POLICY: Information Technology - Information Technology (IT) Regulations POLICY URL: https://lsi-ac.uk/policy/f34d4c6a-5d98-4b9b-94b5-8b521196c0fe POLICY STATEMENT: The School is committed to the responsible use of IT resources, ensuring that our facilities are used safely, legally, and fairly. Our IT Regulations apply to all users, including students, staff, and affiliates, and cover hardware, software, data access, and network use. These guidelines promote ethical use, safeguard digital assets, and support our educational and operational goals. POLICY PRINCIPLES: ------------------ - Respect : Respecting the rights of all users and the integrity of the IT systems; - Accountability : Holding users accountable for their actions on the School's IT infrastructure; - Security : Ensuring the security of IT systems against unauthorised access and malicious threats; - Privacy : Protecting the privacy of personal and institutional data; - Fair Access: Providing equal and fair access to IT resources for all users; - Legality : Using IT facilities in compliance with relevant laws and regulations; - Responsibility : Encouraging users to be responsible and considerate in their use of IT services; - Ethics : Promoting ethical behaviour in the use of IT resources; - Efficiency : Using IT resources in an efficient and cost-effective manner; - Education : Providing information and education on safe and effective IT usage; - Sustainability : Encouraging sustainable use of IT resources; - Continuous Improvement : Regularly updating IT policies to keep pace with technological advancements and emerging risks. REGULATORY CONTEXT: ------------------ This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following: R1. Information Commissioner's Office (ICO): Guide for higher education institutions - Provides guidance for higher education providers on their obligations under data protection law. R2. Quality Assurance Agency (QAA): Advice - Learning and Teaching - R3. UK Government : Data Protection Act 2018 - Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects R4. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality. R5. Office for Students (OfS): Regulatory Notices and Advice - Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements. R6. JISC (Joint Information Systems Committee): Digital Infrastructure Guidelines - Guidelines for universities and colleges in the UK on how to manage their digital infrastructure. METRICS AND KPIS: ------------------ The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations: M1. Hardware Failure Rate: Record the number of hardware failures per 100 devices annually and aim to reduce this rate by 5% each year. Assesses the reliability of hardware and helps improve maintenance and replacement strategies. M2. Incident Response Time: Track the average time taken to respond to IT security incidents from the moment they are reported. Target response time of 1 hour or less. Rapid response minimises potential damage and demonstrates effective incident management. M3. Percentage of IT Helpdesk Tickets Resolved: Measure the percentage of IT helpdesk tickets resolved within the defined service level agreement (SLA) timeframe. Target 90% resolution rate. Reflects the efficiency of IT support and impacts user satisfaction. M4. Software Update Compliance: Monitor the percentage of IT systems with up-to-date software and security patches. Target 100% compliance. Keeps systems secure from known vulnerabilities and ensures software integrity. M5. User Training Completion Rate: Monitor the percentage of users who complete mandatory IT security and compliance training annually. Target 100% completion rate. Ensures that all users are informed about IT policies and best practices, reducing the risk of non-compliance. SECTION 1: Usage Rules and Legal Requirements for IT Resources ------------------ 1.1. IT Facilities Usage and Compliance (by All Staff and Students): The School’s IT facilities include:; Hardware and software provided by the School (e.g., PCs, laptops, tablets, smartphones, printers, operating systems, web browsers, online services); Software or online services arranged by the School (e.g., special deals for students on commercial application packages); Data provided or accessed through the School (e.g., online journals, data sets, citation databases); Network access provided by the School (e.g., Wi-Fi, Ethernet, mobile); IT credentials issued by the School (e.g., School login or other tokens); All use of these facilities is subject to external and internal regulations, including data protection, copyright, and defamation laws, as well as School policies; Users must read, understand, and adhere to these regulations fully. Ignorance of the law does not excuse unlawful conduct. When accessing services from abroad, users must comply with both local and English laws, alongside School regulations. For third-party online services, users should follow the respective terms and conditions, whether accessed directly, through the School, or via agreements like those with Jisc. Violations of law or third-party regulations will be considered breaches of these IT regulations; This rule ensures that all users of the School’s IT facilities are aware of their obligations under various legal and institutional provisions. It aims to protect privacy, security, and integrity while minimising risks. Compliance with both local and international laws, as well as third-party terms, is essential for maintaining lawful and ethical use of IT resources. SECTION 2: Proper Utilisation of IT Resources ------------------ 2.1. Restrictions on IT Facilities Usage (by All Staff and Students): The School’s IT facilities are provided to support School work. Personal or third-party use of these facilities must be avoided. The School disclaims any liability for issues arising from such use; This rule ensures IT facilities are used strictly for School-related purposes, protecting the School from liability and ensuring compliance with legal and licensing requirements. It also clarifies that data sharing may occur under specific circumstances, reinforcing responsible usage and adherence to regulations. 2.2. IT Access and User Responsibilities (by All Staff and Students): Users of the School’s IT facilities are provided access through usernames, passwords, security keys, and tokens. These credentials are for individual use only and must not be shared unless explicitly authorised. Access to the School's Online Library and electronic resources is restricted to authorised users, who must not share their access credentials. Attempting to use IT facilities without proper authorisation may be a legal offence under the Computer Misuse Act. For any doubts about authorised use, contact servicedesk@lsi.ac.uk; This rule ensures that access to IT facilities is restricted to authorised individuals, protecting the School’s resources and complying with legal requirements. It emphasises the importance of not sharing credentials and provides guidance on where to seek clarification, thus promoting responsible use and security. 2.3. Responsible Use of IT Facilities (by All Staff and Students): The School’s IT facilities must be used reasonably, lawfully, and with proper etiquette. Abusive, inconsiderate, discriminatory, or similar behaviour will not be tolerated and may result in enforcement action; Specifically, do not:; Cause undue offence, concern, or annoyance to others; Create or transmit defamatory, fraudulent, obscene, or offensive material; Send spam or unsolicited bulk emails; Interfere with others' legitimate use of IT facilities; Occupy specialist facilities unnecessarily if others need them; Recklessly consume excessive IT resources, such as processing power, bandwidth, or paper; Create, download, store, or transmit unlawful, indecent, offensive, threatening, or discriminatory material; This rule ensures that IT facilities are used in a respectful and lawful manner, protecting the rights and needs of all users. It helps prevent misuse of resources and promotes a positive and secure IT environment. SECTION 3: Safeguarding IT Authentication Details ------------------ 3.1. Protection of IT Credentials (by All Staff and Students): To access IT facilities, users must protect their IT credentials, which may include usernames, passwords, email addresses, smart cards, or other identity hardware issued by the School; Follow these guidelines to safeguard your credentials:; Never write them down or store them in unprotected files; Do not disguise or hide your real identity when using IT facilities; Do not share your credentials with anyone. No one is authorised to ask for your password; Do not attempt to impersonate others, obtain or use someone else's credentials, or corrupt or destroy anyone else’s credentials; These measures are crucial for maintaining security and preventing unauthorised access to IT facilities. Protecting your credentials helps ensure that only authorised users can access resources and prevents identity fraud and misuse. SECTION 4: Securing Sensitive and Confidential Information ------------------ 4.1. Protection of Sensitive and Confidential Information (by All Staff and Students): Under the Data Protection Act, all users (staff, students, etc.) must protect sensitive or confidential information. This includes:; Records with personally identifiable information (PII) such as student records, personnel records, medical records, disciplinary records, and recruitment records; Commercially sensitive information or intellectual property of the School, such as exam papers, research documentation, etc; Sensitive information from third parties provided to the School for specific purposes; If your role involves handling such information, familiarise yourself with relevant legislation, data and cyber protection regulations, and School policies, such as the Research Ethics and Governance Code of Practice. Adhere to all provisions to ensure the confidentiality and protection of this information; Safeguarding sensitive and confidential information is essential to prevent financial, reputational, emotional, or other types of damage. Compliance with data protection laws and School policies helps maintain the integrity and security of protected information. 4.2. 1. Device Security and Management (by All Staff and Students): All devices used to access protected data must:; Have a password, PIN, biometric, or other secure access mechanism upon startup; Be set to sleep or hibernate within 15 minutes of inactivity and require re-authentication upon waking; Not have security codes revealed to others unless required by a legal investigation; Not be shared unless designated as a shared device by the School; Be secured against loss or theft; report any loss or theft immediately to your line manager and the IT Service Desk. The IT Service Desk will then remotely erase all School-related data if possible; Be returned to your line manager for a reset if the device is to be replaced or is no longer needed, to ensure all settings and data are deleted; These measures protect sensitive data by ensuring devices are secured and managed appropriately. Immediate reporting of lost or stolen devices and proper handling of device returns help mitigate risks associated with data breaches and unauthorised access. 4.3. 2. Secure Use of School Devices (by All Staff and Students): Do not connect School-owned devices to unsecured or unknown Wi-Fi networks. Ensure the network name is correct and not a misleading imitation (e.g., 'Eduroam' rather than '_!Eduroam'); Avoid working in public locations where your screen is visible and refrain from discussing confidential information in public; Always lock your computer or device when left unattended, even briefly; Do not access protected information on personal devices or any device not provided by the School, as these may not be free from malware and could retain sensitive data in their history; These practices protect sensitive information by ensuring devices are used securely and privately, reducing the risk of unauthorised access and data breaches. 4.4. 3. Encryption of Protected Information (by All Staff and Students): Always encrypt protected information before sending it electronically; Send the encryption key through a separate channel, such as SMS; Encrypting information ensures its security during transmission, while using a different channel for the encryption key prevents unauthorised access and enhances overall data protection. 4.5. 4. Storage and Handling of Protected Information (by All Staff and Students): Do not store protected information on removable or portable devices (e.g., laptops, tablets, smartphones, USB sticks) unless encrypted. Keep the encryption key secure and out of sight when not in use; Avoid storing protected information in personal cloud services (e.g., Dropbox, Google Drive) not provided by the School; Do not leave confidential paper documents on desks overnight. Lock them away when not in use; Collect printed documents immediately. Shred paper with protected information when no longer needed; These measures protect sensitive information from unauthorised access and loss, ensuring compliance with data protection regulations and maintaining the confidentiality and security of School data. 4.6. Compliance with Data Protection Policy (by All Staff and Students): Please consult the School's Data Protection Policy for comprehensive information on the legal and regulatory requirements that must be followed. Adhere to all stipulations set out in the policy to ensure compliance with data protection laws and other relevant regulations; The Data Protection Policy outlines the necessary legal and regulatory standards, ensuring that all practices conform to the law and protect sensitive information appropriately. SECTION 5: Cyber Security ------------------ 5.1. Cyber Security Best Practices (by All Staff and Students): All users must adhere to cyber security best practices at all times. When creating passwords, use strong password guidelines. If available, register for and utilise 2-factor authentication. Change your password immediately if you suspect it has been compromised. Avoid using the same password or pattern across multiple sites. Never leave logged-in computers unattended, and ensure you log out properly when finished. If using a password manager, do not log in on School IT equipment. Report any suspected security incidents or compromises involving your credentials, device, data, or IT facilities to dataprotection@lsi.ac.uk immediately; Following these practices helps protect against unauthorised access and potential security breaches. Strong passwords and 2-factor authentication enhance security, while immediate reporting of potential compromises ensures timely responses to security incidents. SECTION 6: Copyright, Resources, and Publishing Information ------------------ 6.1. Publishing Information Regulations (by All Staff and Students): To publish information, all users must adhere to the School’s regulations and policies, including these IT regulations. If you have any questions, consult the authority mentioned in these IT regulations; Specifically:; Do not make statements that purport to represent the School without written approval from the Marketing Team; Do not publish information on behalf of third parties using the School's IT facilities without approval from the Director of Technology; These guidelines ensure that any representation of the School is authorised and accurate, while also regulating the use of IT facilities for publishing third-party content. This maintains the integrity and proper use of the School's digital resources. 6.2. Copyright and Licensing Compliance (by All Staff and Students): Infringement of copyright or violation of software licences is strictly prohibited. Users must comply with copyright and licensing regulations when using the School's electronic resources. It is essential to familiarise yourself with the specific regulations from the respective providers; Almost all published works are protected by copyright. Just because material (such as images, text, music, or software) is accessible online does not mean you can use it freely. You are responsible for ensuring that you have the right to use copyrighted material; For any doubts or questions regarding copyright or licensing, consult the authority mentioned in these IT regulations; This rule ensures that users respect intellectual property rights and adhere to legal requirements, thus avoiding legal issues and promoting ethical use of resources. 6.3. Access to and Handling of Information (by All Staff and Students): Users must not access, delete, modify, or disclose information belonging to others without their consent or written permission from the School’s Data Protection Officer. For any questions, contact the authority mentioned in these regulations; Certain exemptions apply:; Access by IT or Compliance Staff : Authorised IT or compliance staff may access private information under specific circumstances defined by institutional or legal processes; Information Retrieval : If a School employee who created or manages information is unavailable, the Director may request the retrieval of the information. Care must be taken to avoid accessing private data or compromising account security; This rule safeguards personal and sensitive information, ensuring it is accessed and handled appropriately while allowing for necessary exceptions under strict conditions. 6.4. Use of Library and Licensed Resources (by All Staff and Students): Users must adhere to the licensing and usage conditions for the School's library and other resources. Specifically:; Do not share licensed materials with anyone other than authorised users; Do not upload content from licensed materials to social media sites; Do not alter or create new versions of licensed materials without permission; Do not tamper with copyright notices in licensed materials; Do not use licensed materials for commercial purposes; Do not extensively or systematically download, reproduce, or distribute licensed materials; The School may update its terms of use without prior notice. Continued use of the library and resources after changes signifies acceptance of the new terms. The School is not liable for misuse of its resources. If you violate copyright or licensing regulations and the School faces a claim, you must indemnify the School. Breaching these terms may result in suspension or exclusion from using the library and other resources; These rules ensure proper use of the School’s licensed resources, protect against misuse, and establish clear responsibilities for users. They also safeguard the School from legal claims related to copyright and licensing violations. SECTION 7: Maintaining IT System Integrity ------------------ 7.1. Maintaining IT Infrastructure Integrity (by All Staff and Students): Users must not compromise the IT infrastructure's integrity. Specifically, you must not:; Damage, reconfigure, or move equipment; Risk damaging the infrastructure by being careless with food or drink near computers; Load software onto School equipment unless authorised; Reconfigure or connect equipment to the network, such as adding Wi-Fi access points or repeaters; Set up servers or services on the network, including game servers, file-sharing services, or websites; Deliberately or recklessly introduce malware; Attempt to disrupt or bypass IT security measures; Additionally, users must:; Take all reasonable precautions to avoid introducing malware; Keep anti-virus software up to date and active, and perform regular scans of your computer; These rules are in place to protect the IT infrastructure from damage and security breaches. Adhering to these guidelines ensures that the School’s IT systems remain secure and operational. SECTION 8: Guidelines for Social Media Content Publication ------------------ 8.1. Social Media Use and School Reputation (by All Staff and Students): While the School supports freedom of speech and expression, users should consider the following before posting on social media:; Think carefully before publishing: Social media is public and content may be permanently visible. Once posted, it cannot be removed; Follow standard rules: All posted content must adhere to the same rules and laws as other published materials, including confidentiality, intellectual property, and defamation laws; Avoid damaging the School's reputation: Association with the School is easily visible online. Ensure that any opinions or comments are clearly personal and avoid posting anything offensive, derogatory, inappropriate, abusive, discriminatory, or harassing; These guidelines help maintain the School's reputation and ensure that social media use aligns with legal and ethical standards. SECTION 9: Oversight and Recording of IT Facility Utilisation ------------------ 9.1. Monitoring and Logging of IT Facility Use (by All Staff and Students): The School monitors and logs IT facility usage for the following reasons:; Ensuring the effective operation of IT facilities; Managing School activities during employee absences; Addressing data subject requests; Detecting, investigating, or preventing misuse or breaches of School regulations; Investigating alleged misconduct; Complying with legal and audit requirements, including PCI-DSS and Prevent Duty; Meeting lawful requests from law enforcement or government agencies for crime detection, investigation, or national security; For further details, contact the authority mentioned in these regulations; Monitoring and logging are conducted to maintain the integrity of IT operations, ensure compliance with laws and regulations, and support the School's operational and security needs. 9.2. Monitoring of IT Facilities (by All Staff and Students): Users must not monitor IT facility usage without explicit authorisation from the Director of Technology. This prohibition includes:; Monitoring network traffic; Discovering network devices; Capturing WiFi traffic; Installing key-logging or screen-grabbing software that affects other users; Accessing system logs, servers, or network equipment; Unauthorised monitoring can compromise system security and user privacy. Only those with proper authority may perform such actions to ensure compliance and protect the integrity of the IT facilities. SECTION 10: Protocols for Reporting IT Security Issues ------------------ 10.1. Security Incidents and Weaknesses (by All Staff and Students): A security incident is any event that breaches these regulations or information protection procedures. A security weakness could lead to an incident if not addressed; Prompt reporting is essential to address and resolve security issues, prevent potential breaches, and maintain the integrity of the IT systems. 10.2. Reporting Security Incidents and Weaknesses (by All Staff and Students): Report any security incident or weakness immediately to management upon becoming aware or suspicious of it. This includes any concerns about breaches or vulnerabilities; Immediate reporting is crucial to address and mitigate risks associated with security breaches or weaknesses, preventing potential harm and ensuring the safety of IT systems. 10.3. What to Report (by All Staff and Students): Such incidents and weaknesses include not only obvious thefts but also the following examples:; ; Breaches of Confidentiality :; Accessing information you should not (e.g. payroll details); Finding personal information in an unsecured email attachment; Losing or having a laptop, phone, or access badge stolen; Discovering confidential papers on an unattended desk or printer in a public area; Finding an open window or unset alarm upon arriving at the office; ; Breaches of Integrity :; Noting incorrect records in a database; Discovering that a file on the shared drive will not open; Finding that paper records are missing from their expected location; ; Breaches of Availability :; Encountering an unavailable system or application; Being unable to find important information, such as a contract; This list is not exhaustive; Reporting all types of security incidents and weaknesses, including those not immediately obvious, helps protect the School’s information and systems from potential harm and ensures a timely response to mitigate any risks. 10.4. Where to Report (by All Staff and Students): Report any suspected breach immediately to dataprotection@lsi.ac.uk. Provide as much detail as possible about what you have observed; Prompt reporting of suspected breaches allows for a quick response to address and mitigate potential risks, protecting the School’s data and systems. SECTION 11: Violations of IT Policy and Regulations ------------------ 11.1. Actions for Breaches and Violations (by Director of Technology ): The School will take all lawful measures to protect and restore the security of its IT facilities, including data, hardware, and software. Any breach of IT regulations or related provisions will be addressed through the School’s processes, which may include disciplinary action. The School may access IT facilities for investigation as permitted by law. Penalties for breaches may include withdrawal of services, disciplinary action, legal enforcement, or termination of contracts for third parties. Offensive materials will be removed, and any suspected unlawful activity will be reported to the police or relevant enforcement agencies. The School will also report breaches of third-party regulations to the relevant organisation and recover any costs incurred due to infringements; These measures ensure the security and integrity of the School's IT resources and compliance with regulations. They also provide a framework for addressing breaches effectively and recovering any associated costs, thereby maintaining a secure and lawful IT environment. 11.2. Limitation of Liability (by All Staff and Students): Subject to any liability the School cannot exclude or limit by law, the School is not liable for any loss or damage arising from the use or withdrawal of its IT facilities, including data and equipment; This rule specifies that, except where the law requires otherwise, the School is not responsible for any losses or damages resulting from the use or removal of its IT facilities. SECTION 12: Oversight and Accountability for IT Compliance ------------------ 12.1. Responsibility for IT Regulations (by Director of Technology ): The Director of Technology is responsible for these regulations and may delegate this authority to others; This rule clarifies that the Director of Technology oversees compliance with these regulations but can assign this responsibility to other individuals if necessary.