WSC Information Technology

Policy and Procedure Manual

Page 1 of 30
 Table of Contents
WSC Information Technology Policy and Procedure Manual..........................................................1
Introduction...................................................................................................................................... 3
Technology Hardware Purchasing Policy.........................................................................................4
Policy for Getting Software............................................................................................................... 6
Policy for Use of Software................................................................................................................ 7
Information Technology Security Policy, Procedures and Plan.........................................................9
Authentication Policy...................................................................................................................... 11
Information Technology Administration Policy................................................................................15
Website Policy................................................................................................................................ 16
Electronic Transactions Policy........................................................................................................18
IT Service Agreements Policy........................................................................................................20
Emergency Management of Information Technology.....................................................................22
WHS Policy.................................................................................................................................... 24
Site Clean Up Procedure................................................................................................................27

Page 2 of 30
Introduction
The WSC IT Policy and Procedure Manual provides the policies and procedures for selection
and use of IT within the business which must be followed by all staff. It also provides guidelines
WSC will use to administer these policies, with the correct procedure to follow.

WSC will keep all IT policies current and relevant. Therefore, from time to time it will be
necessary to modify and amend some sections of the policies and procedures, or to add new
procedures.

Any suggestions, recommendations or feedback on the policies and procedures specified in this
manual are welcome.

These policies and procedures apply to all employees.

Page 3 of 30
Technology Hardware Purchasing Policy
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for the purchase of hardware for the business to ensure that all
hardware technology for the business is appropriate, value for money and where applicable
integrates with other technology for the business. The objective of this policy is to ensure that
there is minimum diversity of hardware within the business.

Procedures
Purchase of Hardware

Purchasing desktop computer systems

The desktop computer systems purchased must run a Windows operating system and integrate
with existing hardware.

The desktop computer systems must be purchased as standard desktop system bundle and
must be Dell.

The desktop computer system bundle must include:

Desktop tower

Desktop screen of 24"

 Keyboard and mouse

 Windows 10

The minimum capacity of the desktop must be:

 3.40 GHz

 4.00 GB RAM

Any change from the above requirements must be authorised by the IT department.

All purchases of desktops must be compatible with the business’s server system.

Page 4 of 30
Purchasing server systems

Server systems can only be purchased by the IT department.

Server systems purchased must be compatible with all other computer hardware in the
business.

All purchases of server systems must be compatible with the business’s other server systems.

Any change from the above requirements must be authorised by the IT department.

Purchasing computer peripherals

Computer system peripherals include printers, scanners, external hard drives, mice, etc.

Computer peripherals can only be purchased where they are not included in any hardware
purchase or are considered to be an additional requirement to existing peripherals.

Computer peripherals purchased must be compatible with all other computer hardware and
software in the business.

The purchase of computer peripherals can only be authorised by the IT department.

All purchases of computer peripherals must be compatible with the business’s other hardware
and software systems.

Any change from the above requirements must be authorised by the IT department.

Page 5 of 30
Policy for Getting Software
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for the purchase of software for the business to ensure that all
software used by the business is appropriate, value for money and where applicable integrates
with other technology for the business. This policy applies to software obtained as part of
hardware bundle or pre-loaded software.

Procedures
Request for Software

All software, including open source and freeware, must be approved by the IT department prior
to the use or download of such software.

Purchase of software

The purchase of all software must adhere to this policy.

All purchased software must be purchased by the IT department.

All purchased software must be purchased from reputable software sellers.

All purchases of software must be compatible with the business’s server and/or hardware
system.

Any changes from the above requirements must be authorised by the IT department.

Obtaining open source or freeware software

Open source or freeware software can be obtained without payment and usually downloaded
directly from the internet.

In the event that open source or freeware software is required, approval from the IT department
must be obtained prior to the download or use of such software.

All open source or freeware must be compatible with the business’s hardware and software
systems.

Any change from the above requirements must be authorised by the IT department.

Page 6 of 30
Policy for Use of Software
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for the use of software for all employees within the business to
ensure that all software use is appropriate. Under this policy, the use of all open source and
freeware software will be conducted under the same procedures outlined for commercial
software.

Procedures
Software Licensing

All computer software copyrights and terms of all software licences will be followed by all
employees of the business.

Where licensing states limited usage (i.e. number of computers or users etc.), then it is the
responsibility of the IT department to ensure these terms are followed.

The IT department is responsible for completing a software audit of all hardware twice a year to
ensure that software copyrights and licence agreements are adhered to.

Software Installation

All software must be appropriately registered with the supplier where this is a requirement.

WSC is to be the registered owner of all software.

Only software obtained in accordance with the getting software policy is to be installed on the
business’s computers.

All software installation is to be carried out by the IT department.

A software upgrade shall not be installed on a computer that does not already have a copy of
the original version of the software loaded on it.

Software Usage

Only software purchased in accordance with the getting software policy is to be used within the
business.

Page 7 of 30
Prior to the use of any software, the employee must receive instructions on any licensing
agreements relating to the software, including any restrictions on use of the software.

All employees must receive training for all new software. This includes new employees to be
trained to use existing software appropriately. This will be the responsibility of the IT
department.

Employees are prohibited from bringing software from home and loading it onto the business’s
computer hardware.

Unless express approval from the IT department is obtained, software cannot be taken home
and loaded on an employees’ home computer.

Where an employee is required to use software at home, an evaluation of providing the

employee with a portable computer should be undertaken in the first instance. Where it is found
that software can be used on the employee’s home computer, authorisation from the IT
department is required to purchase separate software if licensing or copyright restrictions apply.
Where software is purchased in this circumstance, it remains the property of the business and
must be recorded on the software register by the IT department.

Unauthorised software is prohibited from being used in the business. This includes the use of
software owned by an employee and used within the business.

The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee
who makes, acquires, or uses unauthorised copies of software will be referred to WSC
management for disciplinary action. The illegal duplication of software or other copyrighted
works is not condoned within this business.

Breach of Policy

Where there is a breach of this policy by an employee, that employee will be referred to WSC
management for appropriate action.

Where an employee is aware of a breach of the use of software in accordance with this policy,
they are obliged to notify the IT department immediately. In the event that the breach is not
reported and it is determined that an employee failed to report the breach, then that employee
will be referred to WSC management for appropriate action.

Page 8 of 30
Information Technology Security Policy, Procedures
and Plan
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for the protection and use of information technology assets and
resources within the business to ensure integrity, confidentiality and availability of data and
assets.

Procedures
Physical Security

For all servers, mainframes and other network assets, the area must be secured with adequate
ventilation and appropriate access.

It will be the responsibility of the IT department to ensure that this requirement is followed at all
times. Any employee becoming aware of a breach to this security requirement is obliged to
notify the IT department immediately.

All security and safety of all portable technology, such as laptops and tablets will be the
responsibility of the employee who has been issued with the device. Each employee is required
to use passwords and to ensure the asset is kept safely at all times to protect the security of the
asset issued to them.

In the event of loss or damage, WSC management will assess the security measures
undertaken to determine if the employee will be required to reimburse the business for the loss
or damage.

Information Security

All sensitive, valuable, or critical business data is to be backed-up.

It is the responsibility of the IT department to ensure that data back-ups are conducted every 24
hours and the backed up data is kept at an offsite venue.

Page 9 of 30
All technology that has internet access must have anti-virus software installed. It is the
responsibility of the IT department to install all anti-virus software and ensure that this software
remains up to date on all technology used by the business.

All information used within the business is to adhere to the privacy laws and the business’s
confidentiality requirements. Any employee breaching this will be referred to WSC management
for appropriate action to be taken.

Technology Access

Every employee will be issued with a unique identification code to access the business
technology and will be required to set a password for access every 3 months.

Each password is to be at least 10 characters long and to contain a mix of upper and lower
case letters, numbers and special characters. The password is not to be shared with any
employee within the business.

The IT department is responsible for the issuing of the identification code and initial password
for all employees.

Where an employee forgets the password or is ‘locked out’ after three attempts, then the IT
department is authorised to reissue a new initial password that will be required to be changed
when the employee logs in using the new initial password.

Employees are not authorised to use business computers for personal use unless approval of
management is sought.

For internet and social media usage, refer to the Human Resources Manual.

Page 10 of 30
Authentication Policy
Policy Date: 15 March 2019

1. Overview

Authentication is any process by which you verify that someone is who they claim they are. This
usually involves a username and a password, but can include any other method of
demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. It is
common to use only a single factor for authentication, but where additional security is required
two factors may be used. These are typically ‘something you have’ e.g. a smartcard and
‘something you know’ e.g. a PIN number. Nothing in this document should be taken to override
the WSC Information Security Policy.

2. Purpose

The information which WSC manages must be appropriately secured in order to protect the
college and its members from the consequences of breaches of confidentiality, failures of
integrity or interruptions to the availability of that information. A key requirement for this is to
ensure that only authorised persons can access college information and services. In order to do
this we first need to reliably authenticate the person requiring access. It is also necessary to be
able to hold individuals to account for their actions when accessing college Information systems
and services, in order to do this we need to reliably know who the person is. As authentication
data, e.g. passwords, are a critical component of ensuring the security of our information, we
must make certain that it is managed and protected appropriately.

3. Scope

All staff, students and other users of WSC Information Systems or devices connected to WSC
networks must abide by this policy. There are many different types of device connected to the
WSC networks. This policy applies to all devices connected to the college networks or providing
access to them. Services hosted by third parties on behalf of WSC must also abide by this
policy.

4. Policy

a. General

Page 11 of 30
 i. A suitable method of authentication must be used by all users and systems accessing
WSC Information Systems or Networks. In most cases this will be a WSC issued username
and password.

ii. Unauthenticated access will be permitted only in exceptional circumstances (e.g. kiosks)
and such systems must be explicitly configured for such use.

iii. For general computing devices (e.g. PCs) appropriate accounting information must be
kept.

iv. Unused accounts must be disabled and default or blank passwords must be changed.

b. Passwords

i. Passwords must be kept secure; they should never be divulged to anyone not authorised
to know them.

ii. Passwords should be changed at regular intervals.

iii. Passwords must be protected in use; in particular they should not be passed over
unsecure networks in clear text.

iv. The user’s identity must be clearly established before a password is issued to a user.

v. Passwords should not be overused.

 WSC usernames and passwords should not be used with non WSC systems.

 Separate usernames and passwords should be used for trusted and untrusted systems.

vi. Passwords should be complex and obscure, such that they are not easily guessed by
people or computer systems.

vii. See Information Technology Security Policy, Procedures and Plan for further guidelines
about passwords.

c. Personal Passwords

i. Personal passwords should not be shared; only in exceptional circumstances will

passwords be issued to groups of users.

ii. Personal passwords must be kept secure; they should never be divulged to anyone, not
even support staff.

Page 12 of 30
d. Device passwords

i. All devices connected to WSC networks will have a person responsible for that device.

ii. ‘Built in’ or default user accounts should not be used if possible. These accounts should
be disabled and personal user accounts used to administer the device.

iii. Where inbuilt accounts must be used, only those with a need to know should have
access to the password.

iv. Passwords for devices must be held securely with access restricted to only those who
have access specifically authorised.

v. A record of who knows device passwords will be kept.

vi. Device passwords will be changed whenever anyone who knows them has authorisation
to access them withdrawn e.g. someone leaves.

e. Authentication Data Storage

i. There is a need to process Authentication Data to manage user accounts and to allow
Information Systems to be able to authenticate users. Typically Authentication Data is held
electronically in directories (e.g. MS Active Directory) or in databases.

ii. The systems holding Authentication Data should be hardened to enhance their security
and should not be used for any additional purpose that might compromise their security.

iii. All electronic copies of Authentication data must be encrypted.

iv. Authentication Data must be protected from Brute Force Attacks (e.g. password
guessing).

v. Access to Authentication Data should be restricted such that only the data necessary is
available to each member of staff. Particular care is required to restrict access to password
files.

vi. Where Authentication Data is available in plain text (e.g. print outs) staff should be aware
of its sensitivity, ensuring its protection and secure disposal.

f. Responsibilities

i. It is the responsibility of the ‘Responsible Person’ to ensure that devices are configured in
compliance with this policy.

Page 13 of 30
 ii. It is the responsibility of users to ensure they keep their password (and any other
credentials) secure.

iii. It is the responsibility of IT Services to provide guidelines and advice on implementing

this policy.

5. Auditing

Periodic audits will be undertaken to ensure this policy is adhered to. When available system
features should be used to ensure this policy is compiled with, e.g. enforcing minimum
password lengths.

6. Enforcement

Where possible, systems will be configured to automatically enforce this policy, e.g. require
minimum password lengths. The IT department has the authority to refuse to provide a network
service to or restrict the service provided to any device or user it believes has or will breach this
policy.

Page 14 of 30
Information Technology Administration Policy
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for the administration of information technology assets and
resources within the business.

Procedures
All software installed and the licence information must be registered on the software register. It
is the responsibility of the IT department to ensure that this register is maintained. The register
must record the following information:

 What software is installed on every machine

 What licence agreements are in place for each software package

 Renewal dates if applicable.

The IT department is responsible for the maintenance and management of all service
agreements for the business technology. Any service requirements must first be approved by
WSC management.

The IT department is responsible for maintaining adequate technology spare parts and other
requirements such as toners, printing paper etc.

A technology audit is to be conducted annually by the IT department to ensure that all

information technology policies are being adhered to.

Any unspecified technology administration requirements should be directed to the IT

department.

Page 15 of 30
Website Policy
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for the maintenance of all relevant technology issues related to
the business website.

Procedures
Website Register

The website register must record the following details:

• List of domain names registered to the business

• Dates of renewal for domain names

• List of hosting service providers

• Expiry dates of hosting

The keeping the register up to date will be the responsibility of the IT department.

The IT department will be responsible for any renewal of items listed in the register.

Website Content

All content on the business website is to be accurate, appropriate and current. This will be the
responsibility of the IT department and WSC management.

All content on the website must follow WSC plans, policies and procedures.

The content of the website is to be reviewed quarterly.

The following persons are authorised to make changes to the business website:

WSC CEO

IT department Manager

WSC Marketing Manager

Page 16 of 30
Basic branding guidelines must be followed on the website to ensure a consistent and cohesive
image for the business.

All data collected from the website is to adhere to the Privacy Act, 1988.

Page 17 of 30
Electronic Transactions Policy
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for all electronic transactions undertaken on behalf of the
business.

The objective of this policy is to ensure that use of electronic funds transfers and receipts are
started, carried out, and approved in a secure manner.

Procedures
Electronic Funds Transfer (EFT)

It is the policy of WSC that all payments and receipts should be made by EFT where
appropriate.

All EFT payments and receipts must adhere to all finance policies in the Financial policies and
procedures manual.

All EFT arrangements, including receipts and payments must be submitted to the accounting
department of the business.

EFT payments must have the appropriate authorisation for payment in line with the financial
transactions policy in the Financial policies and procedures manual.

EFT payments must be appropriately recorded in line with the finance policy in the Financial
policies and procedures manual.

EFT payments once authorised, will be entered into the WSC accounts documentation by the
accounts manager.

EFT payments can only be released for payment once pending payments have been authorised
by WSC CEO.

All EFT receipts must be reconciled to customer records once a week.

Where EFT receipt cannot be allocated to customer account, it is the responsibility of the
accounts department to investigate. In the event that the customer account cannot be identified

Page 18 of 30
within one month, the receipted funds must be allocated to the suspense account. The accounts
manager must authorise this transaction.

It is the responsibility of the accounts department to annually review EFT authorisations for
initial entry, alterations, or deletion of EFT records, including supplier payment records and
customer receipt records.

Electronic Purchases

All electronic purchases by any authorised employee must adhere to the purchasing policy in
the Financial policies and procedures manual.

Where an electronic purchase is being considered, the person authorising this transaction must
ensure that the internet sales site is secure and safe and be able to demonstrate that this has
been reviewed.

All electronic purchases must be undertaken using business credit cards only and therefore
adhere to the business credit card policy in the Financial policies and procedures manual.

Page 19 of 30
IT Service Agreements Policy
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for all IT service agreements entered into on behalf of the
business.

Procedures
The following IT service agreements can be entered into on behalf of the business:

 Provision of general IT services

 Provision of network hardware and software

 Repairs and maintenance of IT equipment

 Provision of business software

 Provision of mobile phones and relevant plans

 Website design, maintenance etc.

All IT service agreements must be reviewed by the designated WSC legal consultant before the
agreement is entered into. Once the agreement has been reviewed and recommendation for
execution received, then the agreement must be approved by WSC CEO.

All IT service agreements, obligations and renewals must be recorded in the relevant IT
department registers.

Where an IT service agreement renewal is required, in the event that the agreement is
substantially unchanged from the previous agreement, then this agreement renewal can be
authorised by the IT department.

Where an IT service agreement renewal is required, in the event that the agreement has
substantially changed from the previous agreement, it must be reviewed by the designated
WSC legal consultant before the renewal is entered into. Once the agreement has been
reviewed and recommendation for execution received, then the agreement must be approved
by WSC CEO.

Page 20 of 30
In the event that there is a dispute to the provision of IT services covered by an IT service
agreement, it must be referred to WSC CEO who will be responsible for the settlement of such
dispute.

Page 21 of 30
Emergency Management of Information Technology
Policy Date: 15 March 2019

Purpose of the Policy

This policy provides guidelines for emergency management of all information technology within
the business.

Procedures
IT Hardware Failure

Where there is failure of any of the business’s hardware, this must be referred to the IT
department immediately.

It is the responsibility of the IT department to implement emergency procedures in the event of

IT hardware failure.

It is the responsibility of the IT department to undertake tests on planned emergency

procedures quarterly to ensure that all planned emergency procedures are appropriate and
minimise disruption to business operations.

Point of Sale Disruptions

In the event that point of sale (POS) system is disrupted, the following actions must be
immediately undertaken:

 POS provider to be notified

 WSC accounts manager must be notified immediately

 All POS transactions to be taken using the manual machine located below the counter

 For all manual POS transactions, customer signatures must be verified

Virus or other security breach

In the event that the business’s information technology is compromised by software virus or any
other security breach, such breaches are to be reported to the IT department immediately.

Page 22 of 30
The IT department is responsible for ensuring that any security breach is dealt with within 24
hours to minimise disruption to business operations.

Website Disruption

In the event that the WSC website is disrupted, the following actions must be immediately
undertaken:

 Website host to be notified

 WSC IT manager must be notified immediately

Page 23 of 30
WHS Policy
Policy Date: 30 March 2019

Obligations
Management is firmly committed to a policy enabling all work activities to be carried out safely,
and with all possible measures taken to remove (or at least reduce) risks to the health, safety
and welfare of workers, contractors, authorised visitors, and anyone else who may be affected
by our operations.

We are committed to ensuring we comply with the Work Health and Safety Act 2012, the Work
Health and Safety Regulations 2012 and applicable Codes of Practice and Australian Standards
as far as possible.

Responsibilities
Management:

Will provide and maintain as far as possible:

 a safe working environment

 safe systems of work

 plant and substances in safe condition

 facilities for the welfare of workers

 information, instruction, training and supervision that is reasonably necessary to

ensure that each worker is safe from injury and risks to health

 a commitment to consult and co-operate with workers in all matters relating to health
and safety in the workplace

 a commitment to continually improve our performance through effective safety

management.

Workers:

Each worker has an obligation to:

Page 24 of 30
  comply with safe work practices, with the intent of avoiding injury to themselves and
others and damage to plant and equipment

 take reasonable care of the health and safety of themselves and others

 wear personal protective equipment and clothing where necessary

 comply with any direction given by management for health and safety

 not misuse or interfere with anything provided for health and safety

 report all accidents and incidents on the job immediately, no matter how trivial

 report all known or observed hazards to their supervisor or manager.

Application of this policy

We seek the co-operation of all workers, customers and other persons. We encourage
suggestions for realising our health and safety objectives to create a safe working environment
with a zero accident rate.

This policy applies to all business operations and functions, including those situations where
workers are required to work off-site.

Before any IT work is undertaken, an inspection must be undertaken and the checklist below must
be completed to identify and account for hazards.

Page 25 of 30
Page 26 of 30
Date checklist completed: / /
Date checklist to be reviewed (annually or when there is a change in electrical equipment or an
electrical incident): / /
Name(s) of person(s) who completed checklist: Initial:
Position title: Company:
Electrical switchboards and equipment
Are switchboards, electrical equipment in a safe condition? Yes No
Is portable electrical equipment protected by safety
switches? (This safety measure is mandatory for Yes No
construction work.)
Power points, light fittings and switches
Are all power points, light fittings and switches in a safe place and free of obvious defects? Yes No
Check if they are mounted securely, there are no loose covers or wires, broken or
damaged fittings, or signs of overheating. Yes No
Are main and isolating switches clearly labelled and accessible? Yes No
Power tools, flexible leads and power boards
Are power tools, extension leads and power boards maintained in a safe operating Yes No
condition?
Yes No
Check for damaged insulation, water leaks, burn marks, bent or loose pins and fittings.
Are extension leads and power boards located in a safe position to prevent mechanical or Yes No
other damage?
Inspection and maintenance of all electrical equipment
Are the electrical fittings and electrical equipment, including portable power tools, regularly
inspected and maintained? Yes No

Page 27 of 30
Page 28 of 30
Site Clean Up Procedure
Procedure Date: 30 March 2019

After completing an IT job, the following tasks must be undertaken to clean up and restore the
worksite:
 Remove any waste material
 Remove the unpacked server boxes and all other unnecessary boxes from sites.
 Clean up any dust
 Restore equipment to correct positions
 Tie up the cabling and organize them properly in the server room. (see image below)
 Label the cable and marked them, Update the infrastructure register for documentation.
(see image below)
 Delete all the temoprary folder during the processs of installtion and testing. (see
screenshot below)

Page 29 of 30
Page 30 of 30