University of Brighton School and Departmental Information Security Policy




This Policy establishes and states the minimum standards expected. These policies define the University of Brighton business objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information systems as well as compliance with the requirements imposed.

Last updated: Q North, 16th June 2015

This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

University of Brighton Information Services

Contents
1. Summary ... 4
2. Scope ... 4
3. Roles and Responsibilities ... 4
4. Information Security Programme ... 5
4.1. Risk Management ... 5
4.2. Internal Audits ... 6
4.2.1. Audit Programme Support ... 6
4.2.2. Corrective Action ... 6
5. Information Security Controls ... 7
5.1. Human Resources Security ... 7
5.1.1. Prior to employment ... 7
5.1.2. During employment ... 7
5.1.3. Termination of Employment ... 7
5.2. Asset Management ... 7
5.2.1. Asset Register ... 7
5.3. Physical Security ... 8
5.3.1. Policy ... 8
5.3.2. Building Security ... 8
5.3.3. Secure Areas ... 9
5.3.4. Visitors ... 9
5.3.5. Data Centre and Server Room Environments ... 9
5.3.6. Disposal of Equipment ... 10
5.4. System/Application Access Control ... 10
5.4.1. Policy ... 10
5.4.2. Controls ... 10
5.5. Protecting Information ... 10
5.5.1. Policy ... 10
5.5.2. Controls ... 11
5.5. Supplier Relationships ... 11
5.5.1. Policy ... 11
5.5.2. Controls ... 11
5.6. Incident and Weakness Management ... 12
5.6.1. Policy ... 12
5.6.2. Controls ... 12
5.7. Business Continuity Management ... 12
5.7.1. Policy ... 12
5.7.2. Controls ... 12

Document Details
Author: Andy Whillance
Approver: Quentin North
Creation Date: 16 June 2015
Version: 1.0

Version History
0.1 Draft prepared by Andy Whillance (ECSC Ltd)
0.2 Amended after review by Lucy Sharp (ECSC Ltd)
0.3 Aligned to UoB by Quentin North
1.0 Final issue by Quentin North

1. Summary
This policy provides guidance on the minimum standards expected for Information Security within schools and central departments. These policies define the University of Brighton business objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information as well as compliance with the requirements imposed.

2. Scope
This policy, and the Information Security Management System, applies to all departments, schools and functional areas of the University. Wherever the term "department" is used in this document, it should be read as applying to a school, central department or functional area such as a campus or college.

3. Roles and Responsibilities
Each department is expected to assign the following roles. One person may hold more than one role, and the duties of a single role may be split across several people.

Department Information Security Representatives are responsible for monitoring the University's implemented security programmes. Within the department they will ensure that all University information security policies are understood and applied, will be the main information security point of contact, and will assist in keeping departmental risk registers up to date. Where policy is not met, they will report this to the University information security management representative.

Information Asset Owners are assigned for each key system, application or data store. They are responsible for ensuring that proper controls are in place to address the integrity, confidentiality and availability of the information technology resources and data they own. They are also responsible for periodically reviewing that only those who require access to perform their job responsibilities have access to the data they own. This must be done at least annually.

Departmental IT Security Practitioners: where departments, schools or functions have their own IT function, this role must be assigned. These persons must be aware of the University technical policies and procedures, and of the UoB Application Standards. They should be expected to provide technical input into any departmental risk management processes.

4. Information Security Programme
Departments must support the wider University security programme through proactive adherence to the approved policies and procedures, and a proactive understanding of the potential issues that could be faced. Two practices in particular must be addressed at a departmental level: Risk Assessments and Internal Audits.

4.1. Risk Management
The University of Brighton is committed to understanding where the organisation might be at risk of loss of confidentiality, integrity or availability of any of its information assets. This will be done by identifying potential threats to the assets held, where assets can be physical, electronic, informational or people.

Each department will be asked to complete and maintain a Risk Register. A suitable methodology is documented in the UoB Information Security Risk Assessment Methodology document. On at least an annual basis, all current open risks on departmental registers will be discussed with the departmental senior management and, where appropriate, reported upwards to the Risk Management Steering Group as part of the annual University risk assessment process.

Where a risk is thought to be unacceptable, a treatment should be identified. Where a risk can be treated at a departmental level, a responsible person and action date must be assigned for any treatment action. If a department is unable to take action itself, the school/department will raise the risk at Senior Management Team level.

Printed Thursday, 06 August 2015

4.2. Internal Audits
4.2.1. Audit Programme Support
Each department must support the Internal Audit programme that operates across the University. Departments must make resources available for the auditor when audits are scheduled. A representative from senior management within the department should be available for opening and closing meetings.

4.2.2. Corrective Action
For any actions arising from the audit, senior management within the department shall ensure that an action plan is agreed, resources are assigned to completing the agreed action, and supporting evidence is sent to the auditor to allow closure of the identified shortcoming.

5. Information Security Controls
5.1. Human Resources Security
5.1.1. Prior to employment
It is important that all employees and relevant contractors receive appropriate checks and vetting prior to employment, depending on the level of access to information they will have and the sensitivity of the role to be filled. The screening ensures that employees are checked for their eligibility to work in the UK and their suitability for the role, and that any potential concerns are addressed before they take up a permanent or temporary role. For this reason, all departments are required to follow the University recruitment procedures, as described on the HR SharePoint site.

5.1.2. During employment
All employees will be provided with Information Security e-learning soon after joining the organisation, reinforcing the content of the contract and the UoB IT Regulations. Departmental managers should reinforce this message, with appropriate guidance and training given to new starters on any department-specific requirements.

5.1.3. Termination of Employment
On termination or change of employment, the HR and IT functions must be informed in a timely manner that employees, contractors or third parties are leaving, so that all physical and logical access is revoked and all assets are returned.

5.2. Asset Management
5.2.1. Asset Register
Where physical assets are given out by the department, a register should be maintained. Items to be recorded include:
- User devices (laptops, desktops, phones, USB keys)
- IT assets (servers, networking equipment, supporting utilities)
- Authentication/entry controls (keys, key-codes, access cards etc.)

The format of asset registers can take many forms, from a simple spreadsheet to a comprehensive software application. The most appropriate method should be chosen to allow control of the items recorded. The minimum information that should be kept includes:
- Owner / user
- A unique identifier for each item
- A description or other identifier (e.g. make and model)
- Location or main user
- Status (e.g. active, spare, disposed)

Information on assets that have been disposed of should not be removed from the register; instead the asset should be marked as no longer held. Unique identifiers should not be reused. The Department Information Security Representative should review the register periodically. Asset disposal should follow the appropriate IS, Finance and Estates procedures.

Note: Only assets directly under the control of the department need to be recorded. If items are issued and controlled by a central function, that function will maintain the register. Examples include IT equipment issued through the IS Computer Store and Service Desk. However, if you then pass an asset on to a third party, you should keep a record of that asset.

5.3. Physical Security
5.3.1. Policy
Physical security controls and secure areas are used to minimise unauthorised access to, damage to, and interference with information and information systems. Physical security includes providing environmental safeguards and controlling physical access to equipment and data, in order to protect information technology resources from unauthorised use, from both a physical hardware and an information perspective.

5.3.2. Building Security
Because of the open nature of the University buildings, it is not possible to implement a great deal of perimeter security at the building level. However, the following minimum standards should be applied:
- External doors should only be open for as long as necessary to allow normal daytime usage. Normal hours vary by building and time of year, but are not less than 8.30 to 5pm.
- Outside of normal operating hours, access through external doors shall be provided via the Unicard system.
- CCTV shall cover all entrances/exits to the building.
- CCTV shall cover any room with servers hosting protected information.
- Where offices contain protected information (as defined in the UoB IT Regulations document), those rooms must be restricted to those needing to enter for work purposes.
- A record of people authorised to access rooms containing protected information should be maintained. This shall be reviewed periodically.
- There shall be an access control system in place to ensure that only authorised individuals may access locations where protected information is handled. The Unicard system is preferred.
- Buildings should be protected by fire and intruder alarms, linked either to emergency services or to the Estates and Facilities Management functions.

5.3.3. Secure Areas
Within the University of Brighton offices, all computers containing protected information (as defined in the UoB IT Regulations document) and all important network equipment should be situated in an area restricted to authorised personnel only (e.g. IT security practitioners). No other personnel should be permitted access unless explicit authorisation has been given or they are accompanied by someone authorised to be in that area. Any sensitive information in physical format, for example material such as exam scripts, should be kept in a secure area (this could be a lockable room, a safe or a locked cabinet). Any secure areas must be locked when not occupied or in use, either by physical key or Unicard. If the authentication system retains a record of accesses, these should be reviewed as appropriate to identify any unauthorised accesses.

5.3.4. Visitors
The following principles have been adopted to ensure that risks from visitors are controlled:
- Access badges, key codes or other access will only be provided to a visitor if their identity and the purpose of their visit are known to the issuing person.
- A record will be kept of which card, key etc. was provided to any visitor or third party. This register will be retained for not less than six months.
- Visitor access will be set to expire at the end of the last day of their visit. If this is not known, passes shall expire at the end of the day.
- Unallocated visitor or contractor passes providing access to protected information, or to secure areas, shall be de-activated until the time that they are required.
- All visitors accessing any secure area, or accessing any sensitive information, will be accompanied for the duration of their visit.

5.3.5. Data Centre and Server Room Environments
In order to preserve the availability of important information, it is vital that sufficient redundancy is in place, and that supporting utilities are in place to ensure that systems and applications can continue to function properly. The preferred solution is to base all operational servers supporting important applications in the two dedicated data centres (Watts Building and Mithras House Annexe). This ensures the following:
- N+1 configuration for all important plant equipment
- Fully operated and maintained planned maintenance schedule
- Resilient data networking to all University sites

1. Key systems, as defined in the UoB Applications Standards document, should reside in the main datacentres and should not be held in individual departmental areas.

5.3.6. Disposal of Equipment
The University of Brighton recognises the need to ensure that all data and licensed software has been removed from data storage devices prior to disposal. To ensure that this is done you must use the service available from Estates and Facilities Management, which will provide you with a certificate of destruction. The following controls must apply when undertaking disposal:
- A list of equipment being disposed of must be compiled prior to pick-up.
- A destruction certificate must be obtained from the disposal contractor.
- The list of equipment must be reconciled against the destruction certificate to account for all devices taken.

5.4. System/Application Access Control
5.4.1. Policy
Authorisation and control of access to facilities and information systems is a crucial tool in ensuring information security. The protection of information assets from unauthorised access is an important business requirement. It is the policy of the University of Brighton that only authorised personnel have access to facilities and information systems, and that such access is limited according to the role of the individual concerned. For this reason, it is expected that all key applications must have been assessed against the UoB Application Standards document.

5.4.2. Controls
In order to ensure that the risks associated with any applications are recorded and assessed, the following process must be followed:
- Departments should identify important key applications as defined in the UoB Application Standards. These should be included on the departmental Asset Register.
- Each application must be assessed against the standards documented in the UoB Applications Standards.
- Any deviation from the guidelines must be added to the Departmental Risk Register.
- All new applications implemented should meet the minimum standards documented in the UoB Applications Standards.

5.5. Protecting Information
5.5.1. Policy
The University of Brighton has standards for protecting information to ensure that sensitive information is not unintentionally disclosed. These are documented both in the UoB IT Regulations document, for data movement, and in the UoB Application Standards, for the guidelines on protection in applications, databases or systems. Suitably strong protection measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage.

5.5.2. Controls
In summary, the protection standards adopt the following principles:
- It is a fundamental policy of the University of Brighton that all sensitive information will be protected while passing over public networks.
- Encryption is only permitted when authorised, using permitted technologies and methods. No unauthorised encrypted containers are permitted on the University of Brighton network.
- Systems that contain sensitive client, personnel and financial data will only be available for off-site remote access through a centrally managed secure access method that provides encryption and secure authentication.
- Departments should review data transfer within their control, and ensure that the required controls have been met.

5.5. Supplier Relationships
5.5.1. Policy
The University of Brighton requires that the services provided by external suppliers meet expectations, both in terms of information security and agreed service levels. The risk posed by suppliers will be understood, and controls implemented to ensure that all parties are satisfied that security will be maintained. This is particularly important for any third party who holds, or has unaccompanied access to, protected information as defined in the UoB IT Regulations document.

5.5.2. Controls
The following controls must be implemented:
- As part of a Risk Assessment, suppliers, contractors and other third parties are considered and, where there is thought to be a potential risk, recorded in the Departmental Risk Register and reviewed periodically.
- The right to audit suppliers on aspects of information security will be considered and applied in contracts where practical and where thought necessary.
- Where applicable, suppliers will be required to demonstrate that their security controls are aligned with those of the University of Brighton, either by completing questionnaires, supplying certificates or by allowing University of Brighton staff or representatives to audit systems or premises.
- Appropriate non-disclosure or confidentiality agreements may be drawn up and signed by suppliers and the University of Brighton.
- Access to premises will be carefully controlled, as described in the Physical Security section of this document.

- Any access to systems by third parties will be provided only after authorisation from Information Asset Owners and IT Security Practitioners. Appropriate technical means will be implemented to ensure access is restricted to the minimum possible level. Accounts must be disabled when not in use.
- Where the supplier provides a service, the service provided will be monitored, reviewed and audited as necessary.

5.6. Incident and Weakness Management
5.6.1. Policy
While the Information Security Management System (ISMS) has been planned and implemented in order to minimise the likelihood that an incident will occur, it is recognised that there may be occasions where policies and procedures are not followed, whether by staff, contractors, visitors, suppliers or any other third party. The University of Brighton is committed to responding to any breach of confidentiality, integrity or availability of any assets, either of the organisation or of its clients.

5.6.2. Controls
The following controls have been implemented to ensure that any incidents arising are quickly reported, receive an appropriate response, and are used to improve the information security management system:
- Incident management procedures have been written and are communicated to all members of the University in the UoB IT Regulations document.
- All staff will receive training which includes specific instruction on the requirement to report any incidents or potential incidents that are noted.
- Departmental Information Security Representatives must ensure that they are known as the local point of contact.
- Departmental Information Security Representatives will report on how many events, incidents or weaknesses have been reported (even if this is a nil return) as part of the annual departmental risk review.

5.7. Business Continuity Management
5.7.1. Policy
The University of Brighton provides a safe, secure IT environment to serve its requirements in order to ensure stability and continuity of the business. It is recognised that incidents can occur which interrupt normal business practices. The University of Brighton is committed to minimising the impact of any such incident that might affect the organisation's premises, staff or equipment.

5.7.2. Controls
1. Each department must maintain either a plan or a set of plans that describe how it will react to an incident that affects normal business operations. The plans should address the following aspects:
   - Notification of an incident, and plan invocation
   - Internal communications (to staff, students etc.)
   - External communications (to Estates, SMT, customers and suppliers)
   - Recovery of important operations to a 'stable' state
   The following scenarios should be covered in the plan or plans:
   - The unavailability of a building (with no damage)
   - The loss of a building
   - The unavailability of a key application, system or IT
   - The loss of key resources (e.g. staff, a key supplier)
2. A scenario-based walk-through of the plan or plans should take place at least once per year, taking into account one or more of the scenarios listed above.
3. A summary of the test shall be retained, and any actions arising from the test shall be tracked and closed as appropriate.
4. Other activities (communications cascade, testing involving other departments) should be considered to support the activities stated above.