3. Responsibilities

3.1. Council

Council has ultimate responsibility for information security within the University. More specifically, it is responsible for ensuring that the University complies with relevant external requirements, including legislation.

3.2. PRAC ICT sub-committee (PICT)

The PRAC ICT sub-committee (PICT), or any future equivalent body, is responsible to Council for:

  1. ensuring that users are aware of this policy;
  2. seeking adequate resources for its implementation;
  3. monitoring compliance;
  4. conducting regular reviews of the policy, having regard to any relevant changes in legislation, organisational policies and contractual obligations; and
  5. ensuring there is clear direction and visible management support for security initiatives.

3.3. Heads of department

Given the University’s devolved structure, heads of department are responsible for information security within their departments. They must ensure that the department has in place a local information security policy to meet its own particular needs, consistent with the requirements of this overarching policy. The local information security policy should identify the department’s own information security requirements and provide a management framework for meeting those requirements. ‘Department’ in this context includes equivalent local units, as well as divisional offices.

Specific roles and responsibilities for information security within departments should be clearly identified.

The head of department must approve the policy, and ensure that it is implemented and kept under regular review.

3.4. Users and External Parties

Users of University information will be made aware of their own individual responsibilities for complying with University and departmental policies on information security.

Agreements with third parties that involve accessing, processing, communicating or managing the University’s information or information systems should cover all relevant security requirements, and those requirements should be set out in the contractual arrangements.
