It is the responsibility of the University's senior management to resource the Framework sufficiently and to implement it directly. The University is expected to inform the Information Commissioner's Office of any significant information security breach relating to personal data, as required by the Data Protection Act 2018 (normally within 72 hours of becoming aware of the breach), and has an obligation to report any significant breach involving other types of protected information to the data owner and other relevant parties. The University recognises that failure to meet its legislative, regulatory and contractual obligations may result in significant financial and legal penalties and in reputational damage [1].
All Individuals with Access to University Information Assets
Everyone granted access to University information assets (e.g. email, teaching and learning materials, staff/student information, financial information, research information, and the systems used to process these) has a personal responsibility to ensure that they, and anyone who reports to them, are aware of and comply with the Framework. Failure to adhere to the mandatory requirements of the Framework could result in disciplinary action [2].
Everyone is responsible for protecting the University's information assets, systems and IT infrastructure, and will likewise protect those belonging to third parties that are used in the course of their work at the University. Protection of University or third-party information and assets may be required contractually, legally, ethically or out of respect for other individuals or organisations.
Everyone will immediately report any observed or suspected security incident in which a breach of the University's security policies has occurred, and any security weakness in, or threat to, systems or services. The first steps are to inform your Head of Department and to email informationsecurity at warwick dot ac dot uk. Further details of the information you should provide when reporting an incident are available at How should I report an Information Security Incident?
Heads or Directors of Academic and Administrative Service Departments [3]
Heads of Departments, with support from Information and Data Compliance, are accountable for ensuring that information and information systems within their department are managed and used in accordance with the Framework. Heads of Departments must ensure that the staff within their department are aware of their information security responsibilities, have undertaken all training appropriate to their role, and are adhering to the mandatory elements of the Framework.
Additionally, Heads of Departments will be required to participate in "health checks" from time to time to identify and address areas of non-compliance with the mandatory requirements set out in the Framework. The Information and Data Compliance team will work in partnership with Heads of Departments to undertake the "health checks" and to provide further support to resolve any issues found.
Heads of Departments will do the following if there is a suspected breach of information security:
- Find out exactly what has happened and take urgent action to contain any resulting damage (direct or indirect) to individuals, reputation etc. Advice can be sought in the first instance from the Information Security team (informationsecurity at warwick dot ac dot uk or ext 50681).
- Ensure that the incident is reported via informationsecurity at warwick dot ac dot uk as soon as possible. More information is available at How should I report an Information Security Incident?
- Participate openly with IT Services and the Secretary to Council's Office in any resulting investigation.
- Make the appropriate changes to local practices, or seek co-operation from other areas of the University as required, to ensure it does not happen again.
IT and Information System/Application Administrators
Those responsible for the technical (system) or user (application) support of information or information systems, for example database administrators and IT system or application administrators, must ensure that the confidentiality, integrity and availability of information and IT assets are protected by proactively managing risk and by managing systems to industry-standard controls. IT Services publishes its obligations for system administrators on its website and can advise on appropriate industry standards (ITIL, for example).
Information and Data Compliance
Information and Data Compliance will ensure that the documents forming part of the Information Security Framework are kept up to date in response to changes in legislation and to reflect the changing information and IT strategy and requirements of the University. The Framework will be available to all staff and students via the web as part of the Information Security website, with updates to the Framework communicated via the intranet or email as appropriate. The Information and Data Compliance team will also provide training and advice to staff on good information security practice and on compliance with information legislation, primarily the Data Protection Act 2018 and the Freedom of Information Act 2000.
- [1] The Information Commissioner's Office can issue a monetary penalty of up to €20,000,000 or 4% of annual turnover, whichever is the greater, if it were determined that the University did not take reasonable steps to secure personal information or acted in such a way as to knowingly put information security at risk.
- [3] Hereafter referred to as "Heads of Departments".
- Corporate information assets are those which are managed centrally and used institutionally for the delivery of core teaching, research, administration and commercial functions (student administrative data and staff data, for example).