LEEDS BECKETT UNIVERSITY
Information Security Policy

1.0 Introduction

1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed to efficient and effective information security management, ensuring that all the information and information systems on which the University depends are adequately protected.

1.2 Information can be stored on computers, printed out, written down, transmitted across networks and spoken in conversations. Our University's information and the IT systems and networks that support it are important institutional assets.

1.3 All organisations are facing increased security threats from a number of sources. Systems and networks may be the target of serious threats, including computer-based fraud, computer viruses and computer hackers, which are becoming more widespread, more ambitious and increasingly sophisticated. At the same time, our increasing dependence on IT services and systems makes us more vulnerable to these threats, and the growth of networking, in all its forms, presents new opportunities for unauthorised access to information and reduces the scope for central control of IT facilities. [1]

2.0 Legal and regulatory framework

2.1 The University has a statutory duty to ensure that the information it holds complies with the law and the regulations to which it is accountable.

2.2 The Model Financial Memorandum between HEFCE and higher education institutions (HEFCE 2010/19, July 2010) requires our University to have effective arrangements for the management and quality assurance of data submitted to HEFCE, HESA and other funding bodies. This includes student, staff, financial and estates data.

2.3 The loss or unauthorised disclosure of information has the potential to damage our reputation and cause financial loss. The Information Commissioner's Office (ICO) has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.

2.4 The Freedom of Information Act 2000 also provides a general right of public access to all types of recorded information held by public authorities, in order to promote a culture of openness and transparency.

[1] Universities and Colleges Information Systems Association (UCISA), Information Security Toolkit, Edition 3.0, page 12.
2.5 In addition, we are subject to the terms of the contractual obligations we enter into and are required to abide by all UK and EU legislation relating to the management of information, including but not limited to the following statutes:
Computer Misuse Act 1990
Copyright, Designs and Patents Act 1988
Data Protection Act 1998
Human Rights Act 1998
Freedom of Information Act 2000
Regulation of Investigatory Powers Act 2000

3.0 Policy Aims and approach

3.1 This Policy sets out the framework through which the information we manage shall be appropriately secured, to protect against the consequences of breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.

3.2 The University is committed to protecting the security of its information and information systems, and our approach shall reflect the relevant University values which guide the way we do things in delivering the following commitments:

Professional
(a) Ensuring we have the right policies, procedures, training, support and guidance in place for our staff, students and partners who create, access, use and distribute our information.
(b) Managing information in the most efficient and effective ways which deliver value for money.

Purposeful
(c) Ensuring that information is always available to those who need it and that there is no disruption to the business of the University.
(d) Maintaining the integrity of our information so that it is accurate, up to date and fit for purpose.
(e) Safeguarding the reputation of the University.

Respectful
(f) Taking account of the wider professional, regulatory and statutory context in which the University operates.
(g) Being appropriately accountable, open and transparent as a recipient of public funding, in a way that meets our legal requirements, including those applicable to personal data under the Data Protection Act.
(h) Ensuring that confidentiality is not breached and information is accessed only by those authorised to do so.

Enterprising
(i) Protecting and exploiting our information resources wisely, as appropriate to the nature of the information concerned and the different stages of its lifecycle.

3.3 This approach to information security management is a key part of our risk management framework, both in mitigating threats and in exploiting opportunities in the achievement of our strategic objectives.

3.4 To determine the appropriate level of security measures applied to information systems, a risk assessment shall be carried out for each system to identify the probability and impact of security failures.

4.0 Policy Structure

4.1 The Information Security Policy sets out the wider framework of policies and procedures that will deliver our commitment to this important agenda, which is essential to the whole University in its teaching, research, enterprise and administrative functions.

4.2 The structure and content of this policy framework is based on the approach set out in the Universities and Colleges Information Systems Association (UCISA) Toolkit. The toolkit is based on British Standard BS 7799, which is a code of practice and comprehensive guide to good information security practice.

4.4 This overarching Policy is underpinned by other policy commitments and procedures which can be grouped under three main headings, namely:
Business continuity (section A)
Governance, risk and compliance (section B)
IT Security (section C)
These seek to clarify management actions as well as the individual and collective responsibilities of staff, students and partners, enabling them to use information securely and in appropriate and informed ways in carrying out all their activities across the University.

4.5 This subsidiary information, policy and guidance shall be considered part of this Policy and shall have equal standing.
4.6 This Information Security Policy forms part of the University's wider policy and procedural framework, including its General Regulations for students and the contractual terms and conditions of staff. It is applicable to, and will be communicated to, staff, students and other relevant parties.
4.8 This policy shall be reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

5.0 Scope of the Policy

5.1 The Information Security Policy applies to:
(a) all those with access to University information systems, including staff, students, visitors and contractors;
(b) any systems attached to the University computer or telephone networks and any systems supplied by the University;
(c) all information (data) processed by the University pursuant to its operational activities, regardless of whether it is processed electronically or in paper (hard copy) form, any communications sent to or from the University, and any University information (data) held on systems external to the University's network;
(d) all external parties that provide services to the University in respect of information processing facilities and business activities;
(e) principal information assets, including the physical locations from which the University operates.

6.0 Responsibilities for Information Security Policy

6.1 This policy forms part of the University's risk management framework, which is overseen by the Board of Governors through its Audit Committee and reviewed on a regular basis.

6.2 The Board of Governors has ultimate responsibility for information security within the University. More specifically, it is legally responsible for ensuring that the University complies with relevant external requirements, including legislation.

6.3 The Information Governance Steering Group has responsibility for overseeing the approach, development and review of the information security policy framework across the University, and reports to the Secretary and Registrar and the Corporate Management Team as necessary.
6.4 The Information Governance Steering Group is chaired by a senior manager, nominated by the Secretary and Registrar, and comprises managers from across the institution acting as information governance champions.
6.5 One of the objectives of the Information Governance Steering Group shall be to ensure that there is clear direction and visible management support, appropriate commitment and adequate resourcing for information security initiatives.

6.6 A Data Protection Steering Group is responsible for co-ordinating the implementation, review and development of the University's Data Protection Policy, and in particular for issues arising from any reported breaches of data security. This Group reports to the Information Governance Steering Group as a standing item of business at each of its meetings.

6.7 The responsibility for ensuring the protection of information systems, and for ensuring that specific security processes are carried out, shall lie with the Dean of each Faculty and the Director of each Service managing that information system.

6.8 However, achieving our policy commitments largely depends on staff, students and partners working within the University's policies, regulations and best practice guidelines.

7.0 Reporting breaches of information security

7.1 If any staff, students or partners become aware of an information security incident, they should report it to their Dean or Director of Service in the first instance, who shall then report it to the Secretary and Registrar for monitoring purposes.

7.2 The Secretary and Registrar will consider the nature of the incident and the actions required by the University, which may include reporting it to the Information Commissioner and/or the Police, or taking legal advice as necessary.

7.3 Financial Services should also be notified of any incidents where there may be insurance implications for the University.

7.4 The University will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its information security.
7.5 Should a member of staff, student or partner feel it necessary and appropriate, the University also has a Whistleblowing (Public Interest Disclosure) Complaints Policy.

7.6 The Board of Governors has designated the Secretary and Registrar, as Clerk to the Board of Governors, as the Designated Officer to whom a whistleblowing complaint should normally be made in the first instance.

7.7 However, if the complainant prefers, or if the complaint is about or implicates the Designated Officer, then it should be made to the Vice-Chancellor, the Chair of the Board of Governors or the Chair of the Audit Committee.
7.8 The implementation of the information security policy shall be reviewed independently of those charged with its implementation, predominantly through the University's programme of internal audit reviews, and will be reported to the Board of Governors through its Audit Committee.

Document History
Policy Owner: Secretary & Registrar
Author: Deputy Secretary
Date created: 31 January 2014
Next Review Date: January 2016
Approved by: Information Governance Steering Group, 6 March 2014; Secretary & Registrar, 14 March 2014

Version control
Date      Version   Author            Comments/amendments
31/1/14   01        Caroline Thomas   Policy created.
LEEDS BECKETT UNIVERSITY
SECTION A
Business Continuity Planning & Information Security

Policy Statement

1. The Corporate Management Team shall assess business continuity requirements and identify appropriate areas for further action through its periodic review of the University's business continuity arrangements.

2. A formal risk assessment exercise will be conducted to classify all information systems according to their level of criticality to the University and to determine where business continuity planning is needed.

3. A business continuity plan will be developed for each information system or activity. The nature of the plan and the actions it contains will be commensurate with the criticality of the information system or activity to which it relates.

4. All business continuity plans will be periodically tested. The frequency of testing will be as defined for the appropriate criticality level and will include tests to verify whether management and staff are able to put the plan into operation.

5. All relevant staff will receive appropriate training to be able to carry out their roles with respect to business continuity plans.

6. Each business continuity plan will be reviewed and, if necessary, updated. The frequency of reviews will be as defined for the appropriate criticality level.

Related policies:
Risk Management Policy
Crisis Management Plan (including Crisis Response and Business Recovery Plans)
LEEDS BECKETT UNIVERSITY
SECTION B
Governance, Risk & Compliance & Information Security

Policy Statement

1. The Terms and Conditions of Employment set out all employees' responsibilities with respect to their use of computer-based information systems and data. Line managers must provide specific guidance on legal compliance to any member of staff whose duties require it.

2. The General Regulations set out all students' responsibilities with respect to their use of computer-based information systems and data.

3. All members of the University will comply with the Information Security Policy and, where appropriate, their compliance will be monitored.

4. Before any new system is introduced, a risk assessment process will be carried out which will include an assessment of the legal obligations that may arise from the use of the system. These legal obligations will be documented, and a named system controller, with responsibility for updating that information, will be identified.

5. Guidance documents will be made available to all computer users covering the key aspects of the law of copyright, in so far as they relate to the use of information systems. Guidance is also available on the key aspects of computer misuse legislation.

6. The institution's policies forbid the use of information systems to send or publish derogatory remarks about people or organisations.

7. The University's data retention policy defines the appropriate length of time for different types of information to be held. Data will not be destroyed prior to the expiry of the relevant retention period and will not be retained beyond that period. During the retention period, appropriate technical systems will be maintained to ensure that the data can be accessed.

8. The University will only process personal data in accordance with the requirements of data protection legislation. Personal or confidential information will only be disclosed or shared where an employee has been authorised to do so.

9. Where it is necessary to collect evidence from the information systems, it shall be collected and presented so as to conform to the relevant rules of evidence. Expert guidance will normally be sought.
10. All of the organisation's information systems will be operated and administered in accordance with documented procedures.

Third Party Access Policy & Information Security

11. All third parties who are given access to the University's information systems, whether suppliers, customers or otherwise, must agree to follow the University's information security policies. A summary of the information security policies, and of the third party's role in ensuring compliance, will be provided to any such third party prior to their being granted access.

12. The University will assess the risk to its information and, where deemed appropriate because of the confidentiality, sensitivity or value of the information being disclosed or made accessible, the University will require external suppliers of services to sign a confidentiality agreement to protect its information assets.

13. Those responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of the University's information security policies.

14. All contracts with external suppliers for the supply of services to the University must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.

15. Any facilities management, outsourcing or similar company with which this University may do business must be able to demonstrate compliance with the University's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

Human Resource Policy & Information Security

16. All employees must comply with the information security policies of the University.

17. Any information security incidents resulting from non-compliance should result in appropriate disciplinary action.

18. If, after investigation, a user is found to have violated the University's information security policy and/or procedures, they may be disciplined in line with the University's formal disciplinary process.

19. The Terms and Conditions of Employment of the University include requirements to comply with information security policies.
20. All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after their employment with the University.

21. Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is important.

22. New employees' references must be verified appropriately, and the employees must undertake to abide by the University's information security policies.

23. All external suppliers who are contracted to supply services to the University must agree to follow the information security policies of the University.

24. All staff are to be provided with information security awareness tools to enhance awareness and educate them regarding the range of threats, the appropriate safeguards, and the need for reporting suspected problems.

25. An appropriate summary of the information security policies must be formally delivered to, and accepted by, all temporary staff prior to their starting any work for the University.

26. The University is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise information security.

27. Periodic training for those predominantly responsible for information security on a day-to-day basis is to be prioritised, to educate and train them in the latest threats and information security techniques.

28. All new staff are to receive mandatory information security awareness training, including Data Protection training, as part of induction.

29. Where staff change jobs, their information security needs must be reassessed and any new training provided as a priority.

30. Training in information security threats and safeguards for technical staff is mandatory, with the extent of technical training reflecting the job holder's individual responsibility for configuring and maintaining information security safeguards.

31. Where IT staff change jobs, their information security needs must be reassessed and any new training provided as a priority.

32. Upon notification of staff resignations, the Human Resources team must consider, in consultation with the appropriate Faculty or Service, whether the member of staff's continued system access rights constitute an unacceptable risk to the University and, if so, revoke all access rights.
33. Departing staff are to be treated sensitively, particularly with regard to the termination of their access privileges.

34. Departing staff must return all information assets and equipment belonging to the University, unless agreed otherwise with the designated owner responsible for the information asset.

Related policies:
Terms and Conditions of Employment
Data Protection Policy
Data Retention Policy
Information Handling Policy
Information Asset Register
Intellectual Property Policy (subject to approval)
Data Quality Policy
Accuracy of Published Information Procedures
General Regulations
Social Media Policy (in development)
Research Ethics Policy and Procedures
Code of Good Practice and Regulations relating to Misconduct in Academic Research
Student Code of Discipline
Policy, Regulations, and Procedures Relating to Professional Suitability or Professional Misconduct
Whistleblowing (Public Interest Disclosure) Complaints Procedure
Regulations for the Use of Institutional IT, Library and Media Facilities
Policy and Procedures on the Appropriate Use of University Electronic Information and Communications Facilities and Services
Code of Practice on the Freedom of Speech and Expression
LEEDS BECKETT UNIVERSITY
SECTION C
IT Security Policy

Policy Statement

Measures will be taken by the University to implement information technology and security policies, including:

1. Ensuring that all individuals who use information technology systems, or otherwise handle information, understand the policies that are relevant to them and any consequences of non-compliance.

2. Using physical security measures when deemed necessary.

3. Applying technology where considered appropriate and feasible, for example to control and log access to systems, data and functionality.

4. Using various lawful forms of monitoring of activities, data and network traffic to detect policy infringements.

5. Taking into account relevant information security policy requirements when planning and undertaking activities involving information technology systems.

6. Formal or informal risk assessment, to identify the probability and impact that various hazards could have on information technology systems.

7. Monitoring the effectiveness of its information security policy implementation. This may involve review independent from those charged with its implementation.

8. The Director of IMTS is responsible for the implementation and management of Information Technology Security Policies at the University.

9. It is the responsibility of the University to sufficiently resource and direct the implementation of these policies.

10. Individuals must understand and agree to abide by University IT policies and Regulations before being authorised for access to any information technology systems for which the University has responsibility.

Related policies:

Information Handling Policy
The Information Handling Policy sets out Leeds Beckett University's definition of, commitment to, and requirements for Information Handling. It sets out the need to define classes of information handled by the organisation and the requirements for the storage, transmission, processing and disposal of each.

Cryptography Policy
The purpose of the Cryptography Policy is to set out when and how encryption should (or should not) be used. It includes protection of personal, confidential and commercially sensitive information and communications.

System Planning and Management Policy
The purpose of the System Planning and Management Policy is to define how Leeds Beckett University information technology systems are specified, designed and managed. It includes processes for identifying requirements and risks, and for designing appropriately configured systems to meet them.

Use of Computers Policy
The purpose of the Use of Computers Policy is to define the acceptable actions of any individual who interacts with Leeds Beckett University's information technology systems.

User Management Policy
The User Management Policy governs the creation, management and deletion of user accounts. It also sets out the principles for the granting and revocation of privileges associated with user accounts.

Computer Protection Policy
The Computer Protection Policy defines how university-controlled end-point devices (servers and user devices) are protected from security vulnerabilities. It includes appropriate technical and procedural controls to reduce risk and meet the requirements of other university IT Security Policies.

Computer Password Policy
The Computer Password Policy defines how the University utilises and manages passwords to ensure the security of devices and systems. It includes the appropriate technical and procedural controls to reduce risk and meet the requirements of other related IT security policies.

Network Management Policy
The purpose of the Network Management Policy is to define how the Leeds Beckett University networks are designed and how systems are connected to them. It includes appropriate technical and procedural controls to reduce risk and meet the requirements of the Information Handling Policy.

Software Management Policy
The Software Management Policy sets out how the software which runs on Leeds Beckett University's information technology systems is managed. It includes controls on the installation, maintenance and use of software, with appropriate procedures for upgrades to minimise the risk to information and information technology systems.

Mobile Computing Policy
The purpose of the Mobile Computing Policy is to maintain the security of Leeds Beckett University's information assets when they are used from mobile devices (such as PDAs, mobile phones, laptops and tablets). These devices need not be owned by Leeds Beckett University but are being used to access its information technology systems.

Bring Your Own Device Policy
The purpose of the BYOD Policy is to maintain the security of Leeds Beckett University's information assets when they are being accessed from devices personally owned by users (such as PDAs, mobile phones, laptops and tablets).

Wireless Communications Policy
The Wireless Communications Policy establishes standards that must be met when wireless communications equipment is connected to Leeds Beckett University's networks. Only wireless systems that meet the criteria of this policy are approved for connectivity to Leeds Beckett University's networks.