Information Security Policy

Contents

Purpose of policy

Scope/Applicability

Responsibilities

Detailed policy

Related legislation

List of Sub-policies and related policies and procedures

1. Purpose

1.1 Information is a vital asset to any organisation and this is especially so in a knowledge-driven environment such as Aberystwyth University, where information will relate to learning and teaching, research, administration and management. This policy is concerned with the management and security of the University’s information assets (an information asset is defined to be an item or body of information, an information storage system or an information processing system which is of value to the University) and the use made of these assets by its members and others who may legitimately process University information on behalf of the University.

1.2 This overarching policy document provides an overview of information security and lists a set of policy documents (sub-policies) which, taken together, constitute the University’s Information Security Policy.

1.3 An effective Information Security Policy provides a sound basis for defining and regulating the management of information systems and other information assets. This is necessary to ensure that information is appropriately secured against the adverse effects of failures in confidentiality, integrity, availability and compliance which would otherwise occur.

2. Scope/Applicability

2.1 The documents in the Information Security Policy set apply to all information assets which are owned by the University, used by the University for its purposes, or which are connected to any networks managed by the University.

2.2 The documents in the Information Security Policy set apply to all information which the University processes, irrespective of ownership or form.

2.3 The documents in the Information Security Policy set apply to all current staff, current students, Council and committee members, visiting staff and any others who may process information on behalf of the University or who have legitimate access to University systems.

2.4 Compliance with the Policy will be part of the contract of employment, a condition of Student Registration and part of the process granting others access to the facilities.

2.5 The Information Security Policy and sub-policies take precedence over other Information Services policies and procedures should there be any contradictions or lack of clarity.

3. Policy Governance

3.1 Responsibility for the production, maintenance and communication of this top-level policy document and all sub-policy documents lies with the Director of Information Services.

3.2 This overarching Information Security Policy document has been approved by the University, Digital Strategy Advisory Group. Any substantive changes may only be made with the further approval of the Digital Strategy Advisory Group. Responsibility for the approval of all sub-policy documents is delegated to the Information Security Working Group (InfoSec).

3.3 Each of the documents constituting the Information Security Policy will be reviewed annually. It is the responsibility of the Director of Information Services to ensure that these reviews take place. It is also the responsibility of the Director of Information Services to ensure that the policy set is, and remains, internally consistent.

3.4 Changes or additions to the Information Security Policy may be proposed by any member of staff, via their Head of Department, to the Director of Information Services.

3.5 Any substantive changes made to any of the documents in the set will be communicated to all relevant staff, students or other users..

4. Detailed Policy

4.1 Structure

4.1.1 The Information Security Policy document set is, where practicable, structured in accordance with the recommendations set out in the “UCISA Information Security Toolkit” (March 2015) which, in turn, reflects guidelines set out in the industry standard ISO 27001.

4.1.2 This overarching Information Security Policy document lists a set of other sub-policy documents which, together, constitute the Information Security Policy of the University. All of these documents are of equal standing. Although this policy set should be internally consistent, for the removal of any doubt, if any inconsistency is found between this overarching policy and any of the sub-policies, this overarching policy will take precedence.

4.1.3 Each of the sub-policy documents contains descriptions of requirements and principles. They do not, in every case, include detailed descriptions of policy implementation. Such details will, where necessary, be supplied in the form of separate procedural documents.

4.2 Information Security Principles

4.2.1 The following principles underpin this policy:

i. Information will be protected in line with all relevant University policies and legislation, notably those relating to data protection, human rights and freedom of information.

ii. It is the responsibility of all individuals to be mindful of the need for information security across the institution and to be aware of relevant policies and procedures.

iii. Where appropriate, each information asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.

iv. Information will be made available solely to those who have a legitimate need for access.

v. Where necessary and appropriate, information will be classified according to a level of security.

vi. The integrity of information will be maintained.

vii. It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.

viii. Information will be protected against unauthorised access.

ix. Compliance with the Information Security Policy will be enforced.

5. Related legislation

General Data Protection Regulation (UK GDPR)

Data Protection Act 2018

Freedom of Information Act 2000

Regulation of Investigatory Powers Act (RIPA) 2000

Computer Misuse Act 1990

Human Rights Act 1998

Equality Act 2010

Terrorism Act 2006

Limitation Act 1980