IT Policy Framework
Version Number: 1.0
Revision date: Wed, 23 Aug 2017 09:29:00 IST
Policy Owner: Director of IT Services
Policy Contents
- Purpose
- Scope
- Roles and Responsibilities
- Policy Text
- Supporting Policies, Guidelines and Statues
- Breach of Policy
- Approval and Review
- Definitions
Back To Top
2 Policy Scope
3 Roles and Responsibilities
3.1 Overview
IT Services recognises that there are two broad types of content and resources that must be considered when applying and enforcing IT policies. While all IT policies apply in each case the governance and oversight may differ.
- There is user generated content that relates to the university websites and social media presence. The activity and content under this definition will primarily be governed and guided by the Digital Estate Working Group.
- There is corporate (or university) content and resources relating to the operational, administrative, academic and research activities of the university. This activity and content will primarily be governed and guided by the External Hosting Group.
The diagram below provides a summary of how this content is governed and the various stakeholders across the university.
Figure 1
The following roles and responsibilities apply in relation to this Policy:
3.2 Digital Estate Working Group (DEWG)
With representation from IT Services, Marketing & Communications, Academic Affairs & Registry, and Audio Visual, the Digital Estate Working Group (DEWG) provides guidance and direction for the day to day running of the universities websites and social media presence. The group implements policy, defines standards and agrees content for the university homepage and other web pages. The DEWG also have a key role in ensuring compliance with IT Policies and responding to breaches of same. In terms of IT policies, the DEWG will:
- Assess incidents/policy breaches and action next steps;
- Escalate more serious issues where appropriate to IT Policy Breach Emergency Management Team (EMT);
- Manage any operational risk to the University, from breaches of approved IT policies.
3.3 External Hosting Group
The External Hosting Group chaired by the University IT Security Officer is responsible for approving the hosting of corporate data and information off-premise and in third party data centres. Included in this group is the Data Protection Officer and the Legal Secretary who will advise data owners on matters of data protection and legal matters. This group is also tasked with advising and directing a response to any IT Policy breach relating to corporate data or resources. In the event of a policy or data breach this group will:
- Assess incidents/policy breaches and to agree the next steps;
- Escalate more serious issues where appropriate;
- Manage any operational risk to the University, from breaches of approved IT policies;
- Advise data owners on appropriate hosting options and controls.
3.4 IT Policy Breach Emergency Management Team
The IT Policy Emergency Management Team (EMT) will meet in response to a breach in IT Policy that has been escalated from the DEWG or the External Hosting Group and decide if the University Emergency Response Plan needs to be invoked (https://www.ucc.ie/en/ocla/emergencyplan/) This team will include the Director of IT Services and the Corporate Secretary. Other relevant stakeholders will be invited to any meetings called by this team based on the details of any IT Policy breach. This team will act as an escalation point for serious incidents or breaches of policy relating to user generated or corporate data and resources, examples of these include:
- Incidents that may result in disciplinary action against Staff or Students.
- Incidents that may result in the invocation of the University Emergency Response Plan https://www.ucc.ie/en/ocla/emergencyplan/
- Incidents that may result in a legal action, where there are clear legal implications, or where An Garda Síochána are involved.
- Incidents that may warrant a communication plan for internal or external stakeholders.
3.5 Staff/Students/External Parties
All staff, students, and external parties or users authorised to use university data or university IT resources are expected to adhere to all IT Policies.
4 Policy Text
| IT Policies Overview | Monitoring |
| IT Policy Breach | Governance |
4.1 IT Policies and Procedures Overview
The following IT policies have been developed to facilitate and ensure consistent, high quality implementations and management of the University’s IT resources and information.
UCC IT policies are divided into two areas: policies pertaining to IT Service Resource Usage and Security, and policies pertaining to UCC Data.
Acceptable Usage Policy
The purpose of the Acceptable Usage policy is to provide all Users of the University’s IT Resources with clear guidance on the acceptable, safe and legal way in which they can use the University’s IT Resources.
Providing an efficient and reliable computing and networking service, as well as access to communications devices, to Staff, Students and alumni depends on the cooperation of all Users. It is therefore important that Users are aware of their responsibilities as detailed in the Acceptable Usage policy.
Data Policies and Procedures
University Information Assets are of important value to the University. The following policies and procedures provide clear guidance on the acceptable, safe and legal way in which Users should use and manage the University’s Information Assets:
|
Title |
Description |
|
The Data Management Policy requires Data Owners to classify their data according to its sensitivity and criticality. This procedure sets out how this classification is to be performed. |
|
|
The purpose of this policy is to enable access to data and information held by UCC, to the greatest extent possible, consistent with legislation and relevant UCC policies, whilst ensuring that electronic data is protected from unauthorised use, access and breaches of privacy. |
|
|
This policy is a statement of the University's commitment to protect the rights and privacy of individuals in accordance with the Data Protection Acts. |
|
|
The purpose of this policy is to ensure the safekeeping of data which is controlled by UCC, when it is hosted externally and that UCC fulfils all its obligations under the Data Protection Acts. |
|
|
The purpose of these procedures is to provide a framework for reporting and managing data security breaches affecting personal or sensitive personal data held by the University. These procedures are a supplement to the University’s Data Protection Policy which affirms its commitment to protect the privacy rights of individuals in accordance with Data Protection legislation. |
Internet and Social Media Policies
The University recognises that the Internet provides unique opportunities to participate in interactive discussions and to share information on topics of interest via a wide variety of social media platforms, such as Facebook, Twitter, YouTube, blogs, etc. However, as the content of such media is largely user-generated, this poses a unique set of legal and reputational risks for the University.
The purpose of the Web and Social Media Policy is to inform Staff and Students of the University what the University deems to be acceptable use of these platforms; and to offer Staff and Students a level of protection from any misuse of this medium.
Version Control Information
The University requires that all IT documents within the scope of this Policy are version controlled and, as such, each separate document includes a control sheet which must be completed as in Appendix 1.
In addition, the footer of the document will clearly indicate the current version number/ revision number. Where the document is in draft or going through a review cycle it will be numbered as version number/ revision number – for example 1.02 is the second revision of version 1.0 prior to finalisation of version 2.0. When a final version is agreed, it should be version 1.0, 2.0 and so on.
All IT policy documentation will be held in one secure central location to which access is restricted to “READ ONLY”. Once finalized, changes to documents are not allowed. To amend a document a new version needs to be created and reviewed. The IT policy documentation custodian (IT Director) will be the only person with full access to upload new documents/new versions and will only do so following the appropriate review cycle (Review and Approval section). This access restriction is critical to ensure appropriate documentation change control.
4.2 Monitoring
4.2.1 Network Usage
The University network usage is logged using multiple IT tools to protect the University IT Resources and provide forensic methods for problem solving. Logging can come from various sources including but not limited to:
- server system auditing;
- network security monitoring;
- firewall intrusion detection;
- web and network file sharing activity.
IT Services will monitor and investigate these logs in the following circumstances:
- there is reason to suspect that an IT Policy is being breached;
- bandwidth trouble shooting;
- problem solving;
- the University has other legitimate reasons for doing so.
You must therefore be aware that such logging and monitoring is taking place and the data being logged may be used if requested by an authorised officer of the University or the appropriate legal authority (Gardaí, Judiciary, etc.).
4.2.2 University Data
Data in the University’s systems (including documents, other electronic files, e-mail and recorded voicemail messages) is normally considered the property of the University, except where this data is received from an external source in the course of academic business and therefore may be the property of the sender. The University may inspect and monitor such data at any time in the following circumstances:
- there is reason to suspect that an IT Policy is being breached;
- for the purposes of backup and problem solving;
- there are other legitimate reasons for doing so;
- it is required to do so by law.
Therefore, no individual should have any expectation of privacy for messages or other data recorded in the University’s systems. This includes documents or messages marked “private”, which may be inaccessible to most Users. Likewise, the deletion of a document or message may not prevent the University from subsequently accessing the item in question.
4.2.3 Email
The email account of a Staff member and of Students, and any information contained in it including content, headers, directories and email system logs, remains the property of the University. In general, the University will respect the privacy of a Staff member’s email account. However, the University reserves the right to review, audit, intercept, access and disclose messages created, received or sent in the following circumstances:
- where there is reason to suspect that an IT Policy is being breached;
- for the purposes of back-up and/or problem-solving or where there are other legitimate reasons for doing so;
- when the University is required to do so by law;
- where, without access to the information in the account, the operations or functions of the University or a University department are likely to be seriously obstructed or impeded or where there could be serious safety or financial implications;
- where the account holder is no longer a member of Staff or retired Staff; and
- when an e-mail message is undeliverable (this is normally due to an incorrect address in which case the e-mail is redirected to the e-mail administrator who has to either open or redirect it accordingly or discard it).
Email traffic is monitored by IT Services to ensure efficient system performance and, when necessary, to locate problems/bottlenecks. Monitoring for this purpose may require an examination of the contents of messages.
4.2.4 Internet Usage and Social Media
Internet usage is monitored on a systematic basis by the University in the following circumstances:
- where there is reason to suspect that an IT Policy is being breached;
- for the purpose of back-up and/or problem solving;
- where there are other legitimate reasons for doing so;
- when it is required to do so by law.
Arising out of the need to protect the University’s network, the University cannot guarantee the confidentiality of information stored on any network device belonging to the University.
All Users should be aware that the University monitors the internet and social media on an ongoing basis to keep abreast of matters of general interest, brand presence and third party perception. The University does not specifically monitor social media and other sites of Staff, Students or External Users for content, but reserves the right to utilise for disciplinary purposes any information that could have a negative effect on the University, its Staff or Students which comes to the attention of the University or is brought to the attention of the University by Staff, Students, External Users and/or other third parties.
4.2.5 Access by or Disclosure to a Third Party of Information in a Staff Member's or Student’s Files or Email Account
While the University retains the right to monitor, read or disclose the information in a Staff member's or Student’s files or email account without the User's consent, the need to do so should arise only in exceptional circumstances. The circumstances in question would include the following:
- where there is reasonable evidence that there is or has been a violation of the Acceptable Use Policy.
- when required to do so by law or by the Gardai in accordance with the Data Protection Act[s].
Or, additionally in the case of a Staff member:
- where, without access to the information in the account, the operations or functions of the University are likely to be seriously obstructed or impeded or where there could be serious safety or financial implications.
- where the account holder is no longer a member of Staff or retired Staff.
Any request to IT Services to disclose, or to provide access to, a third party to information in a Staff member’s or Student’s files or email account must be in accordance with the following steps:
- The request must be authorised in writing by
- the Staff member's Head of Department or by two members of the University Management Team Operations (for Staff)
- the Registrar or the Academic Secretary. (for Students)
- The request must indicate the reason for access/disclosure. In the case where the request is from the Head of Department, a copy of the request must be sent to the Staff member's home address.
- Those authorising the access will nominate one or more individuals to be provided with access. Alternatively, the Director will nominate two members of the IT Services Staff to extract the necessary information both of whom will be present at all times when the information is being accessed. They will disclose the information directly to the individual(s) making the request and to no one else.
- Only the minimum information required to satisfy the request should be accessed.
- In an emergency situation where it is not possible to get the necessary authorisation within the time available, approval should be sought by the person requesting access/disclosure as soon as possible thereafter. The IT Services Staff who respond to the request in this case must provide a report for the Director stating the reason for the request, the name of the person who made the request and the name of the User whose information was to be accessed.
- Notwithstanding the above, disclosure in all cases will be in accordance with legal requirements.
5 Supporting Procedures, Policies and or Statutes
Relevant Statutes
Statutes relating to the use of computers and networking:
- University Act 1997, University College Cork: http://www.irishstatutebook.ie/eli/1997/act/24/enacted/en/html
- Criminal Damage Act, 1991 (particularly Section 5) http://www.irishstatutebook.ie/1991/en/act/pub/0031/ ;
- Data Protection Act, 1988 http://www.irishstatutebook.ie/1988/en/act/pub/0025/ ;
- Child Trafficking and Pornography Act, 1998 http://www.irishstatutebook.ie/1998/en/act/pub/0022/ ;
- Copyright and Related Rights Act, 2000 http://www.irishstatutebook.ie/pdf/2000/en.act.2000.0028.pdf ;
- Health and Safety Act (1989) http://www.irishstatutebook.ie/1989/en/act/pub/0007/index.html ;
- Intellectual Property Miscellaneous Provisions Act (1998) http://www.irishstatutebook.ie/1998/en/act/pub/0028/index.html
6 Breach of Policy
Any incidents relating to breaches of approved UCC IT polices as listed on our website http://www.ucc.ie/en/it-policies/policies will be managed using the IT Policy Breach Handling Protocol defined below. This includes but is not limited to:
- social media issues;
- acceptable use issues, such as on email or websites;
- security issues, password loss;
- notification of loss of sensitive equipment, hardware;
- copyright Infringement issues;
- cyber bullying or harassment issues.
The University operates a strict “notice and takedown” procedure. Users are encouraged to be vigilant and to report any suspected violations of this Policy immediately to helpdesk@ucc.ie or itsecurity@ucc.ie On receipt of notice (or where the University otherwise becomes aware) of any suspected breach of this Policy, the University reserves the following rights:
- to remove, or require the removal of, any content which is deemed by the University to be in breach or potentially in breach of this Policy; and/or
- to disable any User and access to the University’s IT Resources.
If any breach of this Policy is observed, then (in addition to the above) disciplinary action up to and including dismissal in the case of Staff, expulsion in the case of Students or contract termination in the case of third parties may be taken in accordance with the University's disciplinary procedures (Principal Statute for staff) and Student Disciplinary Procedure for Students as amended or updated from time to time.
|
Step |
Action |
Executor |
|
1 |
The IT Security Officer is notified of a potential breach of IT policy directly or via the itsecurity@ucc.ie mailbox. |
Notifier/ IT Security Officer |
|
2 |
Information is gathered relating to the reported breach of IT policy in order to determine if breach relates to user generated content or corporate data/resources |
IT Security Officer |
|
3 |
IT Officer directs the reported breach to either DEWG or External Hosting Group. |
IT Security Officer |
|
4 |
DEWG or External Hosting Group decides whether, in fact, a breach of IT policy has taken place. If it is decided that a breach of IT policy has not taken place this decision is communicated to the interested parties and the incident is closed. |
DEWG/ External Hosting Group |
|
5a |
DEWG or External Hosting Group agrees appropriate actions to take in response to the breach of IT policy. The first step will usually be to inform the User involved that their actions breach standard IT policy and request immediate cessation/takedown where applicable. Other possible actions include (but are not limited to) restricting or disabling Users’ accounts and issuing takedown notices to 3rd party sites such as social networking sites. |
DEWG/ External Hosting Group |
|
5b |
DEWG or External Hosting Group considers whether a potential disciplinary issue arises. Such cases involving students are referred to the Registrar’s Office (Head of Student Experience) and in the event of Staff, the User that reported the incident can make a formal complaint to their head of department in the first instance and then HR, standard UCC grievance procedure applies. |
DEWG/ External Hosting Group |
|
5c |
DEWG or External Hosting Group escalates serious breaches of IT policy to IT Policy Breach Emergency Management Team |
DEWG/ External Hosting Group |
|
6 |
Examples of breaches of IT policy which will be escalated to IT Policy Breach Emergency Management Team include:
|
IT Policy Breach Emergency Management Team |
|
7 |
DEWG or External Hosting Group implements its agreed actions and closes the incident. |
DEWG/ External Hosting Group |
6.1 Typical Incident Types and Actions Required
|
Incident Type |
Owner |
Action |
|
Copyright breach |
Corporate Secretary |
IT Director will forward to OCLA |
|
Network breach/Hack |
IT Director |
IT Director will forward to network team |
|
Social Media Abuse |
Director Marketing & Communications |
Offensive material will be removed Facebook will be contacted if required |
|
Complaint about Student |
Head of Student Experience |
Relevant details will forward to Head of Student Experience |
|
Complaint about Staff |
Staff Head of Department and HR |
IT will check if the issue is in breach of policy, will offer the Staff member their opinion, Staff will escalate to HoD, via the standard Grievance procedure |
|
IT detect a breach of Policy |
IT Director |
Will inform Head of Department or Head of Student experience about the breach |
6.2 Types of Incidents that will be Escalated to the IT Policy Breach Emergency Management Team
|
Incident Type |
Owner |
Action |
|
Suspected Staff Disciplinary issues |
Head of Department |
Ask the User to inform their Head of Department of the incident |
|
Suspected Student Disciplinary issues |
Head of Student Experience |
Student experience will notify Campus watch and follow process |
|
Reputational Damage to the University |
VP of external Affairs |
|
|
Data protection breach |
Data protection officer |
Data protection incident procedure will be followed |
|
Emergency Response Issue |
UMT Member |
Relevant Emergency response plan followed |
|
Serious IT Incident (outage, Hack, Breach) |
Director of IT |
IT Director will take immediate actions to address the breach. |
7 Review and Approval
Definitions
For the purposes of this Policy, the following capitalised terms (which are used throughout this Policy) shall have the following meanings in the context of this Policy:
|
Term |
Definition |
|---|---|
|
External Parties |
All the University’s subsidiary companies, contractors, researchers, visitors and/or any other parties who have access to the University’s IT Resources. |
|
High Severity Incident |
An incident that may result in the following. a) referral under relevant disciplinary procedures for staff or students b) the invocation of the University emergency response plan; c) a legal action or where there are clear legal implications; d) warrant a communication plan for internal or external stakeholders. Examples include: a) abusive email; b) offensive social media complaint made against a member of Staff.
|
|
Low Severity Incident |
An incident that breached policy but not in a way that is personally damaging to the University or to others. Examples include: a) copyright infringement notice; b) mistaken breach of policy; c) unwelcome social media comments.
|
|
Policy |
This IT Policy. |
|
Staff |
All full-time and part-time employees of the University, including hourly occasional, research Staff funded externally |
|
Student |
A Student, either full-time or part-time, registered with UCC. |
|
University Information Assets |
Information which is of value to the University. This includes, but is not limited to, information regarding: a) Students; b) Staff; c) financial matters; d) research. This information may be stored on many different media including: a) paper; b) electronic hardware devices (hard drives, flash drives); c) centrally managed infrastructure including servers and storage; d) mobile devices; e) cloud hosted services. |
|
University IT Resources |
IT resources include those provided centrally by the University’s IT Services as well as those provided locally in its offices, departments, schools, colleges or other units. This includes University IT resources accessed remotely via without limitation: a) The University’s network and connected networks and to all equipment connected to those networks physically or via wireless. b) Any networks created independently off the campus network, if they are connected to the University network. c) All University-owned IT equipment including servers, desktops, laptops, tablets, mobile devices and network-related equipment. d) Any equipment owned by third parties, leased or personally-owned which use the University network, in conjunction with their work or study in the University. |
|
University or UCC |
University College Cork – National University of Ireland, Cork |
|
Users |
All Students, Staff and External Parties. |
Back To Top
