IT Policy Framework

Version Number: 1.0

Revision date: Wed, 23 Aug 2017 09:29:00 IST

Policy Owner: Director of IT Services


1 Purpose

1.1 Background

The University endeavours, at all times, to ensure consistent, high quality implementation and management of its IT resources, processes and practices. A comprehensive framework of well-defined policies, procedures and standards is required to facilitate and ensure this. The need for formal IT Policies has been highlighted in risk management processes and internal control frameworks for the University. This IT Policy is a key element in meeting and supporting these requirements.

In developing the IT policies, procedures and standards for the University, due regard and consideration has been given to the ISO 27000 series of standards which have been specifically reserved by ISO (International Standards Organisation) for information security matters. It is not intended that the University seeks to be compliant with all aspects of the relevant ISO information security standards as this would not be appropriate in all instances. However, it is intended that the University would aspire to implement policies, standards and procedures which are consistent with key aspects of the standards.

1.2 Aims and Objectives

The purpose of this Policy is to provide context for all other IT policies and procedures.  It will document:

  • High-level description of IT policies, outlining the purpose of these policies and the spirit within which they were developed;
  • Definition of common terms;
  • Roles and responsibilities;
  • Supporting policies and procedures;
  • Relevant statutes;
  • Other relevant information.


2 Policy Scope

This Policy covers documentation of policy and procedures relating to:

  • The University’s Information Assets;
  • The University’s IT Resources.

This Policy applies to, but is not limited to, the following:

  • The University’s Staff;
  • The University’s Students;
  • The University’s External Parties and individuals authorised to access and use the university information assets and resources.

3 Roles and Responsibilities

3.1 Overview

IT Services recognises that there are two broad types of content and resources that must be considered when applying and enforcing IT policies. While all IT policies apply in each case, the governance and oversight may differ.

  1. There is user generated content that relates to the university websites and social media presence. The activity and content under this definition will primarily be governed and guided by the Digital Estate Working Group.
  2. There is corporate (or university) content and resources relating to the operational, administrative, academic and research activities of the university. This activity and content will primarily be governed and guided by the External Hosting Group.

The diagram below provides a summary of how this content is governed and the various stakeholders across the university.

Figure 1: IT Policy Figure One (governance summary diagram)

The following roles and responsibilities apply in relation to this Policy:

3.2 Digital Estate Working Group (DEWG)

With representation from IT Services, Marketing & Communications, Academic Affairs & Registry, and Audio Visual, the Digital Estate Working Group (DEWG) provides guidance and direction for the day-to-day running of the University’s websites and social media presence. The group implements policy, defines standards and agrees content for the University homepage and other web pages. The DEWG also has a key role in ensuring compliance with IT Policies and responding to breaches of same. In terms of IT policies, the DEWG will:

  • Assess incidents/policy breaches and action next steps;
  • Escalate more serious issues where appropriate to IT Policy Breach Emergency Management Team (EMT);
  • Manage any operational risk to the University, from breaches of approved IT policies. 

3.3 External Hosting Group

The External Hosting Group, chaired by the University IT Security Officer, is responsible for approving the hosting of corporate data and information off-premise and in third party data centres. Included in this group are the Data Protection Officer and the Legal Secretary, who will advise data owners on data protection and legal matters. This group is also tasked with advising and directing a response to any IT Policy breach relating to corporate data or resources. In the event of a policy or data breach this group will:

  • Assess incidents/policy breaches and agree the next steps;
  • Escalate more serious issues where appropriate;
  • Manage any operational risk to the University, from breaches of approved IT policies;
  • Advise data owners on appropriate hosting options and controls.

3.4 IT Policy Breach Emergency Management Team

The IT Policy Breach Emergency Management Team (EMT) will meet in response to a breach in IT Policy that has been escalated from the DEWG or the External Hosting Group and decide if the University Emergency Response Plan needs to be invoked (https://www.ucc.ie/en/ocla/emergencyplan/). This team will include the Director of IT Services and the Corporate Secretary. Other relevant stakeholders will be invited to any meetings called by this team based on the details of the IT Policy breach. This team will act as an escalation point for serious incidents or breaches of policy relating to user generated or corporate data and resources; examples of these include:

  • Incidents that may result in disciplinary action against Staff or Students.
  • Incidents that may result in the invocation of the University Emergency Response Plan https://www.ucc.ie/en/ocla/emergencyplan/
  • Incidents that may result in a legal action, where there are clear legal implications, or where An Garda Síochána are involved.
  • Incidents that may warrant a communication plan for internal or external stakeholders.

3.5 Staff/Students/External Parties

All staff, students, and external parties or users authorised to use university data or university IT resources are expected to adhere to all IT Policies.

4 Policy Text


4.1 IT Policies and Procedures Overview

The following IT policies have been developed to facilitate and ensure consistent, high quality implementations and management of the University’s IT resources and information.

UCC IT policies are divided into two areas: policies pertaining to IT Service Resource Usage and Security, and policies pertaining to UCC Data.

Figure: framework overview (diagram)

Acceptable Usage Policy

The purpose of the Acceptable Usage policy is to provide all Users of the University’s IT Resources with clear guidance on the acceptable, safe and legal way in which they can use the University’s IT Resources. 

Providing an efficient and reliable computing and networking service, as well as access to communications devices, to Staff, Students and alumni depends on the cooperation of all Users. It is therefore important that Users are aware of their responsibilities as detailed in the Acceptable Usage policy.

IT Security Policy

The purpose of this IT security policy is to protect the information assets of the University from all threats, whether internal, external, deliberate or accidental. The policy is aimed at safeguarding the availability, confidentiality and integrity of the University’s information and at protecting the IT assets and services of the University against unauthorised access, intrusion, disruption or other damage. The policy has been written to provide a mechanism to establish procedures to protect against security threats, minimise the impact of security incidents and ensure compliance with applicable legislation and regulations.

Web and Social Media Policy

The University recognises that the Internet provides unique opportunities to participate in interactive discussions and to share information on topics of interest via a wide variety of social media platforms, such as Facebook, Twitter, YouTube, blogs, etc. However, as the content of such media is largely user-generated, this poses a unique set of legal and reputational risks for the University.

The purpose of the Web and Social Media Policy is to inform Staff and Students of the University what the University deems to be acceptable use of these platforms; and to offer Staff and Students a level of protection from any misuse of this medium.


Data Policies and Procedures

University Information Assets are of important value to the University. The following policies and procedures provide clear guidance on the acceptable, safe and legal way in which Users should use and manage the University’s Information Assets:

Data Classification Procedure

The Data Management Policy requires Data Owners to classify their data according to its sensitivity and criticality. This procedure sets out how this classification is to be performed.

Data Management Policy

The purpose of this policy is to enable access to data and information held by UCC, to the greatest extent possible, consistent with legislation and relevant UCC policies, whilst ensuring that electronic data is protected from unauthorised use, access and breaches of privacy.

Data Protection Policy

This policy is a statement of the University’s commitment to protect the rights and privacy of individuals in accordance with the Data Protection Acts.

Externally Hosted Data Policy

The purpose of this policy is to ensure the safekeeping of data which is controlled by UCC when it is hosted externally, and that UCC fulfils all its obligations under the Data Protection Acts.

Personal Data Security Breach Management Process

The purpose of these procedures is to provide a framework for reporting and managing data security breaches affecting personal or sensitive personal data held by the University. These procedures are a supplement to the University’s Data Protection Policy, which affirms its commitment to protect the privacy rights of individuals in accordance with Data Protection legislation.

Version Control Information

The University requires that all IT documents within the scope of this Policy are version controlled and, as such, each separate document includes a control sheet which must be completed as in Appendix 1.

In addition, the footer of the document will clearly indicate the current version number/revision number. Where the document is in draft or going through a review cycle it will be numbered as version number/revision number; for example, 1.02 is the second revision of version 1.0 prior to finalisation of version 2.0. When a final version is agreed, it should be numbered 1.0, 2.0 and so on.

All IT policy documentation will be held in one secure central location to which access is restricted to “READ ONLY”. Once finalised, changes to documents are not allowed; to amend a document, a new version must be created and reviewed. The IT policy documentation custodian (IT Director) will be the only person with full access to upload new documents/new versions and will only do so following the appropriate review cycle (see the Review and Approval section). This access restriction is critical to ensure appropriate documentation change control.

4.2 Monitoring

4.2.1 Network Usage

The University network usage is logged using multiple IT tools to protect the University IT Resources and provide forensic methods for problem solving.  Logging can come from various sources including but not limited to:

  • server system auditing;
  • network security monitoring;
  • firewall intrusion detection;
  • web and network file sharing activity.

IT Services will monitor and investigate these logs in the following circumstances:

  • there is reason to suspect that an IT Policy is being breached;
  • bandwidth troubleshooting;
  • problem solving;
  • the University has other legitimate reasons for doing so.

You must therefore be aware that such logging and monitoring is taking place and the data being logged may be used if requested by an authorised officer of the University or the appropriate legal authority (Gardaí, Judiciary, etc.).

4.2.2 University Data

Data in the University’s systems (including documents, other electronic files, e-mail and recorded voicemail messages) is normally considered the property of the University, except where this data is received from an external source in the course of academic business and therefore may be the property of the sender.  The University may inspect and monitor such data at any time in the following circumstances:

  • there is reason to suspect that an IT Policy is being breached;
  • for the purposes of backup and problem solving;
  • there are other legitimate reasons for doing so;
  • it is required to do so by law. 

Therefore, no individual should have any expectation of privacy for messages or other data recorded in the University’s systems. This includes documents or messages marked “private”, which may be inaccessible to most Users.  Likewise, the deletion of a document or message may not prevent the University from subsequently accessing the item in question. 

4.2.3 Email

The email account of a Staff member and of Students, and any information contained in it including content, headers, directories and email system logs, remains the property of the University.  In general, the University will respect the privacy of a Staff member’s email account. However, the University reserves the right to review, audit, intercept, access and disclose messages created, received or sent in the following circumstances:

  • where there is reason to suspect that an IT Policy is being breached;
  • for the purposes of back-up and/or problem-solving or where there are other legitimate reasons for doing so;
  • when the University is required to do so by law;
  • where, without access to the information in the account, the operations or functions of the University or a University department are likely to be seriously obstructed or impeded or where there could be serious safety or financial implications;
  • where the account holder is no longer a member of Staff or retired Staff; and
  • when an e-mail message is undeliverable (this is normally due to an incorrect address in which case the e-mail is redirected to the e-mail administrator who has to either open or redirect it accordingly or discard it).

Email traffic is monitored by IT Services to ensure efficient system performance and, when necessary, to locate problems/bottlenecks. Monitoring for this purpose may require an examination of the contents of messages.

4.2.4 Internet Usage and Social Media

Internet usage is monitored on a systematic basis by the University in the following circumstances:

  • where there is reason to suspect that an IT Policy is being breached;  
  • for the purpose of back-up and/or problem solving;
  • where there are other legitimate reasons for doing so;
  • when it is required to do so by law. 

Arising out of the need to protect the University’s network, the University cannot guarantee the confidentiality of information stored on any network device belonging to the University.

All Users should be aware that the University monitors the internet and social media on an ongoing basis to keep abreast of matters of general interest, brand presence and third party perception. The University does not specifically monitor social media and other sites of Staff, Students or External Users for content, but reserves the right to utilise for disciplinary purposes any information that could have a negative effect on the University, its Staff or Students which comes to the attention of the University or is brought to the attention of the University by Staff, Students, External Users and/or other third parties.

4.2.5 Access by or Disclosure to a Third Party of Information in a Staff Member’s or Student’s Files or Email Account

While the University retains the right to monitor, read or disclose the information in a Staff member’s or Student’s files or email account without the User’s consent, the need to do so should arise only in exceptional circumstances. The circumstances in question would include the following:

  • where there is reasonable evidence that there is or has been a violation of the Acceptable Use Policy;
  • when required to do so by law or by the Gardaí in accordance with the Data Protection Act[s].

Or, additionally in the case of a Staff member:

  • where, without access to the information in the account, the operations or functions of the University are likely to be seriously obstructed or impeded or where there could be serious safety or financial implications.
  • where the account holder is no longer a member of Staff or retired Staff.

Any request to IT Services to disclose, or to provide access to, a third party to information in a Staff member’s or Student’s files or email account must be in accordance with the following steps:

  • The request must be authorised in writing by:
    • the Staff member’s Head of Department, or two members of the University Management Team Operations (for Staff);
    • the Registrar or the Academic Secretary (for Students).
  • The request must indicate the reason for access/disclosure. In the case where the request is from the Head of Department, a copy of the request must be sent to the Staff member's home address.
  • Those authorising the access will nominate one or more individuals to be provided with access. Alternatively, the Director will nominate two members of the IT Services Staff to extract the necessary information both of whom will be present at all times when the information is being accessed. They will disclose the information directly to the individual(s) making the request and to no one else.
  • Only the minimum information required to satisfy the request should be accessed.
  • In an emergency situation where it is not possible to get the necessary authorisation within the time available, approval should be sought by the person requesting access/disclosure as soon as possible thereafter. The IT Services Staff who respond to the request in this case must provide a report for the Director stating the reason for the request, the name of the person who made the request and the name of the User whose information was to be accessed.
  • Notwithstanding the above, disclosure in all cases will be in accordance with legal requirements.



5 Supporting Procedures, Policies and/or Statutes

The policies and procedures listed in the IT Policies and Procedures section of this Policy provide information or step-by-step instructions on how to implement this Policy.

The Policy should be read in conjunction with other University policies including UCC’s: 


Relevant Statutes

Statutes relating to the use of computers and networking:


6 Breach of Policy

Any incidents relating to breaches of approved UCC IT policies as listed on our website http://www.ucc.ie/en/it-policies/policies will be managed using the IT Policy Breach Handling Protocol defined below. This includes but is not limited to:

  • social media issues;
  • acceptable use issues, such as on email or websites;
  • security issues, password loss;
  • notification of loss of sensitive equipment, hardware;
  • copyright infringement issues;
  • cyber bullying or harassment issues.

The University operates a strict “notice and takedown” procedure. Users are encouraged to be vigilant and to report any suspected violations of this Policy immediately to helpdesk@ucc.ie or itsecurity@ucc.ie. On receipt of notice (or where the University otherwise becomes aware) of any suspected breach of this Policy, the University reserves the following rights:

  • to remove, or require the removal of, any content which is deemed by the University to be in breach or potentially in breach of this Policy; and/or
  • to disable any User account and access to the University’s IT Resources.

If any breach of this Policy is observed, then (in addition to the above) disciplinary action up to and including dismissal in the case of Staff, expulsion in the case of Students or contract termination in the case of third parties may be taken in accordance with the University's disciplinary procedures (Principal Statute for staff) and Student Disciplinary Procedure for Students as amended or updated from time to time.


Figure 2: IT Policy Figure Two (breach handling protocol diagram)

IT Policy Breach Handling Protocol (step, action and executor):

Step 1 (Executor: Notifier / IT Security Officer)
The IT Security Officer is notified of a potential breach of IT policy directly or via the itsecurity@ucc.ie mailbox.

Step 2 (Executor: IT Security Officer)
Information is gathered relating to the reported breach of IT policy in order to determine whether the breach relates to user generated content or to corporate data/resources.

Step 3 (Executor: IT Security Officer)
The IT Security Officer directs the reported breach to either the DEWG or the External Hosting Group.

Step 4 (Executor: DEWG / External Hosting Group)
The DEWG or External Hosting Group decides whether, in fact, a breach of IT policy has taken place. If it is decided that a breach of IT policy has not taken place, this decision is communicated to the interested parties and the incident is closed.

Step 5a (Executor: DEWG / External Hosting Group)
The DEWG or External Hosting Group agrees appropriate actions to take in response to the breach of IT policy. The first step will usually be to inform the User involved that their actions breach standard IT policy and to request immediate cessation/takedown where applicable. Other possible actions include (but are not limited to) restricting or disabling Users’ accounts and issuing takedown notices to 3rd party sites such as social networking sites.

Step 5b (Executor: DEWG / External Hosting Group)
The DEWG or External Hosting Group considers whether a potential disciplinary issue arises. Such cases involving Students are referred to the Registrar’s Office (Head of Student Experience). In the case of Staff, the User that reported the incident can make a formal complaint to their Head of Department in the first instance and then to HR; the standard UCC grievance procedure applies.

Step 5c (Executor: DEWG / External Hosting Group)
The DEWG or External Hosting Group escalates serious breaches of IT policy to the IT Policy Breach Emergency Management Team.

Step 6 (Executor: IT Policy Breach Emergency Management Team)
Examples of breaches of IT policy which will be escalated to the IT Policy Breach Emergency Management Team include:
  • Reputational damage to the University. The DEWG will notify the office of the Vice President for External Relations.
  • Emergency response issues. The UMT is notified and the relevant emergency response plan is followed.
  • Data protection issues. OCLA is notified and the procedure for data protection breach is invoked.

Step 7 (Executor: DEWG / External Hosting Group)
The DEWG or External Hosting Group implements its agreed actions and closes the incident.


6.1 Typical Incident Types and Actions Required

Copyright breach
  Owner: Corporate Secretary
  Action: IT Director will forward to OCLA.

Network breach/Hack
  Owner: IT Director
  Action: IT Director will forward to the network team.

Social Media Abuse
  Owner: Director Marketing & Communications
  Action: Offensive material will be removed; Facebook will be contacted if required.

Complaint about Student
  Owner: Head of Student Experience
  Action: Relevant details will be forwarded to the Head of Student Experience.

Complaint about Staff
  Owner: Staff Head of Department and HR
  Action: IT will check whether the issue is in breach of policy and will offer the Staff member their opinion; the Staff member will escalate to their Head of Department via the standard Grievance procedure.

IT detects a breach of Policy
  Owner: IT Director
  Action: Will inform the Head of Department or the Head of Student Experience about the breach.


6.2 Types of Incidents that will be Escalated to the IT Policy Breach Emergency Management Team

Suspected Staff Disciplinary issues
  Owner: Head of Department
  Action: Ask the User to inform their Head of Department of the incident.

Suspected Student Disciplinary issues
  Owner: Head of Student Experience
  Action: Student Experience will notify Campus Watch and follow the process.

Reputational Damage to the University
  Owner: VP of External Affairs

Data protection breach
  Owner: Data Protection Officer
  Action: Data protection incident procedure will be followed.

Emergency Response Issue
  Owner: UMT Member
  Action: Relevant Emergency Response plan followed.

Serious IT Incident (outage, Hack, Breach)
  Owner: Director of IT
  Action: IT Director will take immediate actions to address the breach.


7 Review and Approval

The University reserves the right to amend this Policy at any time, in any manner in which the University sees fit, at the absolute discretion of the University or the President of the University.

Any such revisions will be noted in the revision history of the Policy, which is available to you on the website. By continuing to use the University’s IT Resources following any update you will be deemed to have accepted the revised terms of this Policy.

Approval Date

Wed, 21 Jun 2017 09:29:00 IST

Summary of Policy Changes


Draft Version Number/Revision Number

Revision Date

Summary of Changes


This document requires the following approvals (name and title):

  • Gerard Culley, Director of Information Technology
  • John Fitzgerald, Director of Information Services
  • John Morrison, Chair of IS & ER Committee
  • Michael Farrell, Corporate Secretary
  • Heads of College
  • Academic Council


8 Further Information

Contact Email: itsecurity@ucc.ie

Contact Name:

Director of IT Services

Contact Telephone Number:

021 4902215

Definitions

For the purposes of this Policy, the following capitalised terms (which are used throughout this Policy) shall have the following meanings in the context of this Policy:

External Parties

All the University’s subsidiary companies, contractors, researchers, visitors and/or any other parties who have access to the University’s IT Resources.

High Severity Incident

An incident that may result in:

  a) referral under relevant disciplinary procedures for Staff or Students;
  b) the invocation of the University emergency response plan;
  c) a legal action, or where there are clear legal implications;
  d) the need for a communication plan for internal or external stakeholders.

Examples include:

  a) abusive email;
  b) offensive social media complaint made against a member of Staff.

Low Severity Incident

An incident that breaches policy, but not in a way that is personally damaging to the University or to others. Examples include:

  a) copyright infringement notice;
  b) mistaken breach of policy;
  c) unwelcome social media comments.

Policy

This IT Policy.

Staff

All full-time and part-time employees of the University, including hourly, occasional and externally funded research Staff.

Student

A Student, either full-time or part-time, registered with UCC.

University Information Assets

Information which is of value to the University. This includes, but is not limited to, information regarding:

  a) Students;
  b) Staff;
  c) financial matters;
  d) research.

This information may be stored on many different media including:

  a) paper;
  b) electronic hardware devices (hard drives, flash drives);
  c) centrally managed infrastructure including servers and storage;
  d) mobile devices;
  e) cloud hosted services.

University IT Resources

IT resources include those provided centrally by the University’s IT Services as well as those provided locally in its offices, departments, schools, colleges or other units. This includes, without limitation, University IT resources accessed remotely via:

  a) the University’s network and connected networks, and all equipment connected to those networks physically or via wireless;
  b) any networks created independently of the campus network, if they are connected to the University network;
  c) all University-owned IT equipment including servers, desktops, laptops, tablets, mobile devices and network-related equipment;
  d) any equipment owned by third parties, leased or personally-owned, which uses the University network in conjunction with the owner’s work or study in the University.

University or UCC

University College Cork – National University of Ireland, Cork

Users

All Students, Staff and External Parties.


University College Cork

Coláiste na hOllscoile Corcaigh

College Road, Cork T12 YN60
