IS01: Information Security Policy
This overarching policy document provides an overview of Information Security and lists a hierarchical set of policy documents (sub-policies) which when taken together constitute the Information Security Policy of the University.
Policy Introduction and Purpose
This policy is concerned with the management and security of the University’s information assets and the use made of these assets by its members and others who may legitimately process University information on behalf of the University.
An effective Information Security Policy provides a sound basis for defining and regulating the management of information systems and other information assets. This is necessary to ensure that information is appropriately secured against the adverse effects of failures in confidentiality, integrity, availability and compliance which might otherwise occur.
Scope and Definitions
This overarching policy document provides an overview of information security and lists a hierarchical set of policy documents (sub-policies) which when taken together constitute the Information Security Policy of the University.
This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes students, visiting professors, consultants/ self-employed carrying out roles which if carried out by an employee would require disclosure.
The documents in the Information Security Policy set apply to all information which the University processes, irrespective of ownership or form.
A glossary of the terms used throughout the Policy can be found in our Information Management Glossary.
This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.
Responsibilities
Policy Responsibilities
The CITO is responsible for the production, maintenance, communication and review of this top-level policy document and all sub-policy documents within the Information Management framework.
Operational Responsibilities
Role | Function |
---|---|
Digital Strategy Group representative | Responsible |
Head of Department | Accountable |
Chief Information and Transformation Officer Data Protection Officer |
Consult |
University Information Management Committee representative | Inform |
Principles of this Policy
This top level ‘over-arching’ document lists a set of other sub-policy documents which together constitute the Information Security Policy of the University. All of these documents are of equal standing. Although this policy set should be internally consistent, for the removal of any doubt, if any inconsistency is found between this overarching policy and any of the sub-policies, this overarching policy will take precedence.
Each of the sub-policy documents only contains high-level descriptions of requirements and principles. They do not, and are not intended to, include detailed descriptions of policy implementation. Such details will, where necessary, be supplied in the form of separate process and procedural documents which will be referenced from the relevant, individual sub-policy documents.
This Information Security Policy is founded upon the following principles:
- Information will be protected in line with all relevant University policies and legislation, notably those relating to data protection, human rights and freedom of information.
- Each information asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
- Information will be made available solely to those who have a legitimate need for access based upon an individuals’ Information Management Profile.
- All information will be classified according to an appropriate level of sensitivity (see Information Classification Policy, IG05).
- The integrity of information must be maintained.
- It is the responsibility of all individuals who have been granted access to information to handle it appropriately and in accordance with its classification.
- Information must be protected against unauthorised access.
- Compliance with Information Security policies will be monitored, and non-compliance will be dealt with through the UIMEC non-compliance escalation process.
Legal and Compliance
The University provides policy statements and guidance for staff and students in relation to compliance with relevant legislation to help prevent breaches of the University’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements.
Users of the University’s online or network services, or when using or processing Information Assets, are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.
The University and individuals must comply with all relevant legal requirements whether such requirements are detailed in internal policies or not. Any suspected breach of the University’s legal requirements must be reported to the CITO Organisation (helpdesk@warwick.ac.uk).
To ensure compliance with Data Protection and GDPR legislation, plus other relevant legislation the University has a number of Information Governance Policies which all staff are required to be compliant with. In particular, staff should refer to:
- IG02 – Data Protection Policy
- IG03 – Information & Records Management
Other regulatory requirements
JANET policies
The University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security Policies. Both policies are available from the JANET policy website.
Payment Card Industry Data Security Standard (PCI DSS)
The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards.
Collection of evidence
At times, it may be necessary for the University to collect evidence in relation to a potential legal claim or internal investigation.
Where there is suspicion of a criminal offence involving the University’s information or systems, the University will cooperate with the relevant agency to assist in the preservation and gathering of evidence, based on appropriate internal authorisation and compliance with relevant statutory requirements.
Further details on internal investigations and related procedures can be found in the Investigation of Computer Use Policy (IS12).
Network and IT Systems Monitoring
The University (through appropriately authorised measures), will carry out relevant monitoring and/or logging in order to ensure the integrity and security of the University network and associated devices. Details of the University policy on monitoring is contained within the investigation of Computer Use Policy (IS12).
Exemptions
‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.
This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.
Compliance Monitoring
All polices linked to this policy will be monitored and compliance performance will be reported monthly by Information Asset Owners to the University Information Management Committee.
A failure to comply with any of the linked policies will be deemed to be a disciplinary offence and will be subject to the University Information management Executive Committee escalation process and may lead to proceedings being taken through the University Disciplinary Process.