Professional Documents
Culture Documents
WSC IT Policies and Procedures
WSC IT Policies and Procedures
Page 1 of 30
Table of Contents
WSC Information Technology Policy and Procedure Manual..........................................................1
Introduction...................................................................................................................................... 3
Technology Hardware Purchasing Policy.........................................................................................4
Policy for Getting Software............................................................................................................... 6
Policy for Use of Software................................................................................................................ 7
Information Technology Security Policy, Procedures and Plan.........................................................9
Authentication Policy...................................................................................................................... 11
Information Technology Administration Policy................................................................................15
Website Policy................................................................................................................................ 16
Electronic Transactions Policy........................................................................................................18
IT Service Agreements Policy........................................................................................................20
Emergency Management of Information Technology.....................................................................22
WHS Policy.................................................................................................................................... 24
Site Clean Up Procedure................................................................................................................27
Page 2 of 30
Introduction
The WSC IT Policy and Procedure Manual provides the policies and procedures for selection
and use of IT within the business which must be followed by all staff. It also provides guidelines
WSC will use to administer these policies, with the correct procedure to follow.
WSC will keep all IT policies current and relevant. Therefore, from time to time it will be
necessary to modify and amend some sections of the policies and procedures, or to add new
procedures.
Any suggestions, recommendations or feedback on the policies and procedures specified in this
manual are welcome.
Page 3 of 30
Technology Hardware Purchasing Policy
Policy Date: 15 March 2019
Procedures
Purchase of Hardware
The desktop computer systems purchased must run a Windows operating system and integrate
with existing hardware.
The desktop computer systems must be purchased as standard desktop system bundle and
must be Dell.
Desktop tower
Windows 10
3.40 GHz
4.00 GB RAM
Any change from the above requirements must be authorised by the IT department.
All purchases of desktops must be compatible with the business’s server system.
Page 4 of 30
Purchasing server systems
Server systems purchased must be compatible with all other computer hardware in the
business.
All purchases of server systems must be compatible with the business’s other server systems.
Any change from the above requirements must be authorised by the IT department.
Computer system peripherals include printers, scanners, external hard drives, mice, etc.
Computer peripherals can only be purchased where they are not included in any hardware
purchase or are considered to be an additional requirement to existing peripherals.
Computer peripherals purchased must be compatible with all other computer hardware and
software in the business.
All purchases of computer peripherals must be compatible with the business’s other hardware
and software systems.
Any change from the above requirements must be authorised by the IT department.
Page 5 of 30
Policy for Getting Software
Policy Date: 15 March 2019
Procedures
Request for Software
All software, including open source and freeware, must be approved by the IT department prior
to the use or download of such software.
Purchase of software
All purchases of software must be compatible with the business’s server and/or hardware
system.
Any changes from the above requirements must be authorised by the IT department.
Open source or freeware software can be obtained without payment and usually downloaded
directly from the internet.
In the event that open source or freeware software is required, approval from the IT department
must be obtained prior to the download or use of such software.
All open source or freeware must be compatible with the business’s hardware and software
systems.
Any change from the above requirements must be authorised by the IT department.
Page 6 of 30
Policy for Use of Software
Policy Date: 15 March 2019
Procedures
Software Licensing
All computer software copyrights and terms of all software licences will be followed by all
employees of the business.
Where licensing states limited usage (i.e. number of computers or users etc.), then it is the
responsibility of the IT department to ensure these terms are followed.
The IT department is responsible for completing a software audit of all hardware twice a year to
ensure that software copyrights and licence agreements are adhered to.
Software Installation
All software must be appropriately registered with the supplier where this is a requirement.
Only software obtained in accordance with the getting software policy is to be installed on the
business’s computers.
A software upgrade shall not be installed on a computer that does not already have a copy of
the original version of the software loaded on it.
Software Usage
Only software purchased in accordance with the getting software policy is to be used within the
business.
Page 7 of 30
Prior to the use of any software, the employee must receive instructions on any licensing
agreements relating to the software, including any restrictions on use of the software.
All employees must receive training for all new software. This includes new employees to be
trained to use existing software appropriately. This will be the responsibility of the IT
department.
Employees are prohibited from bringing software from home and loading it onto the business’s
computer hardware.
Unless express approval from the IT department is obtained, software cannot be taken home
and loaded on an employees’ home computer.
Unauthorised software is prohibited from being used in the business. This includes the use of
software owned by an employee and used within the business.
The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee
who makes, acquires, or uses unauthorised copies of software will be referred to WSC
management for disciplinary action. The illegal duplication of software or other copyrighted
works is not condoned within this business.
Breach of Policy
Where there is a breach of this policy by an employee, that employee will be referred to WSC
management for appropriate action.
Where an employee is aware of a breach of the use of software in accordance with this policy,
they are obliged to notify the IT department immediately. In the event that the breach is not
reported and it is determined that an employee failed to report the breach, then that employee
will be referred to WSC management for appropriate action.
Page 8 of 30
Information Technology Security Policy, Procedures
and Plan
Policy Date: 15 March 2019
Procedures
Physical Security
For all servers, mainframes and other network assets, the area must be secured with adequate
ventilation and appropriate access.
It will be the responsibility of the IT department to ensure that this requirement is followed at all
times. Any employee becoming aware of a breach to this security requirement is obliged to
notify the IT department immediately.
All security and safety of all portable technology, such as laptops and tablets will be the
responsibility of the employee who has been issued with the device. Each employee is required
to use passwords and to ensure the asset is kept safely at all times to protect the security of the
asset issued to them.
In the event of loss or damage, WSC management will assess the security measures
undertaken to determine if the employee will be required to reimburse the business for the loss
or damage.
Information Security
It is the responsibility of the IT department to ensure that data back-ups are conducted every 24
hours and the backed up data is kept at an offsite venue.
Page 9 of 30
All technology that has internet access must have anti-virus software installed. It is the
responsibility of the IT department to install all anti-virus software and ensure that this software
remains up to date on all technology used by the business.
All information used within the business is to adhere to the privacy laws and the business’s
confidentiality requirements. Any employee breaching this will be referred to WSC management
for appropriate action to be taken.
Technology Access
Every employee will be issued with a unique identification code to access the business
technology and will be required to set a password for access every 3 months.
Each password is to be at least 10 characters long and to contain a mix of upper and lower
case letters, numbers and special characters. The password is not to be shared with any
employee within the business.
The IT department is responsible for the issuing of the identification code and initial password
for all employees.
Where an employee forgets the password or is ‘locked out’ after three attempts, then the IT
department is authorised to reissue a new initial password that will be required to be changed
when the employee logs in using the new initial password.
Employees are not authorised to use business computers for personal use unless approval of
management is sought.
For internet and social media usage, refer to the Human Resources Manual.
Page 10 of 30
Authentication Policy
Policy Date: 15 March 2019
1. Overview
Authentication is any process by which you verify that someone is who they claim they are. This
usually involves a username and a password, but can include any other method of
demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. It is
common to use only a single factor for authentication, but where additional security is required
two factors may be used. These are typically ‘something you have’ e.g. a smartcard and
‘something you know’ e.g. a PIN number. Nothing in this document should be taken to override
the WSC Information Security Policy.
2. Purpose
The information which WSC manages must be appropriately secured in order to protect the
college and its members from the consequences of breaches of confidentiality, failures of
integrity or interruptions to the availability of that information. A key requirement for this is to
ensure that only authorised persons can access college information and services. In order to do
this we first need to reliably authenticate the person requiring access. It is also necessary to be
able to hold individuals to account for their actions when accessing college Information systems
and services, in order to do this we need to reliably know who the person is. As authentication
data, e.g. passwords, are a critical component of ensuring the security of our information, we
must make certain that it is managed and protected appropriately.
3. Scope
All staff, students and other users of WSC Information Systems or devices connected to WSC
networks must abide by this policy. There are many different types of device connected to the
WSC networks. This policy applies to all devices connected to the college networks or providing
access to them. Services hosted by third parties on behalf of WSC must also abide by this
policy.
4. Policy
a. General
Page 11 of 30
i. A suitable method of authentication must be used by all users and systems accessing
WSC Information Systems or Networks. In most cases this will be a WSC issued username
and password.
ii. Unauthenticated access will be permitted only in exceptional circumstances (e.g. kiosks)
and such systems must be explicitly configured for such use.
iii. For general computing devices (e.g. PCs) appropriate accounting information must be
kept.
iv. Unused accounts must be disabled and default or blank passwords must be changed.
b. Passwords
i. Passwords must be kept secure; they should never be divulged to anyone not authorised
to know them.
iii. Passwords must be protected in use; in particular they should not be passed over
unsecure networks in clear text.
iv. The user’s identity must be clearly established before a password is issued to a user.
WSC usernames and passwords should not be used with non WSC systems.
Separate usernames and passwords should be used for trusted and untrusted systems.
vi. Passwords should be complex and obscure, such that they are not easily guessed by
people or computer systems.
vii. See Information Technology Security Policy, Procedures and Plan for further guidelines
about passwords.
c. Personal Passwords
ii. Personal passwords must be kept secure; they should never be divulged to anyone, not
even support staff.
Page 12 of 30
d. Device passwords
i. All devices connected to WSC networks will have a person responsible for that device.
ii. ‘Built in’ or default user accounts should not be used if possible. These accounts should
be disabled and personal user accounts used to administer the device.
iii. Where inbuilt accounts must be used, only those with a need to know should have
access to the password.
iv. Passwords for devices must be held securely with access restricted to only those who
have access specifically authorised.
vi. Device passwords will be changed whenever anyone who knows them has authorisation
to access them withdrawn e.g. someone leaves.
i. There is a need to process Authentication Data to manage user accounts and to allow
Information Systems to be able to authenticate users. Typically Authentication Data is held
electronically in directories (e.g. MS Active Directory) or in databases.
ii. The systems holding Authentication Data should be hardened to enhance their security
and should not be used for any additional purpose that might compromise their security.
iv. Authentication Data must be protected from Brute Force Attacks (e.g. password
guessing).
v. Access to Authentication Data should be restricted such that only the data necessary is
available to each member of staff. Particular care is required to restrict access to password
files.
vi. Where Authentication Data is available in plain text (e.g. print outs) staff should be aware
of its sensitivity, ensuring its protection and secure disposal.
f. Responsibilities
i. It is the responsibility of the ‘Responsible Person’ to ensure that devices are configured in
compliance with this policy.
Page 13 of 30
ii. It is the responsibility of users to ensure they keep their password (and any other
credentials) secure.
5. Auditing
Periodic audits will be undertaken to ensure this policy is adhered to. When available system
features should be used to ensure this policy is compiled with, e.g. enforcing minimum
password lengths.
6. Enforcement
Where possible, systems will be configured to automatically enforce this policy, e.g. require
minimum password lengths. The IT department has the authority to refuse to provide a network
service to or restrict the service provided to any device or user it believes has or will breach this
policy.
Page 14 of 30
Information Technology Administration Policy
Policy Date: 15 March 2019
Procedures
All software installed and the licence information must be registered on the software register. It
is the responsibility of the IT department to ensure that this register is maintained. The register
must record the following information:
The IT department is responsible for the maintenance and management of all service
agreements for the business technology. Any service requirements must first be approved by
WSC management.
The IT department is responsible for maintaining adequate technology spare parts and other
requirements such as toners, printing paper etc.
Page 15 of 30
Website Policy
Policy Date: 15 March 2019
Procedures
Website Register
The keeping the register up to date will be the responsibility of the IT department.
The IT department will be responsible for any renewal of items listed in the register.
Website Content
All content on the business website is to be accurate, appropriate and current. This will be the
responsibility of the IT department and WSC management.
All content on the website must follow WSC plans, policies and procedures.
The following persons are authorised to make changes to the business website:
WSC CEO
IT department Manager
Page 16 of 30
Basic branding guidelines must be followed on the website to ensure a consistent and cohesive
image for the business.
All data collected from the website is to adhere to the Privacy Act, 1988.
Page 17 of 30
Electronic Transactions Policy
Policy Date: 15 March 2019
The objective of this policy is to ensure that use of electronic funds transfers and receipts are
started, carried out, and approved in a secure manner.
Procedures
Electronic Funds Transfer (EFT)
It is the policy of WSC that all payments and receipts should be made by EFT where
appropriate.
All EFT payments and receipts must adhere to all finance policies in the Financial policies and
procedures manual.
All EFT arrangements, including receipts and payments must be submitted to the accounting
department of the business.
EFT payments must have the appropriate authorisation for payment in line with the financial
transactions policy in the Financial policies and procedures manual.
EFT payments must be appropriately recorded in line with the finance policy in the Financial
policies and procedures manual.
EFT payments once authorised, will be entered into the WSC accounts documentation by the
accounts manager.
EFT payments can only be released for payment once pending payments have been authorised
by WSC CEO.
Where EFT receipt cannot be allocated to customer account, it is the responsibility of the
accounts department to investigate. In the event that the customer account cannot be identified
Page 18 of 30
within one month, the receipted funds must be allocated to the suspense account. The accounts
manager must authorise this transaction.
It is the responsibility of the accounts department to annually review EFT authorisations for
initial entry, alterations, or deletion of EFT records, including supplier payment records and
customer receipt records.
Electronic Purchases
All electronic purchases by any authorised employee must adhere to the purchasing policy in
the Financial policies and procedures manual.
Where an electronic purchase is being considered, the person authorising this transaction must
ensure that the internet sales site is secure and safe and be able to demonstrate that this has
been reviewed.
All electronic purchases must be undertaken using business credit cards only and therefore
adhere to the business credit card policy in the Financial policies and procedures manual.
Page 19 of 30
IT Service Agreements Policy
Policy Date: 15 March 2019
Procedures
The following IT service agreements can be entered into on behalf of the business:
All IT service agreements must be reviewed by the designated WSC legal consultant before the
agreement is entered into. Once the agreement has been reviewed and recommendation for
execution received, then the agreement must be approved by WSC CEO.
All IT service agreements, obligations and renewals must be recorded in the relevant IT
department registers.
Where an IT service agreement renewal is required, in the event that the agreement is
substantially unchanged from the previous agreement, then this agreement renewal can be
authorised by the IT department.
Where an IT service agreement renewal is required, in the event that the agreement has
substantially changed from the previous agreement, it must be reviewed by the designated
WSC legal consultant before the renewal is entered into. Once the agreement has been
reviewed and recommendation for execution received, then the agreement must be approved
by WSC CEO.
Page 20 of 30
In the event that there is a dispute to the provision of IT services covered by an IT service
agreement, it must be referred to WSC CEO who will be responsible for the settlement of such
dispute.
Page 21 of 30
Emergency Management of Information Technology
Policy Date: 15 March 2019
Procedures
IT Hardware Failure
Where there is failure of any of the business’s hardware, this must be referred to the IT
department immediately.
In the event that point of sale (POS) system is disrupted, the following actions must be
immediately undertaken:
All POS transactions to be taken using the manual machine located below the counter
In the event that the business’s information technology is compromised by software virus or any
other security breach, such breaches are to be reported to the IT department immediately.
Page 22 of 30
The IT department is responsible for ensuring that any security breach is dealt with within 24
hours to minimise disruption to business operations.
Website Disruption
In the event that the WSC website is disrupted, the following actions must be immediately
undertaken:
Page 23 of 30
WHS Policy
Policy Date: 30 March 2019
Obligations
Management is firmly committed to a policy enabling all work activities to be carried out safely,
and with all possible measures taken to remove (or at least reduce) risks to the health, safety
and welfare of workers, contractors, authorised visitors, and anyone else who may be affected
by our operations.
We are committed to ensuring we comply with the Work Health and Safety Act 2012, the Work
Health and Safety Regulations 2012 and applicable Codes of Practice and Australian Standards
as far as possible.
Responsibilities
Management:
a commitment to consult and co-operate with workers in all matters relating to health
and safety in the workplace
Workers:
Page 24 of 30
comply with safe work practices, with the intent of avoiding injury to themselves and
others and damage to plant and equipment
take reasonable care of the health and safety of themselves and others
comply with any direction given by management for health and safety
not misuse or interfere with anything provided for health and safety
report all accidents and incidents on the job immediately, no matter how trivial
This policy applies to all business operations and functions, including those situations where
workers are required to work off-site.
Before any IT work is undertaken, an inspection must be undertaken and the checklist below must
be completed to identify and account for hazards.
Page 25 of 30
Page 26 of 30
Date checklist completed: / /
Date checklist to be reviewed (annually or when there is a change in electrical equipment or an
electrical incident): / /
Name(s) of person(s) who completed checklist: Initial:
Position title: Company:
Electrical switchboards and equipment
Are switchboards, electrical equipment in a safe condition? Yes No
Is portable electrical equipment protected by safety
switches? (This safety measure is mandatory for Yes No
construction work.)
Power points, light fittings and switches
Are all power points, light fittings and switches in a safe place and free of obvious defects? Yes No
Check if they are mounted securely, there are no loose covers or wires, broken or
damaged fittings, or signs of overheating. Yes No
Are main and isolating switches clearly labelled and accessible? Yes No
Power tools, flexible leads and power boards
Are power tools, extension leads and power boards maintained in a safe operating Yes No
condition?
Yes No
Check for damaged insulation, water leaks, burn marks, bent or loose pins and fittings.
Are extension leads and power boards located in a safe position to prevent mechanical or Yes No
other damage?
Inspection and maintenance of all electrical equipment
Are the electrical fittings and electrical equipment, including portable power tools, regularly
inspected and maintained? Yes No
Page 27 of 30
Page 28 of 30
Site Clean Up Procedure
Procedure Date: 30 March 2019
After completing an IT job, the following tasks must be undertaken to clean up and restore the
worksite:
Remove any waste material
Remove the unpacked server boxes and all other unnecessary boxes from sites.
Clean up any dust
Restore equipment to correct positions
Tie up the cabling and organize them properly in the server room. (see image below)
Label the cable and marked them, Update the infrastructure register for documentation.
(see image below)
Delete all the temoprary folder during the processs of installtion and testing. (see
screenshot below)
Page 29 of 30
Page 30 of 30