General
"You", "Your", "Yours", "User", "Users" refers to You the User or employee of Blue Ring Digital Services Ltd.
"We", "Us", "Our", "Development Team", "Blue Ring Digital Services Ltd" refers to Blue Ring Digital Services Ltd.
"Our Network" refers to Our network of connected Devices which may or may not have global access and/or internet connectivity.
"Data", "Information" refers to all Data elements that are owned or licenced by Us or any Information processed by the Us on behalf of a third party.
"Information Systems" refers all Information Systems owned, held, utilised or present on Our network and anyone making use of them.
"Device", "Devices" referes to any computer equipment used to access Our network or informations systems. This includes but is not limited to laptops, desktop PC's, tables, mobile telephones, printers, scanners, external storage and servers.
The continued confidentiality, integrity and availability of Information Systems underpin the operations of the Blue Ring Digital Services Ltd. A failure to secure Information Systems would jeopardise Our ability to run Our business and will have a greater long-term impact through the consequential risk of financial or reputational loss.
This IT Security Policy provides the guiding principles and responsibilities of all Users required to safeguard Our information systems.
The headings in this IT Security Policy are for convenience only and shall not affect their interpretation.
The masculine shall include the feminine and the neuter and the singular the plural and vice versa.
If any provision or part of any provision of this IT Security Policy is found by a court or other competent authority to be void or unenforceable, such provision or part of a provision shall be deleted from this IT Security Policy and the remaining provisions or parts of the provision shall continue to be in full force and effect.
Responsibilities
The Development Team are responsible for monitoring the use of Our Information systems to ensure this IT Security Policy is not breached. The Development Team are responsible for enforcing effective operation of this IT Security Policy to ensure that Information Systems and other devices are adequately protected.
All Users are required to demonstrate compliance to this IT Security Policy in order to protect the confidentiality, integrity, and availability of Our Information Systems. This IT Security Policy also extends to contractors, consultants and/ or 3rd parties providing services to Us.
Confidentiality
Safe guarding the confidentiality of Information through the protection of information from unauthorised disclosure with access only by entitlement.
Data Classification and Management
- Blue Ring Digital Services Ltd and Users are obligated to respect the rights of individuals and to protect confidential Data;
- All of Our digital records should be classified according to the Data Management Policy;
- When Data is classified as confidential Data, appropriate access and security controls are applied in transmission and storage. Confidential Data is not to be transmitted without adequate precautions being taken to ensure that only the intended recipient can access the Data;
- All of Our Data is to be treated as confidential if not otherwise indicated;
- Where Data and Information systems on the Our Network are accessed by 3rd parties (such as suppliers, contractors and consultants) for support and maintenance provided to Us, a Third Party Access request form with the accompanying Data Protection agreements must be built into the service agreement with the 3rd party.
Network Security
- The Development Team maintain a perimeter firewall. All externally facing services must be registered, this register is used to configure the firewall based on the services they offer. This eliminates low level vulnerability probing attacks from the internet while allowing access to registered services;
- In addition to the perimeter firewall, some network ranges are protected by access-lists or additional firewalls;
- Perimeter traffic is logged and appropriately monitored for security purposes;
- Devices that connect to Our Network should have:
- Anti-virus installed and up-to-date;
- An Operating System patched with latest security updates;
- Personal Firewall active;
- User authentication.
User Authentication and Audit Logging
- Authentication is required for each connection to Our Network;
- Where possible two factor authentication should be considered for access to Information Systems that process sensitive Data;
- Users must follow best practices to prevent misuse, loss or unauthorised access to systems:
- Keep passwords confidential;
- Change passwords regularly;
- Never write down passwords;
- Never send passwords via email, fax or post;
- Change temporary passwords at first logon;
- Do not leave Your device unattended without locking Your device or logging off.
- Audit logs containing the following User events of staff, students and any 3rd parties accessing Our Network are captured and monitored:
- User IDs;
- Dates and times for logon and logoff;
- Computer identity and location where possible;
- Records of successful and rejected system access attempts;
- Records of successful and rejected system access attempts;
- Monitoring of privileged User accounts.
Encryption
- All Devices owned by Us must have their storage space encrypted;
- All of Our devices must be protected by encryption and layered authentication where appropriate;
- Where personal Data is being stored by Users on a portable Device, then this Data must be encrypted;
- Where sensitive Information is transmitted through a public network to an external third party the data must be encrypted first and sent via secure channels (SFTP, SSH, HTTPS or VPN);
- WIFI networks must be encrypted using WPA2 or better.
Integrity
Safeguarding the integrity of Data such as the accuracy and completeness of Information, by protecting against unauthorised modification.
User Access and Audit Logging
- Access to data is granted on a needs only basis, Users are granted specific access to allow them to carry out their job functions;
- Access to amend data and/ or access to Information Systems which process and record this Data is restricted to authorised personnel;
- All Users have a unique User ID for their personal and sole use so that activities can be traced to the responsible person;
- Access to device administration settings, software code, services and commands is restricted to only those individuals who require access as part of their day-to-day job responsibilities;
- All access to Information systems is to be logged and appropriately monitored to identify potential misuse of Information Systems or Data. Logs must be retained and access granted according to the appropriate legislation;
- Security event logs, operational audit logs, error logs, transaction and processing logs are monitored on information systems and retained to record events for trouble shooting, provide forensics during security incidents and to identify potential misuse of Information Systems and Data;
- An appropriate audit trail including database logs of the creation, amendment and deletion of Our data is to be maintained.
Vulnerability Management
Users connecting a Device to Our Network is responsible for ensuring that the device is configured correctly, that the operating system and software applications are up-to-date and that the device has adequate protection against viruses and other malware. If there is any suspicion that the device may be infected or compromised it must not be connected.
- Devices be hardened appropriately before joining Our network and should be locked down before being used in a production environment;
- Information Systems and Devices must follow a regular update schedule to ensure they remain protected from security vulnerabilities and remain within mainstream support;
- Antivirus is a compulsory pre-requisite for any Device joining the Our Network and must be kept current and up-to-date;
- We have the authority to remove from Our Network any device for which no owner can be identified;
- We have the authority to remove from Our Network any device which is interfering with Our Network service or is deemed likely to compromise the security of Our Information Systems. While every effort will be made to contact the owner of the Device in advance, maintining Our network and Information Systems must take precedence.
Availability
Maintaining the availability of Our Information and Information Systems for business processes usage as required.
Software Licensing and Maintenance
- The Development Team and Users must ensure that all software licenses are up-to-date and that maintenance support is available for both the hardware and software associated with their Device;
- Software licencing for standard software is managed centrally via the Development Team. Licensing for non-standard software is the Users responsibility;
- Illegal and unlicensed software must not be installed on any Device owned by Us.
Disaster Recovery and Backup Strategy
- It is the responsibility of the User and the Development Team to ensure that an adequate business continuity plan is in place in the event that their Information Systems is affected by the non-availability of the relevant servers, network or other elements of the IT infrastructure;
- The Development Team and Users must ensure the prevention of Data loss through Data back-ups;
- The Development Team maintain Disaster Recovery plans for all of Our centrally managed Information Systems;
- Disaster Recovery plans and processes are tested regularly;
- Recovery from backup is tested regularly.
Incident Management
Formal incident management procedures are in place for IT related security incidents and procedures relating to personal Data breaches. Please see IT Policy Framework for further details.
Security Operations
The Development Team manage multiple security tools with the aim of protecting Our Information systems against unauthorised access, intrusion and disruption. Processes are in place to support these tools and ensure proactive management of IT vulnerabilities and reported incidents.
Physical computer storage Environmental provisions
Any servers hosting production services must be housed in a suitable environment with regard to security, electrical power and air cooling.
- All hardware used for the storage of Our Data is to be purged of all Data and securely destroyed once it is no longer to be used;
- When tapes and other secondary storage Devices reach the end of their useful life they are to be purged of all data and securely destroyed.
Supporting Procedures, Policies and or Statutes
The Policy should be read in conjunction with the following policies and Users should ensure compliance with these policies in addition to this IT Security Policy. The following subsidiary policies, procedures and standards shall be considered part of this IT Security Policy:
Changes to Our IT Security policy
This IT Security Policy replace all previous versions. We reserve the right to change this IT Security Policy at any time.