ICT Systems policies and procedures
IT Systems Policies
1. Introduction
The IT systems policies are designed to achieve best value and to reduce risk. There are two key sites relevant to the Awarding Organisation function: the certification site and the community site. The certification site is the more significant of the two, as it is where awards are made and stored.
The following two strategies underpin these aims:
- Use of Linux based and open source systems
- Use of the cloud and outsourcing of data hosting, to reduce the risk associated with physical threats to buildings and to benefit from the economies of scale of web hosting.
2. Strategy
3. Security
All critical systems are patched regularly by the hosting companies, United Hosting and Arvixe. Internal systems are patched as soon as security updates are notified as being available. United Hosting hosts over 25,000 businesses and has a good reputation for reliability and security. TLM has its own dedicated server with United Hosting, and this is the location of the theingots.org domain containing the main data associated with the awarding function.
This leaves the password as the main remaining vulnerability. Password strength is metered and only strong passwords are accepted: a password must contain upper and lower case letters, numerals and other characters, and be of reasonable length. Users who choose an insufficiently strong password cannot set up an account. The most significant risk is user error, either leaving the system unattended while logged in or allowing others to discover the password. The risk assessment shows that this is almost certain to happen at some time and is by far the greatest security vulnerability. The following actions have been taken to limit the possible damage:
- Timed automatic log-out, so that a session ends if it is inactive for longer than a set period.
- Permissions that limit most users to editing a single account.
- Facilities for data recovery should an account be compromised.
- Education, through training and through aspects inherent in TLM qualifications.
Example scenarios
- If an intruder gets into the certification site and deletes records, they are not actually deleted but simply rendered invisible (a soft delete). The system manager can restore such damage very quickly.
- An intruder awarding grades to their own or someone else's account is likely to be noticed by the assessor. Date stamping of records enables us to determine when such an intervention took place.
- No awards can be made without authorisation by the Account Manager so while additional marks could be inserted it would not be possible to make an award.
- On the community site, a learner or assessor who leaves themselves logged in could have their pages deleted or altered. However, there is a versioning system: every new page revision is date stamped and the site can be reverted to earlier versions of pages. Should this be ineffective, backups are available from which to retrieve work. This is certainly a better situation than a candidate losing a paper-based file, which would have no backup and no possible way of being restored.
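As an added illustration (not TLM's own code, which the page does not show), the following Python sketch models the three protections the scenarios rely on: soft deletion with restore, a date-stamped audit trail per record, and an award step that refuses anyone who is not an Account Manager. The SQLite schema, table names and role names are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema for the example, not TLM's mark book: a mark is never removed,
# only flagged with deleted_at; every change appends a UTC-stamped audit row;
# an award row can only be written by the 'account_manager' role.
SCHEMA = """
CREATE TABLE marks (
    id INTEGER PRIMARY KEY,
    learner TEXT NOT NULL,
    criterion TEXT NOT NULL,
    grade TEXT NOT NULL,
    entered_by TEXT NOT NULL,
    deleted_at TEXT
);
CREATE TABLE awards (
    id INTEGER PRIMARY KEY,
    learner TEXT NOT NULL,
    authorised_by TEXT NOT NULL,
    created_at TEXT NOT NULL
);
CREATE TABLE audit (
    id INTEGER PRIMARY KEY,
    at TEXT NOT NULL,
    actor TEXT NOT NULL,
    action TEXT NOT NULL,
    mark_id INTEGER
);
"""


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def log(db, actor, action, mark_id=None):
    db.execute("INSERT INTO audit (at, actor, action, mark_id) VALUES (?, ?, ?, ?)",
               (utc_now(), actor, action, mark_id))


def enter_mark(db, actor, learner, criterion, grade):
    cur = db.execute(
        "INSERT INTO marks (learner, criterion, grade, entered_by) VALUES (?, ?, ?, ?)",
        (learner, criterion, grade, actor))
    log(db, actor, "enter_mark", cur.lastrowid)
    return cur.lastrowid


def delete_mark(db, actor, mark_id):
    # Soft delete: the row is kept and merely hidden from normal queries.
    db.execute("UPDATE marks SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
               (utc_now(), mark_id))
    log(db, actor, "delete_mark", mark_id)


def restore_mark(db, actor, mark_id):
    # What the system manager does after an intrusion: clear the flag, keep the history.
    db.execute("UPDATE marks SET deleted_at = NULL WHERE id = ?", (mark_id,))
    log(db, actor, "restore_mark", mark_id)


def visible_marks(db, learner):
    return db.execute(
        "SELECT criterion, grade FROM marks WHERE learner = ? AND deleted_at IS NULL ORDER BY id",
        (learner,)).fetchall()


def audit_trail(db, mark_id):
    """Who touched this record, what they did and when: this is what lets an
    assessor see that a grade was entered by someone else, and at what time."""
    return db.execute(
        "SELECT at, actor, action FROM audit WHERE mark_id = ? ORDER BY id",
        (mark_id,)).fetchall()


def make_award(db, actor, role, learner):
    # Inserting marks is not enough: only an Account Manager can turn them into an award.
    if role != "account_manager":
        log(db, actor, "award_refused")
        raise PermissionError("awards require Account Manager authorisation")
    cur = db.execute(
        "INSERT INTO awards (learner, authorised_by, created_at) VALUES (?, ?, ?)",
        (learner, actor, utc_now()))
    log(db, actor, "award")
    return cur.lastrowid


if __name__ == "__main__":
    db = open_db()
    m = enter_mark(db, "assessor_a", "learner_1", "Unit 1.1", "pass")
    delete_mark(db, "intruder", m)           # intruder "deletes" the record
    print(visible_marks(db, "learner_1"))    # [] : hidden, not gone
    restore_mark(db, "system_manager", m)
    print(visible_marks(db, "learner_1"))    # [('Unit 1.1', 'pass')]
    for row in audit_trail(db, m):
        print(row)
```

The point of keeping the audit table separate from the marks table is that the intruder's own delete is recorded under their account name with a timestamp, which is exactly what the assessor needs in order to notice the intervention and to decide how far back to look.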
Security testing
- Periodically we will test the security of the hosted systems with typical attacks, such as dictionary attacks against passwords.
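The password metering described in section 3 and the dictionary testing listed above can be exercised together. The Python below is an added example, not TLM's code: it checks a candidate password against the stated rules (the minimum length of 12 is our assumption; the page only says "reasonable"), stores passwords as salted PBKDF2 hashes, runs an offline dictionary attack against a stored hash using a constructed word list, and shows the account lockout that the same attack against the live login form should run into.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12  # assumption: the page says only "reasonable length"

# Constructed word list for the example; a real test would use a large public list.
WORDLIST = ["password", "summer", "letmein", "welcome", "qwerty"]


def password_problems(pw):
    """Return the policy rules the password breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no other character")
    return problems


def hash_password(pw, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is what makes offline guessing slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(pw, record):
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def mangle(word):
    """The cheap variations real dictionary tools try first."""
    return [word, word.capitalize(), word + "1", word + "!", word.capitalize() + "1!"]


def dictionary_attack(record, wordlist=WORDLIST):
    """Offline test against one stored hash: returns the recovered password or None."""
    for word in wordlist:
        for guess in mangle(word):
            if check_password(guess, record):
                return guess
    return None


class LoginThrottle:
    """Online defence: after max_failures wrong guesses an account is locked for
    lockout_seconds, so a dictionary attack through the login form stalls."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}
        self.locked_until = {}

    def attempt(self, account, pw, record, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if check_password(pw, record):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
        return "failed"


if __name__ == "__main__":
    # A legacy-style password the meter would now reject, and one it accepts.
    weak = hash_password("Summer1!", iterations=1_000)
    strong = hash_password("correct-Horse-battery-9", iterations=1_000)
    print(password_problems("Summer1!"))        # ['too short']
    print(dictionary_attack(weak))              # Summer1!
    print(dictionary_attack(strong))            # None
```

Two things this shows that the policy text does not: a password can pass the character-class rules and still fall to a five-word dictionary with trivial mangling, which is why length matters more than character mix; and the periodic dictionary test only proves something about accounts created before the meter was introduced, so it should be run against the stored hashes rather than the login form, where the throttle will hide the result.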
Service outage
- United Hosting servers have an average of 99.999% uptime, based on an independent review service (HyperSpin).
There is a weekly backup from United Hosting to Arvixe to further minimise the risk of data loss; a weekly cycle means that, in the worst case, up to a week of changes would have to be re-entered from the centres' own records. In any case, a short outage would be inconvenient rather than catastrophic, and the worst-case scenario of losing the United Hosting service entirely and permanently is to be back on line within 24 hours. None of TLM's qualifications is tied to a specific time point, so there are no key deadlines that, if missed by 24 hours, would lead a candidate to miss the opportunity to get the qualification. In terms of risk assessment, the fundamental risk to delivering a qualification is having a specific critical time at which the candidate has to participate, with no scope to find an alternative. An example would be a terminal examination at a specific date and time that could not be repeated. A key mitigation against such a risk is to adopt a more flexible style of assessment.
4. Choice of platforms
The IT platform most exposed to malware attacks is MS Windows. This is partly because it has the biggest user base, but also because of a past history of lax security in its design. For these reasons the company has adopted the Ubuntu GNU/Linux platform for all desktop use, except for one machine used for testing the web sites with Internet Explorer. The legacy Windows server is still used for the company accounts, but all other critical data is stored on hosted servers with web access. The accounts are backed up on tapes that are taken off site. The longer-term intention is to move entirely to web-hosted services, with web-based archives backed up across at least two independent service providers.
In summary, the formal policy is to move entirely to open systems delivered from hosted servers over the web. The economies of scale mean that outsourcing the infrastructure provision has a significant cost benefit. Control of development is, however, maintained in-house, with specific elements contracted out to low-risk suppliers with whom we have long-established relationships.
5. Maintenance
There are two aspects to maintenance: the fundamental infrastructure maintenance (provision of servers, server-side software and their upkeep) and the maintenance of TLM-specific systems such as the on-line mark book and the community site.
The on-line mark book is maintained and developed using a LAMP stack approach and the code is managed using darcs. The community site is maintained through a combination of administrators and users, since the whole point of the community is to encourage user-generated learning resources.
6. Monitoring
The Open Source principle that "given enough eyeballs, all bugs are shallow" is employed, with user feedback encouraged to enable improvements, fault finding and bug fixes. All TLM members monitor the use of systems, and improvements are discussed regularly, both informally and in formal evaluation reports. Monitoring of mailing lists and forums will alert technical support staff to any need to review the malware policy. Local systems are patched routinely in response to monitoring alerts for security updates. At present this, together with training in sound user practice, reduces the need for anti-virus and anti-spyware software on the Linux desktops; Windows systems are still required to run anti-malware software (see section 9).
Configuration and change management
7. The certification site
The certification site is managed using software applications provided by United Hosting. The code developed by TLM is managed through the darcs distributed revision control system. Any code change that will affect end users must be agreed with the Chief Assessor or Senior Account Manager before implementation. The password system built into the certification site means that weak user passwords are not allowed. The Technical Support Manager is responsible for the configuration and general technical management of the certification site, including security and ensuring that software is appropriately updated.
8. The community site
The community site is an optional resource made freely available to the community. It is not as critical as the certification site, but it does contain learner work (learners are advised to keep their own backups of important files). The software environment of the community site is Drupal. When a significant upgrade is to be performed, it will take place during the summer vacation period, when usage is lowest. The procedure is to check that the modules needed for current operation are available for the new version. If they are, a test site is created to trial migrating current data to the new version. The migrated data is then tested in the new environment over a two-week period, with TLM staff performing typical user operations, and any problems are rectified. Once the test period has ended, a meeting of all staff is held to confirm that the migration should go ahead. Any objections must be resolved before implementing the change.
Minor changes to the configuration of the community site, e.g. to the Primary Links menu, must be notified to the Chief Assessor before implementation. Changes to news items and general information can be made by the Office Administration team as appropriate.
9. Workstations and mobile technologies
The configuration of individual workstations and mobile devices is left to the individual but must, as a minimum, keep the default firewall settings enabled. Windows systems must be protected by up-to-date anti-malware software.
10. General information strategy
Some information needs to be kept secure; other information is intended to be spread widely. The strategy is to provide systems that treat information appropriately for its intended use and are not bound into proprietary and closed technologies. This is an inherent part of TLM qualifications development. A collection of policies addresses these issues, from Creative Commons Share-Alike licensing of much of the information on the community site, to secure private web pages for management meeting minutes, to the complete separation of the certification site from general use. TLM is registered with the Data Protection Registrar and provides information to educate users about safe and secure use of digital information. There is an inevitable balance to be struck between making information available to promote learning and sharing, and restricting information for privacy and safety. Achieving this balance is a significant feature of the overall information strategy.

In a world of global digital communications we are trying to move away from business practices based on file attachments, technologies designed for a time when digital information systems relied on replicating and moving information rather than holding it centrally and making it available to relevant parties on demand. This depends in part on the business processes of other people, since communicating information is bi-directional. It is in the interest of all who want to reduce the costs associated with the awarding process to maximise the use of internet-based technologies and move away from proprietary desktop applications. With HTML5 and beyond, a standards-compliant web browser can replace most expensive and cumbersome desktop office applications.
Procedures for dealing with technical issues
Technical issues fall into two categories:
- Urgent
- Important
Any issue that affects users' ability to log in and use the system should be treated as both urgent and important and reported in the first instance to the Director of Administration (DoA). The DoA will assess the situation and take such action as is necessary to resolve the issue as soon as possible. Progress should be made public by posting a message on the front page of the web site explaining the situation and the estimated time of resolution.
If notified by the DoA, the Technical Manager will make resolution of the problem the first priority and will draw on such support from other members of the team, or externally, as deemed appropriate.
Issues that are important but do not have an immediate effect on users are triaged by notifying the DoA, who will decide on the urgency of the issue and allocate time and expertise to it, determining its priority against other issues and the general business of the organisation.
Procedure for dealing with physical issues related to the building
Any defects or problems with the fabric of the building should be notified to the DoA as soon as they become apparent. The building should be kept secure, with external doors shut and requiring a key for entry. Any local data that is critical to the business will be backed up to tape, with copies taken off site and held in a secure place by a designated member of staff. This policy is to ensure the security of company assets. The DoA will decide on the urgency and importance of the issue and allocate the appropriate time and resources to it. Should the building become uninhabitable, a temporary base will be set up in a room next door. Should the internet connection be lost entirely, 3G cellular internet access from netbooks and laptops will keep work flowing, and telephone numbers will be diverted to mobile phones.
In any such case, where there is likely to be any prolonged degradation of the service provided, the DoA will inform Ofqual, DAS, Bathdata and post a notice on the web site front page for customers.
Disaster recovery policy
A disaster is a specific case of technical, human or physical failure that, if unaddressed, would halt or seriously impair the function of the business. The key risks are:
People
Incapacity of key personnel. No single person is so critical that the general business could not operate. However, if all personnel were incapacitated at the same time there would be a significant problem. Since there are no times when all are in the same place at the same time this is not very likely, but it is the most serious risk of cessation of the business. The only way to recover from such an extreme disaster would be to co-operate with another Awarding Organisation to maintain continuity. There is sufficient documentation to enable a professional to take over and manage the TLM business.
Destruction of the buildings
Destruction of the place of work would be traumatic and the greatest impact would most likely be the emotional effect on the people. In physical terms the business could be run in the short term from any location as all the critical information is on-line. The disaster recovery policy is to target all possible resources to maintaining continuity of service while alternative premises are acquired.
Loss of IT systems
Should there be a total loss of all IT systems and data (unlikely given the hosting and backup strategies), the policy is to contact all customers and explain the situation. The regulators would be informed, and proposals to accept data collected by the centres as a normal part of their business would be used to minimise the impact on learners and their certification. The data-recording structures can be restored from backups and repopulated where customers have their own data backups. It is impossible to gauge the extent to which evidence of attainment against the assessment criteria would be available, but the first priority is to protect learners from losing credit.
Disposal of assets and data security
Any computer hardware that has held sensitive or confidential data will be treated appropriately to make the data inaccessible to third parties. As a minimum, drives will be low-level formatted and filled with new random data before disposal. Where the hardware is to be scrapped, or where the data is judged to be critically confidential, the hard drives will be physically destroyed to make data retrieval impossible. Overwriting is the weaker of the two options: on flash media (SSDs, USB keys) wear levelling can leave copies of old blocks that an overwrite never reaches, so physical destruction is the appropriate choice for such media. To dispose of sensitive data assets held on-line, a file of the same size and name as the original, filled with random data, is uploaded to replace the file containing the sensitive data, thus destroying it on the live system. Backups are recycled every two weeks, so a copy of the data will persist in backups for up to two weeks after it is replaced. In general, sensitive data should not be stored or transferred on USB keys, CDs, discs or other removable media. A secure network connection and strong passwords are generally a more appropriate approach than copying data, as the policy is to keep copies of sensitive media to a minimum.
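The in-place overwrite described above, as an added example that is not part of the page: the Python function below replaces a file's contents with the same number of random bytes and forces them to disk, which is the same idea as uploading a same-size random file under the original name. The sample "sensitive" payload is constructed for the demonstration. The comments carry the caveat that matters in practice: on flash storage, on copy-on-write or journaling file systems, and on hosted storage with snapshots, the old blocks may survive the overwrite, which is why the policy escalates to physical destruction for critically confidential data.

```python
import os
import tempfile


def overwrite_with_random(path, passes=1, chunk_size=1 << 20):
    """Overwrite `path` in place with random bytes of exactly its current size
    and fsync the result. Returns the number of bytes written per pass.

    Caveat: this scrubs the logical file, not necessarily every physical copy.
    SSD wear levelling, journaling, copy-on-write snapshots and the hosting
    provider's own backups can all keep the old blocks, so for critically
    confidential data the policy is physical destruction instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                # Write in bounded chunks so a large file does not need the
                # whole random payload in memory at once.
                chunk = os.urandom(min(chunk_size, remaining))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    return size


def scrub_demo(secret=b"LEARNER: J Smith, DOB 01/01/2000\n" * 64):
    """Constructed example: write a known sensitive payload to a temp file,
    scrub it, and report (size before, size after, whether any of the payload
    survived)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        before = os.path.getsize(path)
        overwrite_with_random(path, passes=2)
        after = os.path.getsize(path)
        with open(path, "rb") as f:
            data = f.read()
        survived = secret[:32] in data
        return before, after, survived
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(scrub_demo())   # (2112, 2112, False)
```

Note that the size is deliberately preserved: a replacement that is shorter than the original would leave the tail of the old file's blocks allocated but unreferenced, which is exactly the kind of residue a forensic tool looks for.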
Audit and review
Systems will be under constant scrutiny and review with evidence gathered from customers and the community as well as staff. The great majority of staff are IT literate at graduate level or above. Nevertheless systems and methods are discussed with independent external colleagues to ensure that good and affordable practice is in place. A formal independent audit will be invoked if there is evidence of need.
