1. IT Management Structure

1.1. Internal Organisation

Units should have their own information security policy in place. The security policy could be part of an existing policy framework or a policy in its own right. However it should describe the information security objectives for the unit, and demonstrate the commitment, at a senior level within the unit, towards achieving those objectives. Of course, the unit may simply adopt the University's Information Security policy and sub-policies as their own. However it may be appropriate for the unit to amend, add specifics to, or create their own policy from scratch.

The unit's information security policy should be brought to the attention of, and made available to, all staff, students, third parties and other persons who may interact with the unit's and/or University's information systems. There should be an auditable process in order to demonstrate that all users are made aware of the security policies, and are reminded of them on a regular basis. This could include, for example, including reference to the policies in user registration processes etc. Reminding users of the policies once a year, or when significant changes occur, would likely be considered reasonable.

The information security policy should also describe the structure for managing information security within the unit. Normally the management of security will be included with the management of ICT and such frameworks usually exist already, consisting of a departmental/college IT committee or equivalent, chaired by a senior member of the college/department. For smaller departments this may be subsumed within a structure organised at a divisional or faculty level, though final responsibility rests with the Head of Department or unit.

All users within the unit have responsibilities for information security and the Head of Department, College, Hall or other administrative unit is ultimately responsible for ensuring that users are aware of those responsibilities. Responsibilities will vary and will include responsibilities for configuring and maintaining ICT systems (usually assigned to registered IT support staff) down to the responsibilities of all end users (e.g. not to disclose passwords or allow unauthorised use of systems or accounts etc.). When handling information classified as confidential or sensitive, users should be explicitly made aware of their responsibilities for that particular dataset (e.g. not copying to personal computers, storing unencrypted etc.). All users have a responsibility to report any breaches of information security policies.

The ICT/information security policies should be reviewed at least once a year. There should be means of demonstrating that the policy has been reviewed (e.g. minutes of meeting at which it was discussed). Policies should also be reviewed in the event of significant changes or in the event of security breaches.

1.2. External Parties

Whenever third parties are dealt with, the security requirements of the University/unit, must be brought to the attention of the relevant party and be included in any contract. Security requirements of third parties should also be included in any such agreements and/or contracts from the outset. In particular, such agreements should clearly state the roles and responsibilities for specific aspects of security including, for example, applying security updates, auditing systems, monitoring logs. Responsibilities for incident response should also be included from the beginning and all third parties should be made aware of the requirements of the unit and OxCERT for dealing with incidents (e.g. maintaining appropriate logs to be able to trace any misuse). This should explicitly include notification of any security breaches that the third party becomes aware of.

Circumstances which might involve the use of external parties include the following:
  • outsourcing the design, development or operation of information systems (e.g. websites)
  • when access to University's information systems is granted from remote locations where the facilities are not under the control of the University.
  • when users who are not staff or students of the University are given access to the information systems.
  • when any University/unit owned information is shared with non-University members (e.g. research data etc.)
When assessing the risk as part of any outsourcing contract the following may be considered:
  • the reputation of the third party
  • the security policies and management framework of the third party
  • their approach towards incident response
  • the level of sensitivity of any data being shared
  • any possible access to information other than that which is intended
  • where (physically) the information will be stored/handled
  • the laws in any locations that the information will be stored/handled
  • what controls the third party has in place to prevent unauthorised access to data
  • whether the third party is regularly audited and/or accredited
  • any previous security breaches

Back to best practices

Up: Contents Next: 2. Personnel, Recruitment and Training