This Policy establishes the digital information security requirements for ACI Global, including the requirement to have an Information Security Management System (ISMS) that takes into account a minimum set of controls, requirements relating to conformity with the latest ISO 27001:2013 standard and the EU GDPR Guidelines, and the establishment of the Digital Information Security Code of Practice within ACI Global.
This policy does not specifically cover the security of hardcopy information; however, the objectives of this policy apply equally to information in any format.
This policy applies to all ACI Global staff, students, facilitators and mentors, or any other persons otherwise affiliated but not employed by ACI Global, who may utilise ACI Global’s ISMS and/or access ACI Global’s applications with respect to the security and privacy of information.
This policy aims to ensure that the following digital information and digital information systems security objectives are achieved by ACI Global:
The ACI Global Information Security Management System (ISMS) is based on a comprehensive assessment of the risk to digital information and digital information systems. The ISMS appropriately addresses all identified risks and takes into account:
ACI Global staff, students, facilitators and mentors, or any other persons otherwise affiliated with ACI Global, must also ensure that any Agency under its control with a risk profile sufficient to warrant a certified independent ISMS undertakes to develop and implement an ISMS in accordance with the Core Requirements of this policy. The ISMS must be reviewed at least annually or when changes to risk are identified.
In developing the ISMS, all controls from ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security management must be considered. As a minimum, the ISMS must contain measures that address the risks associated with the set of Security Categories in the Table below, taking into account the controls identified from ISO/IEC 27002.
Table 1 - Digital Information and Digital Information Systems Security Minimum Controls

| Security Category | Requirement | ISO 27002 Controls |
|---|---|---|
| | Information Security Management Systems must include the following governance arrangements: | |
| 2. Information security systems independent review | Information Security Management Systems must be reviewed in accordance with the level of risk to digital information and digital information systems. This may be as part of an audit process. | 6.1.8 |
| 3. Information classification | All digital information must be classified to ensure it receives an appropriate level of protection. In classifying information, regard must be given to obligations imposed by relevant laws and regulations, in particular the Privacy and Personal Information Protection Act 2013. | |
| 4. Controlling access to information systems | Access to digital information and digital information systems must be monitored and controlled. | 10.8.4 |
| 5. Processing, handling, integrity and storage of information and documentation | Controls must be in place to prevent unauthorised disclosure, modification, removal or destruction of digital information. | 10.7.1 |
| 6. Purchasing/maintaining information systems | Security must be an integral consideration in information systems purchasing and maintenance. | 6.1.4 |
| 7. Controlling relationships with external parties | The security of digital information and digital information systems accessed, processed, communicated to, or managed by external parties must be controlled. The security of digital information and software exchanged with any external entity must be maintained. | |
| 8. Business processes and continuity | Controls must be in place to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of digital information systems or disasters. The timely resumption of business processes in the event of a major failure must be ensured. | |
| 9. Reporting information security events/incidents/near misses/weaknesses | Internal processes must be in place for the communication of digital information security events, incidents, near misses and weaknesses associated with digital information systems, and timely corrective action must be taken. | 6.1.6 |
| 10. Collaboration and information sharing | A collaborative approach to information security, facilitated by the sharing of information security experience and knowledge, must be maintained. | 6.1.7 |
Unless otherwise stated, the following definitions apply in this document:
The following documents are referenced in this policy:
Legislation, Policies and Guidelines
The following provides guidance on how ACI Global intends to comply with the Core Requirements of this policy.
Core Requirement 1 Notes and Guidance
Senior Responsible Officer
The Senior Responsible Officer is the Managing Director, who has carriage of the ISMS and delegates when required. The Managing Director has full visibility of all digital information and digital information systems management and policy within the organisation, and has the requisite knowledge and experience to develop and/or change, implement and manage the ISMS.
The Managing Director has the authority to represent the organisation in the Community of Practice.
Reviewing the ISMS
ACI Global undertakes regular self-assessments of the maturity of its security management using the Gartner IT Score for Information Security (refer to the ACI Global Improvements Monitoring and Measuring (IMM) Process). This tool provides an objective estimate of how effectively information security is integrated into business and ICT management processes.
Figure 1 shows key milestones for each maturity level. The resulting score is further used to measure improvements achieved through the implementation of changes to the existing ACI Global ISMS.
Figure 1: IT Score Maturity Levels for Information Security.
In addition to the Security Categories and minimum controls listed in Table 1, the ACI Global ISMS (which forms part of the Quality Assurance System) adopts all controls from ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security management, based on a thorough assessment of the risk to the digital information assets and systems of the organisation.
ACI Global undertakes Independent review through its conformance with ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements in accordance with Core Requirement 3.
The Independent review also forms part of the ACI Global IMM Process and is undertaken by an outsourced third party with an understanding of the digital information and digital information systems security environment; it is noted that the assessment is done by a person who has not contributed directly to the development of the ACI Global ISMS.
Additionally, ACI Global uses independent review as part of a peer review process (outsourced to external contractors), who provide audit services without the need for certification and need not be accredited to provide certification for ACI Global.
In determining the appropriate method of independent review, the sensitivity and business criticality of the information assets covered by the ISMS and the level of risk to information and information systems is taken into account.
Specify what is expected from staff, both permanent and contracted, and students alike, as information security is the responsibility of all who utilise the information technology services, including third parties.
ACI Global provides students, staff and third parties with access to computing and communications services in support of its teaching, learning, research and administrative activities. These facilities include access to email, Internet, file and print services, an integrated data network across all campuses, Service Desk and Student computer laboratories located across all campuses.
ACI Global does not allow any data to be viewed or distributed outside its secure portal. This relates to all learning, assessment, examination and other personal data, which can only be accessed from within the secure portal and only with the express written permission of the owner of that data.
Users are responsible for maintaining the use and security of their assigned user ids and all activity associated with that id. Knowingly disclosing passwords to others will be deemed a breach of policy and could be referred to disciplinary procedures.
ACI Global expects its staff, students and third parties to take all reasonable steps to ensure the integrity and security of ACI Global systems and data.
It is the responsibility of Human Resources to ensure correct termination dates are entered into the HR system for staff terminations. After a fixed number of days from the date of termination, the staff account will be disabled. Following a further pre-determined number of days, the account will be deleted.
There are, however, situations where an account may need to be disabled immediately, and this can only be performed with the authorisation of the Managing Director or Director of ICT Services or a delegated officer.
Where temporary access is required for a specific purpose such as, but not restricted to, contract facilitators or mentors and 'test' accounts, a user expiry date based on the completion date of the required tasks must be used to ensure the temporary account is not accessible after that date.
In the case of ongoing maintenance and support from 3rd party companies, access must only be granted to the relevant facilities within the system and be restricted to only the systems for which they provide support.
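The account lifecycle described above (termination date entered by HR, disable after a fixed number of days, delete after a further period, temporary accounts with a hard expiry date, and immediate disable on authorisation) can be reconciled against what the identity system actually reports. The following is an added example, not part of the policy or any ACI Global system; the grace periods, account names and directory snapshot are constructed assumptions, since the policy states only "a fixed number of days".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class AccountState(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"
    DELETED = "deleted"


# Assumed grace periods: the policy only says "a fixed number of days" and
# "a further pre-determined number of days"; these values are placeholders.
DISABLE_AFTER_DAYS = 7
DELETE_AFTER_FURTHER_DAYS = 30


@dataclass
class Account:
    user_id: str
    termination_date: Optional[date] = None  # entered by HR; None for current staff
    expiry_date: Optional[date] = None       # temporary / test accounts only
    immediate_disable: bool = False          # authorised by MD / Director of ICT Services


def expected_state(acct: Account, today: date) -> AccountState:
    """State the policy requires the account to be in on `today`."""
    state = AccountState.ACTIVE
    if acct.termination_date is not None:
        disable_on = acct.termination_date + timedelta(days=DISABLE_AFTER_DAYS)
        delete_on = disable_on + timedelta(days=DELETE_AFTER_FURTHER_DAYS)
        if today >= delete_on:
            state = AccountState.DELETED
        elif today >= disable_on:
            state = AccountState.DISABLED
    # Temporary accounts must not be accessible after their expiry date.
    if acct.expiry_date is not None and today > acct.expiry_date:
        state = max(state, AccountState.DISABLED, key=lambda s: list(AccountState).index(s))
    # An authorised immediate disable overrides the normal grace period.
    if acct.immediate_disable and state is AccountState.ACTIVE:
        state = AccountState.DISABLED
    return state


def find_discrepancies(
    accounts: List[Account], observed: Dict[str, AccountState], today: date
) -> List[Tuple[str, AccountState, AccountState]]:
    """Return (user_id, expected, observed) for every account out of policy.

    An account missing from the directory snapshot is treated as deleted.
    """
    out = []
    for acct in accounts:
        exp = expected_state(acct, today)
        act = observed.get(acct.user_id, AccountState.DELETED)
        if exp != act:
            out.append((acct.user_id, exp, act))
    return out


# Constructed sample data (not real accounts).
TODAY = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("jsmith"),                                     # current staff
    Account("tlee", termination_date=date(2024, 3, 28)),   # left 3 days ago, still in grace period
    Account("mkhan", termination_date=date(2024, 3, 15)),  # 16 days ago, should be disabled
    Account("rdoe", termination_date=date(2024, 1, 10)),   # 81 days ago, should be deleted
    Account("contract01", expiry_date=date(2024, 3, 30)),  # temporary account, expired yesterday
    Account("test_lab", expiry_date=date(2024, 4, 30)),    # temporary account, still valid
    Account("pwong", immediate_disable=True),              # immediate disable authorised
]
# Constructed snapshot of what the directory currently reports.
OBSERVED = {
    "jsmith": AccountState.ACTIVE,
    "tlee": AccountState.ACTIVE,
    "mkhan": AccountState.ACTIVE,       # out of policy
    "rdoe": AccountState.DISABLED,      # out of policy, should be deleted by now
    "contract01": AccountState.ACTIVE,  # out of policy, expired
    "test_lab": AccountState.ACTIVE,
    "pwong": AccountState.DISABLED,
}


def run_report() -> List[Tuple[str, AccountState, AccountState]]:
    return find_discrepancies(SAMPLE_ACCOUNTS, OBSERVED, TODAY)


if __name__ == "__main__":
    for user_id, exp, act in run_report():
        print(f"{user_id}: expected {exp.value}, directory reports {act.value}")
```

Running the script lists the three constructed accounts that are out of policy (one past its disable date, one past its deletion date, and one expired temporary account); the same comparison can be run daily against a real directory export to catch HR dates that were never entered or expiry dates that were never enforced.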
All specialised computing staff are required to ensure that all systems and procedures are well documented and that there are others who can act in a backup capacity as required.
It is the responsibility of managers, administrators, instructors and mentors to be familiar with Information Security Policies and their requirements.
Identification of what is deemed acceptable (or unacceptable) usage of network, communication and Internet services.
ACI Global provides students and staff with access to computing and communications services in support of its teaching, learning, research and administrative activities.
By signing the appropriate forms for obtaining access to the ACI Global computing facilities, or accepting the online compliance button, users agree to abide by all policies that relate specifically to the use of these facilities. Any breach of these policies will be deemed an infringement and dealt with accordingly, which could result in suspension of access privileges or, in severe cases, the involvement of legal authorities.
Interfering in any way with the ACI Global network or associated equipment, be it intentional or accidental, is not permitted. Any such interference will be acted upon and may result in removal from the ACI Global network until an investigation can be completed and the source of the interference is removed.
ACI Global encourages staff and students to appropriately use electronic communication in order to achieve the mission and goals of ACI Global and their own professional development. ACI Global encourages the use of electronic communication to share information, to improve communication and to exchange ideas. Given that education bodies place high value on open communication of ideas, including those that are new and controversial, the intention of ACI Global is to maximise freedom of communication for purposes that further the goals of ACI Global.
The electronic communications services must not be used for the distribution of material that may be deemed offensive, discriminatory or defamatory or the publishing or advertising of personal events or activities.
All usage must comply with ACI Global’s Privacy and Personal Data Usage Policy.
ACI Global encourages staff and students to use the Internet in order to further the strategic and operational objectives of ACI Global and students’ professional development. ACI Global encourages the use of the Internet to share information, to improve communication and to exchange ideas.
Inappropriate usage of Internet facilities includes, but is not restricted to, accessing or posting of discriminatory, defamatory, offensive material or material that may create or promulgate a negative impression of ACI Global.
Any staff or student required, as part of their job function or course of study, to access information on the Internet that may be deemed inappropriate, must obtain written authorisation from the Managing Director of ACI Global with a copy submitted to the Information Security Officer.
All usage must comply with ACI Global’s use of computing and communication facilities policy.
ACI Global employs Internet Content Filtering technology as a tool in meeting its duty of care obligations by preventing students under the age of 18 from being exposed to inappropriate material including, but not limited to, adult content when utilising ACI Global provided internet access.
Mobile devices including, but not limited to, laptop and netbook computers, mobile phones, smart phones and tablet devices, and external drives/devices are all subject to the same policies and procedures as other computing and communication devices.
Refer to ACI Global’s use of computing and communication facilities within the ACI Global Management of Learning Services policy.
In addition, ACI Global supplied mobile devices must be configured with a password or PIN code in order to access the device. Preferably, a password or passphrase should be used, but at a minimum a four (4) digit PIN code is acceptable. This becomes essential if corporate data and/or email is held on or accessed from the device.
Implementing a suitable environment that protects the integrity, availability and confidentiality of ACI Global data by using logical or 'computerised' controls and processes.
Software security specifically relates to access rights and protection of software packages supplied by, and for the use by, ACI Global Students, Facilitators, Mentors and Staff. All users of the network are supplied with a User Account for authentication and allocation of appropriate access rights to network facilities including software. Access to such network facilities and software is also controlled by the use of secure passwords which must be changed on a regular basis.
All ACI Global staff PCs and laptops must be set with an inactivity screensaver which requires a unique password to reactivate the underlying session and has an idle time of no more than 10 minutes before activation.
As a means of allocating appropriate software packages to specific users, an application deployment tool should be used. This can grant individuals or groups access to various programs and services in accordance with their duties and requirements through their user account.
Where software development is outside of a course of study or ACI Global sanctioned activities or research, the development must only be performed in a controlled, test environment until such time that all flaws, bugs and potential vulnerabilities are removed. Only then can the developed software be applied to a production environment.
Software development, where not part of a course of study, should only be done where required, and for the purpose of enhancing an existing application or meeting a need where no commercial software exists for the purposes required. There may also be instances where it is cheaper, faster or more appropriate to perform the in-house development.
Any software development that may cause harm or impact the ICT resources of ACI Global in an adverse manner, including, but not restricted to, scanning, gaining unauthorised access or exploiting vulnerabilities, will be regarded as inappropriate, treated as a direct attempt to compromise the ACI Global computing facilities and/or infrastructure, and dealt with accordingly.
All ACI Global issued PCs and laptops have end-point security software installed which has an automatic pattern update feature enabled. This is to ensure that the software is kept updated for the latest threats. There are also antivirus systems in place checking all incoming email into the organisation and also on internally circulating emails.
It is expected that any non ACI Global PCs and/or laptops also have current, updated antivirus software installed, and it is the owner's/user's responsibility to ensure this. Not having current, updated antivirus software installed exposes the ACI Global systems and infrastructure to potentially significant disruption and damage from virus-infected computers.
It is essential that those requiring access to the ACI Global computing facilities be issued with a unique login and password. This password is not to be shared with or used by any other individual and failing to comply will be treated as a serious breach of system security which may result in disciplinary action.
Staff Passwords are to meet complexity rules as set by the Identity and Access Management System. These complexity rules will include a minimum password length, character requirements and suitable password expiry period.
In the event that access is required to ACI Global data that is held under a specific staff member’s user id and password and that staff member is unavailable to access the data due to unforeseen circumstances, a request to have the password reset may be made with the authorisation of the Managing Director or delegated officer. This will only be considered when all other avenues to access the data have been exhausted. At the completion of the task accessing the required data, the password MUST be reset again and the staff member notified as soon as is practical.
Student Passwords are to meet complexity rules as set by the Identity and Access Management System. These complexity rules will include a minimum password length, character requirements and will NOT include an expiry date as student passwords have no requirement to expire at regular intervals. However, students will be encouraged to change their passwords on a regular basis.
To ensure that all ACI Global supplied desktop operating systems and applications are kept current and up-to-date, a central Patch Management Server will be used. This server will send out any operating system and/or software updates required to address known software vulnerabilities to ACI Global supplied PCs and laptops.
It will be the responsibility of system administrators to ensure that the servers under their control are kept updated with required operating system and software updates and patches. Periodic checks will be performed on servers to assess their vulnerability status by the Information Security Officer in consultation with system administrators.
ACI Global's ISMS ensures that the confidentiality of data contained on the information technology systems is maintained and that access is made available only to those who are authorised to see that data. This item should also be read in conjunction with ACI Global's Privacy and Confidentiality policies.
The system in place ensures the confidentiality and security of staff and student personal information contained on the ACI Global ICT facilities; it is essential that only those authorised to access such data are permitted to do so. Those who are permitted to access such information are granted appropriate access, as required by their job functions, by Student Administration or Human Resources.
Anyone, staff or student, who gains access to such personal information through methods other than those granted by Student Administration or Human Resources, shall be deemed as unauthorised and subject to disciplinary action.
Staff should be aware of their legal and corporate responsibilities in relation to the appropriate use, sharing or release of information to another party. Any other party receiving restricted information must be authorised to do so, and the receivers of the data must also adopt information security measures to ensure the safety and integrity of the data.
ACI Global provides an open and transparent process for the release of Secure Data to the Owner of the Personal Data upon request, and uses its secure data Portal for the storage, retrieval and, if required, deletion of Personal Data in line with ISO and EU GDPR regulations. Personal Data cannot be released to a third party unless written approval is provided by the Owner of the Personal Data.
Communications can take various forms which include, but are not restricted to, voice via land line, voice via mobile phone, voice via computer network (VOIP), email, electronic file transfer, wireless access, Virtual Private Network (VPN) connections, dial up modem, Infra-Red, Bluetooth and ICT network infrastructure.
Each of these communications methods poses its own unique security problems and needs to be addressed individually. In each case where network communication is required, irrespective of type, only those methods permitted by ICT Services will be allowed, and they must be used in accordance with the specific Communications Security procedures developed to support this policy.
Ensure that the physical ICT devices are kept safe from inappropriate access. This includes the physical access to the server room, switch and patch panel cabinets, and any other ICT devices in both restricted and public access areas.
All ICT devices over a specified value must be registered with the ACI Global asset register. This also applies to the disposal of assets.
When disposing of ICT assets such as computers, laptops, printers, etc. the disposal must be coordinated with ICT Client Services to ensure that all data is removed using approved data removal tools and procedures. It is also a requirement that all software be removed prior to disposal to prevent potential breaches of software licence agreements.
All offices, computer rooms and work areas containing confidential information, or access to confidential information must be physically protected. This means that during working hours, the area must be supervised, so that the information is not left unattended, and after hours, the area must be locked or the information locked away.
It is a requirement that any PC / Laptop / Portable computer be logged out and turned off at the end of the working day, unless a specific request has been made to leave the equipment turned on for the purpose of overnight processing.
The following controls must be applied to restrict building access:
Other workers must not attempt to enter restricted areas in ACI Global or DLS buildings for which they have not received access authorisation.
No computer equipment can be removed from ACI Global or DLS premises unless specific authorisation has been received from the Managing Directors of either ACI Global or DLS, a section head or ICT Services. This does not apply to laptop or notebook computers where one of their primary purposes is to allow the custodian to work while away from their normal working location.
Any equipment taken from an ACI Global or DLS campus without appropriate authorisation will be in direct violation of this policy, and appropriate misconduct and/or legal action will be taken.
Any physical issue of ACI Global portable equipment must have authorisation from the custodian, with ICT Services informed. Persons who are issued such equipment must accept personal responsibility for the equipment. When not in use, all portable IS equipment must be secured.
Specific issues relating to resources such as, but not limited to, iPhone, Smart Phones, PDAs, iPad, mobile phones, laptop or notebook computers and the like and their use within the general system infrastructure.
Any non ACI Global issued laptop or portable device connected to the ACI Global network is the responsibility of the owner. ACI Global will take no responsibility for virus or other damage that may be caused by being connected to the network.
Since portable and hand-held devices are increasingly common, it is necessary to allow for their use on the network. All new staff laptops will be passed to the Information Services section, or designated technical staff, for initial setup and testing to ensure that all the correct anti-virus and patch updates are installed and the device can be used safely on the network.
ICT Services will not be obliged to enter into any other support arrangements for non ACI Global owned devices.
Student laptops and other portable devices can be connected to the network only if they have current and updated end-point security software. These devices should only be connected to the network in authorised Public Access areas on the campuses, because these Public Access Areas can be monitored and protected by ICT Services, who can remove any devices suspected of inappropriate activity.
The use of mobile devices on the ACI Global network is also subject to the Use of Computing and Communication Facilities policy.
In keeping with current networking trends and requirements, ACI Global has adopted the use of wireless networking technology. In order to access the wireless networking facilities, portable equipment must first meet strict security criteria as enforced by the use of an SSL/VPN device.
The use of wireless networking not supplied by ACI Global will be deemed inappropriate and will be removed from the network unless provided by schools as part of a course of study. In such cases, the wireless network must be confined to a limited area such as a classroom or lab and pre-approved by ICT Services.
It is expected that the custodians of laptops or other portable devices will still abide by this policy and all supporting documents. Any breach of this policy may lead to disciplinary action being taken.
Specify how any breaches of security relating to the information systems will be identified and handled.
Any suspected inappropriate or illegal usage of the ACI Global Information Services network and equipment should be reported to the Service Desk or to a school or section head immediately. This information will then be reported to the Information Security Officer for investigation.
Disaster Recovery Plans, Business Continuity Plans, backup strategies and fail-over plans for the core ACI Global services and infrastructure are the responsibility of ICT Services, to ensure that any outages or disasters can be recovered from in the shortest possible time with a minimal amount of data or resource loss.
These documents must include step-by-step instructions for the restoration of each service to ensure that, if required, other personnel from the ICT Services are able to perform the recovery. These documents also form part of the ACI Global Business Continuity Plan.
The escalation process for the rating of each reported event will be determined by the relevant ICT Services staff member in conjunction with the Information Security Officer taking into account the event itself and other priorities at that time.
Staff nominated by the Managing Director (Student Support & Services) will be authorised to monitor all aspects of the ACI Global network and associated infrastructure. They are also able to report any suspected inappropriate and/or illegal activity to the Information Security Officer in the first instance for further investigation in accordance with ACI Global’s Incident Investigation procedures.
It is also the role of the Information Security Officer to actively monitor and analyse all network-related activity, including, but not restricted to, Internet usage, email, and the dissemination and use of programs and data across the e-Campus network infrastructure.
This monitoring will be done for the sole purpose of identifying and responding to any suspected inappropriate activity.
"The content of e-mail and other electronic communications will only be accessed by the Information Security Officer -
All information reported to the Information Security Officer shall be treated in the strictest confidence. Any reported information will be logged and relevant action taken, including reporting to relevant School or Section heads and other management as required.
How to ensure that there will be minimal disruption to ICT services in the event of a disaster or the implementation of changes to systems and/or associated infrastructure.
All major systems within the ACI Global computing infrastructure are backed up on a regular basis. Information Services has a Backup Strategy which details the frequency of backups. It is also strongly advised that all users save their work to their network drive, as this drive is backed up and any loss of or damage to files can often be rectified by restoring the files from an existing backup.
To ensure that the ICT facilities and services running within the ACI Global infrastructure are maintained and kept running at maximum performance and functionality, it is often a requirement to perform maintenance and upgrades to equipment. To ensure that there is minimal disruption to essential services, appropriate Change Control procedures are to be followed. This is to ensure that the disruption is kept to a minimum and appropriate roll back procedures exist should there be issues during the system changes.
In the event of a disaster that impacts the ICT infrastructure and/or services, the implementation of a Disaster Recovery Plan is essential. The DRP provides the step-by-step procedures and processes required to ensure that services are returned to normal operation in the shortest possible time. The production and maintenance of such plans are the responsibility of the various ICT staff assigned to any aspect of the network and ICT services.
Failure to abide by these terms will be treated as misconduct.
For a first-time minor infringement, a warning will be issued. A second offence will result in automatic denial of access to one or all e-Campus facilities for a period of three (3) working days and up to two (2) weeks.
A serious infringement includes, but is not limited to, a third and subsequent offence of a minor infringement, and will result in automatic denial of access to one or all facilities and referral to the Deputy Vice-Chancellor (Student Support & Services). This may result in: