Governance

Electronic Security, Data Backup and Recovery Policy

Importance

The College’s position and reputation is increasingly reliant on the electronic storage of academic and administrative information, and on the principles of information security set out in the Records Management Policy.

It is vital for everyone to ensure that electronic information is held securely and that it can be restored in line with business priorities in the case of an emergency of any scale.  Emergencies and disasters do happen and the College and its employees must not be materially affected if one occurs.  Even with all reasonable preventative measures taken, security breaches and data corruption can happen so it is important that swift action can be taken to ensure normal working is restored as soon as possible.

Principles

We will conduct our activities and operations to reflect good practice electronic security and data management by following these principles:

·        Good practice relates to People, Process and Technology and all have to be addressed.

·        Individuals or machines should not jeopardise the College’s reputation, resources and investment or the availability, integrity or confidentiality of any data for which the College is responsible.

·        There should be systematically planned arrangements for access to data, taking into account appropriate levels of confidentiality and operational need.

·         Information Technology (IT), corporate systems and data will have differing levels of security and recoverability needs depending on their importance to the College, department or individual.

·        Appropriate access and security is likely to change over time and circumstance.

·        Everyone should be aware of the importance of electronic security and good data management.  All members of the College must ensure that they remain familiar with this Policy and follow its principles.

·        A balance is needed between privilege and responsibility: the easier access individuals have to electronic information, the more responsibilities individuals have to maintain the appropriate security of that information.

·        All machines that hold data or allow access to data need to be physically secure.

·        Passwords are the main means of maintaining electronic security and safeguarding personal and College information.  They must be used according to best practice.

·        Data must be capable of being restored to a sufficiently recent state in a timescale that does not compromise the effectiveness, reputation or future of the data owner.

·        Obsolescence of machines or software needs to be managed to maintain long-term digital preservation.

·        After an emergency, IT, Corporate systems and their associated data should be usable again in a timescale and at a cost that does not materially prevent the organisation from continuing its normal business. 

·        Everyone should be mindful of statutory regulations that affect IT and data. 

·        Risks associated with electronic security, data backup and recovery need to be assessed and managed.

Implementation

·        It is recognised that full implementation of the above Policy will take time and involve a cultural change in many areas across the College. 

·        Implementation will require changes and additions to hardware, software and processes.

·        Following the Policy will have a resource impact on all departments and services  which will need to be planned, budgeted and funded as necessary.

·        Wherever possible, economies of scale and support should be provided by central services; in most cases this will be by Information Technology Services.  This should cover the provision of a properly equipped machine room and reliable data storage and recovery facilities for departmental use.

·        Workload must continue to be balanced to ensure no undue pressure on any individual.

·        It is acknowledged that enforcement of the Policy is desirable from a College and audit point of view but timescales for this must take into account the size of change and resources available to effect that change.

Policy Guidelines

Physical Security

·        Information servers and communications equipment should be kept physically secure.  The level of security will depend on the type of server (e.g. corporate, departmental, research) and the importance of the data held but all need to be held in locked rooms and/or be physically secured and protected.  Access to this equipment should be limited and traceable to reduce the risks of accidental or malicious damage to the servers.

·        Desktop machines, laptops and Personal Digital Assistants (PDAs – blackberrys etc.) should be secured according to need. 

·        Hardware required to deliver essential services needs to be capable of being replaced or sourced within timescales to suit business needs.  This could include guaranteed server replacements from suppliers, outsourced Disaster Recovery contracts, arrangements with ITS  or with another College.

·        The physical environment of information servers should consider items such as suitable air conditioning, power availability, Uninterruptible Power Supplies ( UPS ) and proper management of services (such as cables) which may require the installation of a raised computer room floor.

Electronic security

·        All electronic information should be held as secure as required for its purpose.  The level of security will depend on the type of server (corporate, departmental, research) and the importance of the data held. 

·        Information servers need to be maintained at appropriate ‘patch’ levels.

·        Security software and hardware, such as ‘ firewalls’, should be used wherever required.  Their configuration needs to be appropriate for their use and remain current.

·        Data encryption, both stored on information servers and being transmitted across networks, should be used where appropriate. 

·        The use of digital certificates as a mechanism for improving levels of authentication and authorisation should become widespread throughout the College where appropriate.

·        Virus protection for all equipment needs to be freely available and regularly updated.

·        All individual security incidents must be recorded and reported in a timely manner.

Password Protection

·        Individual IDs and passwords should be used for all machines and access to all resources.

·        IDs and passwords should not be shared.

·        Passwords should be sufficiently long and obscure (for instance at least six characters and use both letters and numbers, but with a maximum of eight characters for backwards compatibility).

·        Passwords should be changed periodically and immediately if an individual feels they may have become compromised.

·        Screensavers should be activated within a reasonable time and should require a password.

Data storage

·        Data should not be stored in only one location (e.g. on the hard disk of a PC).  It should ideally be stored on a network resource (e.g. server) that is effectively backed up. 

·        The backups must be kept securely and remotely from the computer being backed up. Storage outside the computer suite is recommended for all essential back-up data.

·        Storage solutions must be designed to have minimal single points of failure (hardware, software and people). 

·        People responsible for data backup and restoration should be suitably trained and supported as well as having the time to ensure this Policy is followed.

·        Any backup and restore scheme must be fully and securely documented.

·        The system must be tested and proven to work. 

Data Continuity

·        Archiving of data needs to be considered – to avoid inefficiencies of access as data volumes grow and to potentially allow access to historic data again in the future.

·        Consideration should be given to avoiding data obsolescence e.g. by future hardware or software preventing data access (particularly if some non-standard proprietary data format has been used).

Recovery

·        The prioritisation of recovery needs must be defined and documented before a disaster happens.

·        Alternative accommodation for both hardware and for people needs to be planned. 

·        Communications mechanisms need to be established taking into account that College phones could be unavailable or the network and IT systems may be affected by the disaster. 

·        Testing of disaster recovery scenarios is the only true way of verifying their effectiveness.  This is most likely to be carried out as a series of incident scenarios but all procedures must be tested at least once every two years.

Acceptable Use

·        Staff and students need to comply with the General Regulation for IT Services , and the Policies referred to in that Regulation. 

Statutory Implications

A number of areas of legislation impact on electronic data security - primarily the Data Protection Act, the Regulation of Investigatory Powers (RIP) Act, and the Special Educational Needs and Disabilities Act. The Goldsmiths Data Protection Policy addresses the first two (the Third Party Disclosures section being particularly relevant to the RIP Act). The Disability Action Plan contains a commitment to the development of appropriate assistive technology.

Risk Management

·        Risk assessment needs to be carried out by all departments, identifying risk areas with the impact and the likelihood of occurrence also assessed.  These risks will vary according to department, location and current use of IT infrastructure however, these assessments must not rely in ITS being able to respond and should be without IT Services involvement. 

·        Impact and likelihood assessments should be used to determine priorities for attention in recovery scenarios.

·        Strategies to reduce or eliminate risk should be developed. 

Approved by Information Management and Systems Committee

14 October 2009