1. IT Management Structure
It is the University's policy that responsibility for the security of information within departments, colleges and other units rests with the head of department, college or unit.
1.1. Internal Organisation
Each unit (department, faculty, college or hall etc.) should have in place an information security policy, in accordance with that of the University, which is approved by management, published and communicated to all relevant parties. The Head of Department, College, Hall or other administrative unit should establish a management framework to initiate and control the implementation of the information security policy, and all aspects of ICT, within the unit. The information security policy should identify the unit's information security goals and organisational requirements, and should be approved by management. The unit's management are also responsible for the assignment of specific roles and responsibilities for information security within the unit, and for coordinating and reviewing the implementation of security within the unit. The unit's approach to the management and implementation of ICT/information security should be reviewed at regular intervals, or if significant changes occur.
1.2. External Parties
Agreements with third parties involving accessing, processing, communicating or managing the unit's information, or information systems, should cover all relevant security requirements, and be covered in contractual arrangements. Before any data are transferred to a third-party, or held on a third-party system as part of an outsourcing contract, an appropriate risk assessment should be carried out and, where relevant, permission obtained from the University Data Protection Office.