Acceptable use policy

The information systems policy covers the use of ICT systems to support learning provided by St Joseph’s Catholic High School.

Equipment Principles

St Joseph’s Catholic High School is committed to safeguarding its ICT infrastructure to ensure it can be used in the most effective manner to support teaching and learning processes. Ensuring the safety and integrity of the School’s ICT infrastructure is the responsibility of all staff.

The School encourages staff to fully use the ICT infrastructure and to make use of portable ICT equipment offsite to support them in their work. The School encourages this use in a responsible and professional manner. Portable computers include, for example, laptops, tablets and other portable ICT devices.

As a user of ICT services of the School you have a right to use its computing services; that right places responsibilities on you as a user which are outlined below. If you misuse School computing facilities in a way that constitutes a breach or disregard of this policy, consequences are associated with that breach and you may be in breach of other School regulations.

Ignorance of this policy and the responsibilities it places on you is not an excuse in any situation where it is assessed that you have breached the policy and its requirements.

Staff are advised of this policy during their induction and of the School’s requirement for them to adhere to the conditions therein.

For the purposes of this policy the term “computing services” refers to any ICT resource made available to you, any of the network borne services, applications or software products that you are provided access to and the network/data transport infrastructure that you use to access any of the services (including access to the Internet). Staff who connect their own ICT to the School’s network and the services available are particularly reminded that such use requires compliance with this policy.

Purposes

  • To protect the School’s networks and equipment
  • To protect the School’s data
  • To protect the School and its employees from activities that might expose them to legal action from other parties

Guidelines

Password security

Access to all systems and services is controlled by a central computing account and password. Staff are allocated their User ID and initial password as part of their induction with the School.

Issuance and continued use of your User Account is conditional on your compliance with this policy. User IDs and passwords are not to be shared or revealed to any other party. Those who use another person’s user credentials and those who share such credentials with others will be in breach of this policy.

Initial default passwords issued to any user should be changed immediately following notification of account set up. Passwords should be routinely changed (every 3 months is recommended) and should be changed immediately if the user believes or suspects that their account has been compromised.

General Conditions

In general, use of School “computing services” should be for your study, research, teaching or the administrative purposes of the School. Modest use of the facilities and services for personal use is accepted so long as such activity does not contravene the conditions of this policy.

  • Your use of the School’s computing services must at all times comply with the law.
  • Your use of the School’s computing services must not interfere with any others’ use of these facilities and services.
  • You are not entitled to use a computer that you have not been authorised to use.
  • You must not access any program or data which has not been specifically authorised for your use.
  • You must not use or copy any data or program belonging to other users without their express and specific permission.
  • You must not alter computer material belonging to another user without the user’s permission.
  • You must not use School computing services to harass, defame, libel, slander, intimidate, impersonate or otherwise abuse another person.
  • You must not use School computing services for the creation, collection, storage, downloading or displaying of any offensive, obscene, indecent or menacing images, data or material capable of being resolved into such. (There may be certain legitimate exceptions for educational purposes which would require the fullest disclosure and special authorisation from the Headteacher).
  • You must not use the School’s computing services to conduct any form of commercial activity without express permission.
  • You must not use the School’s computing services to disseminate mass (unsolicited) mailings.
  • You must not install, use or distribute software for which you do not have a licence, and which is not first authorised by the ICT Department for installation
  • You must not use any peer-to-peer file sharing software
  • You must not use any IRC or messenger software including, but not limited to AOL, MSN, Yahoo! or other “Messengers”, IRC or “chat” clients unless expressly authorized to do so for work related purposes
  • You must not post or subscribe to newsgroups, on-line discussion boards or email list groups from the School’s facilities, unless specifically related to School activities
  • You must not use any form of network monitoring which will intercept data not specifically intended for you unless this activity is a part of your normal job responsibilities or has been specifically authorised by the Head teacher/Governing Board
  • You must not play computer games of any nature whether preinstalled with the operating system or available online

Data Security

The School holds a variety of sensitive data including personal information about students and staff. If you have been given access to this information, you are reminded of your responsibilities under data protection law.

You should only take a copy of data outside the School’s systems if absolutely necessary, and you should exhaust all other options before doing so. This includes putting sensitive data onto laptops, memory sticks, CDs/DVDs or into emails. If you do need to take data outside the School, this should only be with the authorisation of the School’s Data Protection Officer. As part of this you should perform a risk assessment on the implications of it falling into the wrong hands, and take appropriate steps to mitigate against this. This will almost certainly include encrypting the information, and checking the data protection statements of any recipients of the data.

There are a variety of methods of remote access to systems available (in particular using VPN and remote desktop or terminal services) which allow you to work on data in-situ rather than taking it outside the School, and these should always be used in preference to taking data off-site.

The ICT Department offers a variety of information and support to help you keep data secure. If you are uncertain about any aspect of data security, you must contact them for advice.

Anti-Virus and Firewall Security

All personal computers are installed with current versions of virus protection and firewall software by the ICT Department. Users are not to alter the configuration of this software unless express permission has been obtained from the ICT Department. This software is installed to prevent an attack from malicious software and to prevent loss of data and corruption of programs/files.

Users must ensure that they are running with adequate and up-to-date anti-virus software at all times. If any user suspects viral infection on their machine, they should inform the ICT Department immediately. If the ICT Department detects a machine behaving abnormally due to a possible viral infection it will be disconnected from the network until deemed safe.

Physical Security

The users of ICT equipment should always adhere to the following guidelines:

  • Treat equipment safely, in the same manner as a reasonable person would
  • Keep liquids away from ICT equipment
  • Do not place heavy objects on ICT equipment
  • Do not drop ICT equipment or objects onto it
  • Any portable computer must be securely locked away when not in use.
  • Portable computer security is your responsibility at all times.
  • Do not leave the portable computer unattended in a public place or within the School
  • Do not leave the portable computer on view inside your car. It should be locked away in your car’s boot out of sight.
  • Extra reasonable care must be taken to prevent the loss of USB sticks which contain confidential School data
  • Staff supervising students using ICT equipment should ensure students take reasonable care of such equipment

Remote Access

Remote access to the School network is possible where this has been granted by the ICT Department.

Remote connections are considered direct connections to the School network. As such, accessing services remotely generally subjects the user to the same conditions, requirements and responsibilities of this policy.

All connection attempts are logged.

Monitoring and Logging

Activities regarding network transactions may be monitored and logged and kept for an appropriate amount of time. Logs are taken for security, diagnostic and account/audit reasons. Logs are available only to authorised systems personnel and kept for no longer than necessary and in line with current data protection guidelines.

Such records and information are sometimes required – under law – by external agencies and authorities. The School will comply with such requests when formally submitted.

Breaches of This Policy

Incidents which are determined to be in contravention of this policy will be assessed for their severity. Investigating such incidents may require the collection and evaluation of user related activity and evidence.

It is not possible to provide an exhaustive list of potential ways in which a user may contravene this policy but in general such breaches will be categorised into one of three levels of severity and each level of breach will carry with it a possible range of sanctions, consequences and/or penalties.

In the event a Portable Computer is damaged or lost as a result of non-compliance with this policy or as a result of other negligent action, then you may be required to make a full or partial contribution towards any reparation/replacement costs, at the discretion of the School.

Minor Breach

This level of breach will attract a verbal warning which will be recorded and held for 12 months. In general this category will relate to behaviour or misuse of computer facilities that can be characterised as disruptive or a nuisance. Examples of this level of non-compliance would include:

  • Taking food and/or drink into ICT facilities where they are forbidden.
  • Sending nuisance (non-offensive) email
  • Behaving in a disruptive manner.

Not all first offences will automatically be categorised at this level since some may be of a significance or impact that elevates them to one of the higher levels of severity.

Moderate Breach

This level of breach will attract more substantial sanctions and/or penalties. Examples of this level of non-compliance would include:

  • Repeated minor breaches within the above detailed 12-month period.
  • Unauthorised access through the use of another user’s credentials (username and password) or using a computer in an unauthorised area.
  • Assisting or encouraging unauthorised access.
  • Sending abusive, harassing, offensive or intimidating email.
  • Maligning, defaming, slandering or libelling another person.
  • Misuse of software or software licence infringement.
  • Copyright infringement.
  • Interference with workstation or computer configuration.

Severe Breach

This level of breach will attract more stringent sanctions, penalties and consequences than those above, and access to computing facilities and services may be withdrawn (account suspension) until the disciplinary process and its outcomes have been concluded. Examples of this level of breach would include:

  • Repeated moderate breaches.
  • Theft, vandalism or wilful damage of/to ICT facilities, services and resources.
  • Forging email i.e. masquerading as another person.
  • Loading, viewing, storing or distributing pornographic or other offensive material.
  • Unauthorised copying, storage or distribution of software.
  • Any action, whilst using School computing services and facilities deemed likely to bring the School into disrepute.
  • Attempting unauthorised access to a remote system.
  • Attempting to jeopardise, damage, circumvent or destroy ICT systems security.
  • Attempting to modify, damage or destroy another authorised user’s data
  • Disruption of network communication capability or integrity through denial of service attacks, port scanning, monitoring, packet spoofing or network flooding activities.

Process

An investigation will be carried out, in confidence, by School Leadership under the direction of the Head teacher. That investigative report will be passed to the staff member’s Line Manager, to be considered within the School’s disciplinary procedures. Each set of disciplinary procedures provides for an appeal stage.