Use and Security of Information Systems

Section: Corporate
Approval Date: 1 June 2020
Approved By: Executive Leadership Team
Next Review: 30 November 2022
Responsibility: Deputy Chief Executive: Information Systems and Support
Baldrige Criteria: Workforce focus
Purpose

Otago Polytechnic Limited supports and encourages open access to digital resources; however, this policy defines the security practices to be followed when using Otago Polytechnic Limited IT systems and services.

IT services are those that support Otago Polytechnic Limited's digital activities. This policy explains the security practices in place to protect IT systems and to maintain the confidentiality, integrity, and availability of IT services. This policy also explains user responsibilities and what is acceptable and unacceptable use of IT services.

This policy aims to:

  • ensure that all Polytechnic staff are aware of the Polytechnic computer security policy and practice for maintaining a secure operating environment
  • provide a clear statement on IT security and information management
  • define what is acceptable and unacceptable practice for staff using Polytechnic IT systems and services.
  • define for Polytechnic staff the responsibilities they have for maintaining security when using and accessing the Polytechnic's IT services.
  • meet the general objectives of AS/NZS ISO/IEC 27001:2006 and 27002:2006 Code of Practice for Information Security Management and the IT best practice defined within the Information Technology Infrastructure Library (ITIL).
Compliance

  • Privacy Act 1993 and all subsequent amendments
  • Copyright (Infringing File Sharing) Amendment Act 2011
  • Official Information Act 1982 and all subsequent amendments
  • Public Records Act 2005 and all subsequent amendments

Policy

1.  This policy defines and enforces an appropriate level of IT protection within the Polytechnic. It serves to protect the Polytechnic's IT and information assets across the Polytechnic.

It aims to provide the following protection:

  • Confidentiality - the prevention of unauthorised disclosure of information
  • Integrity - the prevention of the unauthorised amendment, corruption, or deletion of information
  • Availability - the prevention of the unauthorised withholding of information or resources.

2.  Scope

The policy applies to all employees and learners of Otago Polytechnic Limited, and also to contractors, consultants, Council members and visitors engaged to work with, or who have access to, the Polytechnic technology infrastructure and its information.

3.  Responsibilities

3.1.  Users are responsible for:

3.1.1.    Operating within the bounds of the IT Security Policy.

3.1.2.    Ensuring that no breach of information security results from their actions.

3.1.3.    Reporting any breach or suspected breach in security to the Information Systems and Support (ISS) Service Desk.

3.1.4.    The confidentiality of their user account and password information.

3.2.  ISS are authorised to:

3.2.1.    Protect information and computing resources through implementing and administering the IT Security Policy and associated Security Standards.

3.2.2.    Implement new systems and processes that are compliant with industry standards, or with any governing body as applicable.

3.2.3.    Ensure that the Polytechnic complies with relevant legislation and regulations relating to IT.

3.2.4.    Take all reasonable steps to limit or remove risk to the Polytechnic's operational environment, e.g. removing access, blocking files or functionality, etc.

3.2.5.    Search staff email and files if instructed to do so by the Chief Executive or Otago Polytechnic Limited Privacy Officer (Deputy Chief Executive Chief Operating Officer).

4.  Acceptable and Unacceptable Use

4.1.  Acceptable Practice

4.1.1.            Communicating and sharing information the individual is authorised to share with other Otago Polytechnic Limited employees or the public.

4.1.2.            Research on the internet to develop professional and educational skills related to the user's position at Otago Polytechnic Limited.

4.1.3.            Broadening knowledge of the education sector, clients, and applicable news within the context of an individual's assigned responsibilities.

4.1.4.            Acquiring or sharing information necessary or related to the performance of an individual's assigned responsibilities.

4.1.5.            Reasonable use of computing facilities for personal correspondence, e.g. sending personal emails and using internet web sites, so long as it does not interfere with staff productivity, bring Otago Polytechnic Limited into disrepute, pose a security risk, or consume sustained high-volume traffic.

4.2.    Unacceptable Practice

4.2.1.            Use of IT services for illegal or unlawful purposes. This includes, but is not limited to, intentional copyright infringement, obscenity, fraud, defamation, discrediting the Polytechnic or a third party, plagiarism, harassment, intimidation, forgery, impersonation, and computer tampering (e.g. spreading computer viruses).

4.2.2.            Intentionally using IT services to visit internet sites that contain sensitive, obscene, pornographic, hateful, or other objectionable material.

4.2.3.            Where access to websites deemed sensitive is necessary for teaching or learning or research purposes, specific access may be authorised via the Head of College applying to the Chief Information Officer. This access is recorded on a register.

4.2.4.            Using IT services to reveal or publicise confidential or proprietary information, which includes but is not limited to: financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer details, personal details about an individual, technical product information, computer software and code, computer network and access details, and business relationships.

4.2.5.            Intentionally saving any Polytechnic-owned information deemed to be records under the Public Records Act to external systems not endorsed or operated by ISS. This includes, but is not limited to, cloud service providers such as Google and Amazon.

4.2.6.            Where use of an IT service is deemed unacceptable practice (as per, but not limited to, the descriptions above), disciplinary action may be taken in line with the policies Resolving Performance Problems (staff) and Learner Discipline (learners).

5.  Access

5.1.         The Polytechnic provides both open and closed access to its IT services. Specific permissions are required to access closed aspects of the IT services and infrastructure to ensure confidentiality and maintain the integrity of the infrastructure.

5.2.         Only authorised users are permitted to access and use the Polytechnic's closed IT services.

5.3.         Staff & Learner user accounts are created and managed by ISS under direction of Human Resources.

5.3.1.    Creating and deleting user accounts as directed by HR.

5.3.2     Annual auditing of accounts to verify account status.

5.3.3.    Disabling staff accounts two weeks after the HR-notified termination date, unless requested sooner.

5.3.3.1.          Or retaining staff accounts as active, with approval from the Chief Executive Office.

5.3.4.    Deleting staff accounts 5 years after the HR-notified termination date, with the exception of lifetime access for Council Honours Awards recipients as per CP0006 Council Honours Awards Policy.

5.3.5.    Deleting learner accounts that have not been accessed for at least 12 months since the last time of access.

5.3.6.    Ensuring that account user IDs are not reused, unless for a returning staff member or learner.

5.4.         Contractor (non-staff) access created and managed by ISS.

5.4.1     Contractor accounts will all have account expiry set on creation; this forces review of account validity.

5.4.2     Only the Otago Polytechnic Limited staff member responsible for the contractor can request enablement of disabled and expired accounts.

5.5.         System access audit review

5.5.1     Systems will have an access review every 4 months. This includes the following systems:

  • Learner Management System
  • Learner Health System
  • Organisational Finance System
  • Human Resources system
  • Payroll system
  • Physical access security (Cardax)

5.6.         IT accounts can be disabled at the request of a member of Executive Leadership Team or Chief Information Officer.
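The account rules in 5.3 and 5.4 can be written down as a single decision function, which makes the exceptions (retained-active approval, Council Honours lifetime access, contractor sponsors) explicit and testable. This is an added illustration in Python, not Otago Polytechnic's provisioning code; the Account record layout, the sponsor field and the treatment of 12 months as 365 days are assumptions.

```python
"""Account-lifecycle decisions modelled on sections 5.3 and 5.4 of the policy.
Added illustration, not Otago Polytechnic's own provisioning code. The intervals
(disable two weeks after the HR-notified termination date, delete five years after
it, delete learner accounts unused for 12 months, expiry set on contractor accounts
at creation) are the policy's; the record layout and 12 months = 365 days are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user_id: str
    kind: str                                  # "staff", "learner" or "contractor"
    enabled: bool = True
    termination_date: Optional[date] = None    # HR-notified date, staff only
    last_access: Optional[date] = None
    expiry: Optional[date] = None              # contractors: set at creation (5.4.1)
    sponsor: Optional[str] = None              # staff member responsible for a contractor
    retain_active_approved: bool = False       # Chief Executive Office approval (5.3.3.1)
    council_honours: bool = False              # lifetime access (5.3.4)


def years_after(d: date, years: int) -> date:
    # 29 February rolls to 28 February when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def lifecycle_action(acct: Account, today: date) -> str:
    """Return 'keep', 'disable' or 'delete' for the account as of `today`."""
    if acct.kind == "staff" and acct.termination_date:
        if acct.council_honours:
            return "keep"                                       # 5.3.4 exception
        if today >= years_after(acct.termination_date, 5):
            return "delete"                                     # 5.3.4
        two_weeks_on = acct.termination_date + timedelta(weeks=2)
        if acct.enabled and today >= two_weeks_on and not acct.retain_active_approved:
            return "disable"                                    # 5.3.3 / 5.3.3.1
        return "keep"
    if acct.kind == "learner" and acct.last_access:
        if today - acct.last_access >= timedelta(days=365):
            return "delete"                                     # 5.3.5
        return "keep"
    if acct.kind == "contractor" and acct.expiry and today >= acct.expiry:
        return "disable" if acct.enabled else "keep"            # 5.4.1
    return "keep"


def may_request_enable(acct: Account, requester: str) -> bool:
    """Only the responsible staff member may ask to re-enable a contractor (5.4.2)."""
    return acct.kind == "contractor" and requester == acct.sponsor


def id_available(user_id: str, retired_ids: set, returning: bool) -> bool:
    """User IDs are never reissued except to a returning staff member or learner (5.3.6)."""
    return user_id not in retired_ids or returning
```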

6.  Remote Access

6.1.     Remote access to the Polytechnic's IT services is provided for staff working offsite. Refer to policy Enabling Offsite Work.

7.  Password Management

7.1.         Passwords must be kept confidential and are the responsibility of the individual user. They are not to be shared or used by anyone else, even for a short period of time.

7.2.         Password construction must comply with the following minimum standard.

7.2.1.    All passwords are required to be a minimum length of 16 characters (Passphrase) and are not required to contain special or numerical characters.

7.2.2.    Access is denied after three unsuccessful login attempts, and a security process is required to reinstate it.

7.2.3.    When passwords are first issued, users are required to change their password on first use.

7.3.         Privileged user accounts (i.e. system wide administrator accounts) are subject to additional password requirements.

7.3.1.    All administrative accounts are subject to passwords of not less than 8 characters, using special characters, with a forced change every 180 days and no reuse of the last 24 passwords.

7.3.2.    Long-term contractors (generally external providers, i.e. not staff) are subject to passwords of not less than 8 characters, using special characters, with a forced change every 90 days and no reuse of the last 5 passwords.
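The three password standards in 7.2 and 7.3 and the three-attempt lockout in 7.2.2, as an added Python illustration (not Otago Polytechnic's tooling). The account-class names "user", "admin" and "contractor", and keeping the password history as SHA-256 digests, are assumptions; the numeric limits are the policy's.

```python
"""Checks modelled on the password standard in sections 7.2 and 7.3 of the policy.
Added illustration, not Otago Polytechnic's own tooling. The numbers (16-character
passphrase; 8 characters with a special character, 180-day rotation and 24-password
history for administrators; 90 days and 5-password history for long-term contractors;
lockout after 3 failures) are the policy's; the class names and hashing are assumed."""
import hashlib
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SPECIALS = set(string.punctuation)

@dataclass(frozen=True)
class Rule:
    min_length: int
    require_special: bool
    max_age_days: Optional[int]  # None: the policy states no forced rotation
    history: int                 # previous passwords that may not be reused

RULES = {
    "user": Rule(16, False, None, 0),     # 7.2.1 (passphrase, no special chars needed)
    "admin": Rule(8, True, 180, 24),      # 7.3.1
    "contractor": Rule(8, True, 90, 5),   # 7.3.2
}

def digest(password: str) -> str:
    # History is kept as digests so old passwords are never stored in clear;
    # a production system would use a slow, salted verifier instead.
    return hashlib.sha256(password.encode()).hexdigest()

def check_new_password(account_type: str, candidate: str, previous_digests: list) -> list:
    """Return the rule violations for a proposed password (empty list = accepted)."""
    rule = RULES[account_type]
    problems = []
    if len(candidate) < rule.min_length:
        problems.append(f"shorter than {rule.min_length} characters")
    if rule.require_special and not (set(candidate) & SPECIALS):
        problems.append("no special character")
    # Only the most recent `history` digests count ("unique last 24" / "last 5").
    if rule.history and digest(candidate) in previous_digests[-rule.history:]:
        problems.append(f"reuses one of the last {rule.history} passwords")
    return problems

def rotation_due(account_type: str, last_changed: date, today: date) -> bool:
    """True once the forced-change interval for the account class has elapsed."""
    max_age = RULES[account_type].max_age_days
    return max_age is not None and today - last_changed >= timedelta(days=max_age)

class LockoutTracker:
    """Denies access after three failed attempts until reinstated (7.2.2)."""
    MAX_FAILURES = 3

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record_failure(self, account: str) -> bool:
        """Count a failed login; return True if the account is now locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.MAX_FAILURES:
            self.locked.add(account)
        return account in self.locked

    def reinstate(self, account: str) -> None:
        # Stands in for the policy's "security process" that restores access.
        self.locked.discard(account)
        self.failures.pop(account, None)
```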

8.  IT Asset and Media

8.1.         Personal devices are welcome on the Otago Polytechnic Limited "OP-Guest" Wi-Fi network. Personal devices are not authorised to connect to the internal Polytechnic cabled networks.

8.2.         ISS are authorised to install, remove, and configure software and make configuration changes to IT services. This includes returning Otago Polytechnic Limited IT equipment back to its original build status to rectify faults and remove unlicensed software.

8.3.         Computers and mobile devices issued by the Polytechnic to users remain the property of the Polytechnic, unless otherwise agreed with the formal manager, as is often the case in redundancy.

8.4.         Removable Media

8.4.1.   Information stored electronically on removable devices must be encrypted if it contains any information listed below. The service desk is available to assist in this activity in confidence.

a.  Personal Information about any customer of Otago Polytechnic Limited

b.  Confidential Financial data

c.  Passwords or secure user information

8.4.2.   For information stored on removable devices that is not covered by 8.4.1, the device owner is responsible for ensuring it is used by the intended recipient.

8.5.         All Polytechnic IT equipment is required to be identified with a unique asset number. This number is to remain accessible and only ISS staff are permitted to remove the asset identifier in coordination with Finance.

8.6.         All Polytechnic IT hardware or media are to be returned to ISS when no longer required or when users terminate their association with the Polytechnic.

8.7.         In the event of a Polytechnic IT asset being lost, accidentally damaged, or stolen, the incident is to be reported to the ISS Service Desk. It is at the discretion of the Chief Information Officer whether a theft or damage is escalated to the New Zealand Police following the report to the ISS Service Desk.

8.8.         Only ISS are authorised to dispose of Polytechnic IT equipment, including software.

Note: Polytechnic IT assets include but are not limited to equipment such as laptop/desktop computers, printers and peripheral devices that connect or have access to the Polytechnic network. This also includes handheld mobile devices, e.g. phones, tablets. IT assets also include all software, whether packaged, or custom built.  IT media includes but is not limited to USB keys and portable hard drives.

9.  Communications and Operations Management

9.1.          ISS Operations

The following security requirements apply for the operations of ISS services.

9.1.1.    No investigations are permitted without authority from either the Chief Executive, or Otago Polytechnic Limited Privacy Officer (Deputy Chief Executive Chief Operating Officer). The Chief Executive must be notified in all cases of an investigation being authorised.

9.1.2.    ISS staff who are authorised on a case by case basis by any of those identified in 9.1.1 are permitted to search, collect, and report on IT activity for the purposes of a specific security audit or investigation.

9.2          Physical and Environmental Security

9.2.1.    Access to IT infrastructure facilities is restricted to authorised individuals whose job responsibilities require access to IT facilities. This will be reviewed every 4 months.

9.2.2.    Visitors requiring access to IT infrastructure facilities are required to sign in through the campus Health and Safety sign in/ out process.

9.2.3.    IT facilities are to be protected against environmental changes in power, cooling and flooding as defined within the physical computer standards.

9.3          Operational readiness

9.3.1     Any new systems must be fully tested prior to implementation to ensure they are secure and will not have a negative effect on Polytechnic operations or expose the Polytechnic to risk.

9.3.2     Any learner developed systems must comply with the guidelines set out in the Product to Production specification (Use and Security of Information Systems - SOP).

9.3.3     ISS are responsible for ensuring that all systems are secure and patched to an appropriate level in accordance with vendor recommendations and this policy.

9.4          Disaster recovery & Incident Management

9.4.1     Disaster Recovery: The information systems disaster recovery plan is maintained and tested regularly to ensure that Otago Polytechnic Limited can continue operations as required by the business continuity plan.

9.4.2     Incident management

9.4.2.1.    All incidents will be recorded and managed in the service management system operated by the Otago Polytechnic Limited Service Desk.

9.4.2.2.    Incidents will be classified by severity and reported on.

9.5          Internet Access and Communications

9.5.1.    Employees can access the internet and browse sites that comply with the Acceptable Use as defined in Section 4.

9.5.2.    Employees must not transmit sensitive Polytechnic information or information that is classified as highly confidential through the internet unless the information is encrypted to reduce the risk of data being compromised. The ISS Service Desk can advise of secure methods that can be used to transmit highly confidential information across the internet.

9.5.3.    The Chief Information Officer has the right to block internet sites that do not comply with the Acceptable Use policy in Section 4, or that pose a risk to the Polytechnic's ability to operate effectively.

9.6          Email Access and Communications

9.6.1.    Email messages sent from and received by the Polytechnic's email service are the property of the Polytechnic and may be accessed by the Polytechnic under order - see clause 9.1.

9.6.2.    Email messages subject to retention requirements noted in policy Records Retention and Disposal must be electronically saved in the manner and for the period specified in the policy.

9.6.3.    All email originating from or destined for Otago Polytechnic Limited will be digitally recorded (in the 'cloud'), scanned, and blocked where it is deemed a risk to organisational security.

9.6.4.    Email access will be terminated when the employee or third party terminates their association with the Polytechnic, unless an extension has been agreed by the formal leader or by policy CP0006 Council Honours Awards Policy.

9.6.5.    Email signature blocks must follow the agreed standard as defined within the Email Communications Guidelines; refer to the Otago Polytechnic Limited Intranet site (Insite / Service Areas / Marketing and Communications / Email Communications Guidelines).

9.6.6.    Email is not to be used for unsolicited mass mailings, political campaigning, dissemination of chain letters, use by non-employees to send chain emails, malicious data (viruses), solicitation emails, or any offensive material. This is deemed unacceptable practice and subject to disciplinary action - refer to clause 4.2.5.

9.6.7.    Email accounts are provided for Polytechnic employees' sole use. One account is created and exists independent of how many roles are held, e.g. learner and staff member. It is not appropriate to send, reply to, or modify another employee's email without the authority of that person.

9.6.8.    Confidential or sensitive email messages, including confidential or sensitive information in attachments, are not to be sent outside the Polytechnic without the authority of the originator or owner of the information contained within the email. This includes but is not limited to information about staff and learners; refer to policy Disclosing Personal Information about Learners and Staff. Also refer to Appendix Two, Business Email Etiquette Basics.

9.6.9.    Staff are encouraged to manage emails appropriately by deleting those emails which are not Polytechnic business as soon as possible.

9.7          Learner Email Accounts

9.7.1.    All learners have an Otago Polytechnic Limited email account, which provides access to a number of ISS services. More information is available on the Otago Polytechnic Limited website.

9.8          Staff Security

9.8.1.    If an onsite computer or laptop is left idle for more than 5 minutes, it is programmed to automatically lock. To unlock the device, the user must enter their network password.

References

Appendix One - Product to Production requirements (attached below)

Appendix Two - Business Email Etiquette Basics (attached below)

Communications and Operations Standard - refer to Staff Intranet


Otago Polytechnic Limited policies, as available on the website:

  • Learner Rights and Responsibilities
  • Learner Discipline
  • Computer Health and Safety
  • Contractor Health and Safety
  • Enabling Offsite Work Policy
  • Intellectual Property
  • Intellectual Property - Matauranga Maori
  • Disclosing Personal Information about Learners and Staff
  • Records Retention and Disposal
  • Council Honours Awards Policy
  • Resolving Performance Problems
Appendices: Product to Production and Business* Email Etiquette Basics

APPENDIX One. Product to Production Requirements

Otago Polytechnic Limited encourages the development of learner work into production environments here at Otago Polytechnic Limited. This document outlines the product and documentation requirements for the transition from development to production. 

All systems or services developed by learners and/or staff must have the following before they can be considered for Production.

  1. An Otago Polytechnic Limited staff member must own the system or service, i.e. when the learner has left OP, a person must continue to hold the maintenance and update responsibility.

  2. Product documentation must be delivered before the system is transitioned to production. The document must contain:

a.  Full un-compiled code in the appropriate electronic format, with instructions on how to compile if bugs are found and need to be fixed post-handover.

b.  Full uncompressed executable or other files where applicable.

c.  Bug control history detailing past bugs and the resulting fix.

d.  Full product functionality including any dependencies on other resources.

e.  Full user installation and usage information.

  3. If the product is to be supported by the learner into the future, a full update schedule with associated costs must be included, with prices valid for 24 months. Break-fix time and materials costs must be included along with service support hours.

  4. All production systems or services must be operated by ISS if resources are required on campus.

  5. All production systems or services running from a cloud environment must be made known to ISS, including the monthly costs and the budget holder approved to cover these costs.

 

Contact information for ISS

ISS Service Desk - servicedesk@op.ac.nz

For advice on moving your product to Production, consult with your lecturer and contact the ISS Enterprise Solution Architect, Jono Aldridge (jono.aldridge@op.ac.nz).

Document last updated June 2016

APPENDIX Two. Business* Email Etiquette Basics

Using your email, company email address and employer's technology is a serious issue.

*NOTE: There is still room for colloquial and friendly language within internal peer groups - always think first who your audience is and whether this is going wider.

Be professional: 

  • Do not send non-business-related emails, jokes, forwards, or chain letters on company time to friends or co-workers - this may reflect a lack of professionalism. 
  • Avoid questionable websites, or websites not necessary to your job responsibility. 
  • Never assume that these activities are not monitored. 

 

Respond promptly: 

  • You should do your best to respond to business communications as quickly as possible within business hours - this is all about customer service. 

 

Common courtesy, spell check, and avoiding formatting:

  • The staples of professional business communications apply - think business letterhead 
  • Include a salutation and a signoff that includes your name 
  • Proper capitalisation and punctuation are a must 
  • Type in full sentences with proper sentence structure 
  • Always spell check to avoid misinterpretation and to look professional 
  • Refrain from using formatting or embedded images, including email stationery e.g. coloured or embellished backgrounds - as current spam filters could block your emails 
  • Avoid uncommon fonts as the recipient may not have the designated font and the email will display completely different from the way it appears in your system 
  • If you wouldn't put it in bold or red in a formal letter do not do it in an email. 

 

Subject field: 

  • Be short and concise in the subject field to indicate clearly what email is about. This will also determine if your email will be opened. 

 

Attachments: 

  • Ask the recipient first if you intend to send a large file attachment - some systems will block oversized files or stop other incoming correspondence to a person's inbox
  • Do not send unrequested attachments. 

 

Reply All: 

  • Use with discretion! 
  • Consider carefully whether 'all' really need to be aware of your reply to conduct business 
  • Keep the volume of email traffic down. 

 

Forwarding other people’s emails: 

  • Always ask permission first - the email has been sent specifically to you for a reason and possibly in a language suitable for your reading, not the world. 

 

Edit/Refine/Reduce your replies: 

  • Do not just hit reply and start typing - always reread the original email and edit your reply before sending 
  • Make an effort to reply point by point to keep the conversation on track with fewer misunderstandings. 

For further reference see https://www.businessemailetiquette.com/business-e-mail-etiquette-basics/