
Policy & Implementation

IT Security Guidelines

Introduction


This Code of Conduct explains the requirements to be followed by users of the Company’s computing environment. If you have any queries or require any IT-specific training or guidance to understand and comply with this Code of Conduct, please contact your Manager or Site IT Representative.

User Accounts

  • User accounts must not be used by anyone other than the individual to whom they have been issued.
  • Passwords must never be disclosed, especially over the telephone.
  • Passwords must be alphanumeric, at least six characters long, and not easy to guess or deduce. Therefore, names, birthdays, days, months, registration numbers, predictable sequences etc. should not be included.
  • Passwords or PINs should not be written down or stored on file or e-mail systems. Compromised passwords & PINs must be changed immediately.
  • PCs must be protected by a password-protected screensaver that is invoked after 10 minutes.
  • PCs must not be left unattended “on line” and must be locked using the Ctrl, Alt, and Del command. Whenever it is practical, users must log off systems when not in use for significant periods.

Email & Internet

  • Unsolicited material such as repetitive mass e-mailing, advertising or chain e-mail is forbidden.
  • The forging of e-mail is forbidden.
  • The blanket forwarding of electronic mail messages to any e-mail address external to the IPR Infrastructure is forbidden, unless approved by the IT Manager.
  • Staff must never access or transmit, and should discourage others from sending, offensive material (e.g. pornographic, anti-religious or racist material) that could seriously offend or break local or international law. Access, receipt and transmission of such material is monitored, and the material may be quarantined and reported to the individual’s manager.
  • Individuals must not by-pass use of their assigned Exchange Mailbox by implementing Personal Folders for either primary or archived business related e-mail.
  • Staff should be aware that contracts can be formed by e-mail, even if the individual has not been granted the authority and that any subsequent breach of terms or variations could result in liability or damages.
  • Do not “Reply All” to e-mails unless there is a specific need for everyone to receive the message. It wastes disk space, clutters inboxes and can be counter-productive.
  • Compression utilities should be used for large attachments that are going to known dial-in users.
  • Inadvertent access to inappropriate sites should be reported to IT Support immediately.

Information Storage

  • Users of portable devices are responsible for the backup of information held locally to either network drives or external media e.g. CD-ROM or floppy disk.
  • The data storage area available to users is a finite resource and it is the responsibility of users to ensure that good housekeeping practices are adopted and complied with.
  • Subject to existing rights of 3rd parties, all data created or stored on IPR’s IT Systems becomes the property of IPR.

Physical Security of PCs


Staff in possession of portable computing devices should ensure that:

  • they are never checked into airline luggage systems,
  • they are not left unattended at any time in public places or 3rd party offices,
  • they are not placed on open view in unattended vehicles,
  • they are secured in a locked cabinet or via “Kensington” type lock when left on desks,
  • the laptop and security fob are NOT kept together.

Confidentiality

  • Staff should take all reasonable care with confidential information and comply with such policy on confidential information as the Company may from time to time adopt and notify staff of.
  • Wherever possible, staff should avoid the transmission of confidential information via e-mail.
  • Staff should avoid wherever possible the storage of sensitive or confidential information on laptops. Such information should never be stored on workstation hard drives.
  • Personal information on individuals must only be stored in systems that have been registered under the Data Protection Act or relevant local equivalent.
  • Personal data shall not be transferred to a country outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Computer Viruses

  • Virus protection software must never be disabled or circumvented in any way.
  • All data sent or received by/from 3rd parties using infrared or serial ports to/from IPR devices should be virus scanned before transmission.
  • If viruses are suspected or detected, then the User must contact IT Service Desk for further direction.

Software

  • Additional software installed onto IPR standard PCs or network drives must be approved by the IT Manager and licensed before use.
  • Copyrighted software must only be used in accordance with its licence.
  • Shareware or Freeware must NOT be installed on equipment unless approved by the IT Manager.
  • All PCs and network drives are subject to random audits by the IT Department, to demonstrate software-licensing compliance.

Private Use

  • The computing environment is provided for business use. If the IT Manager considers any private usage is excessive or inappropriate, individuals will be informed and required to curtail such usage.

Monitoring

  • IT systems are continuously monitored and inappropriate use will be reported to the individual’s manager. Offensive e-mails will be quarantined and the individual and manager informed.
  • IPR respects the privacy of personal storage and e-mail. However, if the Company believes there is stored material that is not in the Company’s best interests, IPR reserves the right to access and, where the storage is not justified, delete such information.

Network & Information Security

  • “Hacking”, attempted access or modification to data that is not relevant to the individual’s duties, or is not properly authorised, is forbidden.
  • Only computers and peripherals approved by the IT Manager may be attached to or installed on the network.

Connections to external IT Systems

  • Individuals must not establish direct connections to external IT Systems without the prior approval of the IT Manager. In such cases, the individual’s Company user account and/or passwords must not be used.
  • Staff must not modify any modem configuration so as to enable auto-answer mode.

Third-Party Access

  • Third-party access to Company IT assets must be based on a formally executed contract approved by the IT Manager.

Mobile Phones

  • Staff should ensure that confidential or personal information is not discussed.
  • Staff seconded overseas should minimise use of their mobile phone and, if relevant and in consultation with their manager, obtain a local device.
  • Staff should ensure that they inform business colleagues of their destination office phone number, when overseas for significant periods. This is especially important as calls received while roaming carry a significant cost to the Company.
  • Only in exceptional circumstances should mobile phones be used to dial into the IPR infrastructure.

IT Procurement

  • All purchases must be in accordance with the “IT Procurement Policy” and local procedures as specified on the Company intranet or in local policy.

Incident Reporting

  • All suspected IT security breaches must be reported to IT Support for further investigation.

Disciplinary action

  • Failure to observe this Code or intentional violation of the Guidelines may subject you to disciplinary action, as set out in the Company’s Disciplinary Procedures.

Your attention is drawn particularly to the paragraphs in italics, violation of which is deemed to be an extremely serious breach of conduct, and could lead to dismissal.
