6 Sutton Park Road, Sutton, SM1 2GD
Information Technology (IT) Regulations
Policy Statement
The School is committed to the responsible use of IT resources, ensuring that our facilities are used safely, legally, and fairly. Our IT Regulations apply to all users, including students, staff, and affiliates, and cover hardware, software, data access, and network use. These guidelines promote ethical use, safeguard digital assets, and support our educational and operational goals.
Principles
- Respect: Respecting the rights of all users and the integrity of the IT systems.
- Accountability: Holding users accountable for their actions on the School's IT infrastructure.
- Security: Ensuring the security of IT systems against unauthorised access and malicious threats.
- Privacy: Protecting the privacy of personal and institutional data.
- Fair Access: Providing equal and fair access to IT resources for all users.
- Legality: Using IT facilities in compliance with relevant laws and regulations.
- Responsibility: Encouraging users to be responsible and considerate in their use of IT services.
- Ethics: Promoting ethical behaviour in the use of IT resources.
- Efficiency: Using IT resources in an efficient and cost-effective manner.
- Education: Providing information and education on safe and effective IT usage.
- Sustainability: Encouraging sustainable use of IT resources.
- Continuous Improvement: Regularly updating IT policies to keep pace with technological advancements and emerging risks.
Regulatory Context
This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:
Usage Rules and Legal Requirements for IT Resources
Rule
IT Facilities Usage and Compliance
The School’s IT facilities include:
All use of these facilities is subject to external and internal regulations, including data protection, copyright, and defamation laws, as well as School policies. Users must read, understand, and adhere to these regulations fully. Ignorance of the law does not excuse unlawful conduct. When accessing services from abroad, users must comply with both local and English laws, alongside School regulations. For third-party online services, users should follow the respective terms and conditions, whether accessed directly, through the School, or via agreements like those with Jisc. Violations of law or third-party regulations will be considered breaches of these IT regulations.
This rule ensures that all users of the School’s IT facilities are aware of their obligations under various legal and institutional provisions. It aims to protect privacy, security, and integrity while minimising risks. Compliance with both local and international laws, as well as third-party terms, is essential for maintaining lawful and ethical use of IT resources.
Proper Utilisation of IT Resources
Rule
Restrictions on IT Facilities Usage
The School’s IT facilities are provided to support School work. Personal or third-party use of these facilities must be avoided. The School disclaims any liability for issues arising from such use.
This rule ensures IT facilities are used strictly for School-related purposes, protecting the School from liability and ensuring compliance with legal and licensing requirements. It also clarifies that data sharing may occur under specific circumstances, reinforcing responsible usage and adherence to regulations.
Rule
IT Access and User Responsibilities
Users of the School’s IT facilities are provided access through usernames, passwords, security keys, and tokens. These credentials are for individual use only and must not be shared unless explicitly authorised. Access to the School's Online Library and electronic resources is restricted to authorised users, who must not share their access credentials. Attempting to use IT facilities without proper authorisation may be a legal offence under the Computer Misuse Act. For any doubts about authorised use, contact servicedesk@lsi.ac.uk.
This rule ensures that access to IT facilities is restricted to authorised individuals, protecting the School’s resources and complying with legal requirements. It emphasises the importance of not sharing credentials and provides guidance on where to seek clarification, thus promoting responsible use and security.
Rule
Responsible Use of IT Facilities
The School’s IT facilities must be used reasonably, lawfully, and with proper etiquette. Abusive, inconsiderate, discriminatory, or similar behaviour will not be tolerated and may result in enforcement action. Specifically, do not:
This rule ensures that IT facilities are used in a respectful and lawful manner, protecting the rights and needs of all users. It helps prevent misuse of resources and promotes a positive and secure IT environment.
Safeguarding IT Authentication Details
Rule
Protection of IT Credentials
To access IT facilities, users must protect their IT credentials, which may include usernames, passwords, email addresses, smart cards, or other identity hardware issued by the School. Follow these guidelines to safeguard your credentials:
Do not attempt to impersonate others, obtain or use someone else's credentials, or corrupt or destroy anyone else’s credentials.
These measures are crucial for maintaining security and preventing unauthorised access to IT facilities. Protecting your credentials helps ensure that only authorised users can access resources and prevents identity fraud and misuse.
Securing Sensitive and Confidential Information
Rule
Protection of Sensitive and Confidential Information
Under the Data Protection Act, all users (staff, students, etc.) must protect sensitive or confidential information. This includes:
If your role involves handling such information, familiarise yourself with relevant legislation, data and cyber protection regulations, and School policies, such as the Research Ethics and Governance Code of Practice. Adhere to all provisions to ensure the confidentiality and protection of this information.
Safeguarding sensitive and confidential information is essential to prevent financial, reputational, emotional, or other types of damage. Compliance with data protection laws and School policies helps maintain the integrity and security of protected information.
Rule
1. Device Security and Management
All devices used to access protected data must:
These measures protect sensitive data by ensuring devices are secured and managed appropriately. Immediate reporting of lost or stolen devices and proper handling of device returns help mitigate risks associated with data breaches and unauthorised access.
Rule
2. Secure Use of School Devices
These practices protect sensitive information by ensuring devices are used securely and privately, reducing the risk of unauthorised access and data breaches.
Rule
3. Encryption of Protected Information
Encrypting information ensures its security during transmission, while using a different channel for the encryption key prevents unauthorised access and enhances overall data protection.
Rule
4. Storage and Handling of Protected Information
These measures protect sensitive information from unauthorised access and loss, ensuring compliance with data protection regulations and maintaining the confidentiality and security of School data.
Rule
Compliance with Data Protection Policy
Please consult the School's Data Protection Policy for comprehensive information on the legal and regulatory requirements that must be followed. Adhere to all stipulations set out in the policy to ensure compliance with data protection laws and other relevant regulations.
The Data Protection Policy outlines the necessary legal and regulatory standards, ensuring that all practices conform to the law and protect sensitive information appropriately.
Cyber Security
Rule
Cyber Security Best Practices
All users must adhere to cyber security best practices at all times. When creating passwords, use strong password guidelines. If available, register for and utilise 2-factor authentication. Change your password immediately if you suspect it has been compromised. Avoid using the same password or pattern across multiple sites. Never leave logged-in computers unattended, and ensure you log out properly when finished. If using a password manager, do not log in on School IT equipment. Report any suspected security incidents or compromises involving your credentials, device, data, or IT facilities to dataprotection@lsi.ac.uk immediately.
Following these practices helps protect against unauthorised access and potential security breaches. Strong passwords and 2-factor authentication enhance security, while immediate reporting of potential compromises ensures timely responses to security incidents.
Copyright, Resources, and Publishing Information
Rule
Publishing Information Regulations
To publish information, all users must adhere to the School’s regulations and policies, including these IT regulations. If you have any questions, consult the authority mentioned in these IT regulations. Specifically:
These guidelines ensure that any representation of the School is authorised and accurate, while also regulating the use of IT facilities for publishing third-party content. This maintains the integrity and proper use of the School's digital resources.
Rule
Copyright and Licensing Compliance
Infringement of copyright or violation of software licences is strictly prohibited. Users must comply with copyright and licensing regulations when using the School's electronic resources. It is essential to familiarise yourself with the specific regulations from the respective providers. Almost all published works are protected by copyright. Just because material (such as images, text, music, or software) is accessible online does not mean you can use it freely. You are responsible for ensuring that you have the right to use copyrighted material. For any doubts or questions regarding copyright or licensing, consult the authority mentioned in these IT regulations.
This rule ensures that users respect intellectual property rights and adhere to legal requirements, thus avoiding legal issues and promoting ethical use of resources.
Rule
Access to and Handling of Information
Users must not access, delete, modify, or disclose information belonging to others without their consent or written permission from the School’s Data Protection Officer. For any questions, contact the authority mentioned in these regulations. Certain exemptions apply:
This rule safeguards personal and sensitive information, ensuring it is accessed and handled appropriately while allowing for necessary exceptions under strict conditions.
Rule
Use of Library and Licensed Resources
Users must adhere to the licensing and usage conditions for the School's library and other resources. Specifically:
The School may update its terms of use without prior notice. Continued use of the library and resources after changes signifies acceptance of the new terms. The School is not liable for misuse of its resources. If you violate copyright or licensing regulations and the School faces a claim, you must indemnify the School. Breaching these terms may result in suspension or exclusion from using the library and other resources.
These rules ensure proper use of the School’s licensed resources, protect against misuse, and establish clear responsibilities for users. They also safeguard the School from legal claims related to copyright and licensing violations.
Maintaining IT System Integrity
Rule
Maintaining IT Infrastructure Integrity
Users must not compromise the IT infrastructure's integrity. Specifically, you must not:
Additionally, users must:
These rules are in place to protect the IT infrastructure from damage and security breaches. Adhering to these guidelines ensures that the School’s IT systems remain secure and operational.
Guidelines for Social Media Content Publication
Rule
Social Media Use and School Reputation
While the School supports freedom of speech and expression, users should consider the following before posting on social media:
These guidelines help maintain the School's reputation and ensure that social media use aligns with legal and ethical standards.
Oversight and Recording of IT Facility Utilisation
Rule
Monitoring and Logging of IT Facility Use
The School monitors and logs IT facility usage for the following reasons:
For further details, contact the authority mentioned in these regulations.
Monitoring and logging are conducted to maintain the integrity of IT operations, ensure compliance with laws and regulations, and support the School's operational and security needs.
Rule
Monitoring of IT Facilities
Users must not monitor IT facility usage without explicit authorisation from the Director of Technology. This prohibition includes:
Unauthorised monitoring can compromise system security and user privacy. Only those with proper authority may perform such actions to ensure compliance and protect the integrity of the IT facilities.
Protocols for Reporting IT Security Issues
Rule
Security Incidents and Weaknesses
A security incident is any event that breaches these regulations or information protection procedures. A security weakness could lead to an incident if not addressed.
Prompt reporting is essential to address and resolve security issues, prevent potential breaches, and maintain the integrity of the IT systems.
Rule
Reporting Security Incidents and Weaknesses
Report any security incident or weakness immediately to management upon becoming aware or suspicious of it. This includes any concerns about breaches or vulnerabilities.
Immediate reporting is crucial to address and mitigate risks associated with security breaches or weaknesses, preventing potential harm and ensuring the safety of IT systems.
Rule
What to Report
Such incidents and weaknesses include not only obvious thefts but also the following examples:
This list is not exhaustive.
Reporting all types of security incidents and weaknesses, including those not immediately obvious, helps protect the School’s information and systems from potential harm and ensures a timely response to mitigate any risks.
Rule
Where to Report
Report any suspected breach immediately to dataprotection@lsi.ac.uk. Provide as much detail as possible about what you have observed.
Prompt reporting of suspected breaches allows for a quick response to address and mitigate potential risks, protecting the School’s data and systems.
Violations of IT Policy and Regulations
Rule
Actions for Breaches and Violations
The School will take all lawful measures to protect and restore the security of its IT facilities, including data, hardware, and software. Any breach of IT regulations or related provisions will be addressed through the School’s processes, which may include disciplinary action. The School may access IT facilities for investigation as permitted by law. Penalties for breaches may include withdrawal of services, disciplinary action, legal enforcement, or termination of contracts for third parties. Offensive materials will be removed, and any suspected unlawful activity will be reported to the police or relevant enforcement agencies. The School will also report breaches of third-party regulations to the relevant organisation and recover any costs incurred due to infringements.
These measures ensure the security and integrity of the School's IT resources and compliance with regulations. They also provide a framework for addressing breaches effectively and recovering any associated costs, thereby maintaining a secure and lawful IT environment.
Rule
Limitation of Liability
Subject to any liability the School cannot exclude or limit by law, the School is not liable for any loss or damage arising from the use or withdrawal of its IT facilities, including data and equipment.
This rule specifies that, except where the law requires otherwise, the School is not responsible for any losses or damages resulting from the use or removal of its IT facilities.
Oversight and Accountability for IT Compliance
Rule
Responsibility for IT Regulations
The Director of Technology is responsible for these regulations and may delegate this authority to others.
This rule clarifies that the Director of Technology oversees compliance with these regulations but can assign this responsibility to other individuals if necessary.
Metrics and KPIs
The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations.
Hardware Failure Rate
Record the number of hardware failures per 100 devices annually and aim to reduce this rate by 5% each year.
Assesses the reliability of hardware and helps improve maintenance and replacement strategies.
Incident Response Time
Track the average time taken to respond to IT security incidents from the moment they are reported. Target response time of 1 hour or less.
Rapid response minimises potential damage and demonstrates effective incident management.
Percentage of IT Helpdesk Tickets Resolved
Measure the percentage of IT helpdesk tickets resolved within the defined service level agreement (SLA) timeframe. Target 90% resolution rate.
Reflects the efficiency of IT support and impacts user satisfaction.
Software Update Compliance
Monitor the percentage of IT systems with up-to-date software and security patches. Target 100% compliance.
Keeps systems secure from known vulnerabilities and ensures software integrity.
User Training Completion Rate
Monitor the percentage of users who complete mandatory IT security and compliance training annually. Target 100% completion rate.
Ensures that all users are informed about IT policies and best practices, reducing the risk of non-compliance.