New: In July 2012 an Information Security Policy was approved by Council and it will be implemented across the University. For further information about this policy, and for resources such as the Information Security Toolkit to help you implement it in your unit, please see the Information Security pages of the InfoSec project in IT Services.
1. Information Security Best Practice Project
Our aim is to help members of the collegiate University employ best practice within information security. To that end the project produced:
- a new Information Security Policy
- an Information Security Toolkit to support that policy
Are you responsible for how your department or college operates? Information for Administrators.
The Information Security Best Practice Project was housed within the Oxford University Computer Emergency Response Team (OxCERT). The project was led by Jonathan Ashton, member of the OxCERT team and Chair of the ICT Forum's Information Security Advisory Group (IS-AG). The project received valuable technical expertise from the OxCERT team and was guided by the Information Security Advisory Group.
The project sought to build on the knowledge, commentary and information gathered during the 2009 Self-Assessment exercise. Its objectives were to:
- Consolidate the existing policies on information security (Conditions for Connection and Security of Information) into one, high-level policy document.
- Review the best practice guidelines provided in 2009, taking into account comments made in the 2009 Self-Assessment Questionnaire, and in accordance with the consolidated policy.
- Develop an Information Security Toolkit, which includes policies, guidelines, documentation and education and awareness programmes.
- Identify areas where resources (knowledge and skills) can be found and shared and investigate the possible pooling and sharing of those resources.
- Investigate the area of Information Handling to develop guidelines and classification schemes.
- Consider specific services that could be provided centrally, resulting in a more efficient use of resources.
- November 2011 - End of the project
- November 2011 - As part of the process of submitting to Council, the new Information Security Policy will be submitted to PRAC in December 2011
- October 2011 - Toolkit published online: Information Security Toolkit
- October 2011 - Toolkit reviewed by the Information Security Advisory Group
- September 2011 - Presentation at the UAS conference: The new Information Security Policy (PDF, 557 KB; only available within the University network)
- July 2011 - Latest draft of the Information Security Policy available
- July 2011 - Toolkit additions
- July 2011 - Meeting with Council Secretariat to discuss submission to Council
- June 2011 - Information Security Policy package approved by the PRAC ICT Sub-committee
- June 2011 - Submitted the Information Security Policy package to the PRAC ICT Sub-committee
- May 2011 - Spin off project: bid for Whole Disk Encryption project submitted to the PRAC ICT Sub-committee
- May 2011 - Information Security policies circulated to Advisory Group and Council Secretariat
- March 2011 - Meeting of Advisory Group to refine the subsidiary policies
- March 2011 - Progress report at the ICT Forum Termly meeting
- February 2011 - One-page briefing document for Heads of Division/Department: ISBP Flyer (PDF, 52 KB)
- February 2011 - Subsidiary policies drafted and circulated to Advisory Group
- January 2011 - Meeting with Council Secretariat and Legal Services
- November 2010 - Draft policy submitted to the PRAC ICT Sub-committee
- September 2010 - Policy in drafting stage
- September 2010 - ISBP project at UAS Conference
- August 2010 - Meeting of Advisory Group
- August 2010 - Online access to British Standards, see Toolkit
- July 2010 - ISBP project at ICTF conference
2. Information Security Policy
Our aim was to provide you with an Information Security Policy, approved by Council and supported by the University: New Information Security Policy
We focused on consolidating the pre-existing policies on Information Security into one document. The resulting policy (the new Information Security Policy) defines the University's objectives for Information Security in line with its operational requirements and strategic plan. It also defines the scope of the policy and identifies roles and responsibilities for security.
In a devolved environment such as a collegiate university, it is imperative that the policy does not go into detail about how those objectives should be met: each unit within the University will have its own methods, practices and controls for achieving the objectives, depending on local circumstances. The Information Security Toolkit provides guidance on how those objectives might be met.
- Nov 2011: As part of the process of submitting to Council, the new Information Security Policy will be submitted to PRAC in December 2011
- July 2011: The ISBP team are now working with Council Secretariat to finalise the wording of the policy and then submit it to Council
- June 2011: Approved by PICT - Information Security Policy, June 2011
- Nov 2010: Submitted to PICT - Covering Letter and Draft Information Security Policy v1.1 (PDF, 58 KB)
3. Information Security Toolkit
Access the new Information Security Toolkit
To access the online British Standards library (see the Toolkit), ensure that you are connected to the internet through the University network. Then go to the BSI home page and you will be logged into the University's BSI subscription automatically. The right-hand corner of the screen should display the message 'Welcome, Mr. Oxford University'.
The July 2009 Self-Assessment Questionnaire (based on the existing security policies, Conditions for Connection and Security of Information) is a useful tool for units within the University to assess their approach to IT operations, management and security: Self-Assessment.
The University's IT Support Staff (ITSS) were invited to post questions and comments on the dedicated forum: ITSS Talk Shop. (To browse the ITSS Talk Shop, please use your Oxford Single Sign-On details.)
Discussions may also be found on the ITSS Discuss mailing list.
Encryption wiki: https://wiki.oucs.ox.ac.uk/itss/Encryption
4. Building on the 2009 Self-Assessment
The 2009 Self-Assessment exercise asked each unit within the collegiate University to assess their current approach to IT operations, management and security against recommended best practice guidelines (provided in the form of a self-assessment questionnaire). Every unit that completed the questionnaire was sent a confidential report based on their responses. The reports helped units to focus on areas where further resources may need allocating and to highlight if similar units have particular needs. Further detail on the Self-Assessment Questionnaire is available from the Office of the Director of IT website: 2009 Self-Assessment
The Advisory Group considered the responses gathered through the self-assessment process in detail. They summarised their thoughts and recommendations in the following: Report - 2009 Self-Assessment Exercise (link to Office of the Director of IT website, access restricted to Oxford only).
The information gathered helped the Advisory Group to understand where further attention, resources and best practice are needed to guide units of the collegiate University in their approach to IT operations, management and security. In general, the best practice guidelines on information handling proved to be an issue for all units within the collegiate University. However, the questionnaire also gave units the opportunity to comment, and these comments helped the Advisory Group understand why information handling was an issue, where gaps in policy exist and what can be provided to help close those gaps. The comments have been instrumental in guiding the 2010/2011 follow-up activity. A summary of the comments provided through the self-assessment exercise is available: Response to Comments (link to Office of the Director of IT website, access restricted to Oxford only).
5. Project Team
- Principal Investigator: Jonathan Ashton, Oxford University Computing Services
- Project Manager: Miranda Llewellyn, Office of the Director of IT
- Information Security Officer: Mark Duller, Oxford University Computing Services
- Project Sponsor: Professor Paul Jeffreys, Director of IT
- Advisory Group: Information Security Advisory Group
6. Project Planning
Report: Project Phase 2010-2011
Status: Submitted to the PRAC ICT Sub-committee, May 2010
Author: Jonathan Ashton
Following on from the 2009 Information Security Best Practice (ISBP) project, the Information Security Advisory Group (formed through the ICTF) reported to PICT on the findings of the Self-Assessment exercise. That report made a number of recommendations and was coupled with a request for funding to continue the project.
Having secured funding for 2 FTEs for 18 months, the report details how that money will be allocated in terms of the organisational structure of the project. It also outlines the project plan for the next 18 months and includes the key deliverables.
- Section 1. ISBP 2009 Self-Assessment
- Section 2. Organisation of ISBP 2010
- Section 3. Project Objectives
- Section 4. Information Security Policy
- Section 5. Information Handling
- Section 6. Best Practice and ISO27001-27002
- Section 7. Project Plan
Download a copy in PDF: Project Phase 2010-2011 (PDF, 68 KB)
7. Contact
Further Information on the Project
For information about the project, please contact: infosec@oucs.ox.ac.uk
Notification of a Security Breach
If you discover, or are alerted to, a security breach relating to the University of Oxford information systems or network, please let OxCERT know as soon as possible: contact OxCERT. They will endeavour to assist in the investigation, liaise with external organisations where appropriate, and look for other systems within the University network that may be involved.
Please also refer to OxCERT's information on incident handling: security incidents