Information Security Policy Quiz

A password is often all that stands between an intruder and the Sports Leaders UK IT systems. If your password has been compromised you must contact the IT department immediately.

If unsure you should never allow an external company access to your computer without verifying with the IT department that their request is valid. Anybody who is granted access to connect to your computer must be supervised at all times.

If there is a requirement for additional software to be downloaded contact the IT Service Desk and request authorisation from your manager.

Staff should be cautious about opening any e-mails and attachments from e-mails that have dubious or missing subject lines. Don't open attachments unless sure of the source. Report any suspected virus activity to the IT Service Desk.

A new user account or a change in job role will only be actioned on receipt of an NA1 form. This must be filled out by the line manager and forwarded to the IT department a minimum of two weeks before the start date. An NA1 form provides the IT department with the level of detail required to setup the account such as file access, mailing groups, equipment details, terminal services access, etc.

Only Category 4 can be distributed to members of the public. Most reports will be restricted to internal staff either due to the data they hold. Category 1 is restricted to internal departments or groups listed in the report and Category 2 to internal organisational distribution only (contracted staff). Alternatively Category 3 allows external distribution, but restricted to the listed people or organisations.

Staff are reponsible for all equipment given to them during their employment with Sports Leaders UK. An equipment signout sheet must be signed for all mobile equipment to show that the equipment you have been provided with is in operable condition. Staff are also repsonsible for ensuring that no equipment is taken from their surroundings and that all secure areas are kept locked where appropriate.

An AC1 form is used to inform the IT Service Desk that a member of staff is leaving the organisation. It allows the IT department to close down the user account at the appropriate time and setup any relevant forwarding of files and emails. A minimum of one weeks notification is required when using an AC1 form.

Never forward chain e-mail messages or virus warnings. The vast majority are a hoax or they can propagate viruses. The organisation has antivirus and antispyware protection that filters most suspect emails and attachments. If you receicve a chain email or a virus warning from a friend create a brand new email and contact them to ask that they do not send personal emaisl to your work email address. Do not reply to their original email as this could propagate any viruses contained within the email.

All personal equipment must be reported to the IT Service Desk after receiving consent from your line manager to ensure that it meets all hardware and software requirements as stated in the Information Security Policy. All personal equipment must have anti-virus software installed that is regularly updated.

Dates of birth are requested for all individuals registering on to our database. Therefore the date of birth is a form of verification. In addition we request an additional set of information contained on their record. We do not currently ask for mother’s maiden name or name of first pet.

A third party or contractor includes any external organisation or individual that is not classed as a member of staff. These may or may not be contracted to the organisation. When third partiesor contractors are involved in providing support and maintenance of the organisation’s facilities it may be necessary for them to access systems using the highest levels of privilege. It is essential that privileged access to computer areas by third parties or contractors is approved by the IT Service Desk and that a member of staff is responsible for managing the access and that the access is monitored and / or logged.

A risk assessment must be made before third parties or contractors are given access to normally secure areas where confidential information is stored or processed. The outcome may be to deny access, grant access or provide access with provisos to manage the risk such as allowing access while being observed.

Precautions in the form of formal agreements should be taken to protect the information security interests of the organisation where external organisations or individuals are allowed access to the organisation’s equipment, network or systems.

Third parties or contractors should have appropriate assurances within the contract to safeguard the organisation in relation to privacy, access to data and accidental damage. Any third party or contractor who is under agreement with the organisation may have unsupervised access if appropriate.

Our insurance does not pay out on theft from vehicles unless it is protected with an intruder alarm, the doors are locked and the windows closed, and the equipment is concealed in the boot or in a covered luggage compartment. Equipment must not be left under or on any of the car seats.

An email sent to 15 or more external users, or a single email sent with an attachment larger than 10Mb is considered a bulk email. Contact the IT department for advice if you have a vaild reason for needing to send emails to more than 15 people external to the organisation.

You should create a personal folder on your Y drive. This moves storage away from the inbox folder which is subject to size limits. This folder should be maintained and checked regularly. All email folders should be reviewed periodically and emails deleted when not required. If an email is important to a department, they can be saved on the shared S drive under the relevant departmental folder. Regular housekeeping should also take place so that storage limits aren't breached. Contact the IT department for assistance.

Terminal services is a secure environment but if information is transferred and saved on to your personal computer then this organisational data is then stored outside of the corporate network. Any personal information stored outside the corporate network breaks data protection law. It is acceptable to save learner and tutor information to an encrypted flash drive. Data protection states that any personal information about an individual must be stored in a safe and secure environment and encrypted in transit. Sports Leaders UK is the data collector and is therefore responsible for the personal information collected. We provide computers for those based in the office and laptops that are encrypted for those on the move. Encryption means that the information is stored in a secure format, so if the laptop was ever stolen the data would not be retrievable. Our email accounts are not encrypted, therefore if any data is sent to the wrong individual, they would be able to open up this data and see information they are not entitled to view. When sending any information that includes personal data about our customers, employees or corporate partners we should ensure that this is not sent without added protection. This could be by sending the data as an attachment and locking it with a password or by allowing the user to retrieve their data through another medium such as an external storage area (IT Support can advise). If a tutor assessor requests information about their learners it is best to advise them how they can retrieve this by logging on to LEAP. Alternatively a password protected document can be emailed (PDF, Excel or Word). The password should be sent in a separate email after the document has been confirmed as being received by the recipient.

A visitor has three options of accessing the internet at Sports Leaders UK head office. The first option is to connect to Microsmiths' wireless facility, a free service provided by the company Microsmiths for the whole of Linford Forum - It is a network unrelated to the Sports Leaders UK network and therefore poses no security risk for Sports Leaders UK. The second options is to connect to the Sports Leaders UK guest wireless network, a network sectioned off from the main Sports Leaders UK IT systems. The third option is for a visitor to connect to one of the designated 'Secure Ports' within Head Office. These are located around the office marked with green stickers and a sign. These 'Secure Ports' provide an active internet connection but sit outside of the main Sports Leaders UK network, adding an added level of security to Sports Leaders UK systems.

The S and Y drive are part of the corporate computer network and are therefore acceptable areas to store data.

Any emails that we send from our Sports Leaders UK email account represent the organisation. Emails can contain personal information about our staff, our customers, other corporate partners and supporters and corporate information that should not be shared. We ensure that any data contained and distributed through Outlook is stored safely, follows corporate identity rules by ensuring it has the right signature, uses the right font, contact details and disclaimers; is stored and backed up and therefore available if required again in the future for reference or to support regulatory requirements. If an email is forwarded to a home email account the corporate data is then taken out of the corporate environment, does not protect the data, does not archive and store the message within context and does not provide a clear tracking route to support regulatory and legislative requirements. For this reason we do not allow anyone to forward emails containing corporate information to their personal email address.

Terminal services is a secure environment through which staff can access their Sports Leaders UK account and data without being in the office and by using any computer, but it does require an internet connection to be able to access the information which means that some staff will save data on to the personal computer they are working with so they can work offline. The problem with this is that the data is then stored outside the corporate network and is subject to all the above concerns in the previous paragraph.

It is acceptable to store personal information on an encrypted flash drive as the data is protected by the encryption process.

The organisation will not tolerate the use of the Internet or mobile technologies for personal use unless authorised by your line manager.

Please consider the impact of using large distribution groups. For example, an email to inform the Milton Keynes office of cakes in the kitchen is relevant to many, but the same email to the entire Sports Leaders UK organisation may not be.