1. Covering Letter to Policy, draft v.1
This brief report is intended to accompany the first draft of an information security policy compiled by OxCERT and reviewed by the ICTF's information security advisory group (IS-AG) for the ISBP project. The policy is very much a draft and is open to further comment and guidance as appropriate. This report outlines the objectives of the policy and the reasons for its contents and covers the main action points that need to be approved by PICT. The executive summary below outlines the key proposals made:
- This information security policy has been agreed by the ICTF's information security advisory group (IS-AG).
- The information security policy will form the basis of a set of subsidiary policies.
- The information security policy should be signed off by the Registrar and become approved University policy through the procedure laid out by Council.
- Once approved, the policies should not need to be updated on a regular basis.
- A separate 'toolkit' of resources for ITSS will be developed and will be updated on a regular basis.
- There should be a review of the existing Regulations Relating to the use of Information Technology Facilities and the work done by the ISBP project will be able to feed into that.
- The scope of the policy is intended, initially, to include only ICT systems and electronic information.
- Whilst the scope of the policy includes all units (including colleges), this is a policy that applies to University owned data.
The creation of the information security policy document lies at the heart of the ISBP project. This draft policy is written in accordance with the UCISA information security toolkit (http://www.ucisa.ac.uk/en/publications/toolkit.aspx) and, consequently, in line with the ISO 27002:2005 code of practice for information security management. Its contents are based on a number of key factors which are described below.
The policy should define information security and the University's objectives for information security in line with its operational requirements and strategic plan. It should also express a statement of management intent towards supporting the goals and principles of information security and include a framework for setting objectives and targets. In addition the scope of the policy should be defined and roles and responsibilities for security should be identified.
This policy is intended to be a brief, high-level document that is available and communicated to all parties and states what the University is trying to achieve. However, particularly in a devolved environment such as a collegiate university, the policy should not go into detail about how those objectives should be met. Each unit within the University will have its own methods, practices and controls for achieving the objectives, depending on local influences. It is intended that the policy will be extended to include separate subsidiary policies which will focus on particular areas in line with the ISBP best practice guidelines that formed the basis of the self-assessment questionnaire. Currently those areas include:
- IT Management Structure
- Personnel, Recruitment and Training
- Network Management
- Access Control
- User Management
- Information Handling
- Physical Security
- Incident Response
- Business Continuity Planning
A separate information security toolkit will then be compiled which is intended to include useful resources for IT support staff in order to assist them with implementing the policies locally. Whereas the policies should not need to be updated regularly, the toolkit will be updated frequently.
As mentioned in the ISBP 2010 project plan, one of the critical success factors for any information security policy/programme is that it is approved and signed off at a high level. The advantages of doing so are a) to demonstrate the support of high-level management for information security and b) to give the policy some 'weight'. The IS-AG therefore recommends that the Registrar be ultimately responsible for this policy in line with the new ICT governance structure being implemented within the University. The advisory group also recommends that the policy become approved University policy through the procedure laid out by Council and so be given the same 'weight' as the Regulations Relating to the use of Information Technology Facilities.
As mentioned above it is intended that the information security policy document will lie at the root of a set of subsidiary policies that will focus on specific control areas as appropriate. We also recognise that this activity is part of a wider set of regulations and policies, and there has been considerable progress in clarifying these at http://www.ict.ox.ac.uk/oxford/rules/index.xml. In addition, we also recognise that there are plans to update the Regulations Relating to the use of Information Technology Facilities and suggest that the work carried out under this project will be able to feed into this process.
It is intended that this policy applies to ICT systems and electronic information (in storage and in transfer). However the scope is left deliberately open so that it may be easily extended to apply to non-electronic information in the future should this become appropriate as part of a wider information strategy.
Attention should also be drawn to the use of the terms "University" and "collegiate University" respectively. Whilst this policy is applicable to the collegiate University, it is a policy specifically on University owned data and not on data owned by, for example, a college. It therefore refers largely to the "University" in accordance with the other policy documents listed at http://www.ict.ox.ac.uk/oxford/rules/index.xml. This is not intended to exclude the Colleges from the scope of the policy, which is intended to include University owned data wherever it is handled. The "collegiate University" is also recognised in the section on "Organisation of Information Security", in which responsibility for information security is devolved to the head of department, college or unit.
Whilst the information security policy applies specifically to ICT systems and electronic information, it is evident that information security covers a wider remit than information technology and is not simply the responsibility of local ITSS. This is reflected by the fact that heads of department are named as being responsible for the security of information within their own units. Other user groups, such as administrators, senior managers, personnel and end-user groups, also need to be consulted in order to successfully identify an organisation's security requirements. The advisory group will continue to investigate the most appropriate way to include relevant user groups to ensure that the University's security requirements are identified.