Imperial College’s Information Security Policy and related Codes of Practice have been substantially rewritten and simplified so they describe our key information management and security responsibilities. Staff, students, partners and suppliers need to be confident that information is handled and stored in accordance with the three essential elements of information governance: security, confidentiality and integrity of data.
- The Information Governance Steering Group (IGSG) oversees the policies and management arrangements covering all aspects of Information Governance and Security, and is accountable to the Provost Board. IGSG is responsible for receiving and considering reports of information security incidents, and where appropriate recommending or undertaking remedial action.
- Heads of Departments (HoDs) are responsible for their staff and students being informed about and complying with the College’s Information Security Policy. Guidance is being provided to HoDs on how Information Assets specific to their department should be included in the College’s Information Asset Register, and an Information Owner assigned for every information asset. Training is being offered to individuals in each department who will advise staff and students on how this is done.
- Information Asset Owners are the assigned owners of College information assets as listed in the College’s Information Asset Register, responsible for assessing information security risks for their assets and placing appropriate measures accordingly.
- Staff, students and authorised third parties must at all times adhere to the College’s Information Security Policy and associated Codes of Practice. Compliance with the policy forms part of the Core Terms and Conditions of Service for College staff and forms part of the Regulations for Students. In particular, Section 11 of Information Security Policy, (Conditions of Use of IT Resources (Acceptable Use Policy) sets out specific responsibilities that must be accepted and adhered to by all.
- From 2017, all staff will be asked to confirm their understanding of their information and data protection obligations on an annual basis through the declaration of interests.