Information Security Policy : Responsibilities of Staff

The AU Information Security Policy Statement defines the objectives of the University in its approach to information security. This in turn places responsibilities on all users of the computer service, including individual members of staff, Heads of Departments[1], and those providing departmental server services. This present document describes in more detail the responsibilities of these groups.

Staff responsibilities

  1. Rules & Guidelines
    The University publishes Information Services Regulations together with a set of supporting Guidelines. The latest list can be found at:

    http://www.aber.ac.uk/en/is/about/regulations/

    When initially registering to use AU computing services all members of staff sign an undertaking that they will abide by these Regulations and Guidelines. It is their responsibility to take note of changes to this information, which are advertised in the weekly staff email, and from time to time to re-acquaint themselves with the latest versions.

  2. Email

    The University has a full Email Policy which must be complied with when using email. The Policy can be found at:

    Policy on the use of e-mail

  3. Protection against malicious software

    a. Virus detection and repair software must be installed and regularly updated on all staff PCs as advised by Information Services.

    b. Users should ensure that they are running the latest versions of applications (for example Word or QLx) and of the computer’s operating system (usually Microsoft Windows) as advised by Information Services and that updates released to counteract vulnerabilities are installed as soon as possible.

    c. Users should install software to detect and repair malicious exploitation as advised by Information Services.

    d. Where possible software firewalls should be enabled (a firewall checks that no information arriving at the PC from the network is of a type likely to endanger the working of the PC or the data on it).

    e. Email attachments and any files of uncertain origin (for example on a CD-ROM or copied across the network) should be checked for malicious software before use.

    For further information see:

    http://www.aber.ac.uk/en/is/regulations/security/

  4. User password management

    Users must ensure that passwords under their responsibility are kept confidential and not shared or recorded in a way that makes them accessible to unauthorised persons. Passwords should be changed annually or if there is a possibility that security has been compromised. Guidelines can be found at:

    http://www.aber.ac.uk/en/is/about/regulations/

  5. Clear screen policy

    Staff PCs should not be left unlocked when unattended. In particular, staff PCs should time out after a period of inactivity by means of a password-protected screen saver.

  6. Physical equipment security

    a. Offices and other areas containing computer equipment must be left in a secure state when unoccupied to guard against the risk of theft.

    b. University equipment containing sensitive data should not be taken off-site except under conditions agreed with Heads of Department, and must not be left unattended in public places.

    c. Home working should be subject to the same policy and controls on system access as working on site.

  7. Secure disposal or re-use of equipment

    The procedures laid out by the University for the secure disposal of PCs containing sensitive information must be followed. It is the responsibility of each member of staff to ensure that equipment under their responsibility has been checked, and that sensitive data and licensed software have been overwritten or physically destroyed, prior to handing the system over for disposal or re-use.

    AU policy on disposal can be found at: Waste Management and Recycling

  8. Software

    Software licensing requirements must be complied with, and only software that has been legally obtained can be used. Where a licence limits the number of copies that can be made, the users entitled to use it, or stipulates the location or category of machine that it can be installed on, staff must abide by this. Proof of licence ownership (e.g. licences, master disks, manuals) should be retained whenever possible. On leaving University employment any software licensed only to employees must be deleted.

    The AU licensing framework can be viewed at:

    http://www.aber.ac.uk/en/is/regulations/

  9. Reporting suspicious incidents

    If a member of staff encounters information or activity during their use of the AU computer service that gives them cause for concern they should report this using the University Security Incident Response Procedure explained at:

    http://www.aber.ac.uk/en/is/about/sirp/

  10. Data integrity and availability

    Users must ensure that the integrity of University electronic data under their control is maintained (for example by safeguarding against unauthorised alteration and by regular backing up) and that such data are passed on as necessary on leaving.

  11. Data Protection Policy

    The University has a full Data Protection Policy which must be complied with when handling personal data. It can be found at:

    Data Protection Policy

Responsibilities of Heads of Department

  1. Staff adherence to policy

    It is the responsibility of the Head of Department to set up departmental procedures to monitor that staff remain within the AU Information Security Policy.

  2. Staff leaving

    When a member of staff leaves the department the Head of Department is responsible for ensuring that any computer equipment discarded does not contain any sensitive data and any equipment passed on to another member of staff contains such data only insofar as it is necessary for the continued benefit of the department. They should also make sure that any data required for future use by the department or University is identified and transferred to an appropriate person.

  3. Software

    In sanctioning the purchase of software for departmental use, the Head of Department must ensure that the provisions of the licence are abided by.

  4. Authorising Users

    Heads of Department may be required to validate requests for specific individuals to have access to use Information Services systems or to access specific restricted data resources. In validating such requests, the Head of Department should be certain that the user has a valid need to have such access for the purpose of their work or study. The period of access requested should be appropriate, and the Head of Department should ensure that Information Services is informed of any change of circumstances whereby such access should be terminated.

Departmental responsibilities when running servers[2]

  1. Setting up the server

    Before ordering a server, departments must contact Information Services so that the requirement can be reviewed, checks can be made that security features are being satisfactorily specified, and other advice can be given.

  2. Physically secure areas

    Areas in which departmental servers processing critical or sensitive information are housed should be physically secured to prevent unauthorised access, damage or interference, with overall control achieved by conventional security procedures. Access to such areas should be controlled and restricted to authorised personnel only.

  3. Housekeeping

    Back-up copies of essential information and software should be taken regularly according to an appropriate schedule. Back-up media and restoration processes should be regularly checked to ensure that they are effective. Copies of backup media should be kept in a secure location away from the server area.

    Log files recording access to services and network traffic should be retained for the periods of time, and inspected under the controls, stipulated by the University.

  4. System Security

    Security issues must be identified and considered at an early stage when procuring or developing new information systems.

  5. Business Continuity Management

    Business continuity management aims to reduce disruption to the running of key information systems caused by, for example, natural disasters, accidents, equipment failures and deliberate actions. Plans, each with an identified owner, should be in place within a business continuity planning framework.

AU responsibilities

  1. Training

    The University will offer regular training in the main aspects of Information Security and the Regulations and Guidelines that support it to each of the groupings of staff identified in this document.

  2. Technical advice

    AU through Information Services will make qualified staff and online documentation available to support users in carrying out their responsibilities as outlined in this Policy.

  3. Changes to Regulations

    The University will contact staff by the most appropriate means to alert them to any changes to the Regulations or Guidelines. This will include use of the weekly email.

  4. Automated procedures

    Information Services on behalf of AU will identify areas in which automated procedures can be incorporated into its computing service to support staff responsibilities identified in this Policy (enforcing password changing is one example of this approach).

  5. Response to security incidents

    Information Services will operate the University Security Incident Response Procedure, including undertaking necessary actions to protect the integrity of the network and its availability to other users as described in:

    http://www.aber.ac.uk/en/is/about/sirp/

  6. Server support

    Information Services are able to provide advice on supporting departmental servers and, alternatively, to offer a service for housing and supporting servers.

Applicability and Enforcement

This Policy applies to all AU Information Users and those who use its facilities and information. Compliance with the Policy will be part of the contract of employment, a condition of Student Registration and part of the process granting others access to the facilities.

Failure to comply with the Information Security Policy could harm AU's ability to achieve its mission and security objectives, and damage the professional reputation of the establishment. It will, as the ultimate sanction, be treated as a disciplinary matter. The chair of the MIC will have overall responsibility for all decisions regarding the enforcement of this policy, utilising the legal sanctions or existing staff or student disciplinary procedures as appropriate.

See Also

Information Security Policy


Approved by the Executive 19/1/16

----------------------------------------------------------------

[1] 'Head of Department' includes Directors of Services and Registry Sections

[2] A Server is a computer system that provides services for other systems; Information Services run servers to provide facilities such as Email and the AU Web Service, and a number of departments run servers either in support of departmental activities or for specific research.