1. This policy defines and enforces an appropriate level of IT protection within the Polytechnic. It serves to protect the Polytechnic's IT and information assets across the Polytechnic.
It aims to provide the following protection:
- Confidentiality - the prevention of unauthorised disclosure of information.
- Integrity - the prevention of the unauthorised amendment, corruption, or deletion of information.
- Availability - the prevention of the unauthorised withholding of information or resources.
The policy applies to all kaimahi and ākonga of Otago Polytechnic, and also to contractors, consultants, and visitors engaged to work with, or who have access to, the Polytechnic technology infrastructure and its information.
3.1. Users are responsible for:
3.1.1. Operating within the bounds of the IT Use and Security of Information Systems Policy.
3.1.2. Ensuring that no breach of information security results from their actions.
3.1.3. Reporting any breach or suspected breach in security to the Otago Polytechnic Information Systems and Support (ISS) Service Desk.
3.1.4. The confidentiality of their user account and password information.
3.2. ISS are authorised to:
3.2.1. Protect information and computing resources through implementing and administering the IT Use and Security of Information Systems Policy and associated Security Standards.
3.2.2. Implement new systems and processes that are compliant with industry standards, or any governing body as applicable.
3.2.3. Ensure that the Polytechnic complies with relevant legislation and regulations relating to IT.
3.2.4. Take all reasonable steps to limit or remove risk to the Polytechnic's operational environment, e.g. removing access, blocking files or functionality, etc.
3.2.5. Search kaimahi email and files if instructed to do so by the Executive Director or the Otago Polytechnic Privacy Officer.
4. Acceptable and Unacceptable Use
4.1.1. Communicating and sharing information the individual is authorised to share with Otago Polytechnic kaimahi or the public.
4.1.2. Research on the internet to develop professional and educational skills related to the user's position at Otago Polytechnic.
4.1.3. Broadening knowledge of the education sector, clients, and applicable news within the context of an individual's assigned responsibilities.
4.1.4. Acquiring or sharing information necessary or related to the performance of an individual's assigned responsibilities.
4.1.5. Reasonable use of computing facilities for personal correspondence, e.g. sending personal emails and using internet websites, so long as it does not interfere with kaimahi productivity, bring Otago Polytechnic into disrepute, pose a security risk, or consume sustained high-volume traffic.
4.2. Unacceptable Practice
4.2.1. Use of IT services for illegal or unlawful purposes. This includes, but is not limited to, intentional copyright infringement, obscenity, fraud, defamation, discrediting the Polytechnic or a third party, plagiarism, harassment, intimidation, forgery, impersonation, and computer tampering (e.g. spreading computer viruses).
4.2.2. Intentionally using IT services to visit internet sites that contain sensitive, obscene, pornographic, hateful, or other objectionable material.
4.2.3. Where access to websites deemed sensitive is necessary for teaching and learning or research purposes, specific access may be authorised via the Head of College applying to the Executive Director. This access is recorded on a register.
4.2.4. Using IT services to reveal or publicise confidential or proprietary information which includes but is not limited to financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer/ākonga/kaimahi details, personal details about an individual, technical product information, computer software and code, computer network and access details and business relationships.
4.2.5. Intentionally saving any Polytechnic-owned information deemed as records under the Public Records Act to external systems not endorsed or operated by ISS. This includes but is not limited to Cloud service providers, Google, Amazon etc.
4.2.6. Where the use of IT service/s is deemed unacceptable practice (including, but not limited to, the descriptions above), disciplinary action may be taken in line with the Resolving Performance Problems policy (kaimahi) and the Ākonga/Learner Discipline Policy (ākonga).
5.1. The Polytechnic provides both open and closed access to its IT services. Specific permissions are required to access closed aspects of the IT services and infrastructure to ensure confidentiality and maintain the integrity of the infrastructure.
5.2. Only authorised users are permitted to access and use the Polytechnic's Closed IT services.
5.3. Kaimahi and ākonga user accounts are created and managed by ISS under the direction of Otago Polytechnic People and Culture. ISS is responsible for:
5.3.1. Creating and deleting user accounts as directed by Otago Polytechnic People and Culture.
5.3.2. Annual auditing of accounts to verify account status.
5.3.3. Disablement of kaimahi accounts two (2) weeks after Otago Polytechnic People and Culture notifies ISS of the termination date, unless requested sooner.
5.3.3.1. Except where kaimahi accounts are to be retained as active, with approval from the Executive Director's Office.
5.3.4. Deletion of kaimahi accounts five (5) years after Otago Polytechnic People and Culture notifies ISS of the termination date, with the exception of access for Otago Polytechnic honours award recipients as per the Honorary Degrees and Recognition Awards Policy.
5.3.5. Deleting ākonga accounts that have not been accessed for at least twelve (12) months.
5.3.6. Ensuring that account user IDs are not reused, except for a returning kaimahi or ākonga.
5.4. Contractor (non-staff) access is created and managed by ISS.
5.4.1. All contractor accounts have an account expiry set on creation; expiry forces a review of account validity.
5.4.2. Only the Otago Polytechnic kaimahi responsible for the contractor can request the re-enablement of disabled or expired accounts.
5.5. System access audit review.
5.5.1. Systems will have an access review every four (4) months. This includes the following systems:
- Learner Management System
- Organisational Finance System
- People and Culture system
- Physical access security (Cardax).
5.6. IT accounts can be disabled at the request of the Executive Director or a member of Te Kāhui Manukura.
6.1. Remote access to the Polytechnic's IT services is provided for kaimahi working offsite. Refer to Flexible Working Policy.
7.1. Passwords must be kept confidential and are the responsibility of the individual user. They are not to be shared or used by anyone else, even for a short period of time.
7.2. Password construction must comply with the following minimum standard.
7.2.1. All passwords are required to be a minimum length of sixteen (16) characters (Passphrase) and are not required to contain special or numerical characters.
7.2.2. Access is denied after three (3) unsuccessful login attempts, and a security process is required to reinstate access.
7.2.3. When passwords are first issued, users are required to change their password on first use.
7.3. Privileged user accounts (i.e. system-wide administrator accounts) are subject to additional password requirements.
7.3.1. All administrative accounts are subject to passwords of not less than eight (8) characters, using special characters, with a forced change every one hundred and eighty (180) days and no reuse of the last 24 passwords.
7.3.2. Long-term contractors (generally external providers, i.e. not kaimahi) are subject to passwords of not less than eight (8) characters, using special characters, with a forced change every ninety (90) days and no reuse of the last 5 passwords.
8.1. Personal devices are welcome on the Otago Polytechnic "OP -Guest" WiFi network. Personal devices are not authorised to connect to the internal Polytechnic cabled networks.
8.2. ISS are authorised to install, remove, and configure software and make configuration changes to IT services. This includes returning Otago Polytechnic IT equipment to its original build status to rectify faults and remove unlicensed software.
8.3. Computers and mobile devices issued by the Polytechnic to users remain the property of the Polytechnic unless otherwise agreed with the Formal Manager, which is often the case in redundancy situations.
8.4.1. Information stored electronically on removable devices must be encrypted if it contains any information listed below. The ISS Service Desk is available to assist in this activity in confidence.
a. Personal Information about any customer/kaimahi/ākonga of Otago Polytechnic.
b. Confidential Financial data.
c. Passwords or secure user information.
8.4.2. For information stored on removable devices that is not covered by 8.4.1, the device owner is responsible for ensuring it is used only by the intended recipient.
8.5. All Polytechnic IT equipment is required to be identified with a unique asset number. This number is to remain accessible, and only ISS kaimahi, in coordination with Otago Polytechnic Finance, are permitted to remove the asset identifier.
8.6. All Polytechnic IT hardware or media are to be returned to ISS when no longer required or when users terminate their association with the Polytechnic.
8.7. In the event of a Polytechnic IT asset being lost, accidentally damaged, or stolen, the incident is to be reported to the ISS Service Desk. It is at the discretion of the Executive Director or equivalent whether theft or damage is escalated to the New Zealand Police following the report to the ISS Service Desk.
8.8. Only ISS is authorised to dispose of Polytechnic IT equipment, including software.
Note: Polytechnic IT assets include but are not limited to equipment such as laptops and desktop computers, printers and peripheral devices that connect or have access to the Polytechnic network. This also includes handheld mobile devices, e.g. phones, and tablets. IT assets also include all software, whether packaged or custom-built. IT media includes but is not limited to USB keys and portable hard drives.
9. Communications and Operations Management
The following security requirements apply to the operations of ISS services.
9.1.1. No investigations are permitted without authority from either the Executive Director or Otago Polytechnic Privacy Officer. The Executive Director must be notified in all cases of an investigation being authorised.
9.1.2. ISS kaimahi who are authorised on a case-by-case basis by any of those identified in 9.1.1 are permitted to search, collect, and report on IT activity for the purposes of a specific security audit and/or investigation.
9.2 Physical and Environmental Security
9.2.1. Access to IT infrastructure facilities is restricted to authorised individuals whose job responsibilities require access to IT facilities. This will be reviewed every four (4) months.
9.2.2. Visitors requiring access to IT infrastructure facilities are required to sign in through the Otago Polytechnic Campus Services Health and Safety sign-in/out process.
9.2.3. IT facilities are to be protected against environmental changes in power, cooling and flooding as defined within the physical computer standards.
9.3 Operational readiness
9.3.1 Any new systems must be fully tested prior to implementation to ensure they are secure and will not have a negative effect on Polytechnic operations or expose the Polytechnic to risk.
9.3.2 Any ākonga-developed systems must comply with the guidelines set out in the Product to Production Specification (Use and Security of Information Systems Appendix One).
9.3.3 ISS are responsible for ensuring that all systems are secure and patched to an appropriate level in accordance with vendor recommendations and this policy.
9.4 Disaster Recovery and Incident Management
9.4.1. Disaster Recovery: The information systems disaster recovery plan is maintained and tested regularly to ensure the ability of Otago Polytechnic to continue operations as required by the business continuity plan.
9.4.2. Incident Management
9.4.2.1. All incidents will be recorded and managed in the service management system operated by the Otago Polytechnic ISS Service Desk.
9.4.2.2. Incidents will be classified by severity and reported on.
9.5 Internet Access and Communications
9.5.1. Kaimahi can access the internet and browse sites that comply with the Acceptable Use as defined in Section 4.
9.5.2. Kaimahi must not transmit sensitive Polytechnic information or information that is classified as highly confidential through the internet unless the information is encrypted to reduce the risk of data being compromised. The ISS Service Desk can advise of secure methods that can be used to transmit highly confidential information across the internet.
9.5.3. The Executive Director has the right to block internet sites that do not comply with the Acceptable Use policy in Section 4, or that pose a risk to the Polytechnic's ability to operate effectively.
9.6 Email Access and Communications
9.6.1. Email messages sent from or received by the Polytechnic's email service are the property of the Polytechnic and may be accessed by the Polytechnic under order – refer to Clause 9.1.
9.6.2. Email messages subject to retention requirements noted in Information Management Policy must be electronically saved in the manner and for the period specified in the policy.
9.6.3. All email originating from or destined for Otago Polytechnic will be digitally recorded (in the 'Cloud'), scanned, and blocked where it is deemed a risk to organisational security.
9.6.4. Email access will be terminated when a kaimahi or third party terminates their association with the Polytechnic, unless an extension has been agreed by the Formal Leader or under the Honorary Degrees and Recognition Awards Policy.
9.6.5. Email signature blocks must follow the agreed standard as defined within the Email Communications Guidelines; refer to the Otago Polytechnic Intranet site (Tūhono | Marketing, Engagement and Communications | Email Communications Guidelines).
9.6.6. Email is not to be used for unsolicited mass mailings, political campaigning, dissemination of chain letters, use by non-kaimahi to send chain emails, malicious data (viruses), solicitation emails, or any offensive material. This is deemed unacceptable practice and is subject to disciplinary action - refer to Clause 4.2.5.
9.6.7. Email accounts are provided for the sole use of the Polytechnic kaimahi to whom they are issued. One account is created and exists independently of how many roles are held, e.g. kaimahi and ākonga. It is not appropriate to send, reply to, or modify another kaimahi's email without the authority of that person.
9.6.8. Confidential or sensitive email messages, including confidential or sensitive information in attachments, are not to be sent outside the Polytechnic without the authority of the originator or owner of the information contained within the email. This includes but is not limited to information about kaimahi and ākonga, refer to Te Pūkenga Protected Disclosures Policy and Procedures, Privacy Policy and Procedures and Appendix Two Business Email Etiquette Basics.
9.6.9. Kaimahi are encouraged to manage emails appropriately by deleting those emails which are not Polytechnic business as soon as possible.
9.7 Ākonga Email Accounts
9.7.1. All ākonga have an Otago Polytechnic email account, which provides access to a number of ISS services. More information is available on the Otago Polytechnic website.
9.8.1. If an onsite computer or laptop is left idle for more than five (5) minutes, it is programmed to automatically lock. To unlock the device, the user must enter their network password.