Information Security Policy


Contents

  • Introduction
  • Scope
  • User identification and authentication
  • Personal use of facilities
  • Connecting devices to NAC networks
  • Use of services provided by third parties
  • Unattended equipment
  • Unacceptable use
  • Penalties for misuse

Introduction

This Acceptable Use Policy sets out the responsibilities and required behaviour of users of NAC’s information systems, networks and computers.

Scope

All members of NAC (staff, students and associates), members of other institutions who have been granted federated access to use NAC’s facilities, and any others who may have been granted permission to use NAC’s information and communication technology facilities by the MD or associated Senior Managers are subject to this policy.

User identification and authentication

Each member will be assigned a unique identifier (userID) for his or her individual use. This userID may not be used by anyone other than the individual user to whom it has been issued. Each member will be assigned an associated account password which must not be divulged to anyone, including IT Services staff, for any reason other than a technical issue which can only be resolved by Service Staff accessing an area dedicated to the individual. This NAC password should not be used as the password for any other service. Individual members are expected to remember their password and to change it if there is any suspicion that it may have been compromised.

Each member of NAC staff will be assigned a unique email address for his or her individual use, and some members may also be given authorisation to use one or more generic (role-based) email addresses. Members must not use a NAC email address assigned to anyone else without their explicit permission.

Email addresses are NAC-owned assets and any use of these email addresses is subject to NAC policies.

Personal use of facilities

NAC information and communication facilities, including email addresses and computers, are provided for academic and administrative purposes related to work or study at NAC. Very occasional personal use is permitted but only as long as:

  • it does not interfere with the member of staff’s work nor the student’s study
  • it does not contravene any NAC policies
  • it is not excessive in use of resources, so as to impact on performance or cause detriment to other staff members

NAC facilities should not be used for the storage of data unrelated to membership of NAC. In particular, NAC facilities should not be used to store copies of personal photographs, music collections or personal emails.

Members of staff should not use a personal (non-NAC provided) email account to conduct NAC business and should maintain a separate, personal email account for personal email correspondence.

All use of NAC information and communication facilities, including any personal use, is subject to NAC policies.

Connecting devices to NAC networks

In order to reduce risks of malware infection and propagation, risks of network disruption and to ensure compliance, it is not permitted to connect personally owned equipment to any network socket which has not been provided specifically for the purpose. It is permissible to connect personally owned equipment to NAC’s wireless networks.

To further reduce risk of data loss, members of staff and learners should not store sensitive data on personally owned peripheral devices (for example, a personally owned USB stick) using NAC owned equipment, irrespective of where the equipment is located. If a USB device has been provided by the company, it is imperative that the device be used only for its intended purpose unless permission is given by Head Office.

Any device connected to a NAC network must be managed effectively. Devices which are not managed effectively are liable to physical or logical disconnection from the network without notice.

Use of services provided by third parties

Wherever possible, members should only use services provided or endorsed by NAC for conducting NAC business. NAC recognises, however, that there are occasions when it is unable to meet the legitimate requirements of its members and that in these circumstances it may be permissible to use services provided by other third parties.

Unattended equipment

Computers and other equipment used to access NAC facilities must not be left unattended and unlocked if logged in. Members must ensure that their computers are locked before being left unattended. Care should be taken to ensure that no restricted information is left on display on the computer when it is left unattended.

Particular care should be taken to ensure the physical security of all equipment when in transit.

All of the above is to be compliant with GDPR guidelines.

Unacceptable use

In addition to what has already been written above, the following are also considered to be unacceptable uses of NAC facilities:

  • Any illegal activity or activity which breaches any NAC policy.
  • Any attempt to undermine the security of NAC’s facilities. (For the avoidance of doubt, this includes undertaking any unauthorised penetration testing or vulnerability scanning of any NAC systems.)
  • Providing access to facilities or information to those who are not entitled to access.
  • Any irresponsible or reckless handling or unauthorised use of NAC data.
  • Any use which brings NAC into disrepute.
  • Any use of NAC facilities to bully, harass, intimidate or otherwise cause alarm or distress to others.
  • Any unauthorised access or sharing of websites that could be deemed as promoting radicalisation or extremism, as stated within the Prevent Policy.
  • Sending unsolicited and unauthorised bulk email (spam) which is unrelated to the legitimate business of NAC.
  • Creating, storing or transmitting any material which infringes copyright.
  • Creating, storing or transmitting defamatory or obscene material. (In the unlikely event that there is a genuine academic need to access obscene material, NAC must be made aware of this in advance and prior permission to access must be obtained from the MD or Head Office.)
  • Using software which is only licensed for limited purposes for any other purpose or otherwise breaching software licensing agreements.
  • Failing to comply with a request from an authorised person to desist from any activity which has been deemed detrimental to the operation of the NAC Group.
  • Failing to report any breach, or suspected breach of information security to IT Services.
  • Failing to comply with a request from an authorised person for you to change your password.

All members of NAC (staff, students and associates) who have any cause for concern regarding any of the above are to inform a member of the safeguarding team immediately. Please refer to the safeguarding policy and procedure.

Penalties for misuse

Minor breaches of policy will be dealt with by Senior Managers.

More serious breaches of policy (or repeated minor breaches) will be dealt with under NAC’s disciplinary procedures.

Where appropriate, breaches of the law will be reported to the ICO/Police. Where the breach has occurred in a jurisdiction outside the UK, the breach may be reported to the relevant authorities within that jurisdiction.