Information Technology and Governance Committee

Transcription

1 Information Technology and Governance Committee Paper Title: Enhancing Information Governance at Loughborough University Author: Information Governance Sub-Committee 1. Specific Decision Required by Committee ITGC is asked to note: The overall progress made in the three key strands of activity that have been identified as priority areas following work previously undertaken by the Sub- Committee. And comment on: Progress made to date on specific draft policies (Appendix 1 and Appendix 2). These policies are not yet complete and further work is required to ensure that they meet the requirements of the revised framework previously approved by ITGC. 2. Relevance to University Strategy Contributes to Para 4.1 of the strategic implementation plan: Ensure that our governance and infrastructure are: - efficient - able to support change effectively - able to support collaborative initiatives - valued by staff and students Also contributes to risk management and effective legal compliance. 3. Executive Summary This paper presents an update on recent work undertaken to improve the University s approach to Information Governance and security. An action plan has been developed to address gaps in policy, training and procedures in the area of information governance in order to reduce risk, provide reassurance to partners, individuals and Council that data is held and used appropriately and securely and that the institution is compliant with relevant legislation and good practice. 4. Essential Background Information ITGC15-P19 5. Risks, Risk Mitigation and Governance/ Accountability 6. Implications for other activities This is a potential area of major risk for the institution. A recent incident involving personal data highlighted some of the issues. The CUC governance code expects the governing body to manage risk and ensure legal compliance across the institutions activities. The implementation of the wider Information Governance action plan will require input from various key stakeholders from across the campus and commitment from the majority of staff. If approved, mandatory training will need to be incorporated into the staff probationary period and staff development portfolio. 7. Resource and Cost 16k for initial training package for staff and research students over three years. Page 1 of 12

2 8. Alternative Options considered 9. Other Groups/Individuals consulted. 10. Future Actions, Timescales & Frequency of Review by this Committee. Other resource implications may emerge as work proceeds. ITGC15-P27 Do nothing significant risk and potential that some research partners would refuse to work with us. A wide range of professional staff representing all of the key services within the University have been involved in this work to date. Greater academic staff input will be sought in the next stages of the action plan. Further information provided with the main body of the paper. 11. Success Criteria (KPIs) No negative information related incidents, increased speed of handling of Data Protection and Freedom of Information requests. Straightforward responses to requirements of research funders and partners. 12. University Executive comment (required for Council papers only) Page 2 of 12

3 1. Background ITGC15-P27 Following initial work undertaken by the Information Governance Sub-Committee and IT and Governance Committee, an overarching policy for Information Governance was approved by Senate and Council in March The following three strands of core activity have been identified as priority areas for action to enabling the University to identify and address gaps in policy, training and procedures in the area of information governance. (a) (b) (c) Plan and deliver effective staff communications and training. Develop and implement a comprehensive set of Information Governance and Security subpolicies. Conduct an initial University-wide Data Review, to be undertaken via self-assessment, by each of the Schools and Professional Services. Work has commenced in each of these areas and progress has been detailed below. 2. All-Staff and Research Student Training Embedded within the high level Information Governance Policy is a commitment to delivering compulsory training to all staff and research students. Following a review of materials available, two online training packages were considered in detail and a proposed option proposed to Operations Committee. Approval has now been given to purchase the module provided by LEO Learning Ltd at a total cost of around 16,000 for a three year licence covering 4,000 users. Following successful procurement of the training module (currently in process), an IT development project will be undertaken to enable a) the module to be incorporated into the LEARN environment and b) for completion data to be imported into itrent to allow for accurate monitoring and reporting on engagement by staff. It is anticipated that this work will be completed to enable launch of the training in the autumn term The training module will be mandatory for all-staff and probationary sign off for new staff will be subject to it being completed. Further work will now be undertaken with Human Resources and Staff Development to agree how this will be implemented. An effective communications strategy will also be agreed to ensure that staff are aware of the importance of completing the module and the context within which they are being required to undertake it. Arrangements are being discussed to incorporate the training into the Graduate School programme for research students. 3. Information Governance and Security Sub Policies: Following approval of the revised policy framework by ITGC (ITGC15-P19), further work has been undertaken on a number of the draft Sub Policies. The main focus of this work is to ensure that the policies are; Policies must have a clear audience and be accessible to that audience. Page 3 of 12

4 Roles and responsibilities identified within policies should be explicit (as far as possible by naming job roles, and/or making reference to whether the School/Professional Service or IT Services are responsible) Policies should be as short as is consistent with being fit for purpose. New policies should incorporate/supercede all existing information related policies and ensure proper cross referencing/updating to other policies (e.g. HR policies) to avoid duplication and inconsistency and minimise the updating burden. In the less technical policies (i.e. the ones not specifically about IT), the wording must be inclusive and/or address all formats in which information might be held (e.g. electronic or hardcopy) Policies should address both corporate systems (managed by IT Services) and local systems throughout (mainly or wholly managed by Schools and Professional Services), as determined by the outcomes of the upcoming Data Review. As has been specified in previous papers; IGSC recognises the importance of consultation with relevant stakeholders to ensure that the policies remain workable in practise (e.g. a Research Data Management group is being convened to review specific draft policies within the context of the research activities undertaken by the University). Work will continue on each policy and final drafts will be submitted to ITGC for further comment and approval, before formal approval is sought from Senate/Council in the autumn term. ITGC is asked to review the initial drafts of the Information Sharing Policy (Appendix 1) and the Bring Your Own Device Policy (Appendix 2) and comment upon their future development in the context of the principles outlined above. 4. Data Review A Data Review pro-forma, requesting details of information types held and the formats in which it is held, was circulated for completion by all Schools and Professional Services in May To date we have received 14 returns. The initial findings of the returns received thus far suggest that a significant amount of the data held by the University is stored securely in systems that are monitored and maintained by IT Services. However, it also clear that in some cases data may be being stored in less secure environments, which do not have oversight by IT Services and may lack appropriate security arrangements. Once all returns have been received, more detailed analysis of the data will be undertaken in order to identify further areas of good practise as well as those areas that might be identified as areas of concern. A report will be prepared and circulated to Schools and Services providing detailed analysis of the findings of the Review and planned follow up work to be undertaken as a result. Further updates will be provided to Senate and Council in the autumn term. Page 4 of 12

5 APPENDIX 1 ITGC15-P27 Information Sharing Policy NOTE: This draft remains at an early stage, and further work is required to ensure that the technical aspects of the policy are balanced by the relevant context and guidance. Most importantly, whilst ensuring compliance with legislation; the policy must also remain applicable to activity being undertaken by users within the University. Policy Overview The sharing of information is an integral part of many of the core processes that are undertaken on a daily basis by individuals within the University. In many cases, information is shared internally and can be done so via University maintained systems (shared workspaces, networked databases etc.). In other cases, there may be a requirement to share information externally with a third party (e.g. for reporting purposes.) PROVIDE MORE DETAILED EXAMPLES/CONTEXT In all cases, information sharing should only be undertaken in a manner that reference the following; Data integrity/accuracy Securely protect against loss Complies with FOI/DP legislation where relevant Provide examples of the above? The University handles a large amount of data classified at different levels. This policy section looks to minimize the loss, unauthorized disclosure, modification or removal of sensitive information maintained by the University while trying to maintain the open nature of the organisation. Policy Audience This policy applies to all members of staff, research students and third parties (third parties will be covered by Information Sharing Agreements) who have access to and share Loughborough University information as part of their job role or studies. Policy Introduction This policy covers the sharing of information, which has been classified at different levels, and the mechanisms used to share such data. This policy covers the following sharing mechanisms: Networked storage systems (workspaces, databases) Removable Electronic media; Cloud Services. Prior to being shared, it is important that the information is correctly classified. [FURTHER CONTEXT RE: HOW THE CLASSIFICATION OF INFORMATION SHOULD DETERMINE HOW IT IS SHARED Page 5 of 12

6 RECOMMENDATIONS] The following information classifications are covered under this section (cross reference to the Information Classification Policy and ensure that there is consistency across both policies): Highly sensitive (medical records etc); Sensitive (commercially sensitive, PPI); Restricted (research data, teaching and learning information). Before classified information is copied, transported or shared, consent must be obtained from the data owner. Networked storage systems [GIVE EXAMPLES OF WHERE SHARING INFORMATION VIA THIS MEDIUM IS APPROPRIATE RECOMMENDED] Networked storage systems refer to maintained spaces that [FILL] Shared workspaces Networked databases Removable Electronic Media [GIVE EXAMPLES OF WHERE SHARING INFORMATION VIA THIS MEDIUM IS APPROPRIATE/RECOMMENDED] Electronic media refers to all types of computer storage which are not physically fixed inside a computer and includes the following: Memory cards (like those used in cameras), USB pen drives etc; Removable or external hard disk drives; Newer Solid State (SSD) drives Mobile devices (ipod, iphone, ipad, MP3 player); Optical disks i.e. DVD and CD; Floppy disks; Backup Tapes. The use of electronic media is not prohibited and is an essential part of everyday business within some parts of the University. All users of electronic media must ensure: That anti virus software is present and up to date on machines which data is taken from and machines which data is transferred to; Only information, which has been classified, as not classified and/or published is transported on standard devices. Users wishing to transport and/or share classified information using electronic media MUST ensure: When electronic media is used to transport classified information, the data on the device is encrypted to the highest recommended encryption standard (AES-256) IT Services Recommended devices; Research grants may require a certified level of encryption to a standard such as FIPS If this is stipulated by the research contract, please contact IT Services for further assistance; Page 6 of 12

7 Mobile devices and/or electronic storage devices containing classified information should not be sent off site without prior agreements. IT Services should be consulted to ensure the level of security is appropriate for the type of data being transferred; Electronic media used to store classified information shall only be used by authorised individuals and where there is a clear business need; Data sorted on the electronic media is the responsibility of the individual who operates the device. That should the encryption password is forgotten, the information held on the electronic media will be rendered unreadable. Therefore electronic media should not be used to store information which is not securely backed-up in a central location. That the electronic media is physically protected against loss, damage, abuse or misuse when in use, storage and transmit. That electronic media, which may have become damaged, should had the media back to local IT Support or IT Services to guarantee it is disposed of securely to avoid any data leakage. That when the business purpose has been satisfied, the content of the media used is securely removed through a destruction method that makes the recovery of data impossible. Where electronic media containing classified information needs to be posted to third parties, services that provide tracking and audited should be favored. Decrypting password should not be in the same package as the media in question. Passwords should be provided to third parties either in person or via a telephone call. Cloud Services The use of cloud-based storage makes collaboration and sharing of information very easy and convenient [PROVIDE EXAMPLES]. The University does not prohibit the use of cloud services. [NEED TO GIVE EXAMPLES OF WHERE SUCH USE WOULD BE RECOMMENDED] This policy refers to but is not limited to the following cloud-based storage: Dropbox; Google Drive; Microsoft OneDrive. Where possible classified information should not be stored or shared via cloud-based storage services. Cloud-based storage should only be used with the approval of the data owner. IT Services should also be consulted to evaluate the sensitivity of the information and to investigate alternate options. Where cloud-based storage is the only viable option, users of such services MUST ensure: All classified information is encrypted prior to being stored, transmitted or shared; No encryption password are stored within the same storage provider; Decryption of encrypted information must never take place within the cloud environment; For research data, research grant contracts should be consulted, as many organisations prohibit the use of cloud-based storage for the research data; When sharing classified information, passwords should not be shared via unsecure means such as ; The encrypted version of the information is not the sole source and that secure back-ups are stored on a central location; Classified information stored on cloud-based storage is the responsibly of the individual [LINK TO ROLES AND RESPONSIBILITIES RESPONSIBILITIY OF MANAGER TO ENSURE THAT ADEQUATE TRAINING/GUIDANCE IS PROVIDED]. Page 7 of 12

8 Once the classified information is no longer required, that it be removed from cloud-based storage. Document Control Version Author Date Version Detail V0.1 Niraj Kacha 22 nd May 2015 First draft Review/Approval History Organisation Action Date Page 8 of 12

9 APPENDIX 2 ITGC15-P27 Bring Your Own Device NOTE: This draft remains at an early stage, and further work is required to ensure that the technical aspects of the policy are balanced by the relevant context and guidance. Most importantly, whilst ensuring compliance with legislation; the policy must also remain applicable to activity being undertaken by users within the University. Policy Overview The University recognises the benefits bought by the use of personal devices in work and welcomes it. [EXAMPLES OF BENEFITS AND SCENARIOS] The purpose of this section is to reduce the risk in using BYOD (Bring Your Own Device). Such risks may come from devices being lost or stolen, exploited or used in such a way to take advantage of the user or the University [EXAMPLES OF HOW DEVICES MIGHT BE COMPROMISED]. Policy Audience This policy applies to all members of staff, students and external contractors using personally owned devices to store, access, carry, transmit, receive or use Loughborough University information systems. The following types of devices are covered, but not limited to in this section: Laptops; Notebooks; Tablet computers; Smart phones; Smart watches. Policy Introduction This policy covers the use of non-university (personally) owned electronic devices to access corporate systems and store University information, alongside their own data. If you wish to BYOD to access University systems, data and information you may do so, provided that you follow the provisions of this policy. [GIVE EXAMPLES OF WHEN DEVICES MIGHT BE USED] It is the University s intention to place as few technical and policy restrictions as possible on BYOD subject to the University meeting its legal and duty of care obligations. [RE-WORD AND ADD CONTEXT] Responsibilities of BYOD Users The University takes Information and Systems Security very seriously and invests significant resources to protect data and information in its care. Page 9 of 12

10 Individuals who make use of BYOD must take responsibility for their own devices and how they use them [ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT SHOULD ENSURE THAT USE OF BYOD IS APPROPRIATE AND THAT USERS ARE AWARE OF POLICY]. They must: Familiarise themselves with their device and its security features so they and ensure the safety of University information (as well as their own); Invoke the relevant security features; Maintain the device themselves ensuring it is regularly patched and upgraded. Individuals using BYOD must take all responsible steps to: Prevent the theft and loss of data; Keep information confidential where appropriate; Maintain the integrity of data and information; Take responsibility for any software that is downloaded onto the device. Individuals using BYOD must: Set up passwords, passcodes, passkeys or biometric equivalents. These must be sufficient length and complexity for the particular type of device; Set up location tracking services and remote wipe facilities where available and implement a remote wipe if the devices is lost or stolen; Devices must be encrypted where possible; Not hold any information that is sensitive, personal, confidential or of commercial value on personally owned devices. Where access to such data is required, staff should make use of the VPN service; Ensure relevant information is copied back to central University information systems and managing any potential data integrity issues with existing information; Be aware of any Data Protection issues to ensure personal data is handled correctly; Report any security breach immediately to IT Servicedesk in accordance with the Information Security Policy; Ensure that no University information is left on any personal device indefinitely. Particular care must be taken if a device is disposed of/sold/transferred to a third party. Monitoring and access The University will not monitor the content of your personal devices, however the University has the right to monitor and log data traffic transferred between your device and University systems, both over internal networks and entering the University via the Internet. The University also reserves the right to: Prevent access to a particular device from either wired or wireless networks or both; Prevent access to a particular system; Disable user accounts if deemed to have been compromised; Take all necessary and appropriate steps to retrieve information owned by the University. From time to time, the University may require that you install or update University-approved device management software on your own device. Page 10 of 12

11 Public Cloud Services Cloud-based storage facilities, such as Dropbox or Google Drive, allow individuals to access and share files. Any information owned by the University that is confidential, sensitive, personal or of commercial value must not be stored on public cloud-based storage facilities. Private secure storage From time to time, staff will be required to store information on private secure storage owned by partner organisations e.g. when collaborating with another University or industry partner. Individuals using such facilities are responsible for ensuring that they meet a suitable level of security to comply with all legal and commercial needs of the University and that all Data Protection Legislation is complied with prior to using the facility. Social Networking Sites No information of confidential, sensitive, personal or commercially valuable nature belonging to the University should ever be posted on to a social networking site. Loss, Theft or Damage of Device If a device is lost of stolen that holds confidential, sensitive or commercially valuable information belonging to the University, this should be reported to the IT Servicedesk, regardless of who owns the device. Staff should also make appropriate enquiries in attempts to locate the device and report to the appropriate authorities. The University takes no responsibility for supporting, maintaining, repairing, insuring or otherwise funding employee-owned devices, or for any loss or damage resulting from support and advice provided. Data Protection and BYOD The University must process personal data i.e. data about identifiable living individuals in accordance with the Data Protection Act (1998). Sensitive personal data is information that relates to race/ethnic origin, political opinions, religious beliefs, trade union membership, health (mental or physical) or details of criminal offences. This category of information should be handled with a higher degree of protection at all times. The University recognises that there are inherent risk with using personal devices to hold personal data. Therefore, staff must follow the guidance provided in this section when considering using BYOD to process personal data. A breach of the Data Protection Act can lead to the University being fined up to 500,000. Any member of staff found to have deliberately breached the act may be subject to disciplinary measures, having access to the University s facilities being withdrawn or even criminal prosecution. Page 11 of 12

12 Document Control ITGC15-P27 Version Author Date Version Detail V0.1 Niraj Kacha 22 nd May 2015 First draft Review/Approval History Organisation Action Date Page 12 of 12