Information Security

What are our Policies?

The University's information security policies, standards and procedures underpin and inform all of the advice on these web pages. It is your responsibility to ensure that you understand and comply with all the policies that are relevant to you.

Overarching Information Security Policies:

  • Information Security: Sets out the University's overarching objectives and approach to protecting information. Defines key roles and responsibilities for information security.
    Applies to: All staff and any other individuals (including students) who handle University information.
  • Information Systems Security: Sets out the overarching requirements for the use and management of IT to ensure that University information is appropriately protected.
    Applies to: All staff, all students and any other individuals who access University IT facilities.

Data Protection and Information Management Policies:

  • Data Protection: What you need to do to comply with the law if you are handling personal data or receive a request for personal data.
    Applies to: Staff and students who handle personal data.
  • Records Management Policy and Records Retention Schedule: Sets out the University's standards for good records management and the recommended length of time records should be retained, and provides advice on the appropriate means of disposal.
    Applies to: All staff.

Standards for secure information management:

  • Information Security Classification Scheme: Sets out how the University classifies information to help ensure that an appropriate level of security is applied.
    Applies to: All staff, and any other individuals (including students) handling University information.
  • Information Transfer: Sets out the permissions needed and the steps you need to take to secure CONFIDENTIAL and SECRET University Information when transferring it between individuals or systems within the University, or transferring it outside of the University.
    Applies to: All staff, and any other individuals (including students) handling restricted access University information.
  • Mobile and Off-Campus Working: What you need to do to protect information if you are using a mobile device for work either on or off campus, or travelling or working off-campus with University Information in any form.
    Applies to: Anyone handling University information in the context of mobile working (e.g. using a laptop, tablet or smartphone around campus) or off-campus working (e.g. working from home, travelling, on field trips).
  • Physical Access Control: Sets out the required physical security controls for areas where University information is processed or stored.
    Applies to: All staff, and any other individuals responsible for a) collecting, storing or processing University information, b) managing University property, third party storage providers and / or spaces hosting core computer and network systems.
  • Work Space Standard: Sets out how you should manage your immediate working area, to ensure that the University Information you work with is kept secure. This includes working with a clear desk, locking screens, and handling post or confidential waste securely.
    Applies to: All staff and any other individuals (including students) who handle University Information.

IT Regulations and Policies:

  • Student IT Regulations: Sets out acceptable use of University IT facilities, and your responsibilities when accessing and using them.
    Applies to: All Students.
  • Staff IT Regulations: Sets out acceptable use of University IT facilities, and your responsibilities when accessing and using them.
    Applies to: All Staff, and any other individuals who access University IT Facilities (e.g. visitors or contractors).
  • Monitoring and Interception: Sets out the University’s approach to monitoring and interception and the circumstances and procedures under which the University may monitor activity, or grant access to information in an individual’s IT account.
    Applies to: All staff, all students, and any other individuals who use University IT facilities.

Standards for security of IT systems and equipment:

  • Anti-Malware Standard: Requirements for anti-malware software for any equipment used to connect to University networks, or to access, process or store University information.
    Applies to: All staff, all students, and any other individuals who use University IT facilities.
  • Backup Standard: Sets out the requirements for backup of electronic University information, software and systems.
    Applies to: All staff and any other individuals (including students) who handle University Information.
  • Encryption Standard: Requirements for encryption when using mobile devices (e.g. laptops, smartphones) or removable media (e.g. USB drives), or when transferring restricted information between systems (e.g. via email).
    Applies to: All staff, and any other individuals (including students) handling restricted access University information.
  • Hardware Asset Management: Sets out the requirements governing purchase and management of University hardware, and what your responsibilities are if you are issued with a University device.
    Applies to: All staff and any other individuals issued with or responsible for University hardware.
  • Management of Technical Vulnerabilities: Sets out the requirements for managing the risks posed by technical vulnerabilities in hardware or software.
    Applies to: Anyone managing or maintaining any University hardware or any software connected to the University network and / or used to store University information.
  • Network Security: Sets out a) acceptable use of the network, and b) minimum standards and controls that need to be implemented for network security.
    Applies to: Acceptable use of the network (section 4) applies to everyone who accesses the University network. Management and control of the network (section 5) applies to those implementing, managing or supporting the network or services delivered across it.
  • Password Standard: What you need to do to keep your password secure.
    Applies to: All staff, all students and any other individuals with access to University IT facilities.
  • Software Asset Management: Sets out the requirements governing purchase and management of University software.
    Applies to: Anyone responsible for managing software assets, managing or supporting hardware on which University software is installed, or involved in purchasing software on behalf of the University.
  • Software Installation and Use: What you need to comply with if you are using software provided by the University, or installing software on University equipment.
    Applies to: All staff, students, and any other individuals who use software installed on University equipment, or provided by the University.
  • Staff IT Accounts: Sets out who gets a Staff IT Account, and when this access should be changed or removed. This includes when IT access is given to unpaid workers within the University.
    Applies to: All staff, unpaid workers.
  • Student IT Accounts: Sets out who gets a Student IT Account, and when access should be changed or removed.
    Applies to: All students.
  • System Access Control: Sets out the access control requirements for managing access to University systems.
    Applies to: Information Owners and staff responsible for administering University systems.
  • System Acquisition, Development and Maintenance: Sets out the University's approach to acquisition, development and maintenance of systems.
    Applies to: Anyone acquiring, developing or maintaining systems processing University information or connected to University networks.
  • Use of Non-University-Owned Devices: Sets out the requirements you need to meet if you are using your own private device (or any other device not owned by the University) to connect to the University network, whether on-site or remotely, or to work with University Information.
    Applies to: All staff, all students and any other individuals with access to University IT facilities.

Procedures:

  • Information Security Incidents and Weaknesses Reporting: Sets out the University's procedure for reporting incidents, weaknesses and breaches.
    Applies to: All staff and any other individuals (including students) who handle University information.
  • Lost and Found USBs: Sets out the University's approach to lost and found USB storage devices.
    Applies to: All staff, all students and any other individuals who access University IT facilities.
  • Re-use, Recycling and Disposal of Equipment: Sets out the University's procedures for secure re-use, recycling or disposal of equipment.
    Applies to: All staff, and any other individuals issued with or responsible for University equipment.