Information Security Policy

IT Services

Information Security Policy

Contents

1. Purpose
2. Aims and Committments
3. Responsibilities
- 3.1. Council
- 3.2. PRAC ICT sub-committee (PICT)
- 3.3. Heads of department
- 3.4. Users and External Parties
4. Risk Assessment and the Classification of Information
- 4.1. Risk assessment of information held
- 4.2. Personal Data
5. Protection of Information Systems and Assets
6. Protection of Confidential Information
- 6.1. Storage
- 6.2. Access
- 6.3. Remote Access
- 6.4. Copying
- 6.5. Disposal
- 6.6. Use of Portable Devices or Media
- 6.7. Exchange of Information and Use of Email
- 6.8. Cryptographic Controls
- 6.9. System Planning and Acceptance
- 6.10. Backup
- 6.11. Further information
- 6.12. Hard Copies
  - 6.12.1. Protective Marking
  - 6.12.2. Storage
  - 6.12.3. Removal
  - 6.12.4. Transmission
  - 6.12.5. Disposal
  - 6.12.6. Enforcement
7. Compliance

New: In July 2012 an Information Security Policy was approved by Council and this will be implemented across the University. For further information about this IS Policy and resources such as the IS Toolkit to help you implement this in your unit please see the Information Security pages from the InfoSec project in the IT Services department. The University IS Policy supersedes the policy on the ISBP pages below.

About this Policy

This policy was written by the University's ICTF Information Security Advisory Group in consultation with the Legal Services Office, Council Secretariat and the Information Security Best Practice Project. It is written in accordance with the UCISA information security toolkit and, consequently, in line with the ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management.

The policy has been approved by the PRAC ICT Sub-committee (PICT), the principal advisory body to PRAC and Council on all aspects of ICT. The ISBP team are now working with Council Secretariat to finalise the wording and to begin the process of submitting the policy to Council, the University's executive governing body. Our aim is to have the policy approved by Council and for it to become part of the Terms and Conditions of Employment for the University.

The policy is supported by an Information Security Toolkit which provides suggested technical solutions and sub-policies to help departments, faculties, colleges and halls implement the principles: Online Toolkit.

1. Purpose

This policy provides a framework for the management of information security throughout the University. It applies to:

all those with access to University information systems, including staff, students, visitors and contractors;
any systems attached to the University computer or telephone networks and any systems supplied by the University;
all information (data) processed by the University pursuant to its operational activities, regardless of whether it is processed electronically or in paper (hard copy) form, any communications sent to or from the University and any University information (data) held on systems external to the University’s network;
all external parties that provide services to the University in respect of information processing facilities and business activities; and
principal information assets including the physical locations from which the University operates.

2. Aims and Committments

The University recognises the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University’s activities, and are essential to its research, teaching and administrative functions.
Any reduction in the confidentiality, integrity or availability of information could prevent the University from functioning effectively and efficiently. In addition, the loss or unauthorised disclosure of information has the potential to damage the University’s reputation and cause financial loss. The Information Commissioner’s Office (ICO) has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.
To mitigate these risks, information security must be an integral part of information management, whether the information is held in electronic or hard-copy form.
The University is committed to protecting the security of its information and information systems in order to ensure that:
1. the integrity of information is maintained, so that it is accurate, up to date and ‘fit for purpose’;
2. information is always available to those who need it and there is no disruption to the business of the University;
3. confidentiality is not breached, so that information is accessed only by those authorised to do so;
4. the University meets its legal requirements, including those applicable to personal data under the Data Protection Act; and
5. the reputation of the University is safeguarded.
In order to meet these aims, the University is committed to implementing security controls that conform to best practice, as set out in the ISO/IEC 27002:2005 Information Security Techniques – Code of practice for information security management. The University has drawn up an information security toolkit (the ‘Toolkit’) in order to provide advice and guidance on the technical aspects of information security. The Toolkit is based on the information security toolkit of the Universities and Colleges Information Systems Association and adheres to the standards of ISO/IEC 27002: 2005: it is available at http://www.oucs.ox.ac.uk/network/security/ISBP/toolkit/.
Information security risk assessments should be performed for all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits.
The University is committed to providing sufficient education and training to users to ensure they understand the importance of information security and, in particular, exercise appropriate care when handling confidential information.
Specialist advice on information security shall be made available throughout the University.
An information security advisory group (or groups), comprising representatives from all relevant parts of the University, shall advise on best practice and coordinate the implementation of information security controls.
The University will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its information security policy.
Breaches of information security must be recorded and reported to appropriate bodies in the University, who will take action and inform the relevant authorities (please refer to sections 6.13 and 9 for further information).
This Policy and all other supporting policy documents shall be communicated as necessary throughout the University to meet its objectives and requirements.

3. Responsibilities

3.1. Council

Council has ultimate responsibility for information security within the University. More specifically, it is responsible for ensuring that the University complies with relevant external requirements, including legislation.

3.2. PRAC ICT sub-committee (PICT)

The PRAC ICT sub-committee (PICT), or any future equivalent body, is responsible to Council for:

ensuring that users are aware of this policy;
seeking adequate resources for its implementation;
monitoring compliance;
conducting regular reviews of the policy, having regard to any relevant changes in legislation, organisational policies and contractual obligations; and
ensuring there is clear direction and visible management support for security initiatives.

3.3. Heads of department

Given the University’s devolved structure, heads of department are responsible for information security within their departments. They must ensure that the department has in place a local information security policy to meet its own particular needs, consistent with the requirements of this overarching policy. The local information security policy should identify the department’s own information security requirements and provide a management framework for meeting those requirements. ‘Department’ in this context includes equivalent local units, as well as divisional offices.

Specific roles and responsibilities for information security within departments should be clearly identified.

The head of department must approve the policy, and ensure that it is implemented and kept under regular review.

3.4. Users and External Parties

Users of University information will be made aware of their own individual responsibilities for complying with University and departmental policies on information security.

Agreements with third parties involving accessing, processing, communicating or managing the University’s information, or information systems, should cover all relevant security requirements, and be covered in contractual arrangements.

4. Risk Assessment and the Classification of Information

4.1. Risk assessment of information held

The degree of security control required depends on the sensitivity or criticality of the information. The first step in determining the appropriate level of security therefore is a process of risk assessment, in order to identify and classify the nature of the information held, the adverse consequences of security breaches and the likelihood of those consequences occurring.

Given the devolved nature of the University’s structure, the risk assessment should be carried out in the first instance by departments, as defined in paragraph 3.3 above. However, the departmental assessment must be consistent with the general principles in this section.

The risk assessment should identify the department’s information assets; define the ownership of those assets; and classify them, according to their sensitivity and/or criticality to the department or University as a whole. In assessing risk, departments should consider the value of the asset, the threats to that asset and its vulnerability. (An example of a risk assessment is at Annex A.) Further guidance on risk assessment and the classification of information is available in the Toolkit.

Where appropriate, information assets should be labelled and handled in accordance with their criticality and sensitivity.

Rules for the acceptable use of information assets should be identified, documented and implemented. The University’s Regulations and Policies applying to all users of University ICT facilities are available from http://www.ict.ox.ac.uk/oxford/rules/.

Information security risk assessments should be repeated periodically and carried out as required during the operational delivery and maintenance of the University’s infrastructure, systems and processes.

4.2. Personal Data

Personal data must be handled in accordance with the Data Protection Act 1998 (DPA) and in accordance with the University’s policy and guidance on personal data.

The DPA requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

A higher level of security should be provided for ‘sensitive personal data’, which is defined in the DPA as data relating to ethnic or racial origin, religious beliefs, physical or mental health, sexual life, political opinions, trade union membership, or the commission or alleged commission of criminal offences.

5. Protection of Information Systems and Assets

Having completed a risk assessment, departments should draw up their own information security policy, setting out appropriate controls and procedures, in accordance with the Toolkit. Information owners must be satisfied that the controls will reduce any residual risk to an acceptable level.

Confidential information should be handled in accordance with the requirements set out in section 6 below.

6. Protection of Confidential Information

Identifying confidential information is a matter for assessment in each individual case. Broadly, however, information will be confidential if it is of limited public availability; is confidential in its very nature; has been provided on the understanding that it is confidential; and/or its loss or unauthorised disclosure could have one or more of the following consequences:

financial loss e.g. the withdrawal of a research grant or donation, a fine by the ICO, a legal claim for breach of confidence;
reputational damage e.g. adverse publicity, demonstrations, complaints about breaches of privacy; and/or
an adverse effect on the safety or well-being of members of the University or those associated with it e.g. increased threats to staff or students engaged in sensitive research, embarrassment or damage to benefactors, suppliers, staff and students

6.1. Storage

Confidential information should be kept secure, by keeping it, where possible, on site using dedicated storage (e.g. file servers), rather than local hard disks, and with an appropriate level of physical security.

File or disk encryption should be considered as an additional layer of defence, where physical security is considered insufficient.

6.2. Access

Confidential information must be stored in such a way as to ensure that only authorised persons can access it.

All users must be authenticated. Authentication should be appropriate, and where passwords are used, clearly defined policies should be in place and implemented. Users must follow good security practices in the selection and use of passwords.

Where necessary, additional forms of authentication should be considered.

To allow for potential investigations, access records should be kept for a minimum of six months, or for longer, where considered appropriate.

Users with access to confidential information should be security vetted, as appropriate, in accordance with existing policies.

Physical access should be monitored, and access records maintained.

6.3. Remote Access

Where remote access is required, this must be controlled via a well-defined access control policy and tight access controls provided to allow the minimum access necessary.

Any remote access must be controlled by secure access control protocols using appropriate levels of encryption and authentication.

6.4. Copying

The number of copies made of confidential information, whether on portable devices or media or in hard copy, should be the minimum required, and, where necessary, a record kept of their distribution. When no longer needed, the copy should be deleted or, in the case of hard copies, destroyed (see 6.12.5).

All copies should be physically secured e.g. stored in a locked cupboard drawer or filing cabinet.

6.5. Disposal

Policies and procedures must be in place for the secure disposal/destruction of confidential information The University's policy on the disposal of old computers can be found at http://www.ict.ox.ac.uk/oxford/disposal/.

6.6. Use of Portable Devices or Media

Procedures should be in place for the management of removable media in order to ensure that they are appropriately protected from unauthorised access.

The permission of the information owner should be sought before confidential information is taken off site. The owner must be satisfied that the removal is necessary and that appropriate safeguards are in place e.g. encryption. For further information, please see the Toolkit.

In the case of personal data, the ICO recommends that all portable devices and media should be encrypted where the loss of the data could cause damage or distress to individuals.

The passphrase of an encrypted device must not be stored with the device (see also section 6.8.2).

6.7. Exchange of Information and Use of Email

Controls should be implemented to ensure that electronic messaging is suitably protected.

Email should be appropriately protected from unauthorised use and access.

Email should only be used to send confidential information where the recipient is trusted, the information owner has given their permission, and appropriate safeguards have been taken e.g. encryption.

Further guidance on managing the risks associated with the use of e-mail is available on the University website and in the Toolkit.

6.8. Cryptographic Controls

Procedures should be in place to support the use of cryptographic techniques and to ensure that only authorised personnel may gain access to confidential information.

University guidance, provided via the Toolkit, on cryptographic policy and key management, should be followed to ensure that data are appropriately secured and that all legal and regulatory requirements have been considered.

6.9. System Planning and Acceptance

A risk assessment should be carried out as part of the business case for any new ICT system that may be used to store confidential information. The risk assessment should be repeated periodically on any existing systems.

6.10. Backup

Information owners should ensure that appropriate backup and system recovery procedures are in place. Backup copies of all important information assets should be taken and tested regularly in accordance with such an appropriate backup policy.

6.11. Further information

The Toolkit provides further guidance on the matters covered in this section.

6.12. Hard Copies

6.12.1. Protective Marking

Documents containing confidential information should be marked as ‘Confidential’ or with another appropriate designation e.g. ‘sensitive’, etc, depending on the classification system adopted by the department.

6.12.2. Storage

Wherever practicable, documents with confidential information should be stored in locked cupboards, drawers or cabinets. Where this is not practicable, and the information is kept on open shelving, the room should be locked when unoccupied for any significant length of time.
Keys to cupboards, drawers or cabinets should not be left on open display when the room is unoccupied.

6.12.3. Removal

Confidential information should not be removed from the University unless it can be returned on the same day or stored securely overnight, as described in section 6.12.2 above.

6.12.4. Transmission

If confidential documents are sent by fax, the sender should ensure they use the correct number and that the recipient is near to the machine at the other end ready to collect the information immediately it is printed.
If confidential documents are sent by external post, they should ideally be sent by a form of recorded delivery. The sender must ensure that the envelope is properly secured.
If confidential documents are sent by internal post the documents should be placed in an envelope marked ‘Confidential’ with the addresse’s name clearly written on it.

6.12.5. Disposal

Confidential documents must be shredded in a confidential manner prior to disposal.

6.12.6. Enforcement

There must be a written policy in place at the local level for the handling of confidential information, whether electronic or hard copy, and a copy of the procedures must be provided to every user so that they are aware of their responsibilities.

Any failure to comply with the policy may result in disciplinary action.

Any loss or unauthorised disclosure must be promptly reported to the owner of the information.

Computer security incidents involving the loss or unauthorised disclosure of confidential information held in electronic form must be reported to Oxford University Computer Emergency Response Team (OxCERT) and investigated.

If the loss or unauthorised disclosure involves personal data, whether electronic or hard copy, the University’s Data Protection Officer must also be informed, either by e-mail or by phone ((2)70002).

7. Compliance

The University has established this policy to promote information security and compliance with relevant legislation, including the DPA. The University regards any breach of information security requirements as a serious matter, which may result in disciplinary action.

Compliance with this policy should form part of any contract with a third party that may involve access to network or computer systems or data.

Relevant legislation includes, but is not limited to:

The Computer Misuse Act (1990)
The Data Protection Act (1998)
The Regulation of Investigatory Powers Act (2000)
The Telecommunications (Lawful Business Practice) (Interception of Communications)
Regulations (2000)
The Freedom of Information Act (2000)
The Special Educational Needs and Disability Act (2001)

8.