POLICY: Information Technology - Information Technology (IT) Infrastructure Management Policy

POLICY URL: https://lsi-ac.uk/policy/5bec7ce1-7ad5-42cb-b69b-aec11e5b4378

POLICY STATEMENT:
The School is committed to maintaining excellence in education and research through robust IT infrastructure management. This policy ensures the protection and continuous operation of IT systems, safeguarding assets and upholding data integrity, availability, and confidentiality. Our comprehensive risk management and IT Incident Response Plan align with industry best practices to effectively address and mitigate security incidents, protecting our academic community.

POLICY PRINCIPLES:
------------------
- Governance : Effective IT governance ensures accountability, aligns with institutional objectives, and supports strategic decision-making processes;
- Risk Management : Proactive identification, assessment, and mitigation of IT risks to prevent potential disruptions and data breaches;
- Compliance : Adherence to legal, regulatory, and policy requirements is non-negotiable to uphold data protection and privacy standards;
- Security : Implementation of comprehensive security measures to protect our digital assets from unauthorised access and cyber threats;
- Resilience : Ensuring the School's IT systems are robust and can recover quickly from any incident to minimise impact on operations;
- Training : Regular training programmes enhance staff and students' awareness and capabilities in identifying and responding to IT threats;
- Response : Rapid and effective action in the event of an IT incident to limit damage, restore services, and protect student interests with minimal delay;
- Communication : Clear and timely communication protocols for internal and external stakeholders during and after IT incidents;
- Review : Continuous improvement through regular review of the IT infrastructure and response plans, incorporating lessons learned from incidents;
- Collaboration : Fostering partnerships with external experts and industry leaders to stay at the forefront of IT infrastructure management and security best practices.

REGULATORY CONTEXT:
------------------
This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:

R1. UK Government : Data Protection Act 2018 - Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects.
R2. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.
R3. JISC (Joint Information Systems Committee): Digital Infrastructure Guidelines - Guidelines for universities and colleges in the UK on how to manage their digital infrastructure.
R4. Information Commissioner's Office (ICO): Guide for higher education institutions - Provides guidance for higher education providers on their obligations under data protection law.
R5. Quality Assurance Agency (QAA): Advice - Learning and Teaching -
R6. Office for Students (OfS): Regulatory Notices and Advice - Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements.

METRICS AND KPIS:
------------------
The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations:

M1. Disaster Recovery Plan Testing: Test the disaster recovery plan biannually, ensuring that recovery objectives are met in at least 95% of tests. Regular testing ensures that the disaster recovery plan is effective and that recovery procedures are well understood.
M2. Incident Response Time: Track the average time from incident detection to initial response, targeting under 30 minutes. Rapid response to incidents minimises potential disruption and mitigates impact on the academic community.
M3. Security Vulnerability Resolution Time: Measure the average time taken to address and resolve security vulnerabilities, aiming for resolution within 48 hours. Timely resolution of vulnerabilities reduces the risk of exploitation and maintains system security.
M4. System Uptime: Measure the percentage of time IT systems are operational and available to users each month, aiming for 99.9% uptime. High system uptime ensures continuous operation of IT services, essential for maintaining academic and administrative functions.

SECTION 1: Digital Infrastructure at the School
------------------
1.1. Technology Usage: The School uses technology, including its Automated Governance System (AGS), to support its services in the following ways:
- Students can view their personal timetables;
- They can access their Virtual Learning Environment (VLE), which contains programme and module content for flipped learning;
- Online books, journals, and other resources are available through the AGS;
- PAT and supervision logs are stored on the AGS;
- Surveys and feedback opportunities are managed through the AGS;
- Room and event bookings are handled by the system;
- School regulations and policies are accessible via the AGS.

The School recognises the critical role of its digital infrastructure in delivering services. By integrating IT management into its operations, including a comprehensive Response Plan, the School ensures effective and preventative IT infrastructure management.

SECTION 2: A. Oversight and Risk Mitigation
------------------
2.1. Digital Infrastructure Oversight (by CTO): The Chief Technology Officer (CTO) is responsible for overseeing the School's digital architecture. This includes:
- Preventing security breaches;
- Protecting digital assets;
- Maintaining system functionality;
- Ensuring operational continuity.

The CTO's oversight is crucial for safeguarding the School's digital infrastructure, ensuring it remains secure, functional, and resilient to disruptions. This comprehensive approach supports the effective and uninterrupted delivery of educational and administrative services.

2.2. IT Team Responsibilities and Reporting (by CTO): The dedicated IT Team, operating under the Chief Technology Officer (CTO), is responsible for:
- Providing 24/7 support;
- Routinely evaluating and checking the School’s systems for vulnerabilities;
- Using automated monitoring systems to receive alerts for any incidents;
- Diversifying systems and regularly backing up data to various cloud storage services;
- Managing system patches to ensure security and stability;
- Implementing security practices such as firewalls and detection systems, and conducting penetration tests;
- Training all staff and students in the use of School technology during their induction.

The IT Team reports to the CTO, who then reports to the Executive Committee and submits a formal IT infrastructure management report to the Audit Committee. The IT Team's comprehensive responsibilities ensure the School’s digital systems are secure, stable, and continuously monitored. Regular reporting to the CTO, Executive Committee, and Audit Committee maintains transparency and accountability in IT infrastructure management.

2.3. IT Infrastructure Risk Management (by CTO): IT infrastructure management is integrated into the School’s risk management system. The Chief Technology Officer (CTO) is responsible for monitoring the risk register, which includes:
- Assessing potential disruptions or malfunctions within the Academic Governance System (AGS), crucial for programme design, approval processes, and educational operations;
- Addressing risks from software glitches, security breaches, data corruption, or high traffic volumes that could impair educational services and institutional management.

The Risk Management Policy specifies that:
- Departmental directors, in collaboration with the Quality and Audit Committee, must regularly monitor and apply the risk register as part of their routine operations;
- Directors are required to report risks and mitigation strategies to the Executive Committee and the Quality and Audit Committee;
- The CTO must consider these risks, implement appropriate actions, and report to the relevant bodies. This process also supports capacity planning, with all reports ultimately going to the Board of Governors.

This rule ensures that IT infrastructure risks are systematically monitored and managed, reducing the likelihood of disruptions to the School’s operations. Regular reporting to the Executive Committee and Quality and Audit Committee ensures that risk management is integrated into overall governance and capacity planning.

2.4. IT Regulations and Compliance (by All staff and students): The School maintains comprehensive IT Regulations, accessible on the School’s website. All staff and students receive induction on these regulations upon joining. The IT Regulations state:
- Users must not compromise the integrity of the IT infrastructure by, for instance, deliberately or recklessly introducing malware or attempting to disrupt or bypass IT security measures.

Additionally, the Academic Governance System (AGS) Policy outlines appropriate use of the AGS. The CTO oversees these policies, ensures their implementation, and reports on their effectiveness. These regulations and policies ensure the secure and proper use of the School's IT infrastructure. By clearly defining acceptable behaviour and assigning responsibility to the CTO, the School aims to prevent security breaches and maintain the integrity of its IT systems.

SECTION 3: B. IT Incident Response Plan
------------------
3.1. IT Incident Response and Service Continuity: The School’s IT Incident Response Plan is designed to address IT incidents effectively. The primary goal of the plan is to minimise disruptions to students' learning and ensure the continued delivery of the School's services. This plan is crucial for swiftly managing IT incidents to minimise impact on educational activities and maintain operational continuity. By focusing on reducing disruptions, the School ensures that its services remain uninterrupted and students' learning experiences are protected.

3.2. Oversight and Activation of the IT Incident Response Plan (by CTO): The Chief Technology Officer (CTO) oversees the IT Incident Response Plan and initiates it by notifying the Board of Governors, the Quality and Audit Committee, and the Executive Committee about the incident. The President must then evaluate the severity of the incident and decide whether to proceed with the plan. Upon receiving authorisation from the President, the CTO will convene a Response Committee and enlist the assistance of relevant Executive Committee officers. This process ensures that the IT Incident Response Plan is managed effectively with clear communication and decision-making. The President’s involvement in authorising the response ensures that appropriate actions are taken based on the incident's severity, while the CTO's role in convening the Response Committee ensures that expertise is mobilised efficiently.

3.3. Response Committee Collaboration and Communication (by CTO): The Chief Technology Officer (CTO), as the chair, must collaborate with designated School teams to form the Response Committee. The committee will meet daily until the CTO reports to the Board of Governors, Audit Committee, and Executive Committee that the incident is resolved. The President will then formally declare the incident closed. This rule ensures that the Response Committee, led by the CTO, maintains consistent communication and oversight during an incident. Daily meetings allow for timely updates and coordinated efforts, while formal notifications to the governing bodies ensure all stakeholders are informed of the resolution and closure of the incident.

3.4. Roles and Responsibilities of Response Committee, including Continuity of Learning and Education Services (by CTO):
- CTO : The Chief Technology Officer (CTO) chairs the Response Committee;
- IT Team : Upon incident occurrence, the IT Team must assign at least one member to handle the incident exclusively. This member will investigate, contain the incident, oversee resolution, and report to the CTO. They will also act as the secretary, maintaining minutes and tracking actions;
- Marketing Team : The Marketing Team must designate at least one member to manage communications while the system is down. They will use backup systems to email and text stakeholders and students. Immediate updates on the incident's status and expected resolution time must be communicated via the website and social media. At least one update per day is required. The Marketing Team will provide contact details for students to direct all queries through them and maintain a record of all communications;
- Director of Education (DoE) : The DoE ensures minimal disruption to learning and teaching. The School maintains regular backups of the AGS, VLE, and course content on diverse servers, including cloud platforms. If a server fails, the School can switch to alternative servers. In cases of software or platform issues, physical and electronic copies of materials are kept updated for continuity. The School will use Google Classroom, Microsoft Teams, physical classrooms, video conferencing, its website, email, and post for ongoing education. Assessment Regulations may be adjusted during emergencies to maintain flexibility. The DoE will create and provide protocols to the CTO covering communication, timetables, staffing, content, delivery, assessments, and collaboration with external examiners and regulatory bodies. Daily updates will be provided to students through marketing messages, and the DoE will coordinate with lecturers to ensure consistent information;
- Wellbeing Team : The Wellbeing Team must assign at least one member to support student wellbeing during system outages. Contact information for the team will be provided to students. The team will implement a plan to maintain student support throughout the incident and is an essential part of the Response Committee.

This rule outlines clear responsibilities for each team involved in incident management, ensuring effective and coordinated responses. By defining roles, communication channels, and protocols, the School aims to minimise disruption, maintain continuity in learning, and ensure comprehensive support for students during IT incidents.

3.5. Review and Maintenance of the Response Plan (by CTO): The CTO is required to meet with the Heads of IT, Marketing, Wellbeing, and the Director of Education (DoE) at least twice each academic year to review and update the Response Plan. During these meetings, specific actions needed to keep the plan current will be assigned, and progress must be reported to the CTO. Regular testing of the plan will also be conducted. The CTO holds ultimate responsibility for the plan's effectiveness and must report its status to the Executive Committee and the Quality and Audit Committee. It is also the responsibility of all committee members to ensure their teams are trained on the plan. This approach ensures that the Response Plan remains up to date and effective through regular reviews, assigned actions, and testing. Regular reporting to senior committees guarantees oversight and accountability, while team training prepares staff to effectively execute the plan when needed.

3.6. Post-Incident Analysis and Reporting (by CTO): Following each incident, the CTO must conduct a root cause analysis to determine why the risk management and prevention systems failed. A detailed report outlining these findings must be prepared and submitted to the Executive Committee, Quality and Audit Committee, and the Board of Governors. This report will inform updates to the Response Plan, ensuring it remains a dynamic and effective document. This procedure ensures that each incident is thoroughly reviewed to identify system weaknesses and failures. The resulting report provides valuable insights for refining the Response Plan, promoting continuous improvement and strengthening the School’s resilience against future incidents.

SECTION 4: Incidents Short of the IT Incident Response Plan
------------------
4.1. Partial Activation of the Response Plan (by President): In instances where incidents do not necessitate full activation of the Response Plan, the President, as Chair of the Executive Committee, may authorise the CTO to undertake necessary actions under the Plan. This includes collaborating with School teams to maintain service continuity. The CTO must report directly to the President in these cases. This rule allows for a flexible response to incidents that do not require a full-scale activation, ensuring efficient use of resources and prompt action to maintain service continuity. Direct reporting to the President ensures clear communication and oversight during such situations.