Everyone will take an active role in identifying risks to University information assets within their areas and protecting them as far as can be reasonably expected.
You must not store University information on local computer drives (desktops, C or D drives) as these are not backed up and loss/failure of the computer will mean that the information may not be recoverable or available as required to undertake your activities.
You must only store Protected, Restricted and Reserved information in secure, access controlled and backed up locations (your H: drive, departmental shared drives, encrypted USB or other University provided facility appropriate for the task) to ensure it is available when required and protected from loss, theft or alteration. If these are not suitable for specific reasons or you need help, please seek advice from the IT Security Service (firstname.lastname@example.org)
Everyone will handle Restricted and Reserved information in line with the University Information Classification and Handling Procedure, to reduce the likelihood of security incidents and the resulting impact on confidentiality, integrity and availability of University information assets.
Everyone will seek advice from the Institutional Resilience Team if unsure (informationsecurity at warwick dot ac dot uk)
As set out in the Information Security Framework, all information assets must be owned by an Information Custodian – a senior individual with management responsibility for controlling the production, development, maintenance, use of, access to, retention, security and destruction of a specific information asset or group of assets.
Information Custodians should ensure that the electronic systems containing Restricted or Reserved data for which they have management responsibility are subject to periodic penetration testing and vulnerability scanning to identify new risks and to check the effectiveness of existing controls. This will be handled by IT Services for centrally provided services, such as departmental shared drives and H: drives. Advice on testing can be given by IT Security Team in IT Services for electronic systems (helpdesk at warwick dot ac dot uk).
Heads of Departments will maintain a list of systems (e.g. shared network drives, local admin databases) under their control that contain Restricted or Reserved information and are responsible for ensuring access is restricted to only those with appropriate authorisation.
Heads may delegate the operational responsibility to a named representative but remain accountable for ensuring these obligations are met.
The above responsibilities of Information Custodians and Heads of Departments include ultimate oversight of who has access to information assets and/or to information within their management responsibility.
Good practice would be to formally review the processes for granting access and the currency of those individuals with access annually and whenever there is a change in the classification of the information. This is to ensure that those with access still have a valid need to access the data. There should be an evidenced authorisation mechanism to set up new users and remove leavers consisting of approval of an access request and authorisation by a named individual with responsibility for the system concerned.
University and departmental Business Continuity Plans should include contingency or alternative arrangements for vital information assets supporting critical activities. Significant departmental risks, either specific to information assets or arising from vulnerabilities in systems, should be included within departmental risk registers and appropriate measures should be put in place to manage the risks.
- You may find this guidance and template useful when carrying out a risk assessment
Overall Framework Info
The minimum mandatory working practices in these pages are presented in boxed text to distinguish them from recommended practices.
Current document version: 1.3