The University Information Security Framework applies to the following:
All information systems (manual or electronic):
- Owned by the University
- Being used for University business
- Connected to networks managed by the University
- Information in any format that the University owns or is handling for another organisation
- Software owned or licensed by the University
All individuals (referred to as "everyone" hereafter):
Staff, students, third parties if:
- Managing or using any system identified here
- Responsible to the University for handling information identified here
"All information" applies to (non-exhaustive list): research data and administrative information; student and staff administrative information; financial information; teaching and learning materials; strategic planning information; commercial information including contracts and information about University resources (space, equipment).
We use the term "information assets" within the Framework to describe a useful or valuable store of information in any format or an information processing system of any type.
Whilst everyone has a role to play in protecting information, some members of our University community will have specific roles and responsibilities for information security and these are set out in section 4 below. These roles will be used consistently throughout the Framework.
The University Information Security Framework works across the full range of information security activities, namely:
- Data Protection
- Freedom of Information
- Corporate Records
- Intellectual Property and Copyright
- Protection of Information against Cyber and Physical Threats
The University also seeks to align the Framework with allied University activities, such as risk management, business continuity and emergency planning. It works closely with specialist areas (for example IT Services, University Library, Research & Impact Services) to provide a package of cohesive support and instruction to staff, students and partners across these important areas. The University will adopt, where relevant, the principles of recognised international standards, such as ISO 27001.
Mandatory requirements will be indicated within Framework documentation by using "will", "shall" or "must" and recommended or advisory requirements will be indicated by "should", "may" or "might".