Information Technology (IT) Regulations
Policy Statement

The School is committed to the responsible use of IT resources, ensuring that our facilities are used safely, legally, and fairly. Our IT Regulations apply to all users, including students, staff, and affiliates, and cover hardware, software, data access, and network use. These guidelines promote ethical use, safeguard digital assets, and support our educational and operational goals.

Principles

  • Respect: Respecting the rights of all users and the integrity of the IT systems.
  • Accountability: Holding users accountable for their actions on the School's IT infrastructure.
  • Security: Ensuring the security of IT systems against unauthorised access and malicious threats.
  • Privacy: Protecting the privacy of personal and institutional data.
  • Fair Access: Providing equal and fair access to IT resources for all users.
  • Legality: Using IT facilities in compliance with relevant laws and regulations.
  • Responsibility: Encouraging users to be responsible and considerate in their use of IT services.
  • Ethics: Promoting ethical behaviour in the use of IT resources.
  • Efficiency: Using IT resources in an efficient and cost-effective manner.
  • Education: Providing information and education on safe and effective IT usage.
  • Sustainability: Encouraging sustainable use of IT resources.
  • Continuous Improvement: Regularly updating IT policies to keep pace with technological advancements and emerging risks.

Regulatory Context

This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:

  • UK Government, Data Protection Act 2018: Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects.
  • Office for Students (OfS), Regulatory Notices and Advice: Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements.
  • Quality Assurance Agency (QAA), The Quality Code: This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.
  • Quality Assurance Agency (QAA), Advice - Learning and Teaching.
  • Information Commissioner's Office (ICO), Guide for higher education institutions: Provides guidance for higher education providers on their obligations under data protection law.
  • JISC (Joint Information Systems Committee), Digital Infrastructure Guidelines: Guidelines for universities and colleges in the UK on how to manage their digital infrastructure.

Violations of IT Policy and Regulations

Rule: Actions for Breaches and Violations

The School will take all lawful measures to protect and restore the security of its IT facilities, including data, hardware, and software. Any breach of IT regulations or related provisions will be addressed through the School’s processes, which may include disciplinary action. The School may access IT facilities for investigation as permitted by law. Penalties for breaches may include withdrawal of services, disciplinary action, legal enforcement, or termination of contracts for third parties. Offensive materials will be removed, and any suspected unlawful activity will be reported to the police or relevant enforcement agencies. The School will also report breaches of third-party regulations to the relevant organisation and recover any costs incurred due to infringements.

These measures ensure the security and integrity of the School's IT resources and compliance with regulations. They also provide a framework for addressing breaches effectively and recovering any associated costs, thereby maintaining a secure and lawful IT environment.

Rule: Limitation of Liability

Subject to any liability the School cannot exclude or limit by law, the School is not liable for any loss or damage arising from the use or withdrawal of its IT facilities, including data and equipment.

This rule specifies that, except where the law requires otherwise, the School is not responsible for any losses or damages resulting from the use or removal of its IT facilities.

Cyber Security

Rule: Cyber Security Best Practices

All users must adhere to cyber security best practices at all times. When creating passwords, use strong password guidelines. If available, register for and utilise 2-factor authentication. Change your password immediately if you suspect it has been compromised. Avoid using the same password or pattern across multiple sites. Never leave logged-in computers unattended, and ensure you log out properly when finished. If using a password manager, do not log in on School IT equipment. Report any suspected security incidents or compromises involving your credentials, device, data, or IT facilities to dataprotection@lsi.ac.uk immediately.

Following these practices helps protect against unauthorised access and potential security breaches. Strong passwords and 2-factor authentication enhance security, while immediate reporting of potential compromises ensures timely responses to security incidents.

Usage Rules and Legal Requirements for IT Resources

Rule: IT Facilities Usage and Compliance

The School’s IT facilities include:

  • Hardware and software provided by the School (e.g., PCs, laptops, tablets, smartphones, printers, operating systems, web browsers, online services).
  • Software or online services arranged by the School (e.g., special deals for students on commercial application packages).
  • Data provided or accessed through the School (e.g., online journals, data sets, citation databases).
  • Network access provided by the School (e.g., Wi-Fi, Ethernet, mobile).
  • IT credentials issued by the School (e.g., School login or other tokens).

All use of these facilities is subject to external and internal regulations, including data protection, copyright, and defamation laws, as well as School policies.

Users must read, understand, and adhere to these regulations fully. Ignorance of the law does not excuse unlawful conduct. When accessing services from abroad, users must comply with both local and English laws, alongside School regulations. For third-party online services, users should follow the respective terms and conditions, whether accessed directly, through the School, or via agreements like those with Jisc. Violations of law or third-party regulations will be considered breaches of these IT regulations.

This rule ensures that all users of the School’s IT facilities are aware of their obligations under various legal and institutional provisions. It aims to protect privacy, security, and integrity while minimising risks. Compliance with both local and international laws, as well as third-party terms, is essential for maintaining lawful and ethical use of IT resources.

Maintaining IT System Integrity

Rule: Maintaining IT Infrastructure Integrity

Users must not compromise the IT infrastructure's integrity. Specifically, you must not:

  • Damage, reconfigure, or move equipment.
  • Risk damaging the infrastructure by being careless with food or drink near computers.
  • Load software onto School equipment unless authorised.
  • Reconfigure or connect equipment to the network, such as adding Wi-Fi access points or repeaters.
  • Set up servers or services on the network, including game servers, file-sharing services, or websites.
  • Deliberately or recklessly introduce malware.
  • Attempt to disrupt or bypass IT security measures.

Additionally, users must:

  • Take all reasonable precautions to avoid introducing malware.
  • Keep anti-virus software up to date and active, and perform regular scans of your computer.

These rules are in place to protect the IT infrastructure from damage and security breaches. Adhering to these guidelines ensures that the School’s IT systems remain secure and operational.

Oversight and Recording of IT Facility Utilisation

Rule: Monitoring and Logging of IT Facility Use

The School monitors and logs IT facility usage for the following reasons:

  • Ensuring the effective operation of IT facilities.
  • Managing School activities during employee absences.
  • Addressing data subject requests.
  • Detecting, investigating, or preventing misuse or breaches of School regulations.
  • Investigating alleged misconduct.
  • Complying with legal and audit requirements, including PCI-DSS and Prevent Duty.
  • Meeting lawful requests from law enforcement or government agencies for crime detection, investigation, or national security.

For further details, contact the authority mentioned in these regulations.

Monitoring and logging are conducted to maintain the integrity of IT operations, ensure compliance with laws and regulations, and support the School's operational and security needs.

Rule: Monitoring of IT Facilities

Users must not monitor IT facility usage without explicit authorisation from the Chief Technology Officer. This prohibition includes:

  • Monitoring network traffic
  • Discovering network devices
  • Capturing WiFi traffic
  • Installing key-logging or screen-grabbing software that affects other users
  • Accessing system logs, servers, or network equipment

Unauthorised monitoring can compromise system security and user privacy. Only those with proper authority may perform such actions to ensure compliance and protect the integrity of the IT facilities.

Safeguarding IT Authentication Details

Rule: Protection of IT Credentials

To access IT facilities, users must protect their IT credentials, which may include usernames, passwords, email addresses, smart cards, or other identity hardware issued by the School.

Follow these guidelines to safeguard your credentials:

  • Never write them down or store them in unprotected files.
  • Do not disguise or hide your real identity when using IT facilities.
  • Do not share your credentials with anyone. No one is authorised to ask for your password.

Do not attempt to impersonate others, obtain or use someone else's credentials, or corrupt or destroy anyone else’s credentials.

These measures are crucial for maintaining security and preventing unauthorised access to IT facilities. Protecting your credentials helps ensure that only authorised users can access resources and prevents identity fraud and misuse.

Securing Sensitive and Confidential Information

Rule: Protection of Sensitive and Confidential Information

Under the Data Protection Act, all users (staff, students, etc.) must protect sensitive or confidential information. This includes:

  • Records with personally identifiable information (PII) such as student records, personnel records, medical records, disciplinary records, and recruitment records.
  • Commercially sensitive information or intellectual property of the School, such as exam papers, research documentation, etc.
  • Sensitive information from third parties provided to the School for specific purposes.

If your role involves handling such information, familiarise yourself with relevant legislation, data and cyber protection regulations, and School policies, such as the Research Ethics and Governance Code of Practice. Adhere to all provisions to ensure the confidentiality and protection of this information.

Safeguarding sensitive and confidential information is essential to prevent financial, reputational, emotional, or other types of damage. Compliance with data protection laws and School policies helps maintain the integrity and security of protected information.

Rule 1: Device Security and Management

All devices used to access protected data must:

  • Have a password, PIN, biometric, or other secure access mechanism upon startup.
  • Be set to sleep or hibernate within 15 minutes of inactivity and require re-authentication upon waking.
  • Not have security codes revealed to others unless required by a legal investigation.
  • Not be shared unless designated as a shared device by the School.
  • Be secured against loss or theft; report any loss or theft immediately to your line manager and the IT Service Desk. The IT Service Desk will then remotely erase all School-related data if possible.
  • Be returned to your line manager for a reset if the device is to be replaced or is no longer needed, to ensure all settings and data are deleted.

These measures protect sensitive data by ensuring devices are secured and managed appropriately. Immediate reporting of lost or stolen devices and proper handling of device returns help mitigate risks associated with data breaches and unauthorised access.

Rule 2: Secure Use of School Devices

  • Do not connect School-owned devices to unsecured or unknown Wi-Fi networks. Ensure the network name is correct and not a misleading imitation (e.g., 'Eduroam' rather than '_!Eduroam').
  • Avoid working in public locations where your screen is visible and refrain from discussing confidential information in public.
  • Always lock your computer or device when left unattended, even briefly.
  • Do not access protected information on personal devices or any device not provided by the School, as these may not be free from malware and could retain sensitive data in their history.

These practices protect sensitive information by ensuring devices are used securely and privately, reducing the risk of unauthorised access and data breaches.

Rule 3: Encryption of Protected Information

  • Always encrypt protected information before sending it electronically.
  • Send the encryption key through a separate channel, such as SMS.

Encrypting information ensures its security during transmission, while using a different channel for the encryption key prevents unauthorised access and enhances overall data protection.

Rule 4: Storage and Handling of Protected Information

  • Do not store protected information on removable or portable devices (e.g., laptops, tablets, smartphones, USB sticks) unless encrypted. Keep the encryption key secure and out of sight when not in use.
  • Avoid storing protected information in personal cloud services (e.g., Dropbox, Google Drive) not provided by the School.
  • Do not leave confidential paper documents on desks overnight. Lock them away when not in use.
  • Collect printed documents immediately. Shred paper with protected information when no longer needed.

These measures protect sensitive information from unauthorised access and loss, ensuring compliance with data protection regulations and maintaining the confidentiality and security of School data.

Rule: Compliance with Data Protection Policy

Please consult the School's Data Protection Policy for comprehensive information on the legal and regulatory requirements that must be followed. Adhere to all stipulations set out in the policy to ensure compliance with data protection laws and other relevant regulations.

The Data Protection Policy outlines the necessary legal and regulatory standards, ensuring that all practices conform to the law and protect sensitive information appropriately.

Copyright, Resources, and Publishing Information

Rule: Publishing Information Regulations

To publish information, all users must adhere to the School’s regulations and policies, including these IT regulations. If you have any questions, consult the authority mentioned in these IT regulations.

Specifically:

  • Do not make statements that purport to represent the School without written approval from the Marketing Department.
  • Do not publish information on behalf of third parties using the School's IT facilities without approval from the Director of Operations.

These guidelines ensure that any representation of the School is authorised and accurate, while also regulating the use of IT facilities for publishing third-party content. This maintains the integrity and proper use of the School's digital resources.

Rule: Copyright and Licensing Compliance

Infringement of copyright or violation of software licences is strictly prohibited. Users must comply with copyright and licensing regulations when using the School's electronic resources. It is essential to familiarise yourself with the specific regulations from the respective providers.

Almost all published works are protected by copyright. Just because material (such as images, text, music, or software) is accessible online does not mean you can use it freely. You are responsible for ensuring that you have the right to use copyrighted material.

For any doubts or questions regarding copyright or licensing, consult the authority mentioned in these IT regulations.

This rule ensures that users respect intellectual property rights and adhere to legal requirements, thus avoiding legal issues and promoting ethical use of resources.

Rule: Access to and Handling of Information

Users must not access, delete, modify, or disclose information belonging to others without their consent or written permission from the School’s Data Protection Officer. For any questions, contact the authority mentioned in these regulations.

Certain exemptions apply:

  • Access by IT or Compliance Staff: Authorised IT or compliance staff may access private information under specific circumstances defined by institutional or legal processes.
  • Information Retrieval: If a School employee who created or manages information is unavailable, the department head may request the retrieval of the information. Care must be taken to avoid accessing private data or compromising account security.

This rule safeguards personal and sensitive information, ensuring it is accessed and handled appropriately while allowing for necessary exceptions under strict conditions.

Rule: Use of Library and Licensed Resources

Users must adhere to the licensing and usage conditions for the School's library and other resources. Specifically:

  • Do not share licensed materials with anyone other than authorised users.
  • Do not upload content from licensed materials to social media sites.
  • Do not alter or create new versions of licensed materials without permission.
  • Do not tamper with copyright notices in licensed materials.
  • Do not use licensed materials for commercial purposes.
  • Do not extensively or systematically download, reproduce, or distribute licensed materials.

The School may update its terms of use without prior notice. Continued use of the library and resources after changes signifies acceptance of the new terms. The School is not liable for misuse of its resources. If you violate copyright or licensing regulations and the School faces a claim, you must indemnify the School. Breaching these terms may result in suspension or exclusion from using the library and other resources.

These rules ensure proper use of the School’s licensed resources, protect against misuse, and establish clear responsibilities for users. They also safeguard the School from legal claims related to copyright and licensing violations.

Oversight and Accountability for IT Compliance

Rule: Responsibility for IT Regulations

The Chief Technology Officer is responsible for these regulations and may delegate this authority to others.

This rule clarifies that the Chief Technology Officer oversees compliance with these regulations but can assign this responsibility to other individuals if necessary.

Proper Utilisation of IT Resources

Rule: Restrictions on IT Facilities Usage

The School’s IT facilities are provided to support School work. Personal or third-party use of these facilities must be avoided. The School disclaims any liability for issues arising from such use.

This rule ensures IT facilities are used strictly for School-related purposes, protecting the School from liability and ensuring compliance with legal and licensing requirements. It also clarifies that data sharing may occur under specific circumstances, reinforcing responsible usage and adherence to regulations.

Rule: IT Access and User Responsibilities

Users of the School’s IT facilities are provided access through usernames, passwords, security keys, and tokens. These credentials are for individual use only and must not be shared unless explicitly authorised. Access to the School's Online Library and electronic resources is restricted to authorised users, who must not share their access credentials. Attempting to use IT facilities without proper authorisation may be a legal offence under the Computer Misuse Act. For any doubts about authorised use, contact servicedesk@lsi.ac.uk.

This rule ensures that access to IT facilities is restricted to authorised individuals, protecting the School’s resources and complying with legal requirements. It emphasises the importance of not sharing credentials and provides guidance on where to seek clarification, thus promoting responsible use and security.

Rule: Responsible Use of IT Facilities

The School’s IT facilities must be used reasonably, lawfully, and with proper etiquette. Abusive, inconsiderate, discriminatory, or similar behaviour will not be tolerated and may result in enforcement action.

Specifically, do not:

  • Cause undue offence, concern, or annoyance to others.
  • Create or transmit defamatory, fraudulent, obscene, or offensive material.
  • Send spam or unsolicited bulk emails.
  • Interfere with others' legitimate use of IT facilities.
  • Occupy specialist facilities unnecessarily if others need them.
  • Recklessly consume excessive IT resources, such as processing power, bandwidth, or paper.
  • Create, download, store, or transmit unlawful, indecent, offensive, threatening, or discriminatory material.

This rule ensures that IT facilities are used in a respectful and lawful manner, protecting the rights and needs of all users. It helps prevent misuse of resources and promotes a positive and secure IT environment.

Protocols for Reporting IT Security Issues

Rule: Security Incidents and Weaknesses

A security incident is any event that breaches these regulations or information protection procedures. A security weakness could lead to an incident if not addressed.

Prompt reporting is essential to address and resolve security issues, prevent potential breaches, and maintain the integrity of the IT systems.

Rule: Reporting Security Incidents and Weaknesses

Report any security incident or weakness immediately to management upon becoming aware or suspicious of it. This includes any concerns about breaches or vulnerabilities.

Immediate reporting is crucial to address and mitigate risks associated with security breaches or weaknesses, preventing potential harm and ensuring the safety of IT systems.

Rule: What to Report

Such incidents and weaknesses include not only obvious thefts but also the following examples:

  • Breaches of Confidentiality:
    • Accessing information you should not (e.g. payroll details).
    • Finding personal information in an unsecured email attachment.
    • Losing or having a laptop, phone, or access badge stolen.
    • Discovering confidential papers on an unattended desk or printer in a public area.
    • Finding an open window or unset alarm upon arriving at the office.
  • Breaches of Integrity:
    • Noting incorrect records in a database.
    • Discovering that a file on the shared drive will not open.
    • Finding that paper records are missing from their expected location.
  • Breaches of Availability:
    • Encountering an unavailable system or application.
    • Being unable to find important information, such as a contract.

This list is not exhaustive.

Reporting all types of security incidents and weaknesses, including those not immediately obvious, helps protect the School’s information and systems from potential harm and ensures a timely response to mitigate any risks.

Rule: Where to Report

Report any suspected breach immediately to dataprotection@lsi.ac.uk. Provide as much detail as possible about what you have observed.

Prompt reporting of suspected breaches allows for a quick response to address and mitigate potential risks, protecting the School’s data and systems.

Guidelines for Social Media Content Publication

Rule: Social Media Use and School Reputation

While the School supports freedom of speech and expression, users should consider the following before posting on social media:

  • Think carefully before publishing: Social media is public and content may be permanently visible. Once posted, it cannot be removed.
  • Follow standard rules: All posted content must adhere to the same rules and laws as other published materials, including confidentiality, intellectual property, and defamation laws.
  • Avoid damaging the School's reputation: Association with the School is easily visible online. Ensure that any opinions or comments are clearly personal and avoid posting anything offensive, derogatory, inappropriate, abusive, discriminatory, or harassing.

These guidelines help maintain the School's reputation and ensure that social media use aligns with legal and ethical standards.

Metrics and KPIs

The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations.

  • Hardware Failure Rate: Record the number of hardware failures per 100 devices annually and aim to reduce this rate by 5% each year. Assesses the reliability of hardware and helps improve maintenance and replacement strategies.
  • Incident Response Time: Track the average time taken to respond to IT security incidents from the moment they are reported. Target response time of 1 hour or less. Rapid response minimises potential damage and demonstrates effective incident management.
  • Percentage of IT Helpdesk Tickets Resolved: Measure the percentage of IT helpdesk tickets resolved within the defined service level agreement (SLA) timeframe. Target 90% resolution rate. Reflects the efficiency of IT support and impacts user satisfaction.
  • Software Update Compliance: Monitor the percentage of IT systems with up-to-date software and security patches. Target 100% compliance. Keeps systems secure from known vulnerabilities and ensures software integrity.
  • User Training Completion Rate: Monitor the percentage of users who complete mandatory IT security and compliance training annually. Target 100% completion rate. Ensures that all users are informed about IT policies and best practices, reducing the risk of non-compliance.