It is the responsibility of the University senior management to sufficiently resource and directly implement the Framework. The University is expected to inform the Information Commissioner's Office of any significant information security breach relating to personal data as per the Data Protection Act 1998 and has an obligation to report any significant breaches pertaining to other types of protected information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory and contractual obligations may result in significant financial and legal penalties and reputational damage [1].
All Individuals with Access to University Information Assets
Everyone granted access to University information assets (e.g. email, teaching and learning materials, staff/student information, financial information, research information, and the systems used to process these) has a personal responsibility to ensure that they, and others who may be responsible to them, are aware of and comply with the Framework. Failure to adhere to the mandatory requirements of the Framework could result in disciplinary action [2].
Everyone is responsible for protecting the University’s information assets, systems and IT infrastructure, and will protect likewise those belonging to third parties but used in the course of their work at the University. Protection of University or third party information and assets could be required contractually, legally, ethically or out of respect for other individuals or organisations.
Everyone will immediately report any observed or suspected security incident in which a breach of the University's security policies has occurred, and any security weaknesses in, or threats to, systems or services. The first steps are to inform your Head of Department and email informationsecurity at warwick dot ac dot uk. Further details of the type of information you should provide when reporting an incident are available at How should I report an Information Security Incident?
Heads or Directors of Academic and Administrative Service Departments [3]
Heads of Departments, with support from the Secretary to Council's Office, are accountable for ensuring that information and information systems within their department are managed and used in accordance with the Framework. Heads of Departments must ensure that the staff within their department are aware of their responsibilities when it comes to information security, have undertaken all appropriate training to be able to carry out their role and are adhering to the mandatory elements of the Framework.
Additionally, Heads of Departments will be required to participate in "health checks" from time to time to identify and address areas of non-compliance with the mandatory requirements set out in the Framework. The Institutional Resilience Team will work in partnership with Heads of Departments to undertake the "health checks" and to provide subsequent additional support to resolve any issues.
Heads of Departments will do the following if there is a suspected breach of information security:
- Find out exactly what has happened and take urgent action to control any resulting damage (direct or indirect) to individuals, reputation etc. Advice can be sought in the first instance from the Institutional Resilience Team (informationsecurity at warwick dot ac dot uk or ext 50681)
- Ensure that the incident is reported via informationsecurity at warwick dot ac dot uk as soon as possible; more information is available at How should I report an Information Security Incident?
- Participate openly with IT Services and the Secretary to Council's Office in any resulting investigation.
- Make the appropriate changes to local practices or seek co-operation from other areas of the University as required to ensure it does not happen again.
All corporate information assets [4] will have a Custodian and this will be a senior member of staff. An Information Custodian has management responsibility for controlling the production, development, maintenance, use of, access to, retention, security and destruction of a specific information asset or group of assets. For example, the Information Custodian of staff information is the Director, People Group. The Information Custodian may delegate the operational responsibility to a named representative but will remain accountable for ensuring these obligations are met. A list of Custodians is available on the Information Security website.
IT and Information System/Application Administrators
Those responsible for the technical (System) or user (Application) support of information or information systems, for example database and IT systems or application administrators, must ensure that the confidentiality, integrity and availability of information and IT assets are protected by proactively managing risk and ensuring systems are managed to industry standard controls. IT Services publish obligations for systems administrators on its website and can advise on appropriate industry standards (ITIL for example).
Secretary to Council's Office
The Institutional Resilience and Legal Services Teams will ensure that documents forming part of the Information Security Framework are kept up to date in response to changes in legislation as well as to reflect the changing University information and IT strategy and requirements. The Framework will be available to all staff and students via the web as part of the Information Security website, with updates to the Framework being communicated via the intranet or email as appropriate. The Institutional Resilience and Legal Services Teams will also provide training and advice to staff in terms of good information security practice and compliance with information legislation, primarily the Data Protection Act 1998 and the Freedom of Information Act 2000.
[1] The Information Commissioner's Office can issue a monetary penalty up to £500,000 if it were determined that the University did not take reasonable steps to secure personal information or acted in such a way as to knowingly put information security at risk.
[3] Hereafter referred to as "Heads of Departments"
[4] Corporate information assets are those which are managed centrally and used institutionally for the delivery of core teaching, research, administration and commercial functions (student administrative data, staff data for example)