INVEST NI ICT SYSTEMS ACCEPTABLE USAGE POLICY

Invest NI ICT Systems Acceptable Usage Policy
VERSION: 3.1
ISSUE DATE: 30 September 2013
REVIEW DATE: 31 August 2014
Page 1 of 28
Uncontrolled Copy When Printed

INVEST NI ICT SYSTEMS ACCEPTABLE USAGE POLICY


CONTENTS

1 Introduction
2 Purpose
3 Scope
4 Roles & Responsibilities
5 Authorised Use of Systems
6 Prevention of ICT System Misuse
7 Password Policy
8 Internet & Email Usage Policy
9 Remote Access & Teleworking Policy
10 Mobile Device Policy
11 Intellectual Property Policy
12 Access By External Parties Policy
13 Loss & Damage
14 Monitoring
15 Breaches of the ICT Systems Acceptable Usage Policy
APPENDIX A External Acts
APPENDIX B Information Asset Owners
APPENDIX C Information Security Declaration
APPENDIX D Remote Access Justification
APPENDIX E Mobile Device Justification
APPENDIX F Blackberry Online Billing Agreement











1 INTRODUCTION

1.1 Invest NI provides ICT system services including IP telephony, voicemail, teleconferencing, electronic mail, internet access, social networking facilities, wireless access, application systems and web site hosting.

1.2 IT Security requirements are based on an analysis of the risks facing Invest NI so that they may be properly countered. There are various aspects of computer misuse to be considered, namely its prevention, detection, investigation and related disciplinary procedures. This document provides measures to cover these aspects.

1.3 New risks, technologies and legislation continually appear in regards to electronic systems. This policy provides a framework to resolve new issues as they arise and may be subject to change.


2 PURPOSE

2.1 The objective of this policy is to ensure that:

- Information on any of Invest NI’s ICT systems is protected from unauthorised sources
- Confidentiality required through regulatory and legislative requirements is ensured
- Integrity of information is maintained
- Information is available to authorised personnel as and when required.
- Users are aware of their responsibilities towards the security of all electronic and communications systems


3 SCOPE

3.1 All employees of Invest NI (including secondees and temporary staff) are subject to this policy. Contractors and those third parties given access to Invest NI systems are also subject to this policy. Throughout this policy, the word ‘user’ will be used collectively to refer to all such individuals or groups.

3.2 All electronic information held by Invest NI is regarded as falling within the scope of this policy. This policy relates to all elements of Invest NI where information within ICT systems is used or operated, including those supplied or operated on its behalf by external contractors. The policy applies further to joint working arrangements with other agencies and applies to any user accessing information using Invest NI ICT equipment.







4 ROLES AND RESPONSIBILITIES

4.1 All Users:

4.1.1 Users accessing any Invest NI ICT system will have a personal responsibility in the use of that system for its security and integrity.

4.1.2 Users will ensure that they themselves uphold the principles of this policy and the Information Security Policy.

4.1.3 Use of Invest NI’s ICT systems must not bring the organisation into disrepute.

4.1.4 Users are responsible for informing the ICT Team if a Third Party requires access to any of Invest NI’s ICT systems and ensuring relevant documentation is signed. The user must provide the following information to the ICT Team:

- Name (or names) of individual(s) requesting access
- Organisation
- Invest NI liaison
- Resources required
- Length of time access required (maximum 12 months)

4.1.5 All users must accept the security responsibility for any ICT assets given to them by the ICT Team, whether software or hardware.


4.2 Line Managers:

4.2.1 Line managers will inform HR about user changes affecting systems access so that permissions and accounts can be changed or withdrawn.

4.2.2 Line managers will determine individual requirements to systems and ensure that access is based on need rather than status.

4.2.3 Line managers will ensure that no unauthorised users are allowed access to systems under their aegis.


4.3 System Managers:

4.3.1 All key systems in Invest NI will have a nominated Information Asset Owner (IAO) who will have responsibility for the information security of that system (see Appendix B).







5 AUTHORISED USE OF SYSTEMS

5.1 The use of Invest NI’s systems and services constitutes acceptance of this policy and is subject to the limitations described hereafter to ensure reliable operation.

All Invest NI resources, including email and internet access, are provided for business purposes and for carrying out activities consistent with job responsibilities.

5.3 Information, whatever ICT system or device it is contained within, is a valuable asset and must be protected from unauthorised, incorrect or accidental access, use, modification, destruction or disclosure in line with the Invest NI Data Protection Policy.




5.2 Only authorised users have the right to access and update Invest NI’s information systems. Access is restricted to information required for the authorised user’s job function and is on a need-to-know basis.

5.3 All network users must be positively identified before the user is allowed access to the programs or applications. Users will be asked for the identity authorised for a particular system. A warning message stating the need for authorisation or in breach of the Computer Misuse Act will be put in place for all Invest NI systems.

5.4 Where multiple users share access to an ICT system, each user must possess a verifiable and unique identity.


5.5 Updates and changes to data must be made by authorised personnel with the intention to maintain data accuracy and integrity. Other users’ data can only be changed with their express permission.

5.6 Information stored in any of Invest NI’s information systems must not be transferred out of the organisation via an unsecure method of transport and without permission e.g. documents stored in Google Desktop, using web-based email accounts such as Hotmail for business use or utilising non-Invest NI memory sticks.

5.7 All users will store confidential hard copy documents and media in safes, locked cabinets or locked desk drawers and adhere to the Clear Desk Policy.

5.8 All users will take adequate care when eating or drinking near ICT equipment.







6 PREVENTION OF ICT SYSTEM MISUSE

6.1 All users MUST be committed to Information Security within Invest NI and have signed the Appendix A of this policy. When a user is appointed, changes role or leaves Invest NI, the user access rights will be reviewed or cancelled by the ICT Team. The ICT Team will be informed of changes by Human Resources.


6.2 All hardware and software must be purchased and installed by the ICT Team. Requests must be sent via the ICT Service Desk. Users must not download software from any source. If a user finds software on the internet that may be useful as part of their job role, they must in the first instance contact the ICT Service Desk and complete a business justification.

6.3 Any hardware (e.g. tablets, synchronising mobile phones, iPods or flash drives) not procured by Invest NI’s ICT Team must not be introduced to the Invest NI network nor must personal or confidential Invest NI information be transferred on to such devices.

6.4 Users must comply with the Visitor Care Policy in relation to bringing third parties on-site. Hardware should be positioned so that it cannot be viewed by outsiders e.g. display screens should not be visible from windows outside the building.

6.5 Workstations must be locked immediately using the 'Lock Computer' option when being left unattended by a user. All users must switch off all hardware when not in use for extended periods, such as overnight or during weekends.


6.6 The security of laptops and mobile devices requires extra consideration:

6.6.1 Do not leave a laptop unattended within the office environment unless secured with a cable lock.

6.6.2 Take care if you take a laptop or mobile device out of the office especially at airports, on transport and at meetings.

6.7 Sensitive printouts, for example those identifying named individuals or financial details, must be placed in confidential waste bins provided in each building.

6.8 All users must report any equipment losses as soon as is feasibly possible to the IT Security Officer and line management. If any equipment is suspected stolen, users must report the theft to the police.

6.9 All users must ensure the security of the Invest NI wireless network. Usernames and passwords required for use of the guest wireless LAN must be protected and disposed of securely.


6.10 Invest NI applications and systems must not be used for the following activities:

6.10.1 The illegal copying of software or data. This is theft and will be treated as a disciplinary offence.


6.10.2 Connecting personal or third party ICT devices (including any associated software) to the Invest NI network. Exceptions can be made only with the permission of the IT Security Officer.

6.10.3 Deliberately introducing malware (including viruses, worms, Trojans or malicious code) to Invest NI systems. If a user detects a virus or spyware on their machine this should be reported immediately to the ICT Service Desk.

6.10.4 Using computing resources (e.g. CPU, time, disk space, bandwidth etc.) in such a way that it causes excessive strain on ICT systems or disrupts/creates problems for other users.

6.10.5 Removing hardware from Invest NI premises without the full approval of the ICT Team, except for assigned laptops or mobile devices/media that are the responsibility of each individual user.

6.10.6 Attempting to access server rooms and cabinets within any Invest NI premises where physical access has not been granted.


6.11 Except to the extent required for the proper performance of work duties, users may not upload, download, use, retain, distribute or disseminate any images, text, materials or software which:

- Are or might be considered to be indecent, obscene or contain profanity;
- Are or might be offensive or abusive in that its context is or can be considered to be a personal attack, rude or personally critical, sexist, racist, or generally distasteful;
- Encourage or promote activities which make unproductive use of user time;
- Encourage or promote activities which would, if conducted, be illegal;
- Involve activities outside the scope of user responsibilities, for example, unauthorised selling/advertising of goods and services;
- Might affect or have the potential to affect the performance of, damage or overload Invest NI’s system, network and/or external communications in any way;
- Might be defamatory or incur liability on the part of Invest NI or otherwise adversely impact on the image of Invest NI.








7 PASSWORD POLICY

7.1 Introduction

7.1.1 Passwords ensure that only authorised individuals have access to relevant ICT systems and establish accountability for all changes made to system resources.

7.2 Policy

7.2.1 Passwords must be kept confidential, never be shared with other users and never be written down or emailed. In the event where a password becomes known to another it is the responsibility of the user to ensure that it is changed as soon as possible.

7.2.2 Invest NI policy for domain passwords ensures the following: passwords must be at least 7 characters long and be composed of alphanumeric mixed case characters and will be changed every 45 days.

7.2.3 Privileged and administrative passwords (including router, switch, firewall and system passwords) will be subject to stringent composition and secured by the ICT Team. Service accounts will not rely on administrative permissions.

7.2.4 Critical systems must implement account lockout policies and disconnect idle sessions after a set period.







8 INTERNET & EMAIL USAGE POLICY

8.1 Introduction

8.1.1 Invest NI owns the corporate email system which can be defined as messages (regardless of format), attachments and supporting infrastructure (the servers that transmit and store email).

8.1.2 Incidental and occasional personal use of these systems is permitted, subject to the restrictions contained in this policy. It is Best Practice that all non-business related sites and emails are accessed during users’ ‘own time’. A user’s own time would be defined as time when they are not on duty (i.e. not signed in for work or on a lunch or sanctioned break).


8.2 Use of Email Policy

8.2.1 Care should be taken when using email as it is perceived to be less formal than paper-based communication. All expressions of fact, intention and opinion via email can be held against an individual user and/or Invest NI, in the same way as verbal and written expressions or statements.

8.2.2 Users must not include anything in an email which cannot be accounted for. Users must not make any statements on an individual’s behalf or on behalf of Invest NI, which do or may defame or damage the reputation of any person or organisation. All users must create their own designed email signature which contains an Invest NI disclaimer underneath it.

8.2.3 Do not forward non-work related emails containing jokes, lurid imagery or executable attachments to colleagues. Email messages, which have been deleted from internal systems, can be traced and retrieved. Email, both in hard copy and electronic form, is admissible as evidence in a court of law.


8.2.4 Care should be taken when adding attachments to corporate email. It is Invest NI policy that no sent or received attachments should exceed 40 Mb in size. Attachments over 40 Mb should be broken down into smaller attachments, shrunk via a data compression utility or sent via an encrypted solution such as an Ironkey or SendThisFile.

8.2.5 There should be no improper use of email distribution i.e. an ‘all staff’ address must not be used for sending emails that are not relevant to the business.

8.2.6 Users must ensure that protectively marked information (i.e. Restricted) should not be sent over public networks such as the internet. When sending information deemed to be confidential users must follow the guidelines laid out within 10 Key Rules on Securing Sensitive Data. In these cases the correspondence must be sent via a secure mode of transport such as an Ironkey or SendThisFile.







8.2.7 Users must not configure the corporate email system to auto-forward email to their own personal email accounts such as Hotmail, GoogleMail or Yahoo.

8.2.8 Web-based email should not be used by users for business purposes. However it is also preferable to use these sites to forward emails of a personal nature during your ‘own time’ rather than use the corporate email system.


8.3 Use of Internet Policy

8.3.1 When visiting an Internet site users should be aware that identities (which are linked to Invest NI’s) may be logged. Therefore, any activity engaged in, undertaking given or transaction made may impact on Invest NI.

8.3.2 The following should be observed at all times:

- Users should ensure that Invest NI is neither embarrassed nor liable in any way by use of the Internet.
- Users must not access or download any material which is pornographic, offensive or illegal.
- Users must not download any software or executable files on to an Invest NI device unless you have obtained prior permission from the ICT Team.
- Users must not use Invest NI equipment to access the Internet from outside the Invest NI network.
- It is Best Practice that all non-business related sites (i.e. sports, news etc) are accessed during a user’s ‘own time’. Users are personally responsible for what they view. This information is logged and reported on across the organisation.
- It is prohibited to use the internet or Invest NI email to carry out activities for personal gain (e.g. gambling, share dealing, selling on eBay etc).
- Users must not make any statements on their own behalf or on behalf of Invest NI which do or may defame or damage the reputation of any person.
- Users must follow the guidance given in Invest NI’s 10 Key Rules on Securing Sensitive Data.


8.4 Use of Social Networking & Collaboration Technologies

8.4.1 Social networking sites allow users to interact and collaborate with each other in a social media dialogue as consumers of user-generated content in a virtual community.

- Examples of such sites include social networking sites (e.g. Facebook, Twitter, LinkedIn etc.), blogs, wikis, video sharing sites (e.g. YouTube), hosted services and web applications.
- On-line Internet conferencing facilities such as WebEx, Instant Messenger, Net Meeting etc. are services that enable the easy sharing of information on the Web.


8.4.2 Social networking scams are commonplace on the Internet and many PC users are tricked into giving criminals access to their machines.

- Scams can include, for example, pretending to offer software that can reveal who's checking out users' profiles but that actually turns out to be malware (phishing) or alleged anti-virus software prompting a download by claiming that PCs are infected (scareware).
- Users who believe they have compromised their workstation via a scam must immediately contact the ICT Team.

8.4.3 The sensitivity of any information discussed and files shared via social networking or collaboration media must be considered. In particular users may not post, blog or upload information outside of the company that:

- Is commercially sensitive or that may have contractual or other legal implications to Invest NI, unless it is sent for a specific, authorised business purpose and is encrypted.
- May damage or embarrass Invest NI’s reputation or its relationship with its business partners.
- That contradicts any aspect of Invest NI’s 10 Key Rules on Securing Sensitive Data.

8.4.4 Some collaboration technologies allow a user to give permission for someone else to take control of a workstation. This facility should never be used without the express permission of the ICT Team. An individual given control of a PC could potentially access network resources







9 REMOTE ACCESS & TELEWORKING POLICY

9.1 Purpose

9.1.1 The objective of Remote Access services (RAS) is to facilitate users working from home or at another location that need access to Invest NI’s systems. This access may be during normal hours or outside of normal working hours.

9.1.2 For the purpose of this policy Invest NI defines remote access as follows: Users connecting into Invest NI’s network or systems from any external location.


9.2 Remote Access Principles

9.2.1 Remote access operates on a basis of trust between Invest NI and the user.

9.2.2 Any user requiring an ongoing remote connection to Invest NI systems must sign the Remote Access Justification in the form set out in the Appendix D.

9.2.3 Remote access to Invest NI’s systems is a mutually co-operative arrangement between Invest NI and the user. It is an approved and agreed voluntary arrangement, based on the business needs of the job, the team and Invest NI. It is not an entitlement.

9.2.4 While accessing Invest NI’s network from an external site, either inside or outside of core working hours, users are bound by Invest NI’s Information Security policies at all times.


9.3 Equipment Considerations

9.3.1 Invest NI, at its sole discretion, may choose to provide equipment and related supplies for use by the user in conjunction with Remote Access or may permit the use of user-owned equipment subject to Invest NI security policies. The decision as to type, nature, function, and/or quality of electronic hardware, modems, systems access, data and phone lines shall rest entirely with Invest NI.

9.3.2 The use of equipment, software, data and supplies provided by Invest NI for use at the remote location, is limited to authorised users and for purposes related to Invest NI business.

9.3.3 Remote access must only be carried out using methods and equipment approved by the ICT Team.

9.3.4 If hardware is given to a user to facilitate remote access it will be encrypted to mitigate potential loss. Users must never knowingly take an unencrypted device out of the office environment.







9.3.5 Laptop cases, if provided, should only house associated equipment i.e. power cables, mouse etc. Items such as Ironkeys or remote access tokens must not be stored within a laptop case.


9.4 Additional Conditions & Guidelines

9.4.1 In the event that Invest NI deems that the user’s role no longer necessitates/requires Remote Access services, or the user has terminated employment with Invest NI, the user must return all Invest NI-owned equipment, software, data and supplies. The decision to remove or discontinue use of such equipment rests solely with Invest NI.

9.4.2 Users with home broadband connections are expected to pay their own ADSL costs. Invest NI will only reimburse the user if accessing from a wireless hotspot or hotel. Appropriate evidence will be required to support claims.

9.4.3 Invest NI may, after an agreed notice period, change any or all of the conditions under which users are permitted to use Remote Access, and will not be liable for user costs, including but not limited to any investment in furniture or equipment for designated work spaces.

9.4.4 Any remote access expenses not specifically covered in this policy will be dealt with on a case-by-case basis between user and manager.

9.4.5 The ICT Team reserves the right to review usage periodically and may remove the service on the grounds that it is not being used in the most cost effective manner.


9.5 Security

9.5.1 All security requirements that apply to on-site users apply to those using Remote Access. Any user who utilises Remote Access is responsible for ensuring security is upheld as detailed in this policy.

9.5.2 Users should not leave remote access equipment unattended whether laptop or other mobile device.

9.5.3 Any requested new method of remote access must be approved by the IT Security Officer.

9.5.4 It is expressly forbidden for any user to connect to an external wireless network while connected to the local network without the express permission of the ICT Team.

9.5.5 Users setting up wireless access to an Invest NI laptop at home must comply with the Remote Access Connection Procedure. It is recommended that cryptographic controls (WPA) are enabled for security and that home routers are locked down by MAC address.








10 MOBILE DEVICE POLICY

10.1 Introduction

10.1.1 Mobile devices may take the form of a Blackberry, Personal Digital Assistant (PDA), Tablet or a Cellular Phone and can be defined as any portable hand-held device that provides computing and information storage/retrieval capabilities for personal or business use. This policy applies to use of all mobile devices by users on Invest NI premises or in conjunction with Invest NI equipment.


10.2 Ownership of Mobile Device

10.2.1 The mobile devices utilised by users for corporate work must be owned and maintained by Invest NI. The ICT Team must install any mobile device software for users.

10.2.2 Any user requiring an Invest NI mobile device must sign the Mobile Device Justification in the form set out in the Appendix E. If a Blackberry is assigned to the user then Appendix F must also be signed and returned to the Finance team.

10.2.3 Users must not connect their personal mobile device or any other piece of hardware to the Invest NI network.


10.3 Use of Mobile Devices

10.3.1 The installation and use of synchronisation software from corporate systems to and from mobile devices must be approved by the ICT Team prior to use.

10.3.2 Users must not access corporate information via Bluetooth or any other type of wireless synchronisation without prior authorisation from the ICT Team. Such an act could leave corporate information vulnerable to interception and will be recorded as a breach of security. Authorised synchronisation methods are:

10.3.2.1 Wireless synchronisation for email enabled phones via mobile device software or

10.3.2.2 USB cable for non email enabled phones via mobile device software.

10.3.3 Mobile devices are not allowed to connect to any network (including the internet) other than through the Invest NI network. Any phones using unauthorised wireless connections may be removed from the user and disciplinary action may result.


10.3.4 Passwords must be used on all mobile devices. Users should ensure that mobile phones have passwords at least five characters long containing a minimum of one alpha and one numeric character. The password must be different from other passwords used on the corporate network.


10.3.5 Network systems passwords (for example, any application system, Windows login details, etc.) must not be stored on mobile devices.

10.3.6 Mobile devices should be configured to lock following a maximum of 10 minutes of inactivity. A password must be required to re-establish access with the mobile phone. Individuals are not allowed to share mobile devices or their mobile device passwords.

10.3.7 All mobile devices and installed memory cards must be fully encrypted.

10.3.8 Data enabled (i.e. email receiving) devices, including their installed memory cards, will be automatically encrypted via policy.

10.3.9 Non-data-enabled devices (including their installed cards) that synchronise via software must be manually encrypted. For instructions on how to manually encrypt your device and its installed memory card please follow the instructions detailed in the following link:

http://svrintranetapps/intranetapps/ininetdocmanager/uploads/docs/blackberry_manual_encryption_procedure.doc

10.3.10 In the event that a mobile device is stolen or lost, the ICT Helpdesk will take steps to disable the device and ensure that the service provider blocks the SIM card.








11 INTELLECTUAL PROPERTY POLICY

11.1 Intellectual property (IP) is the term used to describe intangible assets resulting from creative work carried out by an individual or an organisation. For example, IP can arise from contracts or letters of agreement with the providers of activities for Invest NI. IP can be traded in the same way as physical assets.

11.2 Invest NI owns the intellectual property created by its employees under the conditions stated below:

11.2.1 IP created by an employee within the scope of employment.

11.2.2 IP created on Invest NI’s time with the use of corporate facilities or Invest NI financial support.

11.2.3 IP commissioned by Invest NI pursuant to a signed contract.

11.2.4 IP resulting from research funded by Invest NI.

11.3 Invest NI claims ownership of all IP which is devised, made or created:

11.3.1 by persons employed by Invest NI in the course of their employment:

11.3.2 by other persons engaged in research for Invest NI. A condition of their being granted access to corporate premises or facilities is that they agree in writing that this claim shall apply to them;

11.3.3 by persons engaged by Invest NI under contracts for services during the course of or incidentally to that engagement.







12 ACCESS BY EXTERNAL PARTIES POLICY

12.1 Introduction

12.1.1 All on-site third parties or third parties requiring a remote connection to Invest NI systems must sign the Third Party Connection and Confidentiality Agreement in the form set out in the Appendix D hereto.

12.1.2 A third party could be defined as any of the following:

- Hardware & software maintenance/support contractors.
- NICS or other public sector staff
- Any other third party who must have access to Invest NI information systems


12.2 Scope

12.2.1 All connections and network access by third parties that require access to internal network resources fall under this policy, regardless of the technology used for the connection.


12.3 Prerequisites for Network/System Access

12.3.1 External entities must have an executed contractual agreement with Invest NI prior to any third party system access being granted. The ICT Team must be informed about the third party requiring access to Invest NI’s internal network resources in order to allow a security review to be conducted which will ascertain the level of access needed to match the business requirements.

12.3.2 It is required that the third party and an Invest NI liaison (normally the user arranging systems access) sign the Third Party Connection and Confidentiality Agreement.

12.3.3 The liaison acts on behalf of Invest NI and is responsible for ensuring that the sections of this policy are adhered to and for putting in place the Third Party Connection and Confidentiality Agreement if needed. The relevant third party person/organisation must be informed in the event that the liaison changes.

12.3.4 All connectivity requests will have a specific beginning and end date. In no case will Invest NI rely upon the third party to protect Invest NI’s network and/or resources. The ICT Team will grant access to all approved resources but reserves the right to refuse access at any time on the basis of legitimate security concerns.

12.3.5 Any changes in access must be accompanied by a valid business justification that is subject to security review by the IT Security Officer.







12.3.6

When access is no longer required the liaison must inform the ICT Team who will then terminate the access. The ICT Team conducts regular audits of existing connections. Connections that are no longer used to conduct Invest NI business will be terminated immediately.


12.3.7

Invest NI may allow a form of remote access (e.g. virtual private network connection or web conferencing) in order to access Invest NI’s internal systems. This access will be at the discretion of Invest NI’s IT Security Officer.


12.3.8

If remote access has been agreed, the following procedures must be followed:


12.3.8.1

The Invest NI Project Manager/liaison must be informed at least one day in advance of any potential work to be carried out remotely. Details of the work requiring to be done, length of time and individual(s) carrying out the work must be given to Invest NI. The Project Manager/liaison will forward the request to Invest NI’s Infrastructure Team who will record details of the work carried out.


12.3.8.2

An internal Change Control will be written detailing the changes by Invest NI.







13

LOSS & DAMAGE


13.1

Liability


13.1.1

Invest NI will be liable for appropriate insurance cover for any Invest NI equipment utilised by users. However this does not cover the following scenarios:


13.1.1.1

When ICT equipment is left unattended. Equipment will not be considered as being unattended when left in a user’s home if they are out, provided that normal security measures were taken i.e. locking doors/closing windows. However leaving equipment unattended at an airport or other public place would not be acceptable.


13.1.1.2

When ICT equipment is damaged as a result of personal use by users.


13.1.1.2

When ICT equipment or services are affected by external providers and/or faults in their networks and equipment.


13.1.2

The user is responsible for any Invest NI equipment whilst it is located in a motor vehicle.


13.1.2.1

Users would be expected to take the usual security measures when leaving their vehicle.


13.1.2.2

Any valuable items including Invest NI laptops should be locked in the boot or out of sight in the event that their vehicle is unattended and it is not practical to take the laptop on their person.








14

MONITORING


14.1

All Invest NI resources, including internet browsing and corporate email, are provided for business purposes. Any information stored on a PC, server, hard drive, CD, USB device, mobile device etc. may be subject to scrutiny by Invest NI.


14.2

Invest NI has the right, but not the duty, to monitor and record any aspect of its ICT and electrical systems including, but not limited to, monitoring and recording web sites visited and email sent by users.


14.3

It may be necessary as part of technical/legal proceedings in respect of harassment, defamation or breach of contract etc. to review a system. Users must be aware that material on Invest NI hardware cannot be regarded as private or confidential to any specific user.


14.4

Internet sites classed as containing inappropriate content will be barred from all access. Attempts to access such sites may lead to appropriate action being taken by Human Resources as defined in Section 15. Users with a request to open up web sites for business purposes should fill in the form at http://ininet/itso.htm









15

BREACHES OF THE ICT SYSTEMS ACCEPTABLE USAGE POLICY


15.1

Breaches of the ICT Systems Acceptable Usage Policy shall be logged by the ICT Team. Any breach discovered by a user should be forwarded to the IT Security Officer for further investigation.


15.2

The ICT Team will assess the level of risk associated with any violation and take appropriate action to minimise the risk and prevent re-occurrence of the violation.


15.3

The IT Security Officer will notify the appropriate individual/line manager depending on the seriousness of any breach as well as the consequences related to the breach and remedial action taken.


15.4

Serious breaches will be reported to the Information Governance Group. Breaches may also be reported to Human Resources, especially where the Equal Opportunities Policy or Harassment Policy may have been breached. In any case of possible theft/fraud the Human Resources and Finance Directors will be notified as stated in the Invest NI Fraud Response Plan.










Appendix A


External Acts


Invest NI is required by law to comply with the following Acts. Please note that this list is not
exhaustive.




Computer Misuse Act (1990) - http://www.legislation.gov.uk/ukpga/1990/18/contents

Copyright, Designs & Patents Act (1988) - http://www.legislation.gov.uk/ukpga/1988/48/contents

Data Protection Act (1998) - http://www.legislation.gov.uk/ukpga/1998/29/contents

Employment Act (2002) - http://www.legislation.gov.uk/ukpga/2002/22/contents

Environmental Information Regulations (2004) - http://www.legislation.gov.uk/uksi/2004/3391/contents

Freedom of Information Act (2000) - http://www.legislation.gov.uk/ukpga/2000/36/contents

Malicious Communications Act (1988) - http://www.legislation.gov.uk/ukpga/2000/23/contents

Obscene Publication Act (1964) - http://www.legislation.gov.uk/ukpga/1964/74?view=extent

Protection of Children Act (1978) - http://www.legislation.gov.uk/ukpga/1978/37

Regulation of Investigatory Powers Act (2000) - http://www.legislation.gov.uk/ukpga/2000/23/contents

Sex Discrimination Act (1975) - http://www.legislation.gov.uk/ukpga/2000/23/contents








Appendix B


Information Asset Owners


The following table contains the contact names of the people responsible for managing major Invest NI application systems:


System Type | Information Asset Owner

Client Database | Damian McAuley
Client Contact Management System | Damian McAuley
Document & Record Management System | Steve Chambers
Human Resources Management System | Amanda Braden
Finance system | Mel Chittock
Offers and Claims Management System | Mel Chittock
Overseas CRM system (Goldmine) | Barry McBride
Reporting system | Damian McAuley
Payroll system | Amanda Braden
Web Content Management System | Peter Harbinson
Network | Steve Chambers
www.nibusinessinfo.co.uk | Olive Hill
www.investni.com | Peter Harbinson
www.buynifood.co.uk | John Hood
Telephony system | Steve Chambers

































Appendix C


Information Security Declaration


I, ______________________________________ (Print Name)


Having read this policy and the (Please Tick √):

Invest NI Information Security Policy

Invest NI Data Protection Policy


I do acknowledge the necessity for information security and affirm that I will do my utmost to ensure the integrity of all information by applying the principles described above.


Signature: _______________________

Date: _______________________


---------------------------------------------- For HR Use --------------------------------------


HR ACCOUNT MANAGER (Print Name): ___________________________________

SIGNATURE: ________________________ DATE: _____________


When this form is completed and signed, please detach it and return it to your HR Account Manager on your first day of work









Appendix D


Remote Access Justification


Why is remote access critical for your working needs? Please indicate if you will be connecting from one location (e.g. home) or many. If you are connecting from many locations (particularly international) please give the reason.



What type of work will remote access be used for (e.g. working from home, client visits etc)? Please list the applications that will be used and the reasons why?



What will be the estimated frequency of remote access use?

Daily

Weekly

Occasional

Set period (please highlight period required for)



Do you currently have broadband and if so are you willing to use it to connect to Invest NI?



I, ______________________________________ (Print Name)


confirm that I have read and fully understand section 9 of the ICT Systems Acceptable Usage Policy and agree to abide by all the terms and guidelines within this document. I confirm I have read the Remote Access Procedure document.


Signed: _______________________________ Date: ______________


Authorised by (signed): ______________________

(Team Director/G6)


Authorised by (PRINT): ___________________________


Grade: ______________




Date: ______________






Appendix E


Mobile Device Justification


Why is the need for a Mobile Phone critical for your working needs?



What will be the estimated frequency of mobile phone use?

Daily

Weekly

Monthly

Occasional


While out of the office; is there a requirement to send and receive emails or access the internet via mobile phone?

No, supply a mobile phone

Yes, supply a device with Data services*

* if yes, is this a new connection or an upgrade: New / Upgrade



I, ______________________________________ (Print Name)


confirm that I have read and fully understand section 10 of the ICT Systems Acceptable Usage Policy and agree to abide by all the terms and guidelines within this document.


I have signed the Mobile Device Billing Agreement and sent to the Finance Team


Signed: _______________________________ Date: ______________



Authorised by (signed): ______________________

(Team Director/G6)


Authorised by (PRINT): ___________________________


Grade: ______________




Date: ______________



















Appendix F



Blackberry Online Billing Agreement


Billing for Vodafone will be online. You will receive an Email that will give you instructions on how to activate this facility. The email will supply a username and password.

You will be emailed monthly when your billing information is available. It will be your responsibility to allocate calls made as either personal or business; the allocation for each number will be stored and carried forward as a default in subsequent months.

The ICT Team is working with Vodafone to default our mobile and land line numbers to be allocated as business calls.

Finance will deduct personal usage amounts from your salary. Any calls not allocated as business 30 days after your bill has been sent to you will be treated as personal usage.

A link to an online tutorial will be accessible from within the billing system.

In order to make this facility operate as smoothly as possible for users and administration staff, we would ask you to authorise deductions from your salary. If you have any questions please raise these with the staff on hand when the phones are handed out or with the ICT Service Desk. Please note failure to sign the form may result in a delay issuing your new mobile phone.

I hereby authorise Invest NI to deduct any amount not classified as being 'Business Use' 30 days after being notified of my bill being available for classification. I understand I will be given a reminder email (or emails) before the 30 days and a further email before the deduction is made from my salary.

PRINT NAME: ____________________________________

Signature: _______________________________________

Mobile Number: __________________________________


PLEASE READ, SIGN & RETURN TO FINANCE



















Version Control


Author: Martin Graham

Issue Date: 1st June 2002

Issue Number: 1.0

Approver: Liam Hagan & NIPSA

Status: Approved

Review Date: 1st September 2003


Review History


Issue No. | Reviewer | Review Date | Approver | Amendment History

1.0 | Martin Graham | June 2002 | NIPSA & Liam Hagan |
1.1 | Susan Cairns | 14 August 2003 | Neil McGarry |
1.2 | Neil McGarry | 21 November 2003 | Susan Cairns |
1.3 | Neil McGarry | 7th March 2005 | Ian Boylan |
1.4 | Neil McGarry | 9th November 2005 | Ian Boylan |
1.5 | Neil McGarry | 5th April 2006 | Ian Boylan |
1.6 | Neil McGarry | 11th April 2007 | Liam Hagan |
1.6.1 | Neil McGarry | 19 May 2009 | Ian Boylan | www.nibspdatabase.co.uk changed to www.edpmis.co.uk
1.7 | Neil McGarry | 31st October 2010 | Charles Hamilton | Policy title changed from Computer Misuse Policy
2.0 | Neil McGarry | 1st February 2010 | Liam Hagan | Password Policy section amended
3.0 | Neil McGarry | 30th August 2012 | Steve Chambers | Policy now combined with all other IT Security policies
3.1 | Neil McGarry | 30th September 2013 | Steve Chambers |

FOR INVEST NI BUSINESS USE ONLY

