SOAS IT Policy (under revision)
The IT policy was originally approved by the SOAS Executive Board on 19 July 2002. Subsequent minor revisions have been reviewed by the School's Information and Internal Communications Committee (IICC). During the 2011/12 session a major review of the School's over-arching Information Strategy was undertaken and it is expected that a new ICT/IS Strategy will be approved early in the 2012/13 session. In the meantime, the policies outlined below (which have been revised to reflect the current organisation of the School) remain in force.
IT Services at SOAS supports the development and operation of information and communication technologies (ICT) for research, learning and administration within the School and between the School and the rest of the world. These policies are intended to facilitate the smooth and consistent running of these technologies which include multimedia, telephones and faxes, copiers and printers, computers and network infrastructure.
Index to Policies
- A School IT Policy Statement
- B Supporting Policies
- B1 Compliance with legislation
- B2 Conditions of Use for IT systems
- B3 IT Security Policy
- B4 Use of Information Servers
- B5 Individual and Workgroup Equipment & Software
- B5A Mobile Equipment
- B6 Maintenance and Support of IT Equipment and software
- B7 Connection To and Accounts On the School Network
- B8 Use of E-Mail
- B9 Use of the World Wide Web
- B10 Use of Telephones
- B11 Use of Facsimile machines.
- B12 Use of Photocopying and Printing Equipment
- B13 IT Purchasing Policy
- B14 Disposal of IT Equipment
- B15 The Community beyond SOAS
- B16 Noncompliance with these policies
- ANNEX 1 Definition of Terms Used in the Policies, Procedures and Standards
- ANNEX 2 The IT Security Working Party
- ANNEX 3 Agreements and Disclaimers
- ANNEX 4 Supported Systems
- List of Supported Hardware
- List of Supported Operating Systems
- List of Supported Applications
- List of Supported Media
- List of Supported Formats
- List of Supported Network Services and Protocols
- ANNEX 5 - IT Services for visitors who are at SOAS under formal Academic Hospitality arrangements
Typographic convention: italicized text indicates explanatory notes rather than policy.
A. School Policy Statement
A.1 Scope of IT Policies
A.1.1 The SOAS IT policy and its supporting policies apply to:
A.1.1.1 all staff and students of the School and all other users authorised by the School, whether at SOAS premises or elsewhere. This includes visitors who are at SOAS under formal Academic Hospitality arrangements.
A.1.1.2 users from other institutions under arrangements covered by EduRoam.
A.1.1.3 the use of School-owned, -leased, -rented and on-loan facilities. They also apply to all private systems, whether owned, leased, rented or on-loan, when connected to the School network directly or indirectly.
A.1.1.4 all School-owned or licensed data/programs, be they on School or private systems, and to all data/programs provided to the School by sponsors or external agencies.
A.1.2 The IT systems covered include servers, workstations, desktop computers, laptop/notebook/handheld computers, communications equipment, photocopiers, telephones, facsimile machines and audio visual equipment installed anywhere in the School, or operated on behalf of the School at another location.
A.2.1 The objectives of IT policy and its supporting policies are to:
A.2.1.1 Provide systems that are suited to their purpose;
A.2.1.2 Provide and maintain safe IT equipment in a suitable environment, and to ensure safe working practice in the operation of IT equipment;
A.2.1.3 Ensure that the School achieves best value in its IT provision;
A.2.1.4 Ensure that School IT facilities are adequately secure;
A.2.1.5 Ensure that users are aware of and fully comply with the relevant legislation, policies, procedures, guidelines and standards;
A.2.1.6 Ensure safe, and socially and environmentally responsible disposal of equipment;
A.2.1.7 Ensure that SOAS plays an active and responsible part in the wider higher education community in its use of information technology.
A.2.2 Definitions of terms used in this Policy Statement can be found in ANNEX 1.
A.3 Responsibilities for IT Policies
A.3.1 The Registrar and Secretary has responsibility for initiating and drafting IT policies and for delegating the production of supporting documentation.
A.3.2 The Registrar and Secretary has responsibility for arranging the consultation process as appropriate for each policy.
A.3.3 The Registrar and Secretary has responsibility for arranging approval of IT Policies.
A.3.4 The Registrar and Secretary has responsibility for maintaining IT policies in an up-to-date and accessible form.
A.3.5 The Registrar and Secretary has responsibility for arranging the dissemination of IT policies in an appropriate and accessible way.
A.3.6 It is the responsibility of each individual, defined in paragraph A.1 above, to ensure their understanding of and compliance with this and associated policies. Such responsibility is part of a member of staff's contract of employment and a student's contract to study. All other users are required to sign the agreement in ANNEX 3.
A.4 Compliance with Legislation
A.4.1 The School has an obligation to abide by all relevant legislation. This policy and supporting policies, procedures, guidelines and standards must satisfy all applicable legislation. This obligation formally devolves to all users defined in A.1 above, who may be held personally liable for any breach of the legislation. Policy B.1 Compliance with Legislation gives more detail.
A.4.2 If anyone finds an inconsistency between policies and legislation, or between individual policies, they must bring this to the attention of the Registrar and Secretary.
A.5 Health and Safety
A.5.1 The School will provide and maintain equipment that is safe in the context of its intended use. Individual users have a responsibility to operate these systems safely and report any defects. Managers with responsibility for health and safety should follow recognised guidelines in assessing risk, and should consult the School Safety Officer when advice is needed.
A.5.2 All users must follow manufacturers' instructions or handbooks in the installation and operation of IT systems, and should consult the School Safety Officer when advice is needed.
A.6 Environmental responsibility
A.6.1 All systems within the scope of this policy will be acquired, operated and disposed of in an environmentally responsible manner.
A.7 Policy Awareness
A.7.1 All IT policies and guidelines will be made freely available electronically on a SOAS Web server to everyone to whom they apply (see A.1.1 above) and these will form the up-to-date official version. Policies and guidelines will also be published in Staff handbooks, Student handbooks and contractors guidelines, and will be available as paper copies for issuing to users as appropriate.
A.7.2 Anyone responsible for authorising the use of facilities within the scope of this policy and its supporting policies is responsible for informing new users of IT policies.
A.7.3 All IT procedures and standards will be published electronically wherever possible; however, where publication could compromise safety or security, procedures and standards will be restricted.
A.8 Changes to IT Policies
A.8.1 The normal process for changing IT Policies will be for a request to be made to the Registrar and Secretary who will arrange for suitable approval from the Executive Board, Director and Governors. At this point the published IT Policies will change.
A.8.2 In the event of a need for urgent change, this may be approved by the Registrar and Secretary and implemented immediately, pending formal approval from the Executive Board, Director and Governors. Any urgent changes will be published immediately with the changes highlighted as provisional.
A.9 Status of IT Policies
A.9.1 It is a condition of employment that staff will abide by School Rules and Policies of which IT Policies are a part.
A.9.2 The School's Rules and Policies, including IT Policies, are an integral part of Student Regulations.
A.9.3 IT policies are an integral part of the School's Policies to which contractors must adhere.
B1.1.1 Users must comply with current British legislation in all respects when using IT systems and equipment. Legislation that applies particularly in these circumstances includes: The Health and Safety at Work etc. Act and the work of the Health and Safety Executive, The Computer Misuse Act 1990, The Data Protection Act 1998 and the work of the Data Protection Registrar, The Regulation of Investigatory Powers Act 2000, The Communications Act 2003, The Copyright, Designs and Patents Act 1988 and the work of the Copyright Licensing Agency. Further advice and information is available from the JISC legal service.
B1.2 Data Protection Act
B1.2.1 Users must comply with the School's Data Protection Policy. An on-line guide to your rights and obligations under the Act is available.
B1.3 Intellectual Property Right, Licenses etc.
B1.3.1 No user may copy programs or information to paper, removable media (such as USB drives), non-removable media (such as hard discs) or to portable computers except where explicitly allowed by the license agreement/contract and where no copyright or intellectual property right is infringed.
B1.4 Theft and misuse
B1.4.1 Unauthorised removal of School-owned, -leased, -rented or loaned IT equipment, software or data from the School premises and systems constitutes a theft.
B1.4.2 No user may interfere with protection systems. This includes: any device which is provided to prevent removal or theft of equipment; any software or configuration that detects or prevents virus infection; any software or configuration that prevents the running of non-approved software.
B1.4.3 No user may install or use software or systems which are not licensed for use.
B1.4.4 School systems may not be used to transmit, store, share or access text, images, recordings, scripts, programs or telephone calls that contain:
- material likely to contravene current legislation such as sexist, racist, homophobic, xenophobic, pornographic, paedophilic or discriminatory material, except in the legitimate pursuit of valid pre-authorised research;
- text, images or recordings to which a third party holds copyright or other intellectual property right, without the written permission of the rightholder;
- material that is defamatory, libelous, slanderous or threatening;
- material that could be used to breach computer security or to facilitate unauthorised entry into computer systems;
- material that is likely to prejudice or seriously impede the course of justice in UK criminal or civil proceedings;
- material containing personal data as defined by the Data Protection Act 1998 unless the subjects' permission has been explicitly given in writing.
B1.5 The Regulation of Investigatory Powers Act 2000
B1.5.1 The School may intercept any communication transmitted across or stored on its systems provided that this is within the framework of the RIP Act 2000. In particular, it may monitor but not record communications:
- to anonymous helplines
- to determine whether communications are for personal or business purposes
The School may monitor and record communications for the following purposes:
- to ensure that users are complying with School policies, Conditions of Use, procedures and guidelines and with British legislation, except that recording may not take place under the criteria in B1.5.1
- to monitor standards of quality, performance and security
- to prevent or detect crime
- to investigate unauthorised use of systems
B1.5.2 When an external agency requests information under the RIP Act, the Director of Service Delivery and Infrastructure will be the point of contact. In his absence, the Network Manager shall be the point of contact.
B1.5.3 The School routinely logs transactions on its systems. This logging covers network traffic, the transmission of e-mails, access to Web pages, the placement of telephone and fax calls and logging in and out of user network accounts. Some administrative systems also have transaction logging enabled. Electronically recorded messages and logs may be automatically backed up; these backups will also be covered by the RIP Act 2000.
B1.5.4 All other interceptions must be authorised by the manager responsible for the system on which the interception is to take place. In this person's absence, responsibility will be assumed upwards through the line management, and ultimately to the School's Director. The IT security officer will act as the compliance officer and is responsible for ensuring that policies and procedures are implemented in accordance with the RIP Act.
B1.6.1 Where electronic information is provided with the intention of being generally accessible, this information should be in a suitable form for those with disabilities to gain access to the information wherever practicable. This particularly applies to information on the World Wide Web where internationally recognised Accessibility Guidelines should be used when authoring material.
B1.6.2 The School will, wherever possible, make suitable provision for legitimate users with disabilities to access School information using appropriate information technology.
B2.1.1 School IT assets must be safeguarded, and operated and administered in the best interests of the School and its community as a whole. The interests of individuals or sections should not override the requirements for provision and continuity of service for the remainder of the School.
B2.2 Access to equipment and information
B2.2.1 Only those within the scope of the IT Policy, A.1, may use School IT systems.
B2.2.2 No user may read/view/listen to, modify or delete any file or information without authorisation from the owner of the file. The School reserves the right to remove material from its systems or systems operated on its behalf which it deems to be unsuitable. Criteria for suitability are given later in this section. Removal of material may be governed by the Policy on Information Servers but where this is not applicable the authority is vested in the Director of Service Delivery and Infrastructure and his authorised deputy. Where information is clearly provided for other users to access (such as on the Internet or intranet), authorisation to read/view/listen to is implicit.
B2.2.3 Shared access to file space that is accessed using FTP, FTPS, SCP or drive mapping must be managed through the use of operating system services.
B2.2.4. Shared access to files that are stored in Web 2.0 applications and accessed using HTTP or HTTPS must be managed by the file owner. It is the responsibility of the file owner to ensure that the file is adequately secure.
B2.2.5. It is not normally permitted for others to use an account that is logged-in in someone else's name. Such use will be dealt with as a disciplinary offence.
B2.2.6. It is not normally permitted for anyone to log in using someone else's user name in order to make use of their file space, to share files or for any other purpose. Such use will be dealt with as a disciplinary offence.
B2.2.7. A user must login to a shared system only with a user name which he or she has been allocated. Logging in to a machine using someone else's username, password or PIN number is an offence unless it is for legitimate operational or training reasons and with the approval of the department manager. A manager may consider it necessary to access an absent member of staff's files or email messages in order to maintain continuity of service. Where the absent member of staff's password is not known, I&T should be contacted in order to gain access. For a teacher or expert advisor to take over a terminal session for the purpose of instructing another person in the use of a system or investigating problems is legitimate once the person has logged in. However, procedures should not normally require a user seeking assistance to divulge his or her password to anyone else, including the teacher or advisor.
B2.3 Security of passwords and PIN numbers
B2.3.1 It is the responsibility of all users to maintain the security of their own passwords and PIN numbers. Any user who fails to take reasonable steps to do so breaches this policy and may be liable for any consequences which follow if another person makes use of one of them. It is good practice to periodically change your password, and if you suspect that your password has become known to someone else you should change it immediately. Passwords should be chosen with care: do not use a dictionary word or a name, use a mixture of upper and lower case letters and include at least one number. Passwords should not be made readily accessible: treat passwords as you would a credit card - safe and secure.
B2.3.2. If, for legitimate operational or training reasons and with the approval of the department manager, a password is divulged to someone else, the password must be changed as soon as possible.
B2.4 Use and security of equipment and information
B2.4.1 IT resources are only available to users as defined in policy A.1. Additionally, the resources must have been allocated and/or approved by the School for their use.
B2.4.2 IT resources may only be used for the purpose they are intended and in the way these systems are configured. Only I&T staff, approved contractors or others with approval from the Director of Service Delivery and Infrastructure are permitted to change the use or system configuration of School IT equipment and software. Users are permitted to change user preferences to suit their working practice or style provided the settings do not compromise security or alter operability for others.
B2.4.3 No user may use a computer system in any way which puts files or information belonging to someone else at risk of damage. In particular, knowingly introducing a computer virus is a serious offence which may result in disciplinary action.
B2.4.4 Users must cooperate with I&T in preventative or remedial action concerning equipment and data security.
B2.4.5 Publishing, or communicating without the authority of either the Director of Service Delivery and Infrastructure or the IT Security Officer, any information which allows someone else to breach the security of the computer systems is an offence. Examples are user's passwords or loopholes in system security which a user may come across accidentally whilst making legitimate use of the facilities. All users must inform the computing section when they find evidence of failures or weaknesses in security. The Director of Service Delivery and Infrastructure and the IT Security Officer have the authority to give information which allows a breach of security, but this would normally be confined to testing and detection purposes only.
B2.4.6 When requested to do so by the attendants or other responsible persons, anyone using School communication and information technology equipment must be prepared to identify himself or herself by presenting their SOAS-issued identity card.
B2.4.7 Users are required to treat IT equipment with care, and other users and IT Department staff courteously.
B2.4.9 School systems may not be used to transmit, store, share or access text, images, recordings, scripts, programs or telephone calls that:
- will consume sufficient network or server resource as to impede the effective use of systems by other users;
- is likely to incur unwarranted costs on the School;
- is likely to involve users or support staff in wasted time;
- contain misleadingly out-of-date information;
- contain inaccurate or deceiving information;
- seeks to unreasonably trivialise, insult or degrade other individuals, groups or bodies, or infringe others' human rights;
- use techniques that capture or otherwise display third party information in such a way as to give the impression that they come from anywhere other than the original source.
B2.4.10 No material may display the School logo or name, or otherwise give the impression that they are official School documents, except in accordance with approved School policy. This policy is controlled by the School Directorate.
B2.4.11 No material may imply or form a contract on behalf of the School except in accordance with approved School policy. This policy is controlled by the School Directorate.
B2.4.12 The Network Manager and other designated Operating staff are authorised to read any file stored on the system and, if it is necessary to safeguard the integrity of the system, to delete any file without warning.
B2.4.13 Trade Union representatives and members may use School systems for School-related Trade Union communications as regulated by the appropriate policy. This policy is controlled by the School Directorate.
B3.1 Scope and Purpose
B3.1.1 The purpose of this policy is to ensure the availability, confidentiality and integrity of IT systems which support the academic and administrative activities of the School. Effective security is achieved by working with a proper discipline, in compliance with legislation and School Policies, and by adherence to approved School procedures and standards.
B3.2.1 The objectives of this policy are to:
- Ensure that School IT facilities are adequately protected against loss, misuse or abuse.
- Raise awareness of IT security issues throughout the School and to ensure that they are considered at every stage of an IT system life cycle.
- Ensure that users understand their responsibilities for protecting the data they handle.
B3.3 Responsibilities for Information Systems Security
B3.3.1 The IT Security Working Group is responsible for implementation of this policy and related projects.
B3.3.2 Proposals for IT Security Projects should be made to the Director of Service Delivery and Infrastructure, and will be prioritised by the Working Group. The IT Security Working Group will appoint Project Boards and Teams to implement scheduled projects and will monitor progress.
B3.3.3 The role of School Computer Emergency Response Team (CERT) is at an operational level within the remit of the Network Team. The School's CERT has the authority to take any action deemed necessary to protect the School's systems and information within the scope of this policy.
B3.4 Compliance with Legislation
B3.4.1 The School has an obligation to abide by all relevant legislation. This policy and supporting policies, procedures and standards satisfy the requirement under the Data Protection Act 1998 for a formal statement of the School's security arrangements for personal data. The requirement formally devolves to all users defined in Policy A.1 above, who may be held personally liable for any breach of the legislation. Ref. Policy B1
B3.5 Risk Assessment and Security Review
B3.5.1. All proposed new systems and modifications to existing systems will be assessed for the security risk they may represent in advance of their introduction. This risk assessment will normally be documented in writing by the Information Server Owner and will be brought to the attention of the Director of Service Delivery and Infrastructure who may either: (a) approve the system or modification; (b) prevent the introduction of the new system or modification; or (c) refer the risk assessment to the IT Security Working Group for consideration. The Director of Service Delivery and Infrastructure or the IT Security Working Group may require action to be taken to reduce risk before allowing the introduction of a new or modified system.
B3.6 Provision of Network Services
B3.6.1 The Network Manager is responsible for authorising standard and non-standard services on the School network. Standard services, and guidelines for requesting non-standard services, are contained in the document Requesting Non-standard Services through SOAS Firewalls.
B4.1 An Information Server must have an owner who is authorised by the Director of Service Delivery and Infrastructure.
B4.2 The Information Server Owner (ISO) is responsible for compliance with all relevant School Policies and current legislation. This makes the ISO responsible to different people or groups for their actions, for example, to the Data Protection Officer for compliance with Data Protection legislation, to the Network Manager for network functioning, to the IT Security Officer for audit availability and to users for the quality of the data.
B4.3 Each ISO is responsible for the availability, accountability, authenticity, confidentiality, integrity and reliability of their systems and data. This responsibility brings with it an additional workload and every ISO's line manager must be aware of and agree to this arrangement.
B4.4 The ISO will assess the value to the School of the information served, identify threats to that information and arrange safeguards which are commensurate with the identified risk.
B4.5 The ISO is responsible for monitoring changes to the value of information, or the threats to it and making appropriate changes to the safeguards.
B4.6 The ISO will regularly review the operation of the above safeguards to identify attempts to compromise the server. All "successful" compromises must be reported immediately to the School's Computer Emergency Response Team (CERT). All attempts, whether successful or not, should be reported to the School's Information Security/Strategy Committee.
B4.7 The ISO will take all possible precautions to ensure that the system does not interfere with the operation of any of the School's IT systems.
B4.8 Information Servers must be available at any time for a security audit by The School's IT Security Officer or auditors.
B4.9 The ISO must ensure that it is possible to disconnect the server immediately at all times.
B5.1 The following policies apply to equipment and software which is used by an individual or shared by a group of users and are additional to the Conditions of Use of IT Systems and other appropriate policies. Examples of equipment to which this policy applies are telephone handsets, AV equipment, desktop and laptop computers, individual and shared printers, photocopiers.
B5.2 Specification and selection of IT equipment must be done by or in consultation with I&T.
B5.3 Purchase of equipment and software must be in accordance with IT Purchasing Policy.
B5.4 I&T will maintain a record of the current location of School IT equipment. Movement of normally fixed equipment should be supervised by I&T personnel wherever possible. Where this is not possible, I&T should be notified of all changes.
B5.5 I&T will maintain a record of all software licences it purchases. Licence agreements are published on the School's network.
B5.6 Installation and upgrading of individual and workgroup equipment and software will normally be undertaken by I&T or its approved contractor.
B5.7 No user may install additional hardware or software, or alter the configuration of any IT equipment, except:
B5.7.1 I&T staff and other authorised personnel may install hardware, software or alter equipment configuration for testing and evaluation.
B5.7.2 Where hardware or software has been procured via I&T and is accompanied by adequate instructions for installation, the hardware or software may, by mutual agreement, be given to the user for them to install. This shall be deemed as authorisation to install only this item.
B5.7.3 Auto-updating software (e.g. virus signature files) originally installed and configured by I&T may continue to install updates under the authority of I&T.
B5.7.4 Periodic updates to software may be undertaken by a member of staff provided the member of staff has adequate instructions, appropriate skill and legitimate access to the equipment involved.
B5.7.5 If hardware or software, other than updates to existing software, is acquired by an academic member of staff other than via I&T (e.g. by personal purchase or download from the Internet), the academic member of staff may only install it after consulting I&T for known issues concerning that hardware or software.
B5.7.6 Portable computers belonging to users or their employers may be connected to the School's network provided that the software is adequately patched and it is protected from infection by malicious software and from transmitting malicious software to other systems. Notes of Guidance for connecting to the School's network will be available but no support for non-SOAS equipment will be provided by SOAS. Non-SOAS users, such as those from other institutions using location independent networking (LIN), must operate within the SOAS IT Policies including, where appropriate, EduRoam policies.
B5.8 The installer must ensure that data is backed up before installing additional hardware or software.
B5.9 No licence agreement may be entered into if the consequences or potential consequences will adversely affect performance or incur direct or indirect costs on the School unless authorised by I&T.
B5.10 All installations and upgrades must be within the terms of the licence agreement and must be deleted in accordance with the licence.
B5.11 Every user must ensure the correct use and adequate safeguarding of data for which they are responsible. This includes suitable backups of the data. Guidelines on the transmission, storage and backup of data should be followed.
B5.12 No equipment may be used to serve information except in compliance with the Policy for Use of Information Servers. Examples of serving information include creating a Web or ftp server; allowing other computers to connect to your computer or obtain remote access.
B5.13 All portable equipment and software shall have a designated user. The designated user is the person with whom the equipment is normally lodged and this person is responsible for the security of the equipment and software. The designated user, the designated user's line manager, and I&T have the ability to authorise the use of that portable equipment and software outside of the School premises. The designated user may be a Faculty Administrator where the equipment is a shared resource.
B5.14 Equipment on temporary loan must be recorded in the central loan system as being on loan to a named individual who will be responsible for the security, correct operation and condition of the equipment, and for its return in good condition within the agreed period of the loan. This recorded loan will authorise the individual to remove the equipment from SOAS premises for the period of the loan. Failure to return the equipment by the end of the loan period will be considered as theft. The central loan system for IT equipment is administered by the technicians.
B5.15 No equipment may be taken off SOAS premises (unless covered by policy B5.13 or B5.14) without the written permission of the Director of Service Delivery and Infrastructure or their designated deputy.
B5.16 I&T may make arrangements for the temporary provision of equipment to individuals or workgroups. Temporary provision of equipment to a student will only be made with written authorisation from the student's academic supervisor. A charge may be made for temporary provision of equipment. This equipment is available on a first come, first served basis.
B5.17 All redundant equipment and software must be passed to I&T for redeployment or for disposal in accordance with the Disposal Policy.
B5A.1.1 This policy covers the supply, maintenance, support and disposal of mobile IT equipment by the School to SOAS members of staff where the member of staff is the sole user or is the main keeper of the equipment (when the equipment is intended for use amongst a group of staff). It does not cover equipment that is available for short-term loan from I&T, which is covered in policy B5.13 to B5.16.
B5A.2.1 Mobile IT equipment means laptop computers, palmtop or PDAs (personal digital assistants), digital pens, mobile telephones, and portable image, sound and video playback/recording devices, also equipment that is a combination of these technologies.
B5A.3 General principles
B5A.3.1 The provision of mobile IT equipment is a balance between the needs of a member of staff's job and the ability of the School to support that equipment through its life cycle of typically 3 years.
B5A.3.2 I&T will identify a range of mobile equipment that is likely to meet the normal needs of staff that can be afforded and supported through its life cycle and that fits with the IT systems strategy of the School.
B5A.3.3 The provision of mobile IT equipment will be based on the needs of the job and will be judged on the basis of a cost/benefit analysis.
B5A.3.4 Provision will not be based on status or seniority.
B5A.4 Entitlement to standard provision
B5A.4.1 The School's line management will identify those jobs that will require mobile IT, and this will be routinely provided by I&T.
B5A.4.2 Line managers will periodically review this need and discuss any variations with I&T.
B5A.5 Non-standard provision
B5A.5.1 Individuals, groups or line managers may request mobile IT equipment to support their jobs that is not part of the standard provision. To justify the provision of equipment they will need to prepare a business case that will need to be costed in conjunction with I&T management. If there is a justified case and the equipment can be provided from existing resources, a decision will be made by the I&T Assistant Director (Information Systems) and implemented by I&T. Where the case is strong but cannot be filled from existing resources, the I&T Assistant Director (Information Systems) will forward the costed request to the Resources Committee for consideration. A form to assist in the requesting of mobile equipment is available on the IT Web site.
B5A.5.2 Costs should reflect the whole-life cost of providing the equipment, including the cost of training, support, replacement and disposal.
B5A.6 Duty of care
B5A.6.1 The member of staff who is the sole user or the main keeper of the equipment is required to take all reasonable measures to prevent loss, theft or damage to the equipment whilst it is in their care. This includes using protective carrying cases and security devices.
B5A.7 Proper use
B5A.7.1 The member of staff who is the sole user or the main keeper of the equipment is required to ensure that the equipment is only used for the purpose for which it was supplied. Any proposed novel use of the equipment should be discussed with I&T to ensure that security or performance are not compromised.
B5A.7.2 Personal use of equipment by the member of staff in person is allowed provided there is no additional cost to the School for this use. Where specific provision is made for personal use, for example with mobile phones, the approved charging mechanisms must be followed and the invoice paid promptly.
B5A.7.3 Unauthorised personal use or unwarranted excessive use of equipment may result in the withdrawal of the equipment and in disciplinary action.
B5A.8 Withdrawal/return of equipment
B5A.8.1 Equipment that is no longer needed or which is being withdrawn from service must be returned to I&T for re-use or disposal.
B6.1 Resources for the maintenance and support of IT equipment and software will be managed based on the needs of the School as a whole. Priority will be given to maintenance and support of equipment and software that is widespread or critical in nature. Lower priority will be given where equipment or software is older, less widespread or non-critical to the School.
B6.2 I&T will provide maintenance and support for IT equipment and software provided:
B6.2.1 it is School owned or leased, and
B6.2.2 it is less than 3 years old, and
B6.2.3 it is covered by a 3-year warranty provided such a warranty was available at the time of purchase and the warranty has not been invalidated, and
B6.2.4 it is on the list of Supported Systems (ANNEX 4)
B6.3 IT equipment and software that does not fall within the scope of B6.2 may be maintained and supported by in-house repair, by out-sourced repair or by replacement. In-house repair must not interfere with the maintenance and support of systems covered by B6.2 and will only be undertaken as workload permits. In-house supported systems are listed in ANNEX 4. A charge may be made for this provision in negotiation with the budget holder.
B6.4 The School will designate information storage formats and media that it supports. These are listed in ANNEX 4. Older formats that were supported will have an obsolescence period during which the format will no longer be actively used but can be transferred to a supported format.
B7.1 Health and safety
B7.1.1 All equipment connected to the School network must conform to the School's Health and Safety Policy.
B7.2 Connections to the School network
B7.2.1 Only approved equipment may be connected to or used to access the School network. In particular, no wireless access points may be connected to the SOAS network without approval. Approval is given by the Network Manager. Approval will not normally be given for the temporary connection of non-SOAS owned or leased equipment in connection with conferences except where the user is operating in accordance with location independent networking (LIN) arrangements. Conference use requiring Internet access should be via SOAS-provided equipment or via a telephone line to an external Internet Service Provider.
B7.2.2 Operating procedures and conditions for all connected equipment must be approved by the Network Manager.
B7.2.3 Connection of equipment to the School network shall only be performed by staff from I&T or approved contractors, except that:
B7.2.3.1 Users may connect their own or their employer's laptop computer to the network provided they follow the latest guidelines available from I&T and in accordance with LIN policies.
B7.2.4 All equipment connected to the School network must be registered with the School either prior to, or for the purpose of, connection. Network configuration and registration information about the network is maintained centrally by the SOAS Network Manager.
B7.3.1 All remote access to the School's network and systems will be via secure Internet connection.
B7.3.2 Remote access for users to the School's network is only permitted for the retrieval of e-mail and information from designated servers. For details of these servers contact the Network Manager. Users are responsible for their own equipment and connection outside the School premises.
B7.3.3 Staff users can be enabled to connect to the School's virtual private network (VPN) on request to the Network Manager. This requires that the personal computer and other equipment used to connect is compliant with the Pre-requisites for VPN Use (ANNEX 6). It is the responsibility of the staff wishing to connect to ensure that their computer and Internet connection are compliant.
B7.3.4 The School will not provide or maintain dial-up connections into the SOAS network except:
B7.3.4.1 where an approved contractor or service requires a dial-up link for the purposes of maintaining specific systems or services. Such connections must be set up and maintained in accordance with procedures agreed with the SOAS Network Manager.
B7.3.5 No user may set up or maintain a private dial-up connection into the School's IT resources.
B7.4 Approved services
B7.4.1 Only approved services may be used on the School network. Current approved services are determined by the Network Manager and available in ANNEX 4 Approved Services and Protocols.
B7.5 Accounts on the network
B7.5.1 All staff whether full-time, part-time, permanent or temporary, academic guests and enrolled students may have an account on the School network. Temporary accounts for academic purposes may be obtained when a request is supported by a Dean of Faculty. Temporary accounts for operational purposes may be obtained when a request is supported by the Deputy Secretary. All requests for accounts should be to the Network Manager. IT Services for visitors who are at SOAS under formal Academic Hospitality arrangements are detailed in Annex 5 of these policies.
B7.5.2 Academic staff who retire but continue their academic association with SOAS may retain their account on the network. Periodic checks will be made on the use of the account and the account will be expired in accordance with policy B7.5.3 when the account is no longer in use.
B7.5.3 Every account will be set as "expired" no earlier than two months and no later than four months after the account holder leaves SOAS. An "expired" account remains on the system and will process email messages via a Web interface. It will also allow the account holder access to the School intranet. However the account holder will not be able to log in to the School network.
B7.5.4 Every account will be deleted no earlier than 6 months and no later than 8 months after the account holder leaves SOAS. When an account is deleted, the contents of all network directories (including email directories) associated with the account will also be deleted.
B7.5.5 Staff account holders may have a grace period exceeding the limits in B7.5.3 and B7.5.4 on request to and at the discretion of the Network Manager.
See also the E-Mail Acceptable Use Policy.
B8.1 School e-mail systems are provided for the conduct of School-related business. Incidental and personal use of e-mail is permitted so long as such use does not disrupt or distract the individual from School business (due to volume, frequency or time expended), does not incur unreasonable cost to the School, and/or does not restrict the use of those systems to other legitimate users. Users are reminded that the School can access their e-mail messages for operational and security purposes; in particular, see Compliance with Legislation, section B1.5 and Conditions of Use, section B2.2.
B8.2 A user's e-mail account will be assigned and named by the School.
B8.3 The School's email system includes the facility for users to set up their own aliases. Aliases must be unique and can be claimed on a first-come, first-served basis. Aliases must be non-trivial and appropriate. In the event of a trivial or inappropriate alias being set up by a user, the Network Manager has the authority to remove this alias. Examples of acceptable aliases would be the user's real name in dotted or undotted notation (email@example.com or firstname.lastname@example.org); however, users with common names are advised to choose a name that is unlikely to be confused with other users with a similar name.
B8.4 Contact e-mail addresses for sections of the School will be provided by setting up a separate account on request to the Network Manager. This may include section contact points such as email@example.com, firstname.lastname@example.org.
B8.5 Anonymous accounts will not be allowed on School systems. Anonymous accounts do not allow proper management, accountability or traceability and would inherently contravene IT Policies.
B8.6 Essential information may be provided to users by the School using e-mail. Users are responsible for reading and responding as appropriate within the time limit specified in the message Subject.
B8.7 Trade Union representatives and members may use School e-mail systems for School-related Trade Union communications.
B8.8 School network and e-mail systems may not be used to transmit:
- material unrelated to School business including bulk e-mail transmissions (SPAM);
- messages requesting the recipient to continue forwarding the message to others, where the message has no educational or School-relevant value;
- messages with forged addresses (spoofing) or otherwise purporting to come from a source other than the true sender.
B8.9 The School will provide 2 types of mailing list:
B8.10 E-mail lists and their operation will be regulated by the Network Manager who will provide a Code of Practice for Mailing List use.
B8.11 The School will designate and regulate Core Announce Lists. Users cannot opt out of these lists. Core announce lists are used as essential communication mechanisms between the School and users, so it is important that the School regulates their membership.
B9.1 Access to the World Wide Web (Web) is provided for research, teaching, learning and other legitimate School-related business. Incidental and personal use of the Web is permitted so long as such use does not disrupt or distract the individual from School business (due to volume, frequency or time expended), does not incur unreasonable cost to the School, and/or does not restrict the use of those systems to other legitimate users.
B9.3 The School will provide a default home page for all browsers on its owned or leased equipment. Users must not alter this home page without legitimate reason.
B9.4 Essential information may be provided to users by the School using the Web. Users are responsible for reading and responding as appropriate within the time limit specified at the top of the page.
B9.5 Staff will have access to individual Web space for the authoring of HyperText Markup Language (HTML) pages. These pages must be relevant to the business of the School or have educational or research value.
B9.6 It is the responsibility of the information owner (this is normally the member of staff authoring the pages) to comply with School policies regarding content, presentation, accessibility, data protection and security.
B9.7. Where Google Apps are used to share information it is the responsibility of the information owner to control the access rights as appropriate for the content, presentation, accessibility, data protection and security of that information. The information owner is the person who controls the rights to access the document.
B9.8. Where documents are developed in a collaborative space such as Google Apps, it is the responsibility of the document owner to copy the final version to an appropriate location on a School-based system for long-term storage and/or dissemination. It should be noted that documents deleted from Google's systems are not recoverable.
B9.9. Where a document is developed using Web-based systems, including Google Apps, the name of the document owner and collaborators must be included on the document. The date of origination and last revision must also be included.
B9.10. Where a document, including a sound recording, image or video, is made available via the World Wide Web on a server within the soas.ac.uk domain, it must identify the copyright holders.
B9.11. It is the responsibility of the information owner of a document, including a sound recording, image or video, that is made available via the World Wide Web on a server within the soas.ac.uk domain to periodically review the document to ensure that it is accurate, appropriate and up-to-date. In the event that the information owner leaves SOAS or changes job function, it is their responsibility to pass on the ownership of the document to another appropriate person. If a document does become orphaned for some reason, it will be the responsibility of line management to re-assign information ownership.
B9.12. Group Web folders for collaborative work will be available by arrangement with I&T. Each group must have a designated senior author who acts as the person responsible for compliance with School policies regarding content, presentation, accessibility, data protection and security.
B9.13. Pages containing dynamic content must have the involvement of I&T in their development and approval for their compliance with policies. Where this commitment is substantial, the service will be provided on a consultancy basis. "Dynamic content" means that the page's content may change either by user interaction or by changes in the source data used in the page. Examples of dynamic pages are: pages that rely on an element of programming for their content; pages that accept input from users; pages that use a database as their source of information.
B9.14. Students will not have access to SOAS Web space except where it is a requirement of a course of study or programme of research. In such a case a formal request from the tutor or supervisor must be made to the I&T Assistant Director (Information Systems).
B9.15. Non-SOAS users may have access to the Web as part of the location independent networking (LIN) arrangements and in accordance with LIN policies.
B9.16. Trade Union representatives and members may use School Web systems for School-related Trade Union communications.
B10.1 The School telephone systems are provided for research, educational and other legitimate School-related business. Incidental and personal use of the telephones is permitted so long as such use does not disrupt or distract the individual from School business (due to volume, frequency or time expended), does not incur unreasonable cost to the School, and/or does not restrict the use of those systems to other legitimate users. Short calls of a personal nature that are required as a result of changed School circumstances (such as having to work late at short notice) are considered to be in support of School-related business and may be legitimately made. Users wishing to make private calls should normally do so using a coin- or card-operated telephone or a personal mobile phone.
B10.2 Where exceptional personal circumstances may lead to infringement of this policy, users should agree with their line manager the acceptability of their telephone usage.
B10.3 Each mobile phone shall have a registered user and that user will be responsible for the use and security of the phone. The registered user must report the loss of or any damage to their phone to I&T.
B10.4 Where technically possible and no cost is incurred, individuals should retain their existing internal telephone number when moving to another location within SOAS. Where this is not possible or an additional charge is associated with the provision, the old number will normally be disconnected immediately on vacating the old location. Where redirection rather than disconnection of the old number is deemed organisationally desirable, old numbers will be redirected to the main switchboard so that callers are informed of the new number. The period for redirection should not exceed 3 months.
B10.5 Trade Union representatives and members may use School telephone systems for School-related Trade Union communications.
B11.1 The School provides facsimile machines for research, educational and other legitimate School-related business. Incidental and personal use of fax is permitted so long as such use does not disrupt or distract the individual from School business (due to volume, frequency or time expended), does not incur unreasonable cost to the School, and/or does not restrict the use of those systems to other legitimate users. Most though not all personal faxes will result in additional cost to the School, which precludes users from sending or receiving faxes using School equipment.
B11.2 The School's facsimile machines may not be used for the bulk distribution of commercial or non-commercial material unrelated to School activity.
B11.3 Trade Union representatives and members may use School facsimile systems for School-related Trade Union communications.
B12.1 The School provides photocopiers and printers for research, educational and other legitimate School-related business. Incidental and personal use of photocopiers and printers is permitted so long as such use does not disrupt or distract the individual from School business (due to volume, frequency or time expended), does not incur unreasonable cost to the School, and/or does not restrict the use of those systems to other legitimate users. In practice copying and printing will incur a cost to the School; however, the School provides facilities for payment for copier and printer charges, and these should be used when appropriate.
B12.2 The School will make a charge for all photocopying and networked printing. The charges and waivers will be set by the School from time to time.
B12.3 Refunds of used prepayments will not be made when a user account is closed. Holders of prepay accounts are advised to manage their prepayments with care when they know they will be leaving the School.
B12.4 Trade Union representatives and members may use School photocopying and printing equipment for School-related Trade Union communications.
B13.1 The School's Financial Guidelines and Procurement Guidelines will be followed in the purchase or lease of IT Equipment.
B13.2 All procurement of IT equipment, software and services for the School must be made either through I&T or in full consultation with the relevant personnel in I&T. I&T may veto a purchase or lease if it believes that IT policies have been breached.
B13.3 The School will abide by the EU Tendering framework. For standard equipment, software and services, purchase will be through the London University Purchasing Consortium, regional purchasing consortia, national purchasing consortia or other national agreements. Where no agreement is in place covering a specific project and where the costs are above the EU Tendering threshold level, the School will initiate the appropriate tendering process internally.
B13.4 IT equipment, software and services for the School will be purchased on the basis of best value for money over the complete life cycle of the goods. Initial cost is not the only criterion to be considered: support requirements, warranties, reliability of goods as well as suppliers, longevity, and disposal costs must also be considered.
B13.5 Where a non-I&T budget is being used to fund a purchase or lease, it is the budget-holder's responsibility to ensure that sufficient funds are available for the purchase and that all relevant information is supplied to I&T to facilitate the purchase/lease.
B13.6 Where existing School suppliers make favourable arrangements available to staff or students for equipment or software purchase, these discounts will be made available either directly between supplier and individual or via I&T. In the latter case, the School reserves the right to apply a charge to cover administration costs. To assist staff in the purchasing of personal IT equipment the School operates a Personal Computer Loan Scheme for qualifying staff that is administered by the Payroll Section of the Finance Department.
B14.1 All equipment will be disposed of in compliance with current legislation and with due regard for social and environmental considerations.
B14.2 Disposal shall not expose the School to continuing commitment to support or maintain any systems.
B14.3 Disposal of equipment shall constitute best value to the School.
B14.4 Where equipment has no residual value, recycling of materials or components shall be done in as economical a way as possible.
B15.1 The School will play a responsible role in the UK academic community in support of information technology by participating in and contributing informally to appropriate networks of contacts.
B15.2 The School should maintain formal membership of appropriate organisations in support of IT and its application in the academic community. Appropriate UK organisations are, for example, UCISA, ALT and specialist user groups.
B16.1 Illegal Activities
B16.1 Infringements of the relevant legislation, summarised in Policy B1, will result in legal and/or disciplinary action. All such infringements must be reported to the I&T Assistant Director (Information Systems) or the Registrar and Secretary who have the authority to deal with minor breaches and to escalate more serious offences. The School's Human Resources department maintains a Whistle-blower policy.
B16.2 Breaches of School Policies
B16.2.1 Correcting problems caused by a breach of IT policies will be done at minimum effort and cost to the School. The School reserves the right to pass on some or all of the cost involved to those causing the breach.
B16.2.2 Consequences of violations of School IT Policies will depend on the intent, the seriousness of the offence and the damage caused. All such violations must be reported to the I&T Assistant Director (Information Systems) or the Registrar and Secretary who have the authority to deal with minor breaches and to escalate more serious offences. The I&T Assistant Director (Information Systems) will follow procedures for dealing with minor breaches. Normal School disciplinary procedures will be used for more serious offences.
B16.2.3 I&T staff may disconnect equipment without notice if it is believed that IT Policies are breached while an appropriate investigation is carried out.
B16.2.4 Breach of Policies by students may result in: (i) Suspension of access to IT equipment and services for minor breaches. (ii) Formal disciplinary action, which may result in expulsion from the School, for more serious offences.
B16.2.5 Breach of Policies by staff may result in: (i) Suspension of access to IT equipment and services for minor breaches. (ii) Formal disciplinary action, which may result in dismissal, for more serious offences.
B16.3.1 If any user believes that the action taken by the School is disproportionate to the alleged breach of policy they may appeal through the School's Grievance Procedure. The School's Human Resources department determines grievance procedures for staff use; the Pro-directors' office maintains procedures for use by students.
Accountability The property that ensures that the actions of an entity may be traced uniquely to the entity. (ISO 7498-2: 1989) e.g. an audit log in a database server.
Announce lists E-mail lists that send a single message to multiple users. Only designated editors may send to an Announce list.
Authenticity The property that ensures that the identity of a subject or resource is the one claimed. Examples of infringement include impersonation and IP spoofing.
Availability The property of being accessible and usable upon demand by an authorised entity (ISO 7498-2:1989)
Confidentiality The property that information is not made available or disclosed to unauthorised individuals, entities or processes (ISO 7498-2: 1989)
Core Announce Lists Announce list that the School regards as essential to effective communication with users and which users cannot opt out of. These lists are:
Information Server Any computer system which may be used to store and make available information. The information may be text, images, video and sound and examples of server systems include Web, E-mail, List, Database and FTP. Networking equipment is also considered to fall within this definition: routers, switches and hubs. The system may be operated by employees of the School or by a third party on behalf of the School.
Integrity Data Integrity is the property that data has not been altered or destroyed in an unauthorised manner (ISO 7498-2: 1989), and System Integrity is the property that a system performs its intended function free from deliberate or accidental unauthorised manipulation.
Private discussion lists E-mail lists that allow members to send a message to a list and that message gets sent to all members of that list. One person controls the list of recipients, the list is therefore "private" rather than "open" for anyone to subscribe.
Private Information Any information which has not been officially approved by a relevant School committee.
Reliability Consistent, intended behaviour and results.
School-related business Any activity or function that directly or indirectly supports or contributes to the School's core business of education and research.
User Any person authorised to use School IT systems including staff, students, visitors and contractors.
- Secretary: Server Systems Administrator Mr. B. Jackson
- Deputy Network Manager Mr. E Spick
- Postmaster Mr M. Douglas
- Library Systems Administrator Mr C. Rennie
I have read and agree to abide by the IT Policies of the School of Oriental and African Studies as published at http://web.soas.ac.uk/it/policies/
The content of this e-mail and any attachments are offered in good faith, but the School of Oriental and African Studies cannot accept responsibility for direct or indirect consequences resulting from it. This message does not constitute a contract. The School may monitor and record messages in accordance with the British Regulation of Investigatory Powers Act 2000.
Systems on these lists are supported to the level shown when within the scope of the Maintenance and Support of IT Equipment Policy
|Description||Full support||Basic support|
|Microsoft Windows||98, ME, NT4, 2000||XP|
|Apple OS||8.x, 9.x||X.x|
|Linux as workstation||Kernel 2.x|
|Linux as server||Kernel 2.x|
|Novell Netware||4.1 to 5.1|
|Description||Version||Level of support|
|IPX||full but will be phased out|
|Appletalk||obsolete and largely replaced with other protocols|
|POP3 and IMAP||full|
- A visitor under Academic Hospitality arrangements becomes a SOAS User and is covered by the IT Policies and Library Policies of the School.
- This entitles the visitor to:
- A network login and email account, which will be set up on request from the Faculty Administrator to the IT Support Desk.
- Connect their own laptop to the School's network at designated points in the Library Reading Room and other study rooms in the School.
- Connect their own laptop to the School's wireless network using EduRoam.
- Use printing and copying facilities, for which visitors are charged at the standard rate.
- Support and advice during non-busy periods. Visitors should note that equipment with an operating system language other than English will be difficult to support.
- SOAS is not in a position to provide visitors with:
- Loan equipment
- Use of School personal computers. Visitors not able to bring a laptop may have special arrangements made via their sponsoring Faculty Administrator, or Conference and Programme Manager (in the case of Centres).