1. This policy defines and enforces an appropriate level of IT protection within the Polytechnic. It serves to protect the Polytechnic's IT and information assets across the Polytechnic.
It aims to provide the following protection:
- Confidentiality - the prevention of unauthorised disclosure of information
- Integrity - the prevention of the unauthorised amendment, corruption, or deletion of information
- Availability - the prevention of the unauthorised withholding of information or resources.
2. Scope
The policy applies to all employees and learners of Otago Polytechnic Limited, and also to contractors, consultants, Council members and visitors engaged to work with, or who have access to, the Polytechnic technology infrastructure and its information.
3. Responsibilities
3.1. Users are responsible for:
3.1.1. Operating within the bounds of the IT Security Policy.
3.1.2. Ensuring that no breach of information security results from their actions.
3.1.3. Reporting any breach or suspected breach in security to the Information Systems and Support (ISS) Service Desk.
3.1.4. The confidentiality of their user account and password information.
3.2. ISS are authorised to:
3.2.1. Protect information and computing resources through implementing and administering the IT Security Policy and associated Security Standards.
3.2.2. Implement new systems and processes that are compliant with industry standards, or with any governing body as applicable.
3.2.3. Ensure that the Polytechnic complies with relevant legislation and regulations relating to IT.
3.2.4. Take all reasonable steps to limit or remove risk to the Polytechnic's operational environment; this includes, for example, removing access, blocking files or functionality, etc.
3.2.5. Search staff email and files if instructed to do so by the Chief Executive or Otago Polytechnic Limited Privacy Officer (Deputy Chief Executive Chief Operating Officer).
4. Acceptable and Unacceptable Use
4.1. Acceptable Practice
4.1.1. Communicating and sharing information the individual is authorised to share with other Otago Polytechnic Limited employees or the public.
4.1.2. Research on the internet to develop professional and educational skills related to the user's position at Otago Polytechnic Limited.
4.1.3. Broadening knowledge of the education sector, clients, and applicable news within the context of an individual's assigned responsibilities.
4.1.4. Acquiring or sharing information necessary or related to the performance of an individual's assigned responsibilities.
4.1.5. Reasonable use of computing facilities for personal correspondence, e.g. sending personal emails and using internet web sites so long as it does not interfere with staff productivity, bring Otago Polytechnic Limited into disrepute, pose a security risk, or consume sustained high-volume traffic.
4.2. Unacceptable Practice
4.2.1. Use of IT services for illegal or unlawful purposes. This includes, but is not limited to, intentional copyright infringement, obscenity, fraud, defamation, discrediting the Polytechnic or a third party, plagiarism, harassment, intimidation, forgery, impersonation, and computer tampering (e.g. spreading computer viruses).
4.2.2. Intentionally using IT services to visit internet sites that contain sensitive, obscene, pornographic, hateful, or other objectionable material.
4.2.3. Where access to websites deemed sensitive is necessary for teaching or learning or research purposes, specific access may be authorised via the Head of College applying to the Chief Information Officer. This access is recorded on a register.
4.2.4. Using IT services to reveal or publicise confidential or proprietary information, which includes but is not limited to: financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer details, personal details about an individual, technical product information, computer software and code, computer network and access details, and business relationships.
4.2.5. Intentionally saving any Polytechnic-owned information deemed to be records under the Public Records Act to external systems not endorsed or operated by ISS. This includes, but is not limited to, cloud service providers such as Google, Amazon, etc.
4.2.6. Where use of IT service is deemed unacceptable practice (as per, but not limited to, descriptions above) then disciplinary action may be taken in line with policy Resolving Performance Problems (staff) and Learner Discipline (learners).
5. Access
5.1. The Polytechnic provides both open and closed access to its IT services. Specific permissions are required to access closed aspects of the IT services and infrastructure to ensure confidentiality and maintain the integrity of the infrastructure.
5.2. Only authorised users are permitted to access and use the Polytechnic's closed IT services.
5.3. Staff & Learner user accounts are created and managed by ISS under direction of Human Resources.
5.3.1 Creating and deleting user accounts as directed by HR.
5.3.2 Annual auditing of accounts to verify account status.
5.3.3. Disabling staff accounts two weeks after the HR-notified termination date, unless requested sooner.
5.3.3.1 Or, where staff accounts are to be retained as active, with approval from the Chief Executive Office.
5.3.4. Deleting staff accounts 5 years after the HR-notified termination date, with the exception of lifetime access for Council Honours Awards recipients as per CP0006 Council Honours Awards Policy.
5.3.5. Deleting learner accounts that have not been accessed for at least 12 months from the last time of access.
5.3.6. Ensuring that account user IDs are not used again, unless for a returning staff member or learner.
5.4. Contractor (non-staff) access is created and managed by ISS.
5.4.1 Contractor accounts will all have account expiry set on creation; this forces review of account validity.
5.4.2 Only the Otago Polytechnic Limited staff member responsible for the contractor can request enablement of disabled and expired accounts.
5.5. System access audit review
5.5.1 Systems will have an access review every 4 months. This includes the following systems:
- Learner Management System
- Learner Health System
- Organisational Finance System
- Human Resources system
- Payroll system
- Physical access security (Cardax)
5.6. IT accounts can be disabled at the request of a member of Executive Leadership Team or Chief Information Officer.
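The account lifecycle rules in clauses 5.3 and 5.4 can be expressed as a scheduled check. The following is an added example, not the Polytechnic's own code; the `Account` record, its field names and the single `retained` flag (standing in for both the 5.3.3.1 and 5.3.4 approved exceptions) are assumptions, and the sample accounts are constructed.

```python
# Added example: applies the lifecycle rules of clauses 5.3 and 5.4 to a
# constructed list of accounts and reports which action is due on a given date.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DISABLE_AFTER = timedelta(days=14)   # 5.3.3: two weeks after termination
DELETE_AFTER_MONTHS = 60             # 5.3.4: five years after termination
LEARNER_INACTIVE_MONTHS = 12         # 5.3.5: no access for 12 months

@dataclass
class Account:                           # assumed record layout, not the Polytechnic's
    user_id: str
    kind: str                            # "staff", "learner" or "contractor"
    enabled: bool = True
    termination_date: Optional[date] = None   # staff: HR-notified termination date
    last_access: Optional[date] = None        # learners
    expiry: Optional[date] = None             # contractors (5.4.1)
    retained: bool = False               # approved exception (5.3.3.1 / 5.3.4)

def _add_months(d: date, months: int) -> date:
    # Calendar-month arithmetic; day clamped to 28 so month ends never overflow
    years, month = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month + 1, min(d.day, 28))

def action_due(acct: Account, today: date) -> Optional[str]:
    """Return the lifecycle action due for this account today, or None."""
    if acct.kind == "staff" and acct.termination_date and not acct.retained:
        if today >= _add_months(acct.termination_date, DELETE_AFTER_MONTHS):
            return "delete"
        if acct.enabled and today >= acct.termination_date + DISABLE_AFTER:
            return "disable"
    if acct.kind == "learner" and acct.last_access:
        if today >= _add_months(acct.last_access, LEARNER_INACTIVE_MONTHS):
            return "delete"
    if acct.kind == "contractor":
        if acct.expiry is None:
            return "set-expiry"          # 5.4.1: expiry must be set at creation
        if acct.enabled and today >= acct.expiry:
            return "disable"             # expired accounts stay off until 5.4.2 request
    return None

def lifecycle_report(accounts: list, today: date) -> dict:
    """Map user_id -> action for every account that has something due."""
    return {a.user_id: act for a in accounts if (act := action_due(a, today))}
```

Disabled staff accounts whose five-year retention has not yet elapsed produce no action, which matches the gap between 5.3.3 and 5.3.4.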
6. Remote Access
6.1. Remote access to the Polytechnic's IT services is provided for staff working offsite. Refer to policy Enabling Offsite Work.
7. Password Management
7.1. Passwords must be kept confidential and are the responsibility of the individual user. They are not to be shared or used by anyone else, even for a short period of time.
7.2. Password construction must comply with the following minimum standard.
7.2.1. All passwords must be at least 16 characters long (a passphrase) and are not required to contain special or numerical characters.
7.2.2. Access is denied after three unsuccessful login attempts, and a security process is required to reinstate it.
7.2.3. When passwords are first issued, users are required to change their password on first use.
7.3. Privileged user accounts (i.e. system wide administrator accounts) are subject to additional password requirements.
7.3.1. All administrative accounts require passwords of not less than 8 characters, including special characters, with a forced change every 180 days; none of the last 24 passwords may be reused.
7.3.2. Long-term contractors (generally external providers, i.e. not staff) require passwords of not less than 8 characters, including special characters, with a forced change every 90 days; none of the last 5 passwords may be reused.
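The three password standards in section 7 (standard users, administrators, long-term contractors) map directly onto a small validator. This is an added example, not the Polytechnic's own code; the standard names, the `check_password` / `rotation_due` / `record_failure` functions and the use of a hash list for password history are assumptions.

```python
# Added example: enforces the section 7 password standards for each account class.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import hashlib
import string

SPECIALS = set(string.punctuation)
MAX_ATTEMPTS = 3                       # 7.2.2: lockout after three failed logins

@dataclass(frozen=True)
class PasswordStandard:
    min_length: int
    require_special: bool
    max_age_days: Optional[int]        # None: the policy states no forced rotation
    history: int                       # previous passwords that may not be reused

# Clauses 7.2.1, 7.3.1 and 7.3.2 respectively (class names are assumed)
STANDARDS = {
    "user": PasswordStandard(16, False, None, 0),
    "admin": PasswordStandard(8, True, 180, 24),
    "contractor": PasswordStandard(8, True, 90, 5),
}

def _digest(pw: str) -> str:
    # History is kept as digests, never plaintext (7.1). Illustrative only:
    # a production system should use a slow password hash such as bcrypt/argon2.
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(account_class: str, candidate: str, previous_digests: List[str]) -> List[str]:
    """Return the list of violated requirements; an empty list means compliant."""
    std = STANDARDS[account_class]
    problems = []
    if len(candidate) < std.min_length:
        problems.append(f"shorter than {std.min_length} characters")
    if std.require_special and not (SPECIALS & set(candidate)):
        problems.append("no special character")
    if std.history and _digest(candidate) in previous_digests[-std.history:]:
        problems.append(f"reuses one of the last {std.history} passwords")
    return problems

def rotation_due(account_class: str, last_changed: date, today: date) -> bool:
    """True once the forced-change interval for this class has elapsed."""
    std = STANDARDS[account_class]
    return std.max_age_days is not None and today - last_changed >= timedelta(days=std.max_age_days)

def record_failure(failures: int) -> tuple:
    """Increment the failed-login counter; the second value is True once locked out."""
    failures += 1
    return failures, failures >= MAX_ATTEMPTS
```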
8. IT Asset and Media
8.1. Personal devices are welcome on the Otago Polytechnic Limited "OP-Guest" Wi-Fi network. Personal devices are not authorised to connect to the internal Polytechnic cabled networks.
8.2. ISS are authorised to install, remove, and configure software and make configuration changes to IT services. This includes returning Otago Polytechnic Limited IT equipment back to its original build status to rectify faults and remove unlicensed software.
8.3. Computers and mobile devices issued by the Polytechnic to users remain the property of the Polytechnic, unless otherwise agreed with the formal manager, as is often the case in redundancy situations.
8.4. Removable Media
8.4.1. Information stored electronically on removable devices must be encrypted if it contains any information listed below. The service desk is available to assist in this activity in confidence.
a. Personal Information about any customer of Otago Polytechnic Limited
b. Confidential Financial data
c. Passwords or secure user information
8.4.2. For information stored on removable devices not covered by 8.4.1, it is the responsibility of the device owner to ensure it is used by the intended recipient.
8.5. All Polytechnic IT equipment is required to be identified with a unique asset number. This number is to remain accessible and only ISS staff are permitted to remove the asset identifier in coordination with Finance.
8.6. All Polytechnic IT hardware or media are to be returned to ISS when no longer required or when users terminate their association with the Polytechnic.
8.7. In the event of a Polytechnic IT asset being lost, accidentally damaged, or stolen, the incident is to be reported to the ISS Service Desk. It is at the discretion of the Chief Information Officer whether a theft or damage is escalated to the New Zealand Police following the report to ISS Service Desk.
8.8. Only ISS are authorised to dispose of Polytechnic IT equipment, including software.
Note: Polytechnic IT assets include but are not limited to equipment such as laptop/desktop computers, printers and peripheral devices that connect or have access to the Polytechnic network. This also includes handheld mobile devices, e.g. phones, tablets. IT assets also include all software, whether packaged, or custom built. IT media includes but is not limited to USB keys and portable hard drives.
9. Communications and Operations Management
9.1. ISS Operations
The following security requirements apply for the operations of ISS services.
9.1.1. No investigations are permitted without authority from either the Chief Executive, or Otago Polytechnic Limited Privacy Officer (Deputy Chief Executive Chief Operating Officer). The Chief Executive must be notified in all cases of an investigation being authorised.
9.1.2. ISS staff who are authorised on a case by case basis by any of those identified in 9.1.1 are permitted to search, collect, and report on IT activity for the purposes of a specific security audit or investigation.
9.2 Physical and Environmental Security
9.2.1. Access to IT infrastructure facilities is restricted to authorised individuals whose job responsibilities require access to IT facilities. This will be reviewed every 4 months.
9.2.2. Visitors requiring access to IT infrastructure facilities are required to sign in through the campus Health and Safety sign in/ out process.
9.2.3. IT facilities are to be protected against environmental changes in power, cooling and flooding as defined within the physical computer standards.
9.3 Operational readiness
9.3.1 Any new systems must be fully tested prior to implementation to ensure they are secure and will not have a negative effect on Polytechnic operations or expose the Polytechnic to risk.
9.3.2 Any learner developed systems must comply with the guidelines set out in the Product to Production specification (Use and Security of Information Systems - SOP).
9.3.3 ISS are responsible for ensuring that all systems are secure and patched to an appropriate level in accordance with vendor recommendations and this policy.
9.4 Disaster recovery & Incident Management
9.4.1 Disaster Recovery: The information systems disaster recovery plan is maintained and tested regularly to ensure the ability of Otago Polytechnic Limited to continue operations as required by the business continuity plan.
9.4.2 Incident management
9.4.2.1. All incidents will be recorded and managed in the service management system operated by the Otago Polytechnic Limited Service Desk.
9.4.2.2. Incidents will be classified by severity and reported on.
9.5 Internet Access and Communications
9.5.1. Employees can access the internet and browse sites that comply with the Acceptable Use as defined in Section 4.
9.5.2. Employees must not transmit sensitive Polytechnic information or information that is classified as highly confidential through the internet unless the information is encrypted to reduce the risk of data being compromised. The ISS Service Desk can advise of secure methods that can be used to transmit highly confidential information across the internet.
9.5.3. The Chief Information Officer has the right to block internet sites that do not comply with the Acceptable Use policy in Section 4, or that pose a risk to the Polytechnic's ability to operate effectively.
9.6 Email Access and Communications
9.6.1. Email messages sent from or received by the Polytechnic's email service are the property of the Polytechnic and may be accessed by the Polytechnic under order - see clause 9.1.
9.6.2. Email messages subject to retention requirements noted in policy Records Retention and Disposal must be electronically saved in the manner and for the period specified in the policy.
9.6.3. All email originating from or destined for Otago Polytechnic Limited will be digitally recorded (in the 'cloud'), scanned, and blocked where it is deemed a risk to organisational security.
9.6.4. Email access will be terminated when the employee or third party terminates their association with the Polytechnic, unless an extension has been agreed by the formal leader or by policy CP0006 Council Honours Awards Policy.
9.6.5. Email signature blocks must follow the agreed standard as defined within the Email Communications Guidelines; refer to the Otago Polytechnic Limited Intranet site (Insite | Service Areas | Marketing and Communications | Email Communications Guidelines).
9.6.6. Email is not to be used for unsolicited mass mailings, political campaigning, dissemination of chain letters, use by non-employees sending chain emails, malicious data (viruses), solicitation emails, or any offensive material. This is deemed unacceptable practice and subject to disciplinary action - refer clause 4.2.5.
9.6.7. Email accounts are provided for Polytechnic employees' sole use. One account is created and exists independent of how many roles are held, e.g. learner and staff member. It is not appropriate to send, reply or modify another employee's email without the authority of the person.
9.6.8. Confidential or sensitive email messages, including confidential or sensitive information in attachments, are not to be sent outside the Polytechnic without authority of the originator or owner of the information contained within the email. This includes but is not limited to information about staff and learners, refer to policy Disclosing Personal Information about Learners and Staff. Also refer Appendix Two Business Email Etiquette Basics.
9.6.9. Staff are encouraged to manage emails appropriately by deleting those emails which are not Polytechnic business as soon as possible.
9.7 Learner Email Accounts
9.7.1. All learners have an Otago Polytechnic Limited email account, which provides access to a number of ISS services. More information is available on the Otago Polytechnic Limited website.
9.8 Staff Security
9.8.1. If an onsite computer or laptop is left idle for more than 5 minutes, it is programmed to automatically lock. To unlock the device, the user must enter their network password.