Council has ultimate responsibility for information security within the University. More specifically, it is responsible for ensuring that the University complies with relevant external requirements, including legislation.
- ensuring that users are aware of this policy;
- seeking adequate resources for its implementation;
- monitoring compliance;
- conducting regular reviews of the policy, having regard to any relevant changes in legislation, organisational policies and contractual obligations; and
- ensuring there is clear direction and visible management support for security initiatives.
Given the University’s devolved structure, heads of department are responsible for information security within their departments. They must ensure that the department has in place a local information security policy to meet its own particular needs, consistent with the requirements of this overarching policy. The local information security policy should identify the department’s own information security requirements and provide a management framework for meeting those requirements. ‘Department’ in this context includes equivalent local units, as well as divisional offices.
Agreements with third parties involving accessing, processing, communicating or managing the University’s information, or information systems, should cover all relevant security requirements, and be covered in contractual arrangements.