Royal Holloway University London Information Security Policy, Study notes of Business

The information security policy of Royal Holloway University London (RHUL), which includes objectives, responsibilities, procedures, and codes of practice for protecting computing facilities, programs, data, network, and equipment against loss, misuse, or abuse. It also covers paper records and relates to personal data and UK/EU legislation.

Typology: Study notes

2021/2022

Uploaded on 09/27/2022 by kianx


Information Security Policy

Document Summary

Document ID: Information Security Policy
Status: Approved
Information Classification: Public
Document Version: 1.0 – May 2017

Information Security Policy Page 1 of 8

  1. Introduction

1.1. As a centre of knowledge and training, Royal Holloway University London (RHUL) focuses on exploiting information. Next to people, information is RHUL's most important asset. The information we use exists in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Regardless of the form it takes, or the means by which it is shared or stored, information should always be protected appropriately.

1.2. Information security is characterised here as being concerned with guaranteeing availability (ensuring that authorised users always have access to information when they need it), integrity (safeguarding its accuracy and completeness), confidentiality (ensuring that sensitive information is accessible only to those authorised to use it), and authenticity. It must also address proper methods of disposal of information that is no longer required. Security is essential to the success of almost every academic and administrative activity. Effective security is achieved by working within a proper framework, in compliance with legislation and RHUL's policies, and by adherence to approved procedures and codes of practice.

1.3. The objectives of this information security policy are to:

1.3.1 ensure that all of RHUL's computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse, and that this protection is cost-effective;

1.3.2 ensure that all users are aware of and fully comply with this policy statement and all associated policies, and are aware of and work in accordance with the relevant procedures and codes of practice;

1.3.3 ensure that paper records are kept securely and managed effectively;

1.3.4 ensure that all users are aware of and fully comply with the relevant UK and European Union legislation;

1.3.5 create across RHUL an awareness that appropriate security measures must be implemented as part of the effective operation and support of information management systems;

1.3.6 ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle;

1.3.7 ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required.

1.4. The policy applies to all staff and students of RHUL and all other computer, network or information users authorised by RHUL or any department or faculty


Security, will from time to time make available supplementary procedures and codes of practice, and promote them throughout RHUL; once approved by the IRGG these will also become RHUL policy and will be binding on departments. The ISAG will also arrange for analysis of security assessments received from departments, and report on these to the SIB.

2.5. The RHUL Head of Information Security, in addition to their involvement in policy making, provides relevant operational services. These include incident response and coordination, dissemination of security information, training, consultancy, and liaison with other external security teams and law enforcement agencies.

2.6. It is the responsibility of each individual to ensure his/her understanding of and compliance with this policy and any associated procedures or codes of practice.

2.7. Staff with supervisory responsibility should make their supervised staff or students aware of best practice.

2.8. Staff and students who process, or who are responsible for the processing of, personal data as defined in RHUL's Data Protection Policy are additionally required to understand and comply with all obligations placed upon them under agreements with external parties, including but not limited to information security, integrity and perpetual confidentiality.

  3. Compliance with Legislation

3.1. RHUL, each member of staff, and its students have an obligation to abide by all UK legislation and the relevant legislation of the European Union. Of particular importance in this respect are the Computer Misuse Act 1990, the Data Protection Act 1998, the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000, the Terrorism Act 2006 and the Counter-Terrorism and Security Act 2015. The Seventh Principle of the Data Protection Act 1998 requires that organisations take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The level of security must be appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage, and to the nature of the data to be protected.

3.2. Relevant legislation is referenced in supporting policies and guidelines. Full texts are available from The Stationery Office and at: http://www.legislation.gov.uk/ukpga/1998/29/contents

  4. Risk Assessment and Security Review by Departments

4.1. Information should be suitably classified according to the guidance given in the "Data Management Policy". Stewards should adopt a risk-based approach to assessing the value of the information handled, its sensitivity, the potential damage or distress caused by a loss of the information, and the appropriateness of the technological, organisational and physical security controls in place or planned. Without a proper assessment of the value of information assets, and of the consequences (financial, reputational and otherwise) of loss of data or disruption to service, efforts to improve security are likely to be poorly targeted and ineffective. Reviews should be conducted annually, to take account of changes in technology, legislation, business requirements and priorities, and whenever new data is assigned to a Data Steward. Security arrangements should be revised accordingly.

  5. Breaches of Security

5.1. Any individual suspecting that the security of a computer system has been, or is likely to be, breached should inform the RHUL Head of Information Security immediately. RHUL ISG will advise RHUL on what steps should be taken to avoid incidents or minimise their impact, and identify action plans to reduce the likelihood of recurrence.

5.2. In the event of a suspected or actual breach of security, the RHUL Head of Information Security may, after consultation with the relevant Steward or Head of Department, require that any unsafe systems, user/login names, data and/or programs be removed or made inaccessible.

5.3. Where a breach of security involving either electronic or paper records relates to personal data, the RHUL Data Protection Officer must be informed, as there may be an infringement of the Data Protection Act 1998 which could lead to intervention by the Information Commissioner's Office and potentially civil or criminal proceedings. It is vital, therefore, that users of RHUL's information systems comply not only with this policy but also with RHUL's Data Protection Policy and associated codes of practice, details of which may be found on the RHUL website.

5.4. All physical security breaches should be reported to RHUL Security.

5.5. IT may monitor network activity, receive reports from the RHUL Head of Information Security and other security agencies, and take action or make recommendations consistent with maintaining the security of RHUL information assets.

  6. Policy Awareness and Disciplinary Procedure

regulations and policies made by RHUL. Likewise, these latter are an integral part of the regulations for students.

The policy sub-documents that make up this document are:

- Credentials Policy
- Data Access Control Policy
- Physical Access Policy – Data Centre and Communications Cabinet Rooms
- Removable Media Policy
- Secure Build Policy
- Cloud / 3rd Party Code of Practice
- College Acceptable Use Policy
- Change Management Policy
- Incident Management Policy
- Penetration Testing Policy
- Vulnerability Management Policy
- 3rd Party Data Policy
- Asset Ownership Policy
- Data Quality and Consistency Policy
- Data Management Policy
- Data Retention Policy
- IT Patch/Upgrade Policy
- Logging and Monitoring Policy
- Connecting to Campus Network Policy
- Firewall Policy
- IP Allocation and Management Policy
- Remote Access Policy
- RIPA and FOI Policy for IT Services
- Wireless Access Policy
- Mobile Working Policy

Document Control Sheet

Revision History

Date of this revision: May 2017
Date of next revision: May 2018

| Revision date | Summary of Changes                                  | Changes marked |
|---------------|-----------------------------------------------------|----------------|
| 5.12.2016     | Initial Draft                                       | N              |
| February 2017 | Updated post workshops and comments from DPO (CC)   | N              |
| May 2017      | Version for SIB ratification                        | N              |

Approvals

Ratified by PRC: Yes
Approved by the Strategic IT Board: Yes