The University's information security policies are intended to highlight, address, and mitigate for risks associated with information loss, theft or corruption. Specific policies highlight the approach to handling risks, whereas other policies enable risks to be exposed.
Aims and objectives
The General Information Security Policy has been developed to address security concerns regarding all electronic information within the University. Information Security is considered to comprise the following three aspects:
Confidentiality: To ensure that information assets and services are only accessed by authorised parties.
Integrity: To ensure that information assets can only be modified by authorised parties and only in authorised ways. The definition of ‘modified’ includes, created, written to, changed, have its status changed and deleted.
Availability: To ensure that information assets and services are accessible to authorised parties at appropriate times.
As part of the implementation of this Policy with respect to all assets and services, an assessment is to be carried out to ensure that the above objectives are considered during the design, creation, development, deployment, modification, maintenance and disposal of assets and services.
The General Information Security Policy is a collection of statements addressing the aims and aspirations for information security at the University. Where an implemented solution or service is unable to achieve the standard set in these policies, a risk assessment should be conducted to confirm that the risk is acceptable and if so the non-compliance should be recorded as a risk against that service. GISP1 describes policy on risk assessment and management.
The General Information Security Policy comprises the following twenty-four sections:
GISP1. Risk assessment and risk management
GISP2. Conditions of Computer Use
GISP3. Physical and environmental security
GISP4. Identification, authentication and authorisation
GISP5. Use of passwords
GISP6. Use of email
GISP7. Onsite access control
GISP8. Offsite access control
GISP9. Change management
GISP10. Protection against malicious software
GISP11. Information classification
GISP12. Secure areas
GISP13. Business continuity and disaster recovery
GISP14. Incident reporting and handling
GISP15. Network monitoring
GISP16. Legal and regulatory compliance
GISP17. IT and information asset management
GISP18. Encryption use and key material handling
GISP19. Personnel security
GISP20. Personally-owned equipment terms and conditions
GISP21. Liability of own systems and content brought to University
GISP22. Working with third parties
GISP23. Mobile devices
GISP24. Systems management and development
All twenty-four sections are available for download in a single document.
Organisation of the Policy
These security policies apply to the University’s network, telecommunication systems, IT and computing systems and the information stored on these. All members of the University and visitors using the University’s IT and computing facilities and associated telecommunication systems are expected to be aware of and comply with those policies which apply to their area of use. It is the responsibility of heads of Faculties, Schools and Units to ensure their staff and students are aware of and comply with these policies.
Governance and implementation
The Information Strategy and Services Committee (ISSC) has oversight of the University’s information security policies. Information Services will work with individuals and departments to deliver solutions compliant with these policies. It will also provide advice, guidance and training to the University community to raise awareness, develop understanding and good practices and minimise risk. Where resources allow, Information Services will work with the internal auditor and engage third party services to provide assurance of compliance with these policies.
Policy review and monitoring
Information Services is responsible for the review and monitoring of this Policy which will be checked on a regular basis in order to ensure compliance with legislation, and that recognised best practice is followed.