

Introduction

The IT Policy in Education recognizes that education is much more than the mere collection and distribution of knowledge. It embraces the ideals of intellectual hospitality, fostering an environment that encourages innovation, creativity, and the power of thought and imagination. This policy seeks to foster the holistic development of individuals by nurturing their character and instilling in them a steadfastness of mind and a fervent desire to contribute their best to society. Education, under this policy, is regarded as a means to unlock the moral and spiritual potentialities inherent in every individual.

To achieve these goals, the revised IT Policy in Education will encompass the following principles:

  1. Holistic Development: The policy recognizes that education should go beyond academic excellence. It will promote the holistic development of students by integrating moral, spiritual, and character education into the curriculum. This will be accomplished through the inclusion of values-based learning, ethics, and the cultivation of empathy and compassion.
  2. Intellectual Freedom: The policy will uphold and safeguard the principles of intellectual freedom, encouraging students and educators to engage in critical thinking, questioning, and exploration. It will foster an environment where diverse perspectives are respected, and students are empowered to express their thoughts and ideas freely.
  3. Innovation and Creativity: The policy will prioritize the integration of technology into education to foster innovation and creativity. It will encourage the use of digital tools, platforms, and resources to enhance learning experiences and promote problem-solving skills, collaboration, and adaptability.
  4. Inclusivity and Diversity: The policy will ensure that education is accessible and inclusive for all students, regardless of their background, abilities, or circumstances. It will promote diversity in curriculum content, teaching methodologies, and learning resources, fostering an environment that respects and celebrates differences.
  5. Ethical and Responsible Technology Use: The policy will emphasize the importance of ethical and responsible use of technology in education. It will provide guidelines and support for educators and students to navigate digital spaces safely, protect privacy, and develop digital citizenship skills.
  6. Lifelong Learning: The policy will recognize education as a lifelong journey and promote a culture of continuous learning. It will encourage professional development opportunities for educators, promote self-directed learning among students, and foster a love for learning beyond formal education.

By embracing these principles, the IT Policy in Education aims to transform education into a nurturing and empowering experience that prepares individuals not only for academic success but also for personal growth, ethical decision-making, and meaningful contributions to society.

Scope of IT Policy

Rules for Access to Administrative Data:

  1. Definition: Administrative data refers to any information or data that is collected, stored, and processed by the institute for administrative purposes. This may include personal information, financial records, institutional data, or any other data that is crucial for the operation of the institution.
  2. Authorized Access: Employees who need access to administrative data must be authorized by their respective roles and responsibilities. Access to specific data should be granted on a need-to-know basis, ensuring that employees only have access to the data necessary for performing their job duties.
  3. Proper Use: Employees accessing administrative data must use it solely for legitimate business purposes and in accordance with the institute's policies and procedures. Personal or unauthorized use of administrative data is strictly prohibited.
  4. Data Protection: Employees must adhere to all applicable data protection laws and regulations when accessing, handling, and storing administrative data. This includes maintaining the confidentiality, integrity, and availability of the data, as well as protecting it from unauthorized access, loss, or misuse.
  5. Security Requirements: When accessing administrative data, employees must comply with the institute's security requirements. This may include using strong passwords, following secure authentication practices, encrypting sensitive data, and utilizing approved secure networks or VPNs for remote access.
  6. Disciplinary Consequences: Failure to adhere to the rules and guidelines for accessing administrative data may result in disciplinary action, which can include warnings, suspension, termination, or legal consequences, depending on the severity and impact of the violation.

Codes of Practice for Information Technology Security:

The institute aligns its information technology security program with the following codes of practice:

  1. Widely Accepted Practices: The institute adopts widely accepted security practices that are recognized as effective in safeguarding computing assets. These practices may include industry standards, frameworks, or guidelines such as ISO 27001, NIST Cybersecurity Framework, or CIS Controls.
  2. Higher Education Environment: The security practices implemented by the institute are tailored to the specific needs and challenges of the higher education environment. This may include considerations for academic research, student data privacy, intellectual property protection, and other unique aspects of the institution.
  3. Strong and Persistent Program: The institute maintains a strong, persistent, and coordinated security program to address the growing security threats. This involves regular risk assessments, vulnerability management, incident response planning, security awareness training, and continuous monitoring of the institution's computing assets.

Storage of Highly Sensitive Data on Individual-Use Devices and Media:

  1. Strict Limitations: Highly sensitive data should only be stored on individual-use devices or media when absolutely necessary. The default practice should be to store such data on secure and centrally managed systems within the institute's network.
  2. Security Requirements: If highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media, strict security requirements must be met. This includes encryption of the data, implementation of strong access controls, regular backups, and adherence to the institute's data classification and handling policies.

Use of Institutional Web Pages:

  1. Non-Commercial Use: Institutional web pages must not be used for commercial purposes. They should serve as platforms for providing information, resources, and services related to the institute's mission and activities.

Third-Party Access to the Network:

  1. Conditions for Access: Third parties, such as auditors or consultants, may be granted direct access to the network under specific conditions. These conditions may include the need for the third party to sign a non-disclosure agreement, comply with the institute's security policies, and undergo any necessary security assessments or vetting processes.


 

Responsibilities for Device Security:

  1. User Responsibilities: All users are responsible for maintaining the security of their devices when connected to the institute's network. This includes installing and updating security software, applying patches and updates, using strong and unique passwords, and reporting any security incidents or concerns promptly.

Maintaining Privacy, Confidentiality, and Integrity:

  1. Computing Environment: Users must adhere to rules and guidelines for maintaining the privacy, confidentiality, and integrity of the computing environment. This involves using resources appropriately, respecting the rights and privacy of others, refraining from unauthorized access or data manipulation, and reporting any security or policy violations.

Ban on Employee Access to Obscene or Sexually Explicit Materials:

  1. Definition: Employees are strictly prohibited from accessing or viewing obscene materials or sexually explicit material using state equipment. This includes computers, laptops, tablets, smartphones, or any other devices owned or provided by the institute.
  2. Exemptions: Any exemptions to the ban must be clearly defined and justified based on legitimate business needs. These exemptions should be limited, controlled, and subject to approval by appropriate authorities within the institute.

Rules for Using Shared Computing Resources:

  1. Public Labs: When using shared computing resources such as public labs, users must adhere to the institute's policies and guidelines. This may include restrictions on software installation, data storage limitations, compliance with licensing agreements, and respectful use of the resources to ensure fair access for all users.

Aims of IT Policy

Information Security Policies play a crucial role in safeguarding important data, institutional plans, and other confidential information from theft or unauthorized disclosure. Without awareness of these policies, employees may be uncertain about the expected actions when handling such sensitive information.

Additionally, implementing information security policies can have several advantages, including:

  • Empowering citizens, managers, and other stakeholders through online teamwork, enabling increased participation, collaboration, and information sharing via email, the Web, and other remote collaboration tools.
  • Enabling rapid and cost-effective creation and distribution of educational information and knowledge.
  • Encouraging professional development, in-service training, remote support, and mentoring to foster lifelong learning for teachers, managers, and other individuals.
  • Facilitating quick and easy access to information and expertise worldwide.
  • Increasing motivation through multimedia elements like sound, video, graphics, animation, and text.
  • Allowing students to learn at their own pace and level, granting them greater control over their learning experience.
  • Enhancing the development of abilities in mentally and physically challenged students.
  • Promoting active learning rather than passive consumption of information.
  • Engaging students in research, data analysis, and problem-solving, thereby facilitating higher-order thinking processes such as synthesis, interpretation, and hypothesis formation.

Policy Statement

The I.T. Department is tasked with the responsibility of ensuring the sufficient protection and confidentiality of corporate data and proprietary software systems. This responsibility extends to data stored centrally, on local storage media, or remotely, with the aim of ensuring uninterrupted access to data and programs for authorized staff members, as well as maintaining the integrity of all data and configuration controls.


 

 

Benefits of IT

Information Technology (IT) has a significant impact on the spread of education and access to it. It enhances flexibility, allowing students to access educational resources regardless of time and geographical barriers. IT also influences instructional methods and learning approaches, enabling collaborative skill development and knowledge creation. Consequently, students become better prepared for lifelong learning and gain opportunities to join various industries.

The benefits of IT in education include:

  • Increased access and flexibility of content distribution, combining education with work and focusing on student-centered methods.
  • Provision of high-quality and cost-effective professional development, replacing traditional labor-intensive approaches. This improves employee skills and productivity while fostering a culture of continuous learning. It also facilitates cost and time sharing for training among employees.
  • Enhanced capacity and cost-effectiveness of the education system, particularly benefiting target groups with limited access to traditional education. IT support improves the quality and relevance of existing educational structures and establishes connections with educational institutions and curricula through networks.
  • Improved performance of knowledge workers and institutional learning. IT enhances the performance of knowledge workers in customer, supplier, and partner institutes. It adds value to existing products and services through information integration and enables the creation of new information-based products and services.
  • Internally, IT improves infrastructure performance, enhancing functionality and expanding the range of available options. Externally, it enables the creation of efficient and flexible online/offline platforms for coordination with educational institutes.

Limitations of IT

  • High cost of technology and maintenance: Implementing IT in education often requires significant investments in hardware, software, and infrastructure. Schools and educational institutions may struggle to afford the initial costs of acquiring technology, such as computers, tablets, and servers. Additionally, maintaining and upgrading these technological resources can be expensive over time, especially if they become outdated quickly.
  • Cost of spare parts: Technology components can fail or become damaged, requiring replacement parts. The cost of these spare parts can be a burden, particularly for schools with limited budgets. Dependence on specific brands or models may also increase the cost and availability of spare parts.
  • Virus attacks and software issues: IT systems are susceptible to malware, viruses, and software vulnerabilities. These security threats can compromise data, disrupt operations, and hinder the learning process. Institutions need to invest in reliable antivirus software and security measures to mitigate these risks, which can further increase the overall cost of IT implementation.
  • Internet connectivity interruptions: Inadequate or unreliable internet connectivity can hinder the effective use of IT in education. Access to online resources, communication tools, and remote learning platforms heavily relies on a stable internet connection. Schools located in rural or remote areas may face challenges in providing consistent and high-speed internet access to students and teachers.
  • Poor supply of electric power: Reliable electricity supply is crucial for the successful integration of IT in education. In regions or countries with inconsistent power grids or frequent power outages, schools may struggle to maintain a consistent and uninterrupted IT infrastructure. This can disrupt teaching and learning activities and make IT less feasible in such contexts.

Addressing these technology-related limitations requires careful planning, sufficient funding, and effective maintenance strategies. Schools and educational institutions should assess the costs, benefits, and long-term sustainability of implementing IT solutions while considering the specific challenges and limitations they may face in their environment.

Outline Various Measures To Ensure Data Confidentiality

  • Confidentiality through Discretionary and Mandatory Access Controls: This means that access controls should be implemented to restrict data access based on user permissions. Discretionary access controls allow data owners to determine who can access their data, while mandatory access controls enforce restrictions based on predefined security levels.
  • Restriction of Internet and External Service Access: Access to the internet and external services should be limited to authorized personnel only. This helps prevent unauthorized access, data breaches, and potential security risks.
  • Encryption for Laptop Computers: To maintain data confidentiality in the event of laptop loss or theft, data stored on laptops should be encrypted. Encryption ensures that even if the device is compromised, the data remains unreadable without the appropriate decryption key.
  • Authorized Software Installation: Only authorized and licensed software should be installed on institutional devices. This ensures that software used is legitimate, up to date, and free from potential security vulnerabilities.
  • Prohibition of Unauthorized Software: Unauthorized software should not be used within the institute. If any unauthorized software is discovered, it should be promptly removed from the workstation to mitigate potential security risks.
  • Controlled Data Transfer: Data transfer should align with the institute's data protection policy. This ensures that data is shared only for approved purposes, preventing unauthorized disclosure or misuse.
  • Virus Checking for External Media: Before using any external media such as diskettes or removable drives, they should be scanned for viruses. This practice helps prevent the introduction of malware or other malicious code into the institute's systems.
  • Strong Password Requirements: Passwords should consist of a mix of at least 4 alphanumeric characters and should be changed every 30 days. This helps strengthen the security of user accounts by ensuring regular password updates and complexity.
  • Controlled Workstation Configurations: Workstation configurations should only be changed by IT Department staff. This ensures that configurations are standardized, consistent, and follow established security guidelines.
  • Physical Security of Computer Equipment: Computer equipment should adhere to recognized loss prevention guidelines to prevent physical theft or unauthorized access. Physical security measures may include locked cabinets, restricted access areas, or surveillance systems.
  • Regular Data Backups: To prevent the loss of IT resources, regular backups of data, applications, and workstation configurations should be performed. This helps ensure that data can be recovered in case of accidental deletion, hardware failure, or other incidents.

By implementing these measures, the institute can establish a comprehensive security framework to safeguard data, control access, and maintain the availability of IT resources.

Anti-Virus Policies And Procedures

These are the anti-virus policies and procedures for the institute:

  • The IT Department will provide up-to-date virus scanning software for scanning and removing suspected viruses.
  • Corporate file servers will be protected with virus scanning software.
  • Workstations will be protected by virus scanning software.
  • The IT Department will regularly update all workstation and server anti-virus software with the latest patches.
  • No disk brought in from outside the institute should be used until it has been scanned.
  • All systems will be built from original, clean master copies with write protection in place. Only original master copies will be used until virus scanning has been performed.
  • Removable media containing executable software (files with .EXE and .COM extensions) will be write-protected whenever possible.
  • Vendor demonstrations will be run on their own machines and not on the institute's systems.
  • Shareware will not be used, as it is a common source of infections. If shareware use is necessary, it must be thoroughly scanned before use.
  • New commercial software will be scanned before installation, as it may occasionally contain viruses.
  • Removable media brought in by field engineers or support personnel will be scanned by the IT Department before use on site.
  • Regular backups will be taken by the IT Department to enable data recovery in the event of a virus outbreak.
  • Management strongly supports the institute's anti-virus policies and will allocate necessary resources for their implementation.
  • Users will be kept informed of current procedures and policies.
  • Users will be notified of virus incidents.
  • Employees will be held accountable for any breaches of the institute's anti-virus policies.
  • Anti-virus policies and procedures will be reviewed regularly.
  • In the event of a possible virus infection, the user must immediately inform the IT Department. The infected machine, as well as any removable media or other workstations that may have been affected, will be scanned and the virus eradicated by the IT Department.

These policies aim to ensure the institute's systems and data are protected from virus infections and to respond effectively in case of an outbreak.

 

Access Control

These are the proposed access control policies for the organization:

  • Users will only be granted the necessary rights on systems to perform their job functions. User rights will be minimized at all times.
  • Users requiring access to systems must submit a written application using the provided forms from the IT Department.
  • Where possible, no individual will have full rights to any system. Network/server passwords will be controlled by the IT Department, and system passwords will be assigned by the system administrator in the respective end-user department.
  • The system administrator in each end-user department will be responsible for maintaining data integrity and determining end-user access rights.
  • Access to the network, servers, and systems will be through individual usernames and passwords, smartcards and PIN numbers, or biometrics.
  • Usernames and passwords must not be shared among users.
  • Usernames and passwords should not be written down.
  • Usernames will consist of initials and surname.
  • All users will have an alphanumeric password of at least 4 characters.
  • Passwords will expire every 30 days and must be unique.
  • Intruder detection will be implemented where possible, and user accounts will be locked after 5 incorrect login attempts.
  • The IT Department must be notified of all employees leaving the organization's employment so that their system rights can be revoked.
  • Network/server supervisor passwords and system supervisor passwords will be stored securely, such as in a fire-safe in the IT Department, for emergency or disaster situations.
  • Auditing will be implemented on all systems to record login attempts/failures, successful logins, and changes made to the systems.
  • IT Department staff will not log in as root on UNIX/Linux systems but will use the su command to obtain root privileges.
  • The use of admin usernames on Novell systems and Administrator usernames on Windows should be minimized.
  • Default passwords on systems like Oracle and SQL Server will be changed after installation.
  • Access to RLOGIN, FTP, TELNET, and SSH on UNIX and Linux systems will be restricted to IT Department staff only.
  • Where possible, users will not be given access to the UNIX or Linux shell prompt.
  • Access to the network/servers will be restricted to normal working hours. Users requiring access outside normal working hours must submit a written request using the forms provided by the IT Department.
  • File systems will have maximum security implemented wherever possible. Users will typically be granted only Read and File scan rights to directories, and files will be flagged as read-only to prevent accidental deletion.

These access control policies aim to ensure that users have appropriate access rights to systems, data integrity is maintained, and unauthorized access is minimized.