EA-ISP-001 Information Security Policy

Similar documents
INFORMATION SECURITY POLICY

Corporate Information Security Management Policy

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

EA-ISP Architecture Service Planning Policy

EA-ISP-012-Network Management Policy

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

EA-ISP-011-System Management Policy

Information security policy

Information Management and Security Policy

NHS Business Services Authority Information Security Policy

Information Governance Policy

INFORMATION SECURITY MANAGEMENT POLICY

EA-ISP-002-Business Continuity Management and Planning Policy

University of Sunderland Business Assurance Information Security Policy

Information Governance Policy (incorporating IM&T Security)

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

FINAL May Guideline on Security Systems for Safeguarding Customer Information

How To Ensure Information Security In Nhs.Org.Uk

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Council Policy. Records & Information Management

St. Peter s C.E. Primary School Farnworth , Internet Security and Facsimile Policy

Information Governance Policy

Information Governance Strategy & Policy

Caedmon College Whitby

So the security measures you put in place should seek to ensure that:

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents

Information Governance Framework. June 2015

Information Security Management System Policy

Data Protection Policy

Corporate Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Scotland s Commissioner for Children and Young People Records Management Policy

Network Security Policy

Data Governance. Policy FINAL (Approved)

Third Party Security Requirements Policy

University of Sunderland Business Assurance. Over-arching Information Governance Policy. Document Classification: Public

INFORMATION SECURITY POLICY

Information & ICT Security Policy Framework

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

Working Practices for Protecting Electronic Information

Information Security Policy

Information Governance Policy

Records Management Policy & Guidance

Summary Electronic Information Security Policy

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

Guideline for Roles & Responsibilities in Information Asset Management

University of Liverpool

Information Security Management System Information Security Policy

Data Protection Policy June 2014

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

How To Ensure Network Security

Highland Council Information Security Policy

ULH-IM&T-ISP06. Information Governance Board

Information Security Policies. Version 6.1

INFORMATION GOVERNANCE POLICY

Information Security

Data and Information Security Policy

Policy Document Control Page

Mike Casey Director of IT

INFORMATION SECURITY PROCEDURES

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ENTERPRISE RISK M A NAGEMENT POLICY

INFORMATION GOVERNANCE POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Service Children s Education

University of Aberdeen Information Security Policy

Merthyr Tydfil County Borough Council. Information Security Policy

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

Information Governance Policy

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

INFORMATION GOVERNANCE POLICY

Newcastle University Information Security Procedures Version 3

INFORMATION TECHNOLOGY SECURITY STANDARDS

Information Security Incident Management Policy September 2013

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

Rotherham CCG Network Security Policy V2.0

IT SECURITY POLICY (ISMS 01)

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Privacy Policy Draft

Transcription:

Technology & Information Services EA-ISP-001 Information Security Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 13/03/2015 Document Security Level: PUBLIC Document Version: 2.41 Document Ref: EA-ISP-001 Document Link: http://blogs.plymouth.ac.uk/strategyandarchitecture/wp- content/uploads/sites/4/2015/06/ea-isp-001-information-security- Policy.pdf Review Date: March 2016

Document Control Version Author Position Details Date/Time Approved by Position Date/Time 1.0 Paul Leonard Initial version 12/03/2012 1.1 PL, SF, PD, DF, Update 16/05/2012 1.2 PL, SF, PD, DF, Minor updates and amendments 18/05/2012 2.0 PL, SF, PD, DF, 2.1 PL, SF, PD, DF,, NW Major updates and amendments Cloud computing considerations Document approval 2.2 PL, SF, PD, DF,, NW 2.3 PF ESA Updated document in new format and refreshed old elements 2.4 PW,, GB, CD, PF IT Director Approved policy 2.41 PF ESA Altered document naming for a couple of subpolicies 20/07/2012 02/10/2012 28/11/2012 Academic Board 19/02/2015 13/03/2015 14:45 26/06/2015 15:15 Paul Westmore IT Director 28/11/2012 13/03/2015 11:10 Page 2 of 5

1. Introduction 1.1 Plymouth University recognises that information and information systems are valuable assets which play a major role in supporting the University s strategic objectives. Information security is important to the protection of the University s reputation and the success of academic and administrative activities. The management of personal data has important implications for individuals and is subject to legal obligations. The consequences of information security failures can be costly and timeconsuming. 1.2 The University wishes to support its staff and students in using IT systems safely and securely, and recognises that the ability to protect systems and data is a fundamental enabler for the University s wider Digital Strategy. Promoting an effective security culture will therefore be beneficial to both the institution and the individuals within it. 1.3 The Information Security Policy sets out appropriate measures through which the University will facilitate the secure and reliable flow of information, both within the University and in external communications. The approach is based on recommendations contained in ISO 27002 - A Code of Practice for Information Security Management, and relevant legislation including, but not limited to: The Data Protection Act (1998) Freedom of Information Act (2000) Copyright, Designs and Patents Act (1988) Computer Misuse Act (1990) Regulation of Investigatory Powers Act (2000) Human Rights Act (2000) 2. Aims and Objectives 2.1 The principal aim of the Policy is to ensure that all information and information systems within the University are protected to the appropriate level. There are several specific objectives and these are set out below: To ensure all staff, students, contractors and their employees have a proper awareness and concern for computer systems security and an adequate appreciation of their responsibility for information security. To provide a framework giving guidance for the establishment of standards, procedures and computer facilities for implementing computer systems security. To support the general objectives of ISO 27002 Code of Practice for Information Security Management. To ensure all staff have an awareness of information security related legislation and their responsibilities under it. 3. Scope 3.1 The Information Security Policy applies to information in all its forms. It may be on paper, stored electronically or other media. It includes text, pictures, audio and video. It covers information transmitted by post, by electronic means and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations. 3.2 For the purposes of this document, information security is defined as the preservation of: Confidentiality: protecting information from unauthorised access and disclosure; Integrity: safeguarding the accuracy and completeness of information and processing methods; and Page 3 of 5

Availability: ensuring that information and associated services are available to authorised users when required. 3.3 The level of security required in a particular system will depend upon the risks associated with the system, the data held on the system and the working environment of the system. 3.4 The policy applies to all staff within the University, contractors and consultants working on behalf of the University and all other individuals and groups who have been granted access to University information systems. 3.5 This policy includes the use of Public Cloud Storage such as DropBox, icloud, Box, Google and OneDrive, and staff using these services must be aware of the related Terms and Conditions. Note that: Staff must use caution when storing documents and data in Public Cloud Storage. Reference to the Data Classification Policy for which type of data can be stored where and the associated security requirements that must be present to assure the integrity and confidentiality remain consistent. Public Cloud Storage must not be used to store files containing sensitive information. This includes, but is not limited to, sensitive personal information as defined by the Data Protection Act (DPA) 1998. The terms of service for public cloud storage services are between the account owner and the service provider. The personal licensing for these products has not been approved by the University for official University use. 4. Responsibilities and Reporting 4.1 The University believes that information security is the responsibility of all staff, contractors, and students. Every person handling information or using information systems is expected to observe the information security policy and procedures both during and, where appropriate, after leaving the University. 4.2 Any observed or suspected security incidents should be reported immediately where a breach of the University s security policies has occurred. Reports should be made to the appropriate Head of Department, the owner of the information, or in relation to certain information systems, Technology and Information Services. 4.3 Failure to comply with the Information Security Policy will be considered in the context of the University s disciplinary procedures. 5. Implementation 5.1 The University recognises the need for all users of University systems to be aware of information security threats and concerns, and to be equipped to support the University s Information Security Policies in the course of their normal work. The University shall implement an awareness programme for all users. Online support can also be accessed via TIS Self Help (http://ilsselfhelp.plymouth.ac.uk). Additionally, for general information about online threats and related safeguards, readers are referred to advice for individuals available at www.getsafeonline.org. 6. Relationship with Existing Policies 6.1 This Policy has been devised within the context of the following University documents: Data Classification Policy (EIM-POL-001) Information Handling Policy (EA-ISP-007) Secure Working Policy (EA-ISP-014) Data Protection and Freedom of Information Guidance 6.2 The complete Information Security policy document set comprises of: Page 4 of 5

Name Business Continuity Management and Planning Policy Compliance Policy Outsourcing and Third Party Access Policy Personnel IT Policy Operations Policy Information Handling Policy User Management Policy Use of Computers Policy Architecture Service Planning Policy System Management Policy Network Management Policy Software Management Policy Secure Working Policy Encryption Policy ID EA-ISP-002 EA-ISP-003 EA-ISP-004 EA-ISP-005 EA-ISP-006 EA-ISP-007 EA-ISP-008 EA-ISP-009 EA-ISP-010 EA-ISP-011 EA-ISP-012 EA-ISP-013 EA-ISP-014 EA-ISP-016 7. Review and Amendment 7.1 This Policy Statement, and all materials and procedures which emerge as a result of its implementation, will be reviewed at least once a year and, if necessary, amended to maintain its relevance within the University and to ensure continued compliance with relevant legislation. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information