Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Transcription

1 Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security and Compliance Manager Information and Library Services Issue th January th January 2017 Information Assurance and Security Committee 1

2 1.0 Introduction University of Greenwich Information Security and Assurance Policy University of Greenwich information assets are valuable to its objectives. The confidentiality, integrity and availability of University information assets are essential to the success of its operational and strategic activities. The University aims to secure its information assets by establishing an information security strategy that will enable the implementation of a robust information security risk management system and foster good security practices across its campuses. The Information Security Policy is a key component of the University s Information Security Strategy built on a framework of information security management standards and best practices. The Information Security Policy will serve as an overarching policy document to provide a high level overview of information security management within the University. The Information Security Policy will be supplemented by a suite of policies, processes, standards and procedures that will set out the expectations for information security within the University, and will provide clear guidelines to staff, students and other users of University information assets of their responsibilities for appropriate use and safety of these assets, and their legal obligations to comply with related statutory requirements. 2.0 Objectives The objectives of the Information Security Policy are: a) To ensure that University information assets are available when required to authorised users. b) To ensure that University information assets are adequately protected against unauthorised access, malicious or accidental loss, misuse or damage. c) To ensure that all users of University information assets are aware of and fully comply with this policy and supplementary policies, processes, standards, procedures and guidelines. d) To ensure that all users of University information assets understand their responsibilities for protecting the confidentiality and integrity of University information assets. e) To ensure that the risks to University information assets are appropriately managed. f) To ensure that information security incidents are resolved promptly and appropriately. g) To ensure that the University meets relevant audit and statutory requirements. h) To ensure there is an efficient disaster recovery plan in place. 2

3 i) To protect the University from any legal liability resulting from information security incidents. 3.0 Scope The Information Security Policy and supplementary policies, processes, standards and procedures apply to all forms of information stored, used or processed by the University including but not limited to all paper records and information held on electronic devices. The policy also applies to all information systems owned or leased by the University including information systems managed by third parties on behalf of the University. The policies apply to all staff, students, contractors and third party agents who access, use, handle or manage all University information assets. 4.0 Principles The following principles govern the University's information security approach: a) The University will adopt ISO Information Security Management Standard as a framework for its Information Security Strategy along with other supporting good practices from JISC and UCISA, and will ensure continuous assessment, development and maturity of the strategy. b) The University will adopt an information security risk management approach in line with the Institutional Risk Management Policy to ensure information security risk mitigation efforts reflect the University s risk appetite. c) The Information Security Policy and supplementary policies, processes, standards, procedures and guidelines will be communicated to all users via training and awareness sessions, inductions, University intranet and internet, bulletins and other appropriate communication channels. d) University data (information) will be classified and provided with appropriate safeguards commensurate to their value, ensuring they are available when needed and protected against unauthorised or inappropriate access or use. e) User access to the University s information assets will be based on job requirements rather than job titles. Access rights will be reviewed at regular intervals and revoked if or where necessary. f) The University believes that information security is the responsibility of its information asset users, and will set out the responsibilities for the strategic leadership, management and coordination of the information security strategy, and use of its information assets via relevant policies, job descriptions and terms and conditions of employments. 3

4 g) The University will establish and promote an information security awareness culture amongst its information asset users through user awareness and training, publications on information security risks and incidents, and guidelines for managing them. h) Disaster recovery plans for mission critical information assets and related services will be established, tested and maintained. i) The University will implement an incident reporting and management system to enable prompt and appropriate incident resolution activities and inform risk assessments and management. j) The University will enforce and monitor compliance with the Information Security Policy, supplementary policies, processes, standards, procedures and guidelines. 5.0 Compliance The University has an obligation to comply with relevant legal and statutory requirements. The Information Security Policy and supplementary policies, processes, standards, procedures and guidelines are to promote and enforce compliance with applicable laws by providing directions and guidelines on good information security practices to underpin the University s compliance with these laws. The applicable laws include but are not limited to: a) Data Protection Act (1998) b) Copyright, Designs and Patents Act (1988) c) Computer Misuse Act (1990) d) Counter- Terrorism and Security Act 2015 and Prevent Duty Guidance: for Higher Education Institutions in England and Wales e) Public Interest Disclosure Act f) Computer related legislation g) Other relevant legislations that may influence this policy 5.1 Relationship with other policies The Information Security Policy is related to the University s data privacy, risk and information management policies to facilitate the implementation of relevant requirements set out in the related policies in order to assure compliance with the statutory laws that govern these policies. These policies include: a) Data Protection Policy b) Information and Records management Policy 4

5 c) Archiving Policy d) Risk Management Policy All users of University information assets must comply with the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines and must also keep abreast of updates to these policies. Failure to adhere to the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines will be addressed by necessary disciplinary actions in accordance to the University s Staff Disciplinary Procedures, Student Disciplinary Regulations and Procedures and relevant contractor and third party contractual clauses relating to non- conformance with the Information Security Policy and related policies. 6.0 Responsibilities for Information Security 6.1 Vice Chancellor s Group The Vice Chancellor s Group is ultimately responsible for information security management and compliance with related statutory laws in the University. The Vice Chancellor s Group is responsible for the strategic direction of information security within the University including: a) Ensuring the information security strategy aligns with University objectives. b) Endorsing the implementation of approved policies, processes, standards and procedures. c) Resourcing and supporting information security initiatives. d) Ensuring risks are mitigated to acceptable levels. 6.2 IT Strategy Board The IT Strategy Board will be responsible for: a) Ensuring that information security is properly managed across the University. b) Driving the allocation of resources and supporting the implementation of information security initiatives. c) Engaging with the Information Assurance and Security Committee (IASC) to facilitate an information security awareness culture in the University. d) In collaboration with the Information Assurance and Security Committee, advise the Vice Chancellor s Group on matters relating to information security management and compliance assurance. 6.3 Information Assurance and Security Committee (IASC) 5

6 The Information Assurance and Security Committee will provide leadership on the management of information security within the University and serve as an advisory body to the Vice Chancellor s Group (VCG) via the IT Strategy Board on information security matters. The committee s responsibilities are: a) To facilitate the establishment of the Information Security Management Strategy. b) To facilitate the development, implementation and evolvement of the strategy. c) To define the University s information security risks appetite and approach for mitigating related risks. d) To facilitate an information security awareness culture. e) To review, recommend and approve relevant policies, procedures, standards and processes. f) To ensure compliance with relevant policies, audit and statutory requirements. g) To facilitate the implementation of information security initiatives and provide governance oversight on progress and outcomes. h) To review information security requirements for major IT and data sharing/migration projects and recommend best practices. i) To review major information security incidents and lessons learned and make recommendations. j) To advise and recommend response plans to related internal and external audit findings. k) To engage and advise the VCG on information security management and compliance assurance via the IT Strategy Board. 6.4 Information Security Management (Information and Library Services) Information Security Management sits within the Information and Library Services (ILS) Directorate and is responsible for: a) Coordinating the implementation of the Information Security Strategy and Policy, and supplementary policies, processes, standards, procedures and guidelines across the University. b) Communicating the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines to all users of its information assets. c) Coordinating the implementation of the Information Security Awareness and Training Plan. d) Monitoring compliance with the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines. e) Updating the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines to ensure they remain fit for purpose. f) Managing the implementation of information security risk assessments and relevant mitigation controls; monitoring and reporting on risks to the IASC. 6

7 g) Managing and monitoring incidents and reporting findings to the IASC. h) Monitoring the state of University information security and reporting on findings and key performance indicators to the IASC to inform the Statement of Internal Control. i) Monitoring and analysing external information security attack trends and advising the IASC of related risks to the University. 6.5 All Users (staff, students, contractors and third party agents) All individuals who access, use, handle and manage University information assets are responsible for: a) Familiarising themselves with the Information Security Policy, related policies, processes, standards, procedures and guidelines. b) Familiarising themselves and agreeing to comply with their legal responsibilities for appropriate use and safety of University information assets. c) Completing relevant information security awareness and training courses. d) Reporting information security incidents via the appropriate procedure promptly. 7.0 Risk Management The University s Risk Management Policy is a high level document that sets out the University s approach for managing and reducing risks to an acceptable level. In line with the Risk Management Policy, the University will develop an information security risk management system to support faculties and administrative offices in identifying internal and external risks to the security of the University s information assets they are responsible for. Relevant, appropriate and cost effective controls along with necessary training where applicable will be implemented in a timely manner to mitigate identified risks. In addition, the information security risk management system will be a tool for evaluating the effectiveness of risk mitigation controls, and will inform the recommendation and implementation of new or additional controls where necessary, and ensure continuous monitoring of risks. 8.0 Awareness and Training Information Security awareness and training will be a key component of the University s information security strategy designed to strengthen users compliance with University information security policies and the University s compliance with audit and statutory requirements. 7

8 Through information security awareness and training, the University aims to establish an information security conscious culture, providing basic knowledge and relevant skills that will enable users to carry out their information security responsibilities, and promoting good security practices amongst users of its information assets. University staff and students must complete relevant awareness and training courses made available by the University. Contractors and third parties will be responsible for providing necessary awareness and training to their staff. 9.0 Data Classification and Information Handling Data classification and appropriate information handling procedures will facilitate good information management within the University to ensure that University data (from creation to retention and/or destruction) is handled in a manner that safeguards the confidentiality, integrity and availability of the data. In order to achieve this, The University will establish a Data Classification Policy and Information Handling Procedures that will set out how University data should be accessed, used and handled, and the appropriate controls that should be implemented commensurate with the sensitivity and criticality of the data. All users of University data are required to familiarise themselves with the Data Classification Policy and information handling procedures in order to engage in suitable security practices to protect University data from unauthorised access, disclosure, modification, loss, theft or damage Disaster Recovery Plan The University has a responsibility to establish processes that will ensure essential business operations and services are sustained while recovering from a major information system failure or a disaster. There is a University Business Continuity Plan (BCP), covering all essential and critical business activities, and is supplemented by the IT Disaster Recovery Plan, which provides the procedures to be followed in order to optimise continuity of IT services, and then enable a return to normal operations in the event of a disaster. Information Security Management in consultation with relevant staff and parties across the University will undertake business impact analyses and risk assessments of critical systems and services within the University s IT infrastructure, identifying the levels of risks to the Institution as a result of a system 8

9 or service unavailability. This includes the risk to operations, teaching, research, legal obligations and reputation. The outcomes of the risk assessments will serve to indicate the criticality of each system and related service and therefore determine the appropriate recovery and continuity provision for each component Incident Management The management of information security incidents in a prompt and appropriate manner will enable the University to efficiently mitigate the risks and any legal implications that may be associated with information security incidents. The University s Data Security Breach Policy sets out the procedure and guidelines for reporting information security and data breach incidents. The Data Security Breach Policy is available to all users via the University s internet and intranet. All users are responsible for complying with the statements and steps detailed in the Policy. In addition, the University aims to implement a problem management system that will facilitate an optimised incident notification, escalation, response, and resolution process allowing efficient use of relevant resources in addressing information security incidents Policy Review and Maintenance This policy will be reviewed and updated regularly to ensure that it remains appropriate in light of changes to business requirements, statutory laws or contractual obligations Definitions Authorised Users (in the context of this policy and related documents) Availability Business Impact Analysis Confidentiality All users who access, handle, process, store, share or manage the University s information assets. These are University staff, students, contractors and third party agents. Information assets are accessible only to authorised users when required. A process for determining the impact of a loss or unavailability of an information asset or service to an organisation. Access to and sharing of sensitive or personal information is restricted only to authorised users. 9

10 Information Assets (in the context of this policy and related documents) Information Processing Facilities Information Systems Integrity Key information assets Risk Risk Assessment A collection of information (paper or digital format), hardware, software, infrastructure and services that support the implementation of University strategic and operational activities. IT system or service, location, building or infrastructure that houses information processing systems and services. Information processing computers or data communication systems. The preservation of the complete, accurate and validate state of information assets. Information assets that are highly essential to University critical activities and services. The probability of an exploited weakness and its resulting consequence leading to an adverse event. A process for identifying and evaluating risks Links Links to University related information security policies, processes, standards, procedures and guidelines. Links to the Data Protection policy and related documents. 10