This Acceptable Use Policy (“Policy”) sets out the approach Saigon South International School (“we”, “our”, “us”, “School”) takes to managing hardware, technology services and information security threats and events. This provides a framework for the protection of the school and its information assets from an IT security perspective.
This Policy applies to all Users of devices or information systems at Saigon South International School. It is critical that all Individuals read and understand this document and make themselves aware of the risks and exposure involved. A user should contact the IT Team if they are unclear about any requirement in this Policy.
Effective and proper use of information technology is fundamental to the successful and efficient running of the school. However, misuse of information technology - including but not limited to misuse of email and Internet services - exposes the school to liability and can cause unnecessary use of resources. The school encourages the use of its devices for the mutual benefit of all Users and the wider school community. Similarly, this policy seeks to provide for the mutual protection of the school, its students, the rights of its employees and the wider school community.
This Policy should be read with, among others, the following policies:
Data Incident and Breach Policy and Procedure
Anti-bullying policy / Code of Conduct in Divisional Handbooks
This Policy provides the framework for the management of information security within the school. This applies to the various forms of hardware and software operated by the school. This policy applies to (but is not limited to):
All information systems operated by the school, including: computer devices, network devices and telecommunication devices
All software installed on school owned devices and applicable information systems, including: operating systems, network services and application software
All electronic information stored on applicable information systems, including: school owned hardware (including removable media), school provided cloud services, and school / 3rd party provided online/locally hosted services and solutions
This Policy shall include protection for the following:
Confidentiality: Assuring that the school’s information systems and information assets will only be accessible to authorized personnel or systems.
Integrity: Safeguarding the accuracy and validity of the school’s information systems and processing methods. Ensuring that data or system configuration changes are not performed without documented authorization.
Availability: Ensuring that authorized Individuals have access to relevant information systems and services provided by the school when they are needed or within a reasonable amount of time.
This Policy and the processes, procedures and standards outlined within this document apply to all the school’s staff, third parties and individuals who have been provided with access to the school’s information systems and information assets.
Devices owned by the school, including software and/or data developed or created (for whatever reason) on such devices, remain in all respects the property of the school.
A data breach can be broadly defined as a data security incident that has affected the confidentiality, integrity, or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or unlawfully disclosed. This can include if someone accesses the data or passes it on without proper authorization, or if the data is made unavailable, for example, when it has been encrypted by ransomware.
Authentication shall mean the verification of an individual, based on unique identifiers, provided this identification is unique to an individual. It can also be used to monitor individuals’ activity.
Authorization shall mean the security mechanism used to determine individual/client privileges or access levels related to system resources.
Availability shall mean authorized Individuals have access to information and associated assets when required.
Data Security Incident means an event that compromises the integrity, confidentiality, or availability of an information asset. Data Incidents are situations which, upon further analysis, might be deemed by the Data Protection Office to be a Data Breach (if the incident affects the confidentiality, integrity, or availability of personal data) or might not. In short, every breach will necessarily involve a Data Security Incident, but not every Data Security Incident will result in a Breach.
Devices shall mean any computing device hardware, mobile telephone, portable electronic device or software owned, issued or operated by Saigon South International School. It shall also include any allocation of time, memory, disk space or other measure of resources on any of the school’s hardware, software, servers, or networks.
Confidentiality shall mean information is accessible only to those authorized to have access.
Information systems shall mean any computer program or application or system which collects, stores, or processes information.
Information asset shall mean information or data that is of value to an organization.
User shall mean any employee or contractor provided access to Saigon South International School devices. For the purposes of this policy, ‘individuals’ does not include students of the school.
Integrity shall mean the correctness and completeness of information and processing methods.
Near miss shall mean a reported security event which the school determined after investigation did not impact the confidentiality, availability, or integrity of any data (and thus is technically not an “incident”).
Personal Data means any information relating to an individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions, or their behavior. Personal Data may be held on paper, in a computer or any other media whether it is owned by the organization or a personal device.
Confidential information means any data or information classified by the school’s Data Classification Policy as requiring the highest degree of protection.
Generative Artificial Intelligence (GAI): AI systems capable of generating content such as text, images, audio, and video based on input data. Examples include language models, image generators, and other generative algorithms.
General use
The school provides access to a range of technology to support the delivery of learning and teaching. Individuals are responsible for the security of the devices and information systems they are allocated or provided access to use. Along with other relevant policies, individuals must comply with the Acceptable Use Policy whenever using any device, network or information system. That policy requires individuals to, among other things, not share any devices, or passwords to information systems.
Individuals are responsible for ensuring that all written documents containing confidential or personal data are kept secure, and that they are not removed from the school premises or made available to third parties (including uploading to websites and applications not approved by the school) without the prior consent of the school.
Devices must be locked or logged off if left unattended, to prevent unauthorized Individuals accessing any information system in any absence.
Desktop PCs and cabling for telephones or computer devices should not be moved or tampered with without first consulting the IT Team.
Individuals issued a device must ensure that it is kept secure at all times, especially when traveling. Device-based encryption must be activated to enhance the protection of personal data in the event of loss or theft. Individuals remain responsible for the particular device until it is returned to the IT Team. Individuals should also be aware that when using devices away from the school, documents may be read by third parties, for example, passengers on public transport.
Employees must seek approval from the IT / Edu Team before using any Generative Artificial Intelligence tools or applications on school-owned devices or networks. This is to ensure that such tools comply with the school’s data protection policies and do not pose security risks.
Devices
Fixed desktop PCs and other non-portable devices are a critical asset to the school and must be managed carefully to maintain security, data integrity and efficiency. Laptops and other portable devices are at high risk from loss or theft and thus require additional security protection. All reasonable precautions must be taken to ensure that devices are stored securely. In addition, to protect the integrity of the school systems and data, all personal data must be encrypted to secure it in the event of laptop and other portable device loss.
Apple and Microsoft whole disk encryption tools are in use and enforced. The school maintains the master keys to decrypt as needed.
If a device is lost, stolen or damaged, it must be reported to the IT departments within 2 hours of the event.
After a report is submitted, the IT Department will determine if the device was lost or damaged through negligence. The IT Department is responsible for providing digital image evidence to management of damage during their diagnostic or physical review. If negligence is found, the member of staff will be required to pay 50% of the cost to repair or replace the device. A panel of three members of management will decide whether an incident is negligent, and whether a contribution is payable towards the replacement. The decision of the Associate Head of School for Finance and Operations is final.
The school has a BYOD (Bring-Your-Own-Device) and school-owned 1:1 scheme for some grade levels. All use of personal (“BYOD”) devices must conform to the school’s Responsible Use Policy published online in Divisional Student Handbooks (for students). All staff are issued with a portable device (currently a laptop) for their use within the school, primarily for administration and teaching. In some cases, a tablet (currently an iPad) may be issued as well. Staff personal devices are not to be used as a replacement for an SSIS issued device.
When devices are no longer required, the school's IT Team will determine whether a device can be repurposed for a different function in the school. This is to ensure that the device is not disposed of before the end of its natural / defined lifecycle and in accordance with the school's green policy. If a device is repurposed, it will first be wiped clean and reset to factory specifications to ensure that any personal data that was previously saved on the device is no longer accessible. The disposal of the device will only occur when a device has reached the end of its life cycle or if it is otherwise unusable, such that it is regarded as no longer fit for purpose or would pose a security risk to the school if left in service.
If a device cannot be recycled or repurposed, the school will arrange for secure disposal through appropriate channels in accordance.
The school shall maintain a disposal and depreciation log for all systems as well as a disposal log for all devices that are disposed of (including, where possible, secure disposal certifications).
Storage
Users are provided with appropriate and secure access to areas of the school's file storage platforms. Users shall not store documents and files locally on any device. Locally stored files are at greater risk of loss through hardware/software failure or automated administrative activity and are not centrally backed up. Additionally, centralized storage of files and documents enables our school to more easily facilitate data subjects’ right to request access to their personal data.
Users shall not store non-School-related (i.e., personal) documents and files on the school’s devices or information systems. Additional storage creates a cost for the school. If personal documents are held on the school’s devices, the documents may be subject to disclosure under data protection law.
Where portable or removable media (e.g., SD cards, USB file storage, CD, flash cards, etc.) is used to store or transport information containing personal data, it must be approved by the IT department. Unencrypted removable media devices will not be allowed on school owned devices, preventing the storage or transfer of Personally Identifiable Information or classified information. Staff must make themselves familiar with the school’s Records Management Policy, including retention periods for the documents which they hold.
Personal use
SSIS permits the incidental personal use of the school provided internet, email and telephone systems to send personal email, browse the internet and make personal calls (voice over internet protocol, VoIP) subject to certain conditions set out in the Acceptable Use Policy. Personal use is a privilege and not a right. It must not be overused or abused. We may withdraw permission for it at any time or restrict access at our discretion.
Personal use must meet the following conditions:
use must be minimal and take place out of normal working hours (that is, during lunch hours, before or after working hours);
personal emails should be labeled “personal” in the subject header;
use must not interfere with business or office commitments;
use must not commit us to any costs; and
use must comply with this policy and our other policies including the Data Protection Policy and end-individual device policy and the school’s code of conduct.
Personal use of our systems may be monitored and, where breaches of this policy are found, action may be taken under the disciplinary procedure. The school reserves the right to restrict or prevent access to certain telephone numbers or internet sites if we consider personal use to be excessive.
Email and Chat
All Individuals are provided with their own school email address. Individuals are responsible for checking and responding (where necessary) to any email addressed to them as required by their division head. This can be a holding response, but it should give an estimated time for a full response. During academic breaks or periods of annual or other leave, Individuals are responsible for setting their out-of-office reply. This will include:
Return date, alternate contact if applicable, and whether you are periodically checking email while on leave.
Phishing attacks, a scam by which an Internet user is duped (as by a deceptive email or chat message) into revealing personal or confidential information which the scammer can use illicitly, are on the rise. Key tips on staying safe:
are you expecting / would you expect that email from that person;
be very suspicious of all links and attachments in emails, particularly from senders who are not school staff or students;
messages can look like they’re coming from someone when it is not that person – hover over their name to be certain it was sent by the expected email address;
be suspicious of any request for the purchase of gift cards, or for the provision of log-in credentials (username and password) for any school information system (either operated by the school or by an approved service provider). School IT staff will never ask for your login credentials.
The school’s email and chat system is provided for the school's business purposes. Although email and chat are vital business tools, you should always consider if they are the appropriate method for a particular communication. Correspondence with third parties by email should be written as professionally as a letter. Messages should be concise and directed only to relevant individuals (a disclaimer should always be included).
You must not send abusive, discriminatory, obscene, racist, harassing, derogatory, defamatory, or otherwise inappropriate emails or chats. Anyone who feels that they have been harassed or bullied, or are offended by material received from a colleague via email (or in another manner) should inform the human resources department.
You should take care with the content of email and chat messages, as incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract. Remember that you have no control over where your email may be forwarded by the recipient. Avoid saying anything which would cause offense or embarrassment if it was forwarded to colleagues or third parties, or found its way into the public domain. There is no exemption for embarrassment under the data protection laws.
Email messages may be disclosed in legal proceedings in the same way as paper documents. Deletion from an Individual’s inbox or archives does not mean that an email cannot be recovered for the purposes of disclosure. All email messages should be treated as potentially retrievable, either from the school’s backups, the provider's backups or through the use of specialist software.
Staff should avoid sending confidential or sensitive information via email or chat unless absolutely necessary, and extra care should be taken to ensure that this is sent to the correct recipient. If possible, staff should send this information in a password-protected document and give the recipient the password by telephone. Email messages, however confidential or damaging, may have to be disclosed in court proceedings or under a subject access request (see the school’s Privacy Notice).
Individuals shall not use school-provided email addresses to:
send or forward private emails at work;
send or forward chain mail, junk mail, cartoons, jokes or gossip;
contribute to system congestion by sending trivial messages, copying or forwarding emails to those who do not have a real need to receive them, or using “reply all” unnecessarily on an email with a large distribution list;
sell or advertise using our communication systems or broadcast messages about lost property, sponsorship or charitable appeals (InfoExchange or another school facility should be used for these purposes);
agree to terms, enter into contractual commitments or make representations by email unless appropriate authority has been obtained.
download or email text, music and other content on the internet subject to copyright protection, unless it is clear that the owner of such works allows this;
send confidential messages via email or the internet, or by other means of external communication which are known not to be secure.
Do not use your personal email or chat accounts to send or receive email for school business. Only use the email account we have provided for you for school related activities and business communications.
Users must not use GAI tools to generate or respond to emails or chats without proper oversight. Generated content should be reviewed to ensure it aligns with professional and ethical standards.
Personal Social Media
The school details our Social Media rules within our Digital Media for External Use Policy. The virtual world can be a dangerous one. These seven simple steps may help to ensure that you stay safe:
Hide yourself from the public
Don't let search engines find you
Don’t allow social media sites to hand over your details to other companies
Make sure nobody else is using your account
Don’t put your full date of birth in your profile
Ensure your friends and family do not share your information with companies
Don’t advertise your home
School Website & Social Media platforms
The day-to-day administration of the school website and social media platforms where content is published is the responsibility of the Admissions, Marketing, and Communications Office.
In certain circumstances, controls are required in the publishing of content. Before publishing, authorization must be obtained for the following:
identifying images of students, either directly or by file name;
using pictures of individuals;
using students’ names and personal information;
identifying images of staff;
using plans of the school; and
advertising events which would make it easy for unauthorized individuals to gain access to the school or students.
Access Control and Permissions
Access to information assets shall be specifically authorized in accordance with this Policy. Information will be controlled according to business and security requirements, as well as the access control rules defined for each information system. Individuals shall only be allowed to access critical business information assets and processes, which are necessary for performing their respective duties. Access to information assets and activation of Individual accounts for contractors, employees, students, and third-party vendors must only be initiated when necessary. Access for contractors, employees, or third parties to the school’s information assets will only be provided when a contractual agreement is in place. A proportional level of auditing at both an operational and systems level is in place to monitor access control measures.
Individual accounts will only be created (e.g., for new employees or employees changing roles, etc.) upon instruction from Human Resources. It is the responsibility of the IT Team creating the Individual account(s) to confirm the account creation authorization and to discern to what extent the account should have access to the information systems and/or services. The institution intends to provide all personnel, students, and subcontracted third parties with on-site access to the data necessary to perform their respective duties in the most effective and efficient manner possible.
The allocation of privilege rights (e.g., local administrator, domain administrator, superuser, root access) shall be restricted and controlled and will never be provided by default. Account profiles and privileges are to be restricted to the minimum necessary in order for Individuals to fulfill their roles. Authorization for the use of such accounts will be provided explicitly, upon written request from appropriate individuals (such as the head of department/division) and will be documented by the system owner.
Access to operating systems and application management is to be restricted to designated administrators and support staff associated with the management and maintenance of their respective platforms. Privileged accounts should be restricted to be used only when required; under no circumstances should these be used for ‘day-to-day’ usage, e.g., accessing email or downloading files from the internet. When an Individual discontinues his/her role at the school, Human Resources shall ensure that the person’s access to all accounts and information systems shall stop as of his/her last day in their role. Individual privileges are to be reviewed on a regular and frequent basis. Any accounts that have been granted elevated privileges but no longer warrant such access will have their privileges revoked.
Physical access to the school premises and secure resource locations is restricted using a smart ID card. Individuals are responsible for the security of the ID cards, or other physical assets. If such an asset is lost or stolen or damaged, the Individual shall report the situation to the Facilities Office within 2 hours of discovering the loss/damage/theft in accordance with the school’s Data Incident and Breach Policy and Procedure.
All Individuals who are provided access to information systems will be allocated a form of controlled access (Read, Write, Execute or Full control) in accordance with their roles and duties within the school.
Access to the school networks and network services will be controlled based solely on their business and security requirements. The access to these systems will be defined on a case by case basis. Physical and logical access to diagnostic and configuration ports on the school’s infrastructure will be controlled.
Passwords
Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential, school information. Note: The IT Team cannot view your current or previous passwords. Passwords should not be shared with the IT Team; if account access is required (e.g. for troubleshooting steps) a temporary password should be defined that is then subsequently changed. Passwords must not be inserted into email messages or any other forms of electronic communication, nor revealed over the phone to anyone. Passwords can only be stored in "password managers" that the school has approved. The "Remember Password" feature of applications (e.g., in web browsers) must not be used unless secured through multi-factor authentication. Any Individual suspecting that their password may have been compromised must report the incident to the IT Office immediately and change the password.
The school will conduct an audit to identify weak passwords that do not comply with the school policy. Should an account's password be identified as weak, the Individual must change that account's password in line with the password format guidelines (below).
Specifically, passwords must:
Not contain the Individual's account name or parts of the Individual's full name that exceed two consecutive characters
Not be used in more than one account (i.e., do not re-use the same password for more than one information system or online account).
Comply with the following password policy. The password must contain at least 10 characters from three of the four categories below:
Uppercase character;
Lowercase character;
At least one number 0 – 9; or
Non-alphanumeric characters: e.g., ~@#$%.
OR
An alternate way to craft a password that is very strong, but easier to remember, is by combining 3 words, as seen below.
Uppercase character; -> MouseHouseTractor - Good
At least one number 0-9; -> MouseHouseTractor9 - Better
Non-alphanumeric characters: e.g. ~@#$%. -> Mouse9HouseTractor% - Great
Individuals must use a password unique to their school account so that if their personal accounts are compromised, their school account is not.
To prevent the most hackable passwords, Individuals must not use:
a word that can be found in any dictionary
consecutive numbers or letters for more than 3 characters
the phrase ‘qwerty’.
It is recommended that Individuals use a memorable phrase rather than one word for their passwords.
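As an added example that is not part of the policy itself, the following Python checker implements the password rules above: minimum length of 10, characters from at least three of the four categories, no account-name or full-name parts longer than two characters, not a dictionary word, no run of more than three consecutive letters or digits, and no ‘qwerty’. The account name, full name and the small dictionary wordlist are constructed placeholders, the delimiter set used to split a full name into parts is an assumption, and the policy’s own example passwords are reused as inputs.

```python
import re

# Thresholds taken from the policy text.
MIN_LENGTH = 10
MIN_CATEGORIES = 3
MAX_SEQUENCE = 3            # runs of more than 3 consecutive letters/digits are rejected
BANNED_PHRASES = ("qwerty",)

# Constructed stand-in for "any dictionary" (assumption): a real deployment
# would load a full wordlist instead of this handful of words.
DICTIONARY_WORDS = {"password", "welcome", "tractor", "mouse", "house", "school"}


def name_parts(*names):
    """Split an account name and a full name into parts longer than two
    characters, following the rule 'parts of the full name that exceed two
    consecutive characters'. The delimiter set is an assumption."""
    parts = set()
    for name in names:
        for part in re.split(r"[\s,.\-_#]+", name or ""):
            if len(part) > 2:
                parts.add(part.lower())
    return parts


def has_long_sequence(pw, limit=MAX_SEQUENCE):
    """True if pw contains more than `limit` consecutive ascending or
    descending letters or digits, e.g. 'abcd', '1234' or '4321'."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            same_class = (prev.isdigit() and cur.isdigit()) or \
                         (prev.isalpha() and cur.isalpha())
            if same_class and ord(cur.lower()) - ord(prev.lower()) == step:
                run += 1
                if run > limit:
                    return True
            else:
                run = 1
    return False


def check_password(pw, account_name="", full_name=""):
    """Return the list of rules the password violates; an empty list means compliant.

    Violation codes: length, categories, name, dictionary, sequence, banned.
    """
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")

    categories = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # ~@#$% and similar
    ])
    if categories < MIN_CATEGORIES:
        violations.append("categories")

    lowered = pw.lower()
    if any(part in lowered for part in name_parts(account_name, full_name)):
        violations.append("name")
    if lowered in DICTIONARY_WORDS:
        violations.append("dictionary")
    if has_long_sequence(pw):
        violations.append("sequence")
    if any(phrase in lowered for phrase in BANNED_PHRASES):
        violations.append("banned")
    return violations


if __name__ == "__main__":
    # Constructed sample account "jdoe" / "Jane Doe"; the first two candidates
    # are the policy's own example passwords.
    for candidate in ("MouseHouseTractor9", "Mouse9HouseTractor%", "Password1234",
                      "jdoe2024Xy!", "qwertyUiop12!", "Tractor"):
        result = check_password(candidate, account_name="jdoe", full_name="Jane Doe")
        print(f"{candidate!r:24} -> {'OK' if not result else ', '.join(result)}")
```

The dictionary rule is applied to the whole password, which is why the three-word examples pass even though each word on its own is in the list; that matches the policy’s intent of rejecting a single dictionary word while encouraging combined-word passphrases.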
In the scenario of a forgotten password, temporary passwords are issued only after a positive validation of the Individual requesting a new password. Individuals are forced to change the password upon login with the temporary password. Temporary passwords can only be issued to the individual who owns the account and not a third party without prior written consent from the individual.
Encryption
Encryption should be enabled in-line with the standards defined within this document. All devices that store or transfer personal data or classified information should be encrypted.
Encryption products should be selected based on the type of encryption they offer and the technical details of the systems on which they will be installed, such as the operating system. Most encryption products are only available for one type of operating system, and they vary in applicability, so selecting the product that fits each platform matters. The school shall ensure:
Strong cryptography and security protocols are used to safeguard confidential information or personal data during transmission over open public networks.
Encryption or an encrypted channel is required when Individuals access the school’s Confidential information or personal data remotely from a shared network.
Wireless transmissions used to access the school's computing devices or internal networks are encrypted using current wireless security standard protocols.
Secure encrypted transfer of documents and confidential information or personal data over the internet uses current secure file transfer programs such as SFTP (Secure File Transfer Protocol).
Anti-Virus/ Anti-Malware
The anti-virus and anti-malware software is installed or is native on all computers as standard and is updated regularly via the network. Anti-virus software must not be uninstalled or deactivated. Files received by, or sent by, email are checked for viruses and malware automatically. However, Individuals must remain vigilant when reviewing emails, as this automated check is not fail-proof. This includes remaining vigilant when releasing emails that have been quarantined. Individuals must not intentionally access or transmit computer viruses or similar software.
The anti-virus and anti-malware protection applications are configured to carry out regular virus scans and where possible on-access scanning. If you have a question about the tool, please contact IT.
Monitoring
In accordance with our Acceptable Use Policy, our systems enable us to monitor telephone (VoIP), email, voicemail, internet and other communications. For business reasons, and to carry out legal obligations in our role as an employer, use of our systems may be monitored by automated software or otherwise. This monitoring extends to the use of social media postings and activities, ensuring that all activities are undertaken in line with this policy and for legitimate business purposes. Monitoring is only carried out to the extent permitted or as required by local laws and as necessary and justifiable for business purposes.
The school CCTV system monitors locations in accordance with Our CCTV Policy, and this data is recorded and stored in-line with this policy.
We reserve the right to inspect the contents of email or chat messages or monitor internet activity (including pages viewed and searches performed) as we believe necessary in the interests of the business and child protection, including for the following purposes (this list is not exhaustive):
to monitor whether the use of the email system or the internet is legitimate and in accordance with this policy;
to find lost messages or to retrieve messages lost due to computer failure;
to assist in the investigation of alleged wrongdoing; or
to comply with any legal obligation.
All event and action details on the school information systems will be logged and stored for thirty days for ordinary systems and up to ninety days for critical systems. All information systems and business applications are monitored and the results of monitoring are reviewed periodically. System clocks are synchronized and reviewed for accuracy and drift.
All unsuccessful login attempts to critical servers are recorded, investigated, and escalated to management.
Software and Updates
Only software properly purchased and approved by the IT Team before purchase may be installed on school devices. Non-standard or unauthorized software can cause problems with the stability of the school’s computing hardware, and the IT Team must provide approval before the installation of any software.
All software must undergo the necessary security, compliance, and safeguarding checks before being utilized. A software or service request should follow the internal SSIS EduCase process. The EduCase process outlines the requirements that need to be fulfilled before a proposal is approved and deployed - this includes web / online hosted applications.
A structured software update and operating system management process is in place. The software update management process clearly defines when software updates will be reviewed and applied. The process allows for the logging and monitoring of the completion of software updates. The process also outlines the services and downtime associated with software updates and the times when these can or cannot be applied. Moreover, the software update process defines clear testing procedures that will be followed relating to each area and outlines the notification and communication procedures for planning and applying software updates, including the communication of service downtime.
Critical software updates are applied once identified and tested. System and service downtime may be required within working hours to accommodate the installation of software updates.
Planned downtime resulting from scheduled software updates is scheduled to consider key dates such as exams being undertaken and exam results days. Unplanned downtime resulting from the release of a critical software update is communicated and agreed when necessary. Where possible, these will be scheduled to take place out-of-hours to limit Individual impact.
The client device software updates are managed and maintained centrally through the school's software deployment platform. Automatic software updates are scheduled to be deployed regularly. Updates will be installed to client devices automatically; Individuals are responsible for carrying out device reboots to complete installation of software updates. Individuals are given a seven-day grace period to apply software updates. After this time, software updates are automatically applied.
Remote Access and VPN
Individuals should not seek to circumvent the school’s security and safeguarding measures by independently installing VPN software. As such, the independent use of VPNs by Individuals is strictly prohibited.
In any scenario where employees, third parties, students or any users affiliated with the school are required to work from a remote location, the school will provide access to the network through a school approved and validated mechanism, such as a Virtual Private Network (VPN). The school will install approved VPN software on devices.
All network activity during a secure remote session is subject to monitoring and logging by the school.
Remote access will be provided through the provision of school-provided credentials and, where possible, to enhance security, two-factor authentication will be used. Devices used to connect remotely must not be left unattended while connected or logged onto the school's network. In public places, Individuals should take appropriate precautions to prevent unwanted viewing of computer screens.
Any external support/3rd party provider will only be provided access to the systems and services necessary for them to complete their contracted duties. Any system or service account provided to an external support/3rd party provider will follow the principle of least privilege (PoLP), ensuring that the account only has the privileges necessary to perform the appointed tasks. The remote Individual is responsible for any action they take on systems and should always be aware of the wider implications of these actions. Actions with implications that would affect other Individuals should be raised with the IT Team and not taken without written consent.
Usage
All Internet usage from the school network is monitored and logged. Reporting on aggregate usage is undertaken regularly. When specific circumstances of abuse warrant it, they will be investigated and linked to the relevant user account. Such an investigation may result in action via the School’s Disciplinary Procedure and possibly a criminal investigation. Incidents involving incitement of terrorism, extremism, or radicalization are taken very seriously.
Internet Cookies, Tags, and Tracking
When a website is visited, mechanisms such as cookies, tags, or other trackers may be employed to enable the site owner to identify and monitor visitors. If a website sets unsuitable cookies, such a tracker could be a source of embarrassment to the visitor and the school, especially if inappropriate material had been accessed, downloaded, stored or forwarded from the website. Such actions may also, in certain circumstances, amount to a criminal offense if, for example, the material is pornographic in nature.
Individuals shall not use school devices or school systems or Internet connections to access any web page or download any image, document or other file from the internet which could be regarded as illegal, offensive, in bad taste, immoral or not suitable in the school environment. Even web content which is legal may be in sufficiently bad taste to fall within this prohibition. As a general rule, if any person might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this policy.
Individuals shall not use school devices, school systems or Internet connections to access or participate in any internet chat room, or to post messages on any internet message board, unless this is part of a validated educational program of work, even in their own time.
Data Incident & Breach Response
The reporting and handling of all reported/identified security events (i.e., possible security incidents or data breaches) are handled in accordance with our Data Incident and Breach Policy and Procedure.
Incident Management Process
The management of all incidents is defined within our Data Incident and Breach Policy and Procedure.
Business Continuity and Disaster Recovery
SSIS has a Crisis Plan which details the business continuity and disaster recovery plan.
Training and Awareness
Information security and protection training is mandatory, and all Individuals are required to complete regular training.
Information Security Risk Assessment
Information security risk assessments will be conducted if new or significantly modified IT systems are implemented and deemed to involve high-risk or confidential data, or are pervasive throughout the school. An assessment will be documented and include:
Consideration of potential risks or hazards associated with installing or using the system.
An evaluation of appropriate mitigation steps or controls to be used to reduce risk.
A record of any risks that are accepted without additional controls.
A formal review and approval of the findings, action items and intended next review date.
Data protection will also be considered, with an assessment of the risk to individuals’ personal data. This includes transfers of data to other jurisdictions, including the use of cloud technology, as well as an assessment of the categories of personal data processed and the categories of data subjects involved.
Non-Compliance
Any violation of this Policy may lead to appropriate disciplinary action, which will be consistent with the school's disciplinary procedure applicable to the relevant individuals or departments. A sanction will be issued based on the associated violations of the policy.