Security Policy 03 - Use of Computer Systems

OBJECTIVE
To maintain equipment, systems and data in a controlled environment

POLICY
General
All computers connected to the University network must be registered with Information Services. Only authorised users may have access to computer equipment. Computer equipment must have security facilities appropriate to the sensitivity of the data held. Account holders are responsible for ensuring that their computers have suitable Anti-Virus software installed and up to date with most recent virus definitions. Account holders are responsible for ensuring installation of all relevant security patches released by the Operating System provider (e.g. Microsoft). Where appropriate, if using systems not managed by Information Services, uninterruptible power supply units should be used to protect critical systems. Critical systems must be subject to maintenance contracts defining level of maintenance and minimum levels of performance. Information Services is responsible for the control and maintenance of all centrally managed hardware. Account holders will be responsible for any computer activity performed using their account. Inactive terminals will be set to timeout after a pre-set period of inactivity.

Page 1

Version 2.0

Data Management
All users should store master copies of data in secure networked data repositories, whether central, School or Directorate based. All users are provided with central storage for this purpose. Where it is not possible to move data to managed storage, users should ensure backup copies of critical information are taken and held securely until data can be moved to a secure location. All users creating/managing/working with data classed as personal or confidential should refer to SP05 Data Protection Regulations and SP06 Information handling Policy. To ensure compliance with data security requirements, Departments and/or individuals should carry out a risk analysis where it is planned to take data off site. This is covered in detail in SP05, SP06 and SP07. All confidential or personal data used on a mobile device (laptop, or portable storage) must be in an encrypted state.

Prohibited Actions
Modem devices should not be connected to a networked computer without proper authorisation. Modem devices should not be connected to the telephone system when not in use. Active computer terminals should not be left unattended. Data that was not created by the user, must not be deleted from any computer system without consultation. Books, files or other objects should not be placed on equipment or cabling. Eating and drinking should not take place within the immediate vicinity of computer equipment. Portable computers, PDAs, memory devices (e.g. USB pens or hard drives) should not be left unattended in public places.

Page 2

Version 2.0