ICT Staff Equipment Provisioning Policy


 

Policy Statement 

It is the policy of the University of Chichester (“The University”) to ensure that its staff, students and other stakeholders have equipment suitable to the fulfilment of their role and to enable them to participate in and innovate in the University’s learning communities.

The policy is also shaped by the principles of standardisation, simplification and sharing, whilst reflecting the need for value for money and maintaining security against cyber-threats. The policy is similar to those in other Universities, in that it considers the role and context of individuals in how their needs are met, whilst managing an increasing need to ensure that non-university devices present the same integrity for privacy, copyright, safeguarding and resisting disruptive cyber criminality, all of which are designed into the devices sourced by SIZ Service Delivery and IT Services.

Annual and in-year processes are in place to obtain bulk-buying-discounts from approved suppliers, whose products, ethical and legal practices meet with the University’s financial regulations and other policies. These hardware and software products are tested and designed to fit within the proven security frameworks of the University. Equipment is configured to protect the University from as many of the cyber-crime threats as possible, and configuration settings cannot be overridden. 

Equipment sourced by departments would have to undergo security review, and would likely need custom security arrangements that are expensive to achieve, monitor and maintain, and that would likely be called into question by regulators such as the Information Commissioner’s Office if there are any data loss issues.

A central inventory of all University IT assets (hardware and software) is maintained. Security and functional updates, etc., are centrally deployed within the University’s approved software inventory. Equipment will be maintained and, unless there are performance or reliability issues, the workable lifecycle of equipment will vary.

Use of all University equipment and its infrastructure must comply with the code of conduct as set out in the Electronic Information Security Policy (Link to policy).

The purpose of this policy is to:
  • Guide expectations of what equipment can be provided (PC/Laptop/Telephony)
  • Raise awareness of how provisioning is shaped by;
    • statutory obligations to avoid loss or exposure of information, and other cyber threats,
    • privacy, and particularly for other people’s information you may have access to,
    • the needs of safeguarding,
    • supportability, and value for money,
    • the code of conduct as set out in the Electronic Information Security Policy (Link to policy),
    • arrangements for when someone leaves the University, and; 
    • environmentally sustainable, and secure disposals.

1.  Staff Computer Packages

Standard IT provision is a registered[1], high performance business class PC or laptop. This will meet almost all needs whilst also enabling a high standard of security, service and support. Commonly, this is provided with a keyboard, mouse and a monitor, and where it is a laptop, a docking station.

PCs and Laptops are fitted with a headphone socket and are either supplied with, or have, an integral web camera. Laptops are WiFi enabled. Whilst equipment can be sourced in-year where there is an urgent need, the case for additional equipment will usually be anticipated in each department’s annual operational plan, or within the Staffing Request Form.

To ensure the best connectivity, interoperability and security, as well as value from economies in purchasing, skills and support, University systems are primarily designed to work with the Microsoft enterprise architecture. This is the connectivity that organises and links information together with systems and facilities (such as firewalls and Virtual Private Networks) to repel unauthorised access to University systems and data.

All University devices are bought from verified providers, and have anti-tamper mechanisms[2] to reduce the risks of a lost or stolen device being used to gain access to University data and private intellectual property.  

Specialised requirements for medical reasons such as alternative, replacement machines or a peripheral device (e.g. ergonomic keyboard, track pad) will involve review and approval through the Health and Safety office who can be contacted at the following email address: healthandsafety@chi.ac.uk.

2.  Additional access to computing resources

All staff and students can use the University log-in credentials provided to them to access other University equipment, such as in teaching rooms, libraries and staff hubs. For staff, this also includes the ability to log in to a colleague’s laptop, and vice versa. Additional flexible facilities enable remote access to ultra-high-performance computing and specialised software. In addition, there is a range of loanable equipment available through the Support & Information Zone (SIZ). 

Each user’s unique log-in configures the computer to the user’s email account, print facility, network and cloud-storage. Some teaching and open access PCs may also have access to additional specialised software.

3.  Bring Your Own Device (BYOD)[3]

It is important to reflect that staff and students at a University are targeted by cyber-criminals to gain access to sensitive and personal information. The University’s centrally provided and configured (referred to as imaged) devices are secured to a validated standard to prevent this and to ensure the University can meet the statutory obligations, the conditions required by external auditors, and the conditions set out by partners such as the Ministry of Defence.

Only a centrally sourced and provided University computer with a University configuration is suitable for accessing sensitive personal information.  

Provided a user does not have access to personal sensitive information, and takes reasonable (as described in the Electronic Information Security Policy (Link to policy) and its supplementary guidance), most other services are web-based (e.g. email, staff intranet, Moodle, web printing) and can be accessed using non-university equipment, either on or off campus. New technologies are being deployed to ensure that any non-university device that is infected with malware or that appears to have unlicensed software may not be allowed to connect to University services. It is, however, important that when using non-university equipment you take extra precautions[4] to ensure that your device does not compromise the University’s commitment to privacy and security.

In order to connect a personal device to any University infrastructure, or any University information system, the device must be protected with a suitable, up-to-date anti-virus service, and must employ cyber-security such as hard disk encryption. All personal devices must be set to not cache University IDs and passwords, and University IDs and passwords must not be used in 3rd party (non-University) systems and services. If these standards are not met and maintained the device may become excluded.

The IT Service will try to help if you have issues connecting your personal device to University services, but cannot change the configuration of, or repair personally owned devices.

4.  Premium devices

The University provides high performance, business class equipment. These operate within the University’s enterprise environment to ensure interoperability and security. These are bought through reputable supply chains with assured environmental and anti-slavery policies. 

Whilst other equipment may from time to time be required, it must maintain the same level of integrity, whilst also passing the tests of value for money. Any premium equipment will require an individual business case and for funding to be arranged. Personal preference is not adequate justification for a request.

5.  Specialist equipment

Equipment defined or sourced by departments will be assessed for risks to the University through its design and operation. This, similarly to the mechanisms to protect the University from the inherent risks of Bring Your Own Devices, will include an initial, pre-purchase review which will consider data access, licensing, procurement route, security risks, unauthorised use and risk of data loss. Specialist equipment may require additional network considerations and/or bespoke approaches to software licensing.

6.  Telephony[5]

The University’s primary telephony mechanism is Microsoft Teams which operates in conjunction with a Staff Laptop, PC or mobile telephone. The telephony service automatically ‘follows’ the user from device to device and includes additional features, such as the usual range of ‘do-not-disturb’ and ‘out-of-office’ presence functions. MS Teams Telephony will operate anywhere (worldwide) where there is Internet access, and is very cost effective. 

MS Teams telephony also works via an App. The App is freely available to either University or non-University mobile telephones and some staff may choose to use this method of answering or making a telephone call.

Where a member of staff is expected to make and receive telephone calls, a Teams compatible stereo headset will be provided. Where necessary, a MS Teams compatible handset can be provided, however this would be charged to the requesting department. Where the business case justifies it, traditional (IP/Analogue/SIP) telephones can be provided into common areas, office locations etc.

Specialised audio requirements required for medical reasons such as alternative, speakers and microphones will involve review and approval through the Health and Safety office who can be contacted at the following email address: healthandsafety@chi.ac.uk.

7.  Mobile Telephones 

The University’s high-performance mobile telephones are centrally provided to enable cost-effective commercial rates for data and calls, but also to enable essential security mechanisms to be applied.  

Whilst equipment can be sourced in-year where there is an urgent need, the case for additional equipment should be anticipated in each department’s annual operational plan, or within the Staffing Request Form.

It is important to recognise that telephony is supplied for the purposes of the work of the University. Calls, SMS texts and data usage charges are recharged to the respective department.

University provided mobile phones will be assigned with a managed profile to ensure the security of the device and the member of staff using it. This means the mobile phone will have enforced controls, such as automatic screen lock and remote device wipe. The mobile phone is provisioned with University-approved apps (MS Teams, for example). Requests for additional applications will be reviewed on an individual basis where consideration will be made for the business need, and for its prevailing security.

8.  Eligibility

University staff with at least a 0.4 FTE permanent contract will usually be provided with dedicated equipment. Job sharing staff, and those on less than a 0.4 FTE contract are normally expected to share[6] office equipment, unless there are reasons such as remote and homeworking that make this not possible.

Associate lecturers and are typically not provided with a University device (e.g. laptop) although short term loans can be arranged. Associate Lecturers can of course use open access facilities or share other staff equipment to access all relevant software and services. 

Where there is extended leave of absence (and with appropriate consultation) accounts, and therefore access, may be suspended.

9.  Software

It is an integral pillar of the University’s security and licensing policies that legitimate software is centrally deployed and that this is therefore incorporated within cyber-security mechanisms. All software enabled or endorsed by University staff must be compatible with the University’s security and connectivity mechanisms and policies.

Most software is available to most staff. Software that increases risks of cyber-threats or whose purpose is achievable with existing software[7] will not be installed. The IT Service will source and install all software[3].

Software for non-University owned equipment, and for specialised equipment sourced by departments, may not be suitable for use within the University’s licensing and network environment.

No software can be deployed, accessed or used without it first being formally reviewed for its cyber integrity and safeguarding facilities through a Data Protection Impact Assessment (DPIA). Subscription and cloud-based software that operates through a local client or a web browser may also be unsuitable.

The case for new software and for subscribing to free or paid web-based services should be anticipated in each respective department’s annual operational plan, and the business case must anticipate future years’ costs (i.e. annualised licensing).

10.  In-year developments

Equipping learning spaces or large-scale refurbishments identified in annual operational plans will likely be undertaken as a project, approved and overseen by the Teaching and Learning Accommodation Group (TALAG) and the Space Planning Group (SPG).

Where the business case[8] for an in-year need for new hardware or software is approved, this can be sourced from within the University’s approved suppliers and installed quickly, provided there are no unmanageable security or safeguarding issues.

Ordinarily, a request for a simple commodity item such as a Laptop will be processed in 2-3 weeks. Specialised and premium equipment may take longer and is treated on a case-by-case basis. Most software can be made available quickly, in hours and days as opposed to weeks. It is important to provide ample notice of these requests to ensure reasonable timescales can be met.

11.  Ordering process

The equipment set out in each annual Operational Plan will be collated into a summary report, and will be reviewed by the Capital Projects Monitoring Group. Subject to approvals, and the budget approval cycle, the plan for each year’s new, and renewed equipment will be set out, including its associated purchasing, equipment preparation and delivery arrangements.

The business case for equipment and software not set out during operational planning (e.g. urgent, premium, etc.) must be identified in a Staffing Request Form, or, if not related to a specific new staffing request, can be submitted as an equipment request through the University’s Support-Me on-line service.

12.  Loss and damage

If equipment fails, the IT Service will arrange its repair through its warranty or via a third-party repairer. Where possible, a loan device will be provided for the duration of any repair.

If any piece of equipment is irrecoverably broken, lost or stolen[9], then arranging a replacement and managing insurance claims will require the department and IT Services to work with Finance colleagues. The costs of excess (if applicable) will normally be met by the department.

13.  Homeworking

The University’s systems and services are highly flexible, with an everything-everywhere ethos.  University PCs and Laptops used at home or off-campus employ a Virtual Private Network (VPN) which secures information transfer to and from University systems and services[10].

All teaching and core services are available from off-campus, however services may be affected by the configuration and capability of the localised (home) broadband services. Non-University devices may not be connected if the University’s firewall detects malware, unlicensed software or other cyber threats.

The University does not fund home broadband, and does not accept responsibility for any Non-University equipment.

14.  Code of conduct for using University equipment and services

Anyone who uses any University IT Service or equipment, whether on-site or off-site, must adhere to the Electronic Information Security Policy (Link to policy), and the Code of Conduct within it. The policy links to essential conditions for using personal equipment that uses infrastructure or identifies with the University in any way.

The Help website (Link to help site) includes guidance and advice, but also sets out the privacy statements and how the use of services is monitored.

The Electronic Information Security Policy is integrated with other policies, such as the use of social media. Together, these demonstrate the need to ensure that staff and students are vigilant and play an active role in the University’s countermeasures to grooming, bullying, radicalisation, and other cyber-threats including any risk to compromising privacy or intellectual property.

15.  Staff leaving, and the disposal of equipment

If a member of staff leaves the University, the equipment they have been issued should be returned to the IT Service Delivery team. This includes when there is an expectation that it will be reissued to a subsequent role holder.

Under no circumstances should University equipment be agreed to be gifted to (for example) a member of staff who leaves the University.

Where equipment has become surplus, broken or redundant this should be returned to the IT Service Delivery team. This ensures that any residual data is removed following industry standard security process, and that the equipment can be disposed of in a way that causes least detriment to the environment.

For staff that leave, any personal data storage or access to shared documents will be closed through an automated process triggered by the exit date set in the HR system.

Other than in the case of a small number of (time limited) emeritus relationships, there will be no post-employment access retained to University resources, including University email accounts.  

16. Employment Exit Check-list

When an employee leaves, it is the line manager's responsibility to ensure that all information assets are secured and that all physical assets are returned. 

Before the employment end date: The line manager should identify information and physical assets the exiting employee is in possession of, or has access to, and make a plan for their transition, and return, that ensures that the former employee no longer has access to them.   

Physical Assets: PCs, laptops, mobile phones, removable media and other peripherals (including, for example, second screens etc. that may have been taken to work from home) must be returned. All system documentation, paper copies of manuals etc. should be returned.

All Swipe and ID Cards, and all University door and desk keys should be labelled and returned.

These returns must take place irrespective of damage or condition, and these should be handed in to the SIZ office on either campus.

Non Physical, University domain services: After the employee’s leaving date, there can be no access to the University information services.   

Non Physical, Off-domain services. The line manager should be aware of any subscription and cloud services that the employee had access to, and should ensure that the provider has been asked to rescind the access.

It may be the case that the subscription itself should not be cancelled (for fear of losing editorial access, or that by doing so will delete the data / service). Where this is the case, a new editor/employee should be clarified and a new password created to limit / enable access.

Retained Access: Other than in exceptional circumstances, no retained access can be permitted beyond the employment end date.

Routinely, all data held in the name of the employee, will be deleted. Prior to the employee leaving, it may be possible to copy data (with explicit consent) such that it can be retained by the line manager, temporarily.

17.  Printing, copying and scanning services

All users with a University IT network account can access printing, scanning and copying services. All printers are multifunctional, and therefore provide all of the above services. Devices are located in shared areas to ensure access to these services is within reasonable reach of staff locations.

Access to a dedicated printing, scanning or copying device, such as in a single occupancy office, is not supported.

Due to the associated costs involved, it is strongly advised to keep printing to a minimum and colour usage should only be used in exceptional circumstances. All printing and copying is charged to an individual’s department (scanning is provided at no charge). Student printing is charged directly to the student and their account purse can be topped up via an online payment or at the SIZ desk.

Where high-volume printing is required, this should be organised with the University’s Print & Imaging team. All scanning should be completed within each departmental area, as the Print & Imaging service prioritise internal bulk-printing (e.g. student recruitment activities) and income generation through commercial print activities.

 

 

[1] The University is required to account for all equipment to ensure it is not in the hands of someone who may steal data.

[2] Local administrator rights are not enabled as these are targeted by cyber-criminals, including because unapproved downloaded software can be used to infiltrate, and hence this policy is essential to cyber-certification.

[3] For information on BYOD, and non-University devices, please see https://help.chi.ac.uk/personal-devices

[4] Because of the higher risks, the University’s Multi-Factor-Authentication (MFA) makes more stringent and frequent checks for a BYOD device.

[5] It is important to recognise that telephony is supplied for the purposes of the work of the University. Call charges are disaggregated and recharged to the respective department.

[6] The design of IT network accounts readily supports and enables equipment sharing.

[7] Unless there is an approval of the business case for a new, or essential software package.

[8] This should be co-written with IT/Service Delivery.

[9] If equipment is lost or stolen, you must inform the SIZ immediately, to enable IT to prohibit that device’s access to University systems.

[10] NB personal (non-university) devices do not use the VPN (as this would require licensing and downloading software to them) and do not have strong security, especially when off campus.

Reviewed:

March 2023
