Aberystwyth University - Information Security Policy Statement

1. Introduction

Information is a key resource for Aberystwyth University [1], without which virtually all of our activities would cease. Because of its importance it is recognised that the University must do all it can to protect its information assets. We will do this in ways that are appropriate and cost effective.

This will help enable us to fulfil our responsibilities and to ensure that a high quality service can continue to be offered to our staff, students and other clients. Our ability to exploit and gain advantage from information will enable us to maintain and improve our reputation and ensure that we meet our strategic business and professional goals. In addition it will ensure that we do not lose opportunities for funding through a poor reputation for security.

2. Objective

The aim of AU Information Security Policy is to protect AU from security problems that might have an adverse impact on our operations and our professional standing.

Security problems can include questions of confidentiality (the wrong people obtaining information), integrity (information being altered without permission, whether deliberate or accidental) and availability (information not being available when it is required). For the purpose of this policy statement the widest possible definition of security will be used to include all types of incident that might have an impact on the effective use of information, including performance, consistency, reliability, accuracy and timeliness.

The scope of this policy document covers use of information both upon paper and via access to electronic records.

3. General Approach

AU will:

  1. Use all reasonable, appropriate, practical and effective security measures to protect its business processes and information assets from inappropriate use.
  2. Utilise the ISO17799: Code of Practice for Information Security Management as a framework for guiding its approach to managing security.
  3. Continually examine ways in which it can improve the use of security measures to protect and enhance its business interests.
  4. Protect and manage its information assets in such a way as to comply with its contractual, legislative, privacy and ethical responsibilities.

4. Responsibilities

AU Information Users[2]

  1. Have an obligation to protect the University’s information assets, systems and infrastructure. They must, at all times, act in a responsible, professional and security-aware way, maintaining an awareness of and conformance to this Policy.
  2. Must protect the information assets of third parties whether such protection is required contractually, legally, ethically or just out of respect for other individuals or organisations.
  3. If intending to access Information via electronic means, must register with Information Services and give their informed agreement to comply with AU Information Services regulations and the JANET acceptable use policy.
  4. Are responsible for identifying security shortfalls in existing security practices and/or improvements that could be made. Shortfalls involving ICT[3] issues should be reported to the Deputy Director of Information Services, other issues should be reported to heads of departments.

AU

  1. Will respect the concept of academic and individual freedom, but will expect its Information Users to ensure that colleagues and the University are not disadvantaged or penalised by inappropriate information security actions.
  2. Will charge the Information Strategy Committee [4] with responsibility for developing and implementing this Information Security Policy through a Security Sub-Committee which will report on information security issues, monitor progress and recommend appropriate actions.
  3. Will endeavour to ensure that sufficient resources are made available for the achievement of the objectives of the Information Security Policy.

5. Good Practice Principles

  1. Using risk analysis techniques AU will identify its security risks and their relative priorities, responding to them promptly and confidently, implementing safeguards that are appropriate, effective, culturally acceptable and practical.
  2. To promote better sharing and exploitation of information, all AU Information Users will have access to appropriate internal information, including overall guidelines to the security measures employed, wherever possible.
  3. All AU Information Users will be accountable for their actions and all actions will be attributable to an identified individual.
  4. All information (including third party information) will be protected by safeguards and handling rules appropriate to its sensitivity and criticality.
  5. Information owners will generally be responsible for identifying to whom their information may be released. On occasions, current legislation or contractual obligations may require its disclosure to authorised external bodies such as the police or JANET Computer Emergency Response Team (CERT).
  6. AU will seek to ensure that its activities can continue with minimal disruption, or other adverse impact, should it or any of its locations or services suffer any form of disruption or security incident.
  7. Actual or suspected security incidents must be reported promptly to the Information Services Computer Emergency Response Team[5] who will manage the incident to closure, and arrange for an analysis of lessons to be learnt.
  8. Documented procedures and standards, along with education and training, will supplement this Policy.
  9. Compliance with the Policy will be monitored on a regular basis by the Security Sub-committee, which will review this policy annually for completeness, effectiveness and usability together with identification and approval of planned improvements during the following twelve months.
  10. Effectiveness will be measured by AU’s ability to avoid security incidents and minimise resulting impacts, together with a process for benchmarking security maturity with other similar establishments.
  11. The ISC will sign off all new versions of the Information Security Policy. All AU Information Users are responsible for identifying ways in which the Information Security Policy might be improved. Suggestions for improvement should be sent to the Deputy Director of Information Services. Unless immediate changes are required, suggestions will be discussed at the annual review of the Policy.

6. Policy Awareness

A copy of this Policy will be made available to all staff and students currently at AU, or when they join AU. Individual sections of the Policy will be updated as required and will be available on the University's web site. All AU Information Users are expected to be familiar with, and to comply with, the Information Security Policy at all times. Further information or clarification on any aspects of this Policy may be obtained from the Director of Information Services.

7. Applicability and Enforcement

This Policy applies to all AU Information Users and those who use its facilities and information. Compliance with the Policy will be part of the contract of employment, a condition of Student Registration and part of the process granting others access to the facilities.

Failure to comply with the Information Security Policy could harm AU’s ability to achieve its mission and security objectives, and could damage the professional reputation of the establishment. It will, as the ultimate sanction, be treated as a disciplinary matter. The chair of the ISC will have overall responsibility for all decisions regarding the enforcement of this policy, utilising the legal sanctions or existing staff or student disciplinary procedures as appropriate.

--------------------------------------------------------------------------------

  1. Hereafter referred to as “AU”.
  2. All staff, students and other parties who have been granted access rights to facilities at AU.
  3. Information and Communications Technologies.
  4. Hereafter referred to as the “ISC”.
  5. See http://www.aber.ac.uk/en/is/about/sirp/.