The information security policy of Royal Holloway University London (RHUL), which includes objectives, responsibilities, procedures, and codes of practice for protecting computing facilities, programs, data, network, and equipment against loss, misuse, or abuse. It also covers paper records and relates to personal data and UK/EU legislation.
Document ID: Information Security Policy
Status: Approved
Information Classification: Public
Document Version: 1.0 – May 2017
Information Security Policy Page 1 of 8
1.1. As a centre of knowledge and training, Royal Holloway University London (RHUL) focuses on exploiting information. Next to people, information is RHUL’s most important asset. The information we use exists in many forms: printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on films, or spoken in conversation. Regardless of the form it takes, or the means by which it is shared or stored, information should always be protected appropriately.

1.2. Information security is characterized here as being concerned with ensuring availability (authorized users always have access to information when they need it), integrity (its accuracy and completeness are safeguarded), confidentiality (sensitive information is accessible only to those authorized to use it) and authenticity. It must also address proper methods of disposal of information that is no longer required. Security is essential to the success of almost every academic and administrative activity. Effective security is achieved by working within a proper framework, in compliance with legislation and RHUL’s policies, and by adherence to approved procedures and codes of practice.

1.3. The objectives of this information security policy are to:
1.3.1 ensure that all of RHUL’s computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse, and that this protection is cost-effective;
1.3.2 ensure that all users are aware of and fully comply with this policy statement and all associated policies, and are aware of and work in accordance with the relevant procedures and codes of practice;
1.3.3 ensure that paper records are kept securely and managed effectively;
1.3.4 ensure that all users are aware of and fully comply with the relevant UK and European Union legislation;
1.3.5 create across RHUL an awareness that appropriate security measures must be implemented as part of the effective operation and support of information management systems;
1.3.6 ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle;
1.3.7 ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required.

1.4. The policy applies to all staff and students of RHUL and all other computer, network or information users authorized by RHUL or any department or faculty
Security, will from time to time make available supplementary procedures and codes of practice, and promote them throughout RHUL; once approved by the IRGG these will also become RHUL policy and will be binding on departments. The ISAG will also arrange for analysis of security assessments received from departments, and report on these to the SIB.

2.5. The RHUL Head of Information Security, in addition to their involvement in policy making, provides relevant operational services. These include incident response and coordination, dissemination of security information, training, consultancy, and liaison with other external security teams and law enforcement agencies.

2.6. It is the responsibility of each individual to ensure his/her understanding of and compliance with this policy and any associated procedures or codes of practice.

2.7. Staff with supervisory responsibility should make their supervised staff or students aware of best practice.

2.8. Staff and students who process or who are responsible for the processing of personal data, as defined in RHUL’s Data Protection Policy, are additionally required to understand and comply with all obligations placed upon them under agreements with external parties, including but not limited to information security, integrity and perpetual confidentiality.
3.1. RHUL, each member of staff, and its students have an obligation to abide by all UK legislation and the relevant legislation of the European Union. Of particular importance in this respect are the Computer Misuse Act 1990, the Data Protection Act 1998, the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000, the Terrorism Act 2006 and the Counter Terrorism and Security Act 2015. The Seventh Principle of the Data Protection Act 1998 requires that organisations take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage, and to the nature of the data to be protected.

3.2. Relevant legislation is referenced in supporting policies and guidelines. Full texts are available from The Stationery Office and at: http://www.legislation.gov.uk/ukpga/1998/29/contents
4.1. Information should be suitably classified according to the guidance given in the “Data Management Policy”. Stewards should adopt a risk-based approach to assessing the value of the information handled, its sensitivity, the potential damage or distress caused by loss of the information, and the appropriateness of the technological, organisational and physical security controls in place or planned. Without proper assessment of the value of information assets, and of the consequences (financial, reputational and otherwise) of loss of data or disruption to service, efforts to improve security are likely to be poorly targeted and ineffective. Reviews should be conducted annually, and whenever new data is assigned to a Data Steward, to take into account changes to technology, legislation, business requirements and priorities. Security arrangements should be revised accordingly.
5.1. Any individual suspecting that the security of a computer system has been, or is likely to be, breached should inform the RHUL Head of Information Security immediately. RHUL ISG will advise RHUL on what steps should be taken to avoid incidents or minimize their impact, and identify action plans to reduce the likelihood of recurrence.

5.2. In the event of a suspected or actual breach of security, the RHUL Head of Information Security may, after consultation with the relevant Steward or Head of Department, require that any unsafe systems, user/login names, data and/or programs be removed or made inaccessible.

5.3. Where a breach of security involving either electronic or paper records relates to personal data, the RHUL Data Protection Officer must be informed, as there may be an infringement of the Data Protection Act 1998 which could lead to intervention by the Information Commissioner’s Office and potentially civil or criminal proceedings. It is vital, therefore, that users of RHUL’s information systems comply, not only with this policy, but also with RHUL’s Data Protection Policy and associated codes of practice, details of which may be found on the RHUL website.

5.4. All physical security breaches should be reported to RHUL Security.

5.5. IT may monitor network activity, receive reports from the RHUL Head of Information Security and other security agencies, and take action or make recommendations consistent with maintaining the security of RHUL information assets.
regulations and policies made by RHUL. Likewise, the latter are an integral part of the regulations for students.

The policy sub-documents that make up this document are:

Credentials Policy
Data Access Control Policy
Physical Access Policy – Data Centre and Communications Cabinet Rooms
Removable Media Policy
Secure Build Policy
Cloud / 3rd Party Code of Practice
College Acceptable Use Policy
Change Management Policy
Incident Management Policy
Penetration Testing Policy
Vulnerability Management Policy
3rd Party Data Policy
Asset Ownership Policy
Data Quality and Consistency Policy
Data Management Policy
Data Retention Policy
IT Patch/Upgrade Policy
Logging and Monitoring Policy
Connecting to Campus Network Policy
Firewall Policy
IP Allocation and Management Policy
Remote Access Policy
RIPA and FOI Policy for IT Services
Wireless Access Policy
Mobile Working Policy
Document Control Sheet

Revision History
Date of this revision: May 2017
Date of next revision: May 2018

Revision date    Summary of Changes                                      Changes marked
5.12.2016        Initial Draft                                           N
February 2017    Updated post workshops and comments from DPO (CC)       N
May 2017         Version for SIB ratification                            N

Approvals
Ratified by PRC: Yes
Approved by the Strategic IT Board: Yes