Information Technology, Cybersecurity and Acceptable Use Policy
Policy Code: VTHT/IT/POL/06
Version: 1.0
No. 60, Avadi–Vel Tech Road, Avadi, Chennai – 600 062

DOCUMENT CONTROL AND INDEX

Policy Title: Information Technology, Cybersecurity and Acceptable Use Policy
Policy Code: VTHT/IT/POL/06
Policy Owner: IT Services / Systems Administration
Version: 1.0
Effective Date: Effective after approval by the competent authority
Review Cycle: Once in three years or earlier, whenever required
Approving Authority: Governing Council / Management / Competent Statutory Body, as applicable

TABLE OF CONTENTS

  1. Cover Page
  2. Document Control and Index
  3. Introduction, Purpose and Scope
  4. Objectives
  5. Guiding Principles and Policy Commitment
  6. Policy Provisions
  7. Roles and Responsibilities
  8. Implementation Procedure
  9. Records, Monitoring, Confidentiality and Non-Compliance
  10. Review, References and Approval

INTRODUCTION, PURPOSE AND SCOPE

1. INTRODUCTION

Vel Tech High Tech Dr. Rangarajan Dr. Sakunthala Engineering College recognises that it is essential to institutional quality, accountability and stakeholder confidence. This policy establishes a structured framework to ensure secure, reliable, lawful and productive use of institutional information systems, networks, devices, applications, data and digital identities.

2. PURPOSE

To ensure secure, reliable, lawful and productive use of institutional information systems, networks, devices, applications, data and digital identities.

3. SCOPE

All users, devices, networks, servers, cloud services, websites, software, email accounts, LMS/ERP systems and institutional data.

4. OBJECTIVES

  • Protect confidentiality, integrity and availability of information.
  • Define acceptable use and user responsibilities.
  • Reduce cyber, privacy, operational and legal risks.
  • Ensure backup, recovery and continuity of critical systems.
  • Support secure digital teaching, administration and communication.

POLICY FRAMEWORK

5. GUIDING PRINCIPLES

  1. Access shall be based on role, least privilege and need-to-know.
  2. Institutional credentials are personal and shall not be shared.
  3. Only licensed, approved and maintained software/services may be used for institutional work.
  4. Security events shall be reported immediately without concealment.
  5. Monitoring shall be proportionate, authorized and used for security, compliance and service reliability.

6. GENERAL POLICY COMMITMENT

The Institution shall implement this policy through approved roles, adequate resources, documented procedures, transparent communication and measurable review. Decisions and exceptions shall be recorded and authorized by the competent authority.

Interpretation: This policy shall be read with applicable laws, statutory regulations, autonomous academic regulations, service rules and approved institutional procedures. Where a conflict arises, the higher legal or statutory requirement shall prevail.

POLICY PROVISIONS

7.1 IMPLEMENTATION REQUIREMENTS

  1. Every user shall use strong authentication and protect passwords, OTPs and recovery information.
  2. Administrative access shall be restricted, logged and reviewed.
  3. Sensitive data shall be stored only in approved systems and transmitted through secure channels.
  4. Institutional devices shall receive security updates, anti-malware controls and configuration management.
  5. Unauthorized scanning, hacking, bypassing controls, illegal downloading, harassment and misuse of resources are prohibited.

7.2 IMPLEMENTATION REQUIREMENTS

  1. Email and messaging shall be used professionally; suspicious links, attachments and payment requests shall be verified.
  2. Critical systems shall have documented backup, restoration testing and disaster-recovery arrangements.
  3. Third-party software, cloud services and vendors shall undergo risk and approval checks before use.
  4. User access shall be created, modified and disabled promptly based on joining, role change and exit.
  5. Cyber incidents shall be contained, investigated, documented and reported to competent authorities where required.

8. ROLES AND RESPONSIBILITIES

  • Management approves risk appetite and resources for critical systems.
  • IT Services administers controls, backups, monitoring, incident response and user support.
  • System/data owners approve access and ensure data quality and retention.
  • Users follow acceptable-use rules and report incidents promptly.
  • Vendors comply with contractual security, confidentiality and access conditions.

9. IMPLEMENTATION PROCEDURE

  1. Submit approved access/service request.
  2. Verify identity, role and authorization.
  3. Provision access with appropriate controls.
  4. Monitor logs, vulnerabilities, backups and service health.
  5. Report and manage incidents through the escalation matrix.
  6. Review access and retire systems/data at end of life.

Escalation: Delays, control failures, safety concerns, suspected misconduct or non-compliance shall be escalated through the designated reporting hierarchy without suppressing or altering records.

RECORDS AND COMPLIANCE

10. RECORDS AND EVIDENCE

  • Asset and software inventory
  • User access approvals and review logs
  • Backup and restoration records
  • Security incident register
  • Vendor, license and system-change records

11. MONITORING INDICATORS

  • System uptime and backup success
  • Patch/vulnerability closure time
  • Incident response and recovery time
  • Access review completion
  • User security-awareness completion

12. CONFIDENTIALITY, RETENTION AND ACCESS

Records shall be accurate, retrievable and protected against unauthorized alteration, disclosure or destruction. Access shall be role-based and limited to legitimate institutional need. Retention and disposal shall follow the approved schedule and applicable requirements.

13. NON-COMPLIANCE

Non-compliance may result in corrective action, withdrawal of access or benefit, recovery of loss, disciplinary action, referral to a statutory body or other proportionate action after due process.

REVIEW AND APPROVAL

14. REVIEW AND AMENDMENT

The policy owner shall review this document at the stated cycle or earlier due to changes in law, regulation, institutional structure, technology, risk, audit findings or stakeholder requirements. Amendments shall take effect only after approval and version control.

15. REFERENCES

  • Applicable information technology, cyber-security, privacy and data-protection requirements
  • Approved institutional data-retention and e-governance procedures

16. APPROVAL AND SIGNATURES

Prepared / Coordinated by
Name & Signature
Date:

Reviewed by
Name & Signature
Date:

Approved by
Name & Signature
Date: