6 Sutton Park Road, Sutton, SM1 2GD
Information Technology (IT) Infrastructure Management Policy
Policy Statement
The School is committed to maintaining excellence in education and research through robust IT infrastructure management. This policy ensures the protection and continuous operation of IT systems, safeguarding assets and upholding data integrity, availability, and confidentiality. Our comprehensive risk management and IT Incident Response Plan align with industry best practices to effectively address and mitigate security incidents, protecting our academic community.
Principles
- Governance: Effective IT governance ensures accountability, aligns with institutional objectives, and supports strategic decision-making processes.
- Risk Management: Proactive identification, assessment, and mitigation of IT risks to prevent potential disruptions and data breaches.
- Compliance: Adherence to legal, regulatory, and policy requirements is non-negotiable to uphold data protection and privacy standards.
- Security: Implementation of comprehensive security measures to protect our digital assets from unauthorised access and cyber threats.
- Resilience: Ensuring the School's IT systems are robust and can recover quickly from any incident to minimise impact on operations.
- Training: Regular training programs enhance the staff and students' awareness and capabilities in identifying and responding to IT threats.
- Response: Rapid and effective action in the event of an IT incident to limit damage, restore services, and protect student interests with minimal delay.
- Communication: Clear and timely communication protocols for internal and external stakeholders during and after IT incidents.
- Review: Continuous improvement through regular review of the IT infrastructure and response plans, incorporating lessons learned from incidents.
- Collaboration: Fostering partnerships with external experts and industry leaders to stay at the forefront of IT infrastructure management and security best practices.
Regulatory Context
This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:
Digital Infrastructure at the School
Type | Title | Detail
---|---|---
Advice | Technology Usage | The School uses technology, including its Automated Governance System (AGS), to support its services in the following ways: The School recognises the critical role of its digital infrastructure in delivering services. By integrating IT management into its operations, including a comprehensive Response Plan, the School ensures effective and preventative IT infrastructure management.
A. Oversight and Risk Mitigation
Type | Title | Detail
---|---|---
Rule | Digital Infrastructure Oversight | The Director of Technology is responsible for overseeing the School's digital architecture. This includes: The CTO's oversight is crucial for safeguarding the School's digital infrastructure, ensuring it remains secure, functional, and resilient to disruptions. This comprehensive approach supports the effective and uninterrupted delivery of educational and administrative services.
Rule | IT and AGS Team Responsibilities and Reporting | The dedicated IT and AGS Team, operating under the Director of Technology, is responsible for: The IT and AGS Team reports to the Director of Technology, who then reports to the Executive Committee and submits a formal IT infrastructure management report to the Quality, Compliance, and Audit Committee. The IT and AGS Team's comprehensive responsibilities ensure the School's digital systems are secure, stable, and continuously monitored. Regular reporting to the CTO, Executive Committee, and Quality, Compliance, and Audit Committee maintains transparency and accountability in IT infrastructure management.
Rule | IT Infrastructure Risk Management | IT infrastructure management is integrated into the School's risk management system. The Director of Technology is responsible for monitoring the risk register, which includes: The Risk Management Policy specifies that: The Director of Technology must consider these risks, implement appropriate actions, and report to the relevant bodies. This process also supports capacity planning, with all reports ultimately going to the Board of Governors. This rule ensures that IT infrastructure risks are systematically monitored and managed, reducing the likelihood of disruptions to the School's operations. Regular reporting to the Executive Committee and Quality, Compliance, and Audit Committee ensures that risk management is integrated into overall governance and capacity planning.
Rule | IT Regulations and Compliance | The School maintains comprehensive IT Regulations, accessible on the School's website. All staff and students receive induction on these regulations upon joining. The IT Regulations state: Additionally, the Academic Governance System (AGS) Policy outlines appropriate use of the AGS. The Director of Technology oversees these policies, ensures their implementation, and reports on their effectiveness. These regulations and policies ensure the secure and proper use of the School's IT infrastructure. By clearly defining acceptable behaviour and assigning responsibility to the CTO, the School aims to prevent security breaches and maintain the integrity of its IT systems.
B. IT Incident Response Plan
Type | Title | Detail
---|---|---
Definition | IT Incident Response and Service Continuity | The School's IT Incident Response Plan is designed to address IT incidents effectively. The primary goal of the plan is to minimise disruptions to students' learning and ensure the continued delivery of the School's services. This plan is crucial for swiftly managing IT incidents to minimise impact on educational activities and maintain operational continuity. By focusing on reducing disruptions, the School ensures that its services remain uninterrupted and students' learning experiences are protected.
Rule | Oversight and Activation of the IT Incident Response Plan | The Director of Technology oversees the IT Incident Response Plan and initiates it by notifying the Board of Governors, the Quality, Compliance, and Audit Committee, and the Executive Committee about the incident. The President must then evaluate the severity of the incident and decide whether to proceed with the plan. Upon receiving authorisation from the President, the Director of Technology will convene a Response Committee and enlist the assistance of relevant Executive Committee officers. This process ensures that the IT Incident Response Plan is managed effectively with clear communication and decision-making. The President's involvement in authorising the response ensures that appropriate actions are taken based on the incident's severity, while the CTO's role in convening the Response Committee ensures that expertise is mobilised efficiently.
Rule | Response Committee Collaboration and Communication | The Director of Technology, as the chair, must collaborate with designated School teams to form the Response Committee. The committee will meet daily until the Director of Technology reports to the Board of Governors, Quality, Compliance, and Audit Committee, and Executive Committee that the incident is resolved. The President will then formally declare the incident closed. This rule ensures that the Response Committee, led by the CTO, maintains consistent communication and oversight during an incident. Daily meetings allow for timely updates and coordinated efforts, while formal notifications to the governing bodies ensure all stakeholders are informed of the resolution and closure of the incident.
Rule | Roles and Responsibilities of Response Committee, including Continuity of Learning and Education Services | This rule outlines clear responsibilities for each team involved in incident management, ensuring effective and coordinated responses. By defining roles, communication channels, and protocols, the School aims to minimise disruption, maintain continuity in learning, and ensure comprehensive support for students during IT incidents.
Rule | Review and Maintenance of the Response Plan | The Director of Technology is required to meet with the Heads of IT, Marketing, Wellbeing, and the Director of Education (DoE) at least twice each academic year to review and update the Response Plan. During these meetings, specific actions needed to keep the plan current will be assigned, and progress must be reported to the CTO. Regular testing of the plan will also be conducted. The Director of Technology holds ultimate responsibility for the plan's effectiveness and must report its status to the Executive Committee and the Quality, Compliance, and Audit Committee. It is also the responsibility of all committee members to ensure their teams are trained on the plan. This approach ensures that the Response Plan remains up-to-date and effective through regular reviews, assigned actions, and testing. Regular reporting to senior committees guarantees oversight and accountability, while team training prepares staff to effectively execute the plan when needed.
Rule | Post-Incident Analysis and Reporting | Following each incident, the Director of Technology must conduct a root cause analysis to determine why the risk management and prevention systems failed. A detailed report outlining these findings must be prepared and submitted to the Executive Committee, Quality, Compliance, and Audit Committee, and the Board of Governors. This report will inform updates to the Response Plan, ensuring it remains a dynamic and effective document. This procedure ensures that each incident is thoroughly reviewed to identify system weaknesses and failures. The resulting report provides valuable insights for refining the Response Plan, promoting continuous improvement and strengthening the School's resilience against future incidents.
Incidents Short of the IT Incident Response Plan
Type | Title | Detail
---|---|---
Rule | Partial Activation of the Response Plan | In instances where incidents do not necessitate full activation of the Response Plan, the President, as Chair of the Executive Committee, may authorise the Director of Technology to undertake necessary actions under the Plan. This includes collaborating with School teams to maintain service continuity. The Director of Technology must report directly to the President in these cases. This rule allows for a flexible response to incidents that do not require a full-scale activation, ensuring efficient use of resources and prompt action to maintain service continuity. Direct reporting to the President ensures clear communication and oversight during such situations.
Metrics and KPIs
The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations.
Metric | Target and rationale
---|---
Disaster Recovery Plan Testing | Test the disaster recovery plan biannually, ensuring that recovery objectives are met in at least 95% of tests. Regular testing ensures that the disaster recovery plan is effective and that recovery procedures are well understood.
Incident Response Time | Track the average time from incident detection to initial response, targeting under 30 minutes. Rapid response to incidents minimises potential disruption and mitigates impact on the academic community.
Security Vulnerability Resolution Time | Measure the average time taken to address and resolve security vulnerabilities, aiming for resolution within 48 hours. Timely resolution of vulnerabilities reduces the risk of exploitation and maintains system security.
System Uptime | Measure the percentage of time IT systems are operational and available to users each month, aiming for 99.9% uptime. High system uptime ensures continuous operation of IT services, essential for maintaining academic and administrative functions.