Information Security Policy
1.1 Information plays a fundamental role in supporting all activities of the College. Properly securing all information that the College processes is essential to the success of its academic and administrative activities. This is to be achieved through managing the three essential attributes of information security: Confidentiality, Integrity and Availability, which are the vital building blocks for safeguarding the College’s information.
1.2 The objectives of this policy are to:
1.2.1 Enable adequate protection of all of the College's information assets against loss, misuse or abuse.
1.2.2 Make all users aware of this Policy Statement and all associated policies, and of the requirement to work in accordance with the relevant Guidelines and Codes of Practice.
1.2.3 Make all users aware of the relevant UK and European Community legislation, and of their responsibilities with regard to it.
1.2.4 Create an awareness that appropriate security measures must be implemented across the College as part of the effective operation and support of Information Security (IS).
1.2.5 Make all users understand their own responsibilities for protecting the confidentiality, integrity and availability of the data they handle.
1.3 This Policy should be read in conjunction with the College’s Data Protection Policy and associated Codes of Practice, which provide more detailed guidance on protecting personal data and satisfy the Data Protection Act's requirement for a formal statement of the College's security arrangements for personal data.
2.1 All College staff, students and other authorised third parties, including guests to the College, who may have access to information held by or on behalf of the College, must adhere to the College’s Information Security Policy and its associated Codes of Practice. The scope of the policy covers: their use of College-owned, leased, rented and on-loan facilities; all non-College systems (owned, leased, rented or on loan) when connected to the College network directly or indirectly; all College-owned or College-licensed data and applications, whether held on College or non-College systems; and all data and applications provided to the College by sponsors or external agencies.
2.2 All guests using College IT facilities and/or the College internet connection must be known to a member of College as their sponsor. Sponsors must be able to identify and take responsibility for the actions of their individual guests. For further information regarding the setup of guest accounts, refer to ICT’s Guest Accounts page.
2.3 The policy applies throughout the lifecycle of the information from creation, storage, and use to disposal. It applies to all information including:
• Information stored electronically on databases or files and/or processed by applications, e.g. email.
• Information stored on computers, PDAs, mobile phones, printers, or removable media such as hard disks, CD-ROMs, memory sticks, tapes and other similar media.
• Information transmitted on networks.
• Information sent by fax or other communications methods.
• All paper records.
• Microfiche, visual and photographic materials including slides and CCTV.
• Spoken information, including face-to-face, voicemail and recorded conversations.
2.4 Although the use of social media resources by College members is unrestricted and not centrally moderated, the College requires its members to ensure that they respect this policy and cause no damage to the College's reputation. For further information, refer to the College’s web guides on the Social Media and Collaboration Policy.
3.1 Information Governance Steering Group (IGSG)
The Group oversees the policies and management arrangements covering all aspects of Information Governance, commissioning assessments and audits as required. It is accountable to the Provost Board and is responsible for receiving and considering reports of information security incidents and, where appropriate, recommending or undertaking remedial action. It is also responsible for ratifying changes to Information Governance policies, including the Information Security and Data Protection policies.
3.2 Information Security Steering Group (ISSG)
The group reports to IGSG and acts as a forum to provide advice and propose changes to policies and codes of practice, particularly on changes to Information Security and on reports of information security incidents, as well as on remedial actions.
3.3 Heads of Departments and Heads of Divisions
Heads of Departments and Heads of Divisions (HoDs) are responsible for ensuring that staff, students and other authorised individuals within their department or division are informed of, and comply with, the College’s Information Security Policy, particularly Section 11: Conditions of Use of IT Resources, and the associated Codes of Practice. They are also responsible for ensuring that all Information Assets held by their departments or divisions are included in the College’s Information Asset Register and that an Information Owner is assigned for every Information Asset.
3.4 Information Asset Owners
Information Asset Owners are the assigned owners of College information assets as listed in the College’s Information Asset Register. They are responsible for assessing the information security risks to their assets and putting appropriate measures in place accordingly. They are also known as Business Owners and Custodians.
3.5 Staff, students and authorised third parties
All College staff, students and authorised third parties must adhere to the College’s Information Security Policy and associated Codes of Practice. Compliance with the policy forms part of the Core Terms and Conditions of Service for College staff and part of the Regulations for Students. Section 11 of this policy, “Conditions of Use of IT Resources (Acceptable Use Policy)”, is displayed to and must be accepted by all staff and students before they can start using their College user name. Any actual or suspected information security incident (such as accidental exposure or loss, unauthorised access, a computer virus or other malicious software) must be reported to ICT’s Service Desk immediately. Concerned individuals may contact any senior member of ICT or the College directly (see section 7.1 for their contact details).
3.6 Director of ICT
The Director of ICT is responsible for overseeing ICT’s resources in managing day-to-day information security activities. The Director of ICT may decide to audit systems to identify and mitigate risks, or to make inaccessible or remove from the network any unsafe user/login names, data and/or programs on the system.
4. COMPLIANCE WITH LEGISLATION
4.1 The College has an obligation to abide by all UK legislation and relevant legislation of the European Community. Of particular importance in this respect are the Computer Misuse Act 1990, the Regulation of Investigatory Powers Act 2000, the Data Protection Act 1998, and the “Prevent Duty Guidance” issued under the Counter-Terrorism and Security Act 2015.
4.2 The requirement for compliance devolves to all users, who may be held personally responsible for any breach of the legislation. Failure of an individual student or member of staff to comply with this policy, or with any legislation, may lead to the instigation of the relevant disciplinary procedures as set out in the College Statutes for staff and College Regulations for students. Failure of a contractor to comply could lead to the cancellation of a contract. In certain circumstances, legal action may be taken.
5. COLLEGE ASSET REGISTER AND RISK ASSESSMENTS
5.1 The College maintains an Information Asset Register that contains the details of the information assets used in the College. It is the responsibility of Heads of Departments and Divisions to assign Information Asset Owners for every information asset kept by their departments and to record these in the Information Asset Register. A risk assessment must be carried out for every information asset and, for those identified as containing sensitive data, measures to mitigate the identified risks must be agreed, implemented and also recorded in the asset register. Heads of Departments and Divisions must review their Information Assets in the College’s Asset Register annually. For further information, refer to Guideline 1: Information Security Risk Assessment Guideline.
6. MONITORING ELECTRONIC COMMUNICATIONS
6.1 In accordance with the “Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000”, made under the “Regulation of Investigatory Powers Act 2000” (RIPA), the College will exercise its right to intercept and monitor electronic communications received by and sent from the College for the purposes permitted under those Regulations. These purposes include, but are not limited to, monitoring for criminal or unauthorised use, viruses and threats to the system (e.g. hacking and denial-of-service attacks), and ensuring the effectiveness of its operations and compliance with College policies and regulations. The monitoring process will be carried out in accordance with “Code of Practice 4: Inspection of Electronic Communications and Data”.
7. INFORMATION SECURITY INCIDENTS
7.1 Anyone suspecting that there has been, or is likely to be, an information security incident, such as a breach of the confidentiality, availability or integrity of information, or the misuse of an information asset, should inform ICT’s Service Desk immediately. Concerned individuals may contact any senior member of ICT or the College directly. The Provost or, if not available, the Director of ICT has the authority to take whatever action is deemed necessary to protect the College against breaches of security.
7.2 In the event of a suspected or actual information security incident or an unacceptable network event, the Director of ICT may decide to make inaccessible or remove from the network any unsafe user/login names, data and/or programs on the system. Refer to Guideline 2: Connecting to the College Network for more information.
7.3 Failure to report an information security incident may lead to disciplinary action being taken. If you are in any doubt regarding whether to report an incident, you should seek advice from ICT.
8. SECURITY EDUCATION AND TRAINING
8.1 New users of IT facilities (staff, students and approved third parties) should, before access to IT services is granted, be instructed on the College policies and Codes of Practice relating to information security, and given training on the procedures relating to the security requirements of the particular work they are to undertake and on the correct use of the College's IT assets in general. They should be made aware in particular of this policy, including the reporting procedures in section 7.
8.2 All existing staff and students of the College must attend IT security inductions when joining the College, must keep up to date with the latest security advice, and must complete the College’s Security Awareness training.
9. SECURITY CONSIDERATIONS FOR EMPLOYMENT
9.1 Security roles and responsibilities, as laid down in this Policy and related Codes of Practice, should be included in job descriptions, where appropriate. These should include any general responsibilities for implementing the security policy as well as any specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities.
9.2 Applications for employment should be screened if the job involves access to College Information Systems for the handling of commercially or otherwise sensitive information. This is further explained in the Pre-employment Checks section of HR’s Recruitment and Selection Procedure.
9.3 Agency staff and approved third-party users of College Information Systems will be required to sign a Confidentiality or Non-disclosure Agreement as part of their contract. See the Types of Research Contract page on the Research Office pages for more information.
10. PROTECTING SENSITIVE DATA
10.1 It is essential that the College protects sensitive data with enhanced security measures. Sensitive data can be defined as any information which is:
(a) Commercially sensitive administrative / planning data
(b) Commercially sensitive research data, and data which could bring harm if exposed to third parties
(c) Personal and Sensitive Personal data as defined in the Data Protection Act 1998 under Schedules 2 and 3.
(d) Patient Identifiable Data held for research purposes
(e) Data protected by confidentiality agreements with third parties.
10.2 Sensitive data must not be stored on or communicated through services which are not provided by the College, such as personal email (Gmail, Hotmail, etc.) or web-based ‘cloud’ storage services (e.g. Google Apps).
10.3 For guidance on protecting sensitive personal data, refer to the College’s Data Protection Policy.
10.4 Databases and computers containing sensitive data must be protected with a number of security controls. They must be encrypted and must require users to enter credentials to access the data. Where possible, data should be anonymised to remove personal identifiers, especially where patient identifiable data is concerned.
10.5 Computers containing sensitive data must be disposed of properly, to ensure that all data has been properly wiped. More information on how to dispose of hardware properly is available from ICT.
10.6 Data files must be encrypted both at rest and in transit. For more information, refer to ICT’s Encrypt Sensitive Information pages.