in operation to support this control.

If training is required on the use of the LAP’s email system then discuss your requirements with the Business Manager and the IT Technician.
It is your responsibility to ensure that you receive sufficient training to enable you to utilise the LAP’s email system securely and effectively.

If you are in any doubt about an issue affecting the use of electronic mail you should consult the Business Manager or IT Technician.

Any breach of the Learning Academy Partnership (South West) Computer Security Policy may lead to disciplinary action and/or criminal prosecution.

Internet - User Responsibility

The Internet is a rich information resource and is provided by the LAP to facilitate access to good practice resource and relevant information to support and improve the efficient and effective delivery of teaching and learning and services to our customers / clients. Access is given to users where there is a recognised teaching or business need and is also provided for limited personal use (see below).

The LAP accepts no responsibility for protecting any personal information that has been entered on its equipment. In particular, employees must ensure that they log off from any shared workstations at the end of their session. The LAP reserves the right to terminate the facility without notice.

Internet Usage

- All users must ensure that they are sufficiently trained in order to effectively and efficiently use the service provided
- Limited personal use of the internet is permitted providing it does not conflict with the working of the LAP; however, use for the purpose of trading or carrying out any business activity other than LAP business is strictly prohibited.
- Do not use your LAP email address for non-LAP related activities such as subscribing to flyers, alerts, gambling or making personal purchasing
- Use of chat sites / chat rooms / instant messaging is not an acceptable means for business communications.
Access to known sites will be blocked, however this may be subject to review and filtering if found to be contrary to educational need
- The downloading of Software including MP3 Music files, Video images, “Freeware” or “Shareware” or any evaluation Software is not permissible unless approved by the Business Manager/ IT. This is to ensure that any software downloaded is not incompatible with the existing software and so that neither you nor the LAP is in contravention of any UK copyright laws, i.e. you can only download such items where approved as appropriate by IT and as a requirement of your post and thus education related or implicitly allowed through this policy
- Exercise caution when downloading any material from the internet due to risk of virus infection. If you are in any doubt about the site do not download the material but contact IT Technician first
- Do check that any information you access on the internet is accurate, complete, valid and current
- Respect the legal protections to data and software provided by copyright and licences i.e. when downloading information
- Users must not access any unsuitable material that is not filtered
- Do inform the Business Manager/ IT immediately of any unusual occurrence i.e. intentional or unintentional access to an inappropriate site, any changes to your PC format / operation following access to the internet
- Do not view, download, store, post, transmit or host via a webpage (including weblogs – ‘Blogs’) text or images which are considered to be of a confidential nature or contain material of a pornographic, obscene, racist, sexist, discriminatory, or otherwise offensive, defamatory, libellous or damaging to the LAP’s reputation or of an extreme political nature, or which incites violence, hatred or any illegal or terrorist activity, or may constitute harassment or threat.
Such use is strictly prohibited
- Do not download copyright protected software from the internet and install it upon the LAP’s computer equipment including any type of removable storage media. This should be restricted through administrator rights
- Do not use the LAP’s computers to make or attempt to make unauthorised entry into any other computer or network i.e. hacking
- Do not attempt to gain unauthorised access to the LAP’s network from remote systems
- Do not represent yourself as another person when using the internet or forge or attempt to forge electronic mail messages i.e. spoofing / phishing

Note: All users’ internet activity may be monitored and logged and will be reported to line managers. All internet activity is scanned for viruses and content is scanned for inappropriate / unauthorised material.

If you are in any doubt about an issue affecting the use of the internet you should consult the I.T. Technician.

Any breach of the LAP’s Computer Security Policy may lead to disciplinary action and/or criminal prosecution.

General Security – User Responsibility

General Security

- Only authorised or LAP owned equipment may be plugged into the LAP’s network. Authorisation should be sought from Business Manager/ I.T. Technician
- Do not take any unauthorised, deliberate action which damages or disrupts / crashes the network, hardware, software or alters its normal performance or causes it to malfunction.
- When leaving the office at the end of the day ensure you have logged off your workstation and where appropriate, shut down your PC
- When leaving the office temporarily, or if you are working on sensitive information, either log off your system or use a password protected screensaver
- Remember that challenging people about their business in your academy, if they look as though they do not belong there, is also going to help security of the network and academy
- Wherever possible, reasonable steps must be taken to ensure that all IT equipment i.e. hardware (including laptops, removable storage such as data sticks, disks, CDs), software and data contained thereon are kept secure (e.g. password protection, encryption etc)
- Equipment, data or software should only be taken off site with appropriate authorisation. Appropriate measures must be taken to ensure the security of equipment, data or software during transportation.
- Never leave any equipment or data including pupil and other sensitive files, laptops, computer equipment, mobile phones, iPads, removable storage media etc unattended / insecurely stored. Especially ensure that all valuable and easily transportable electronic equipment, e.g. laptops, CD players, are locked away if not in use.
- Do not allow any unauthorised person to use the LAP’s equipment and or software i.e. when using laptops etc at home
- Exercise caution when consuming food or drink near to computer equipment
- If your PC is attached to the network, store your files on the network drives to ensure they are automatically backed up
- If your PC is not on the network (i.e. stand-alone or laptop) you are responsible for taking regular backups. Advice is available from your IT support.
- Do ensure that all important data is backed up regularly
- Do make sure that on every occasion when bringing memory sticks, disks and other media in to the LAP that they are checked as much as possible for viruses and inappropriate software before use
- Do inform I.T. immediately if you think that your workstation may have a virus or you discover any mechanical, electronic or software defects / malfunctions. Repairs and servicing of equipment must only be carried out by authorised personnel
- Do choose a password that would be hard to guess i.e. alpha numeric, mixed case, use of symbols / characters etc
- Do not write down your password
- Do not share or disclose your password. You are responsible for keeping it secure
- Users are solely responsible for all actions, including email and internet, taken while their user ID is in use
- Access to areas of the network is implicit through user profiles linked to your role and security permissions for folders and files; however, do not delete, examine, copy or modify files and or data belonging to other users without authorisation
- Where possible protect your screen from unauthorised view, particularly in public areas
- Do not use shareware (software downloaded from the Internet or on PC magazine covers)
- Upon the request of the LAP at any time, and for any reason, you may immediately be requested to return any equipment and all software to the LAP
- Do not duplicate or copy software or system files on any LAP equipment
- Software installed by the IT technician should only be removed (i.e.
uninstalled) from LAP equipment, by them
- The copyright and intellectual property rights to all computer software developed by Learning Academy Partnership (South West) employees using the LAP’s software or hardware belong to the LAP
- Users should be aware that the LAP retains intellectual property rights to all material / information that is created by employees of the LAP as part of their work or stored on LAP owned equipment whilst using the LAP’s IT resources
- Do not install any software or hardware on your equipment or alter its configuration; this work may only be undertaken by the I.T. technician and will be subject to appropriate licence, compatibility and virus checks. Permission may be set for staff to research and trial software, but the licensing agreement for such software must be regularly observed if installed for trial purposes
- All hardware for disposal must be returned to the I.T. Technician who will arrange to securely dispose of it
- Do not subvert, or attempt to subvert any system that controls or monitors access to a computer system including the internet and email service, remote control software, lockdown software, anti-virus software etc
- Limited personal use of the LAP’s workstations is permitted providing it does not conflict with business priorities and/or work routines and any activities are in compliance with this policy; however, use for the purpose of trading or carrying out any business activity other than LAP business and the saving of any data to the Network is strictly prohibited

Note: Logins to, and use of the LAP’s network are monitored.

Any breach of the LAP’s Computer Security Policy may lead to disciplinary action and/or criminal prosecution.

Monitoring

Understand that you are accountable for what you do on the system. Your activity may be monitored. You are also the first and principal line of monitoring pupils’ use of ICT.
Please watch carefully what they are doing, to ensure that their use of ICT is appropriate at all times.

The objective of this section of the document is to provide protection for both the LAP and any users of the LAP’s IT equipment or facilities through stating clear guidance on how monitoring the use of internet and email will be undertaken.

The LAP recognises the importance of an individual’s privacy but needs to balance this against the requirement to protect others and preserve the integrity and functionality of the facilities.

The LAP may adopt at any time a number of methods to monitor use of the facilities. The primary responsibility for monitoring internet and email activity is the pupils. However, as a matter of routine network usage will be monitored on a regular basis by IT support staff. Where cause of concern is discussed, monitoring will be undertaken at the direction of the Executive Headteacher or their representative.

Internet and email activity is logged and stored. The LAP reserves the right to retrieve the contents of the messages / material for the purpose of investigating any potential misuse or to comply with any legal / contractual obligation.

You are advised not to store personal messages on the LAP’s network. Any personal messages stored on either the network or any LAP IT resource may be subject to any monitoring / investigative activity.

The LAP will not (unless required by law) allow third parties to monitor the facilities or disclose information obtained by such monitoring of the facilities to third parties. The LAP may be prohibited by law from notifying users of a disclosure to third parties.

Monitoring of Email Usage

The email system is LAP property and the LAP reserves the right to monitor and to access any email messages for legitimate purposes, such as an investigation or complaints of misuse.
Contents and audit logs for both sent and received email may be inspected (including personal email) at any time without notice by IT support staff.

Further levels of investigation may be authorised by the Executive Headteacher or their representative as appropriate. Appropriate authorisation must always be obtained when access to a user inbox is required in line with appropriate legislation. Primarily access to an inbox is only obtained where absolutely necessary such as a business need in the event of unforeseen staff absence or where an investigation warrants such access.

All email, whether personal or business related, may be monitored.

Other organisations may have different policies on email. Some consider it is the property of the organisation, and thus subject to examination, copying or forwarding. Be aware of this possibility when sending emails.

Automatic Monitoring – Executable files and images sent by email will be isolated automatically using specialist filtering software. Similarly, Spam will be isolated to reduce the unnecessary traffic on the LAP’s network. The recipient is automatically notified of the isolation to facilitate the release of the message as deemed appropriate.

Isolating emails with .exe, image or Spam content using filtering systems and virus scanning can never be 100% effective so any unsolicited emails / attachments should always be treated with caution. Similarly an email may be incorrectly marked as infected or deemed to contain an inappropriate image and therefore some emails could be blocked unnecessarily. A system exists to enable users to track their email and request release of those items inappropriately blocked.

Monitoring of Internet Usage

The Internet facility is LAP property and the LAP reserves the right to monitor, access and view an individual’s use of the Internet for legitimate purposes, such as audit, security or investigations of complaints of misuse.
All internet activity, whether personal or business related, may be monitored. Internet activity is routinely logged through monitoring software via the South West Grid.

When considering the Internet and Email monitoring procedures, account has been taken of the European Convention on Human Rights (ECHR), The Human Rights Act 1998 (HRA), The Data Protection Act 1998 (DPA), the Freedom of Information Act 2000 (FOI), and the Regulation of Investigatory Powers Act 2000 (RIPA), Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regs). Guidance issued by the Office of the Information Commissioner in June 2003 has also been taken into account.

Monitoring of Access to and Data Stored on the Network

The LAP utilises comprehensive firewall protection products as part of its access controls to the network. The firewall can log and thus monitor external access to the LAP’s network i.e. both authorised (Citrix / VPN) and unauthorised attempts to gain access.

Despite your use of a network ID and associated password, the LAP reserves the right to override your password and obtain access to any part of the facilities. This would only be undertaken in line with the relevant legislation.

To maintain performance of the network in terms of capacity, I.T. will monitor data files (types and sizes) and where appropriate and following consultation will take action to increase storage capacity through removal of any such files.

Monitoring Against Virus and Hacking

The LAP operates a number of anti-virus (AV) methods whereby the AV software is pushed out to the user’s PC through AVG, so that the user’s PC is ‘forced’ to accept an update to the AV software. This ensures that each PC / Server is operating the latest version. This software will therefore minimise the risk of a threat such as viruses, Trojan horses, worms etc from corrupting the network.
Executable files carry a high risk of containing these types of threats and as such any email containing an executable file is automatically isolated using the Email filtering software (refer to monitoring of email usage on pages 18 to 19).

In addition to the AV software the LAP also utilises firewalls which control access to the network through a rule base which defines the types of traffic that are permissible (i.e. that the firewall will allow through) and those that are not (i.e. that the firewall will drop), hence minimising the risk of successful external hacking attempts and such like.

The LAP also utilises an HTTP and FTP anti virus product which scans browser based threats i.e. when using the internet. If a threat is identified the user is notified.

Appendix 1
Glossary of Terms

General

Must: Means that any failure to comply is a serious breach of the policy.
LAP: Refers to Learning Academy Partnership (South West)
Document: Refers to either one or more electronic files used to record information in a loosely structured format.
Should: Means that compliance is strongly recommended but non compliance may be acceptable in exceptional circumstances.

IT Specific

Account: May refer either to your School email address i.e. admin@ilsham-primary.torbay.sch.uk or admin@ellacombe.torbay.sch.uk or your School network log on ID.
Electronic Mail: Covers all communications stored electronically including email, voicemail and items transmitted via facsimile.
Internet: The Internet is defined as access to data provided on any computer external to the LAP’s networks by means of a browser tool, either via an internet service provider or via an e-mail
Network: Ilsham or Ellacombe network
Data: Any form of information
Database: Refers to either one or more electronic files used to record information in a highly structured format.
Computer System: Refers to any combination of computer hardware, computer software and data that can be considered a discrete system.
PC: Personal Computer
ICT / IT / IS: All references to information technology services.
Executable files: Primarily relates to a ‘program’ requiring either physical installation or download
Virus: Takes many forms, but essentially something that may corrupt the operation / data of the PC and/or network
Remote: Refers to anything outside of the LAP’s IT Network
User ID: Refers to your LAP network log on ID
Phishing: The act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Spoofing: Forging an email to make it appear as if it came from somewhere or someone other than the actual source
Downloading: Installing executable files, images, media etc directly from the internet or other downloadable source
Criminal Prosecution: Legal action through the criminal justice system
Access: Right of entry
Password: Secret code known only to the user, used in conjunction with ID’s
User: Any person having access to the LAP’s IT facilities
SPAM: Click on link to Learning Academy Partnership (South West) Page http://intranet/index/structure/performance/audit/scam_spam_advice.htm
Workstation: Refers to any desktop, portable or palm top PC
PDF: It’s a file format which cannot be edited (Portable Document Format)
Disciplinary Procedures: Refers to Learning Academy Partnership (South West)’s adopted Disciplinary policy

Appendix 2
Examples of violations

Throughout this policy document, there are reminders to users that ‘Any breach of the LAP’s Computer Security Policy may lead to disciplinary action and/or criminal prosecution’; the list below provides examples of the activity which could lead to such action.
However, please note that the list is not exhaustive and any known instances of inappropriate user activity will be investigated and considered in terms of this policy and the LAP’s Disciplinary Procedures.

1. Sharing passwords or acquiring another user’s password. Pupils should not have access to staff passwords or new areas, under any circumstances.
2. Unauthorised accessing, using, copying, modifying, or deleting of files, data, user ID’s, access rights, usage records or disk space allocation.
3. Accessing resources for purposes other than those for which the access was originally issued, including inappropriate use of authority
4. Copying or capturing licensed software for use on a system by an individual for which the software is not authorised or licensed.
5. Causing a computer failure through an intentional attempt to ‘crash the system’ or through the intentional introduction of a programme that is intended to subvert a system, such as a worm, virus, Trojan horse etc
6. Intentional obscuring or forging of the date, time, physical source, logical source, or other header information of a message or transaction
7. Interception of transmitted information without prior written authorisation
8. Failure to protect one’s account from unauthorised use
9. Inappropriate internet or email usage

Appendix 3
Legal Requirements and Useful Links

The contents of any e-mail sent either externally or internally or the content of any electronic information accessed or otherwise obtained from the internet must comply with the laws and regulations applicable in the United Kingdom. They are generally charged to protect both the individual user and the LAP. These include the following legislation.
Copyright Designs & Patents Act 1988
The Law of Libel www.lawteacher.net/TortPages/Tort14.htm
Libel Act 1843
Libel Act 1845
Law of Libel Amendment Act 1888
The Human Rights Act 1998
Data Protection Act 1998 http://www.informationcommissioner.gov.uk/
Freedom of Information Act 2000 http://intranet/policies/foi/index.htm, http://www.informationcommissioner.gov.uk/eventual.aspx?id=33
Computer Misuse Act 1990, http://www.homeoffice.gov.uk/crime/internetcrime/compmisuse.html#1
The Defamation Acts 1952 and 1996, Obscene Publications Act 1964, www.lawteacher.net/TortPages/Tort14.htm
Sex Offences Act 2003
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regs)
Protection of Children Act 1978 and the Criminal Justice Act 1988
Race Relations Act 1976 and Race Relations (Amendment) Act 2000
The Disability Discrimination Act 1995
Special Educational Needs and Disability Act 2001
The Consumer Protection (Distance Selling) Regulations 2000
Public Order Act 1986

Useful Links

Federation Against Software Theft (FAST) http://www.fast.org.uk/
Reporting of offensive / illegal websites / emails to the Internet Watch Foundation www.iwf.org.uk

The listing above does not remove any rights under existing or future legislation and is not exclusive, with each user responsible for ensuring that they act responsibly and within the legal restraints of the United Kingdom.

Other LAP policies such as the LAP’s Document Retention Policy, Disciplinary procedures, the Prevention of Harassment and Bullying Policy, and Single Equality Policy should also be considered.

Appendix 4
Standard School Disclaimer

For efficient use of Outlook it is recommended that the auto signature option be utilised for both internal and external email and should include the following where applicable:

Your Name
Your contact details i.e. School email address, telephone number
Your job title
The School address
A basic Disclaimer (for the purposes of internal mail). Proposed wording: Information in this message is confidential and may be legally privileged. If you are not the intended recipient, please notify the sender and please delete the message from your system immediately.

All external emails will also include a more comprehensive standard School disclaimer (see note 2 below), however due to the size and complexity of the disclaimer our email management software inputs the disclaimer automatically at the end of your outgoing email message, and will also automatically add reference at the beginning of the email so as to notify the recipient(s) of the disclaimer’s existence (see note 1 below).

Note 1 – Notification to recipients of School Disclaimer

This will be added at the beginning of each email you send externally:

Please read the School’s email disclaimer notification which is located at the end of the email message.

Note 2 – Standard School Disclaimer (added automatically to all external outgoing emails):

Please note...

Information in this message is confidential and may be legally privileged. If you are not the intended recipient, please notify the sender and please delete the message from your system immediately. The views in this message are personal; they are not necessarily those of Learning Academy Partnership (South West) School.

Learning Academy Partnership (South West) School has taken reasonable precautions to ensure no viruses are present in this email. The School cannot accept responsibility for any loss or damage arising from the use of this email or any attachments.

Unless otherwise explicitly stated above no employee or agent is authorised to conclude any binding agreement on behalf of Learning Academy Partnership (South West) School with any other party by email.
Likewise, unless otherwise explicitly stated, nothing in this email should be taken as agreement to enter any binding contract for the supply of goods or services.

Senders and recipients of email should be aware that under the UK Data Protection and Freedom of Information legislation these contents may have to be disclosed in response to a request.

Under the Regulation of Investigatory Powers Act 2000, Lawful Business Practice Regulations, any E-mail sent to or from this address may be accessed by someone other than the recipient for system management and security purposes.

The following details case law which supports the requirement to ensure that any such disclaimer is prominently displayed and draws the recipient’s attention to the existence of the disclaimer i.e. a message at the commencement of the email.

Specht vs. Netscape 306 F.3d: the decision found that the licence agreement was not prominent enough on Netscape’s website – “Over the fold” i.e. the users had to scroll down to read it. Following this case it was declared that unless terms and conditions were prominent they would not apply as users did not have reasonable notice. The case is applied to hyper linked disclaimers and non prominent written disclaimers. Indeed it is often agreed as best practice to put the disclaimer at the front of the e-mail.

Policy Feedback

Should you have any comments regarding this policy, please address them to the Directors via the Business Administrator at kbarnett@ellacombe.torbay.sch.uk

History of Policy Changes

This policy was first agreed by directors of the Learning Academy Partnership (South West) on 17 January 2013

Date    Page    Details of Change    Agreed by: