
IMP 06: Systems Administration Policy

Information Classification - Public

Policy Introduction and Purpose

The purpose of this policy is to define the requirements with which all system owners and administrators must comply, and the duties they hold, throughout the full lifecycle of every multi-user digital system within the remit of the University. This policy supports the principles of the IMP01 Information Management Framework Policy.

Scope

This Policy applies to any system owner or administrator who has a contractual relationship (formal, or informal/implied) with the University, including employees, students, visiting academics and consultants; this list is not exhaustive. It sets out the responsibilities and required behaviour of those who manage computer systems on behalf of the University.

Definitions

A system refers to any multi-user service or application that facilitates resource sharing among multiple users. This includes software platforms, databases, cloud services, and networked applications supporting collaborative work and university operations. These systems are distinct from individual hardware assets.

System Owners are individuals with overall responsibility for the management and oversight of systems within their remit. System owners must ensure their systems meet the provisions of this policy and that all requirements for functionality, security and compliance are met.

System administrators (administrators) are individuals designated by system owners to carry out management, maintenance and support tasks on systems. System administrators may also have additional responsibilities relating to the design, deployment, development and provisioning of systems.

Responsibilities (Policy and Operational)

The Chief Information Security Officer (CISO) retains overall accountability for this policy and for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.

Operational Responsibilities

Adherence to this policy and its supporting Standards and Standard Operating Procedures (SOPs) is achieved by following the policy principles, the data restrictions and the security provisions. It is everyone's responsibility to ensure that they follow this policy.

Role | Function
System Owner | Responsible: for overseeing compliance with the Policy within their areas of responsibility
Head of Department (or equivalent) | Accountable: for compliance with this policy within their Department (but not responsible for actioning the provisions of this policy)
Information Risk and Compliance Team (with escalation to the CISO and CITO where required) | Consulted: to discuss organisational-level compliance with the Policy
IDG Digital Business Partners | Informed: must be informed of the content of the Policy in order to communicate it to their departments

Principles of the Policy

System Owners must abide by the following duties:

  • Ensure systems meet the requirements set in policies and standards, and that SOPs are followed where relevant to those systems. System owners must also ensure that procedures for the use and management of their systems are documented, for example as Standard Operating Procedures.

  • Ensure the security (confidentiality, integrity and availability) of their systems is maintained. This includes timely application of software patches in accordance with the Software Management Policy, and assurance that vulnerability scanning and penetration testing are carried out:
  • All systems must be subject to regular vulnerability scanning (at least weekly).
  • All business-critical and/or high-risk systems must be subject to penetration testing (at least yearly) by approved external providers or internal resources.
  • Appoint appropriately skilled personnel to carry out management activities on their systems.

  • Collaborate with customers who use systems to ensure clear communication and consultation on system changes.

  • Register systems in asset registers and adhere to requirements of the IT Asset Management Policy (currently in development).

  • Assess criticality of systems to ensure proportionate security, disaster recovery and business continuity measures are in place.

  • Departments that own systems must identify their priority systems via business impact assessment.

  • Verify the presence of relevant business continuity and disaster recovery plans for systems. System owners are expected to produce and maintain disaster recovery plans for their systems, and to be consulted on business continuity planning relevant to their systems. All business continuity plans should be in accordance with the Business Continuity Planning Policy.

  • Disaster recovery plans must be in place for priority systems. System owners are responsible for ensuring that these plans are written, kept up to date, tested on a regular basis, and invoked in the event of a disaster.

  • Manage systems changes in accordance with departmental change management processes with reference to business continuity, ensuring migrations, upgrades and changes are reviewed against current business continuity planning for the system/application. All system changes must be approved by the System Owner or their delegate.

  • Understand security and information management capabilities of their systems to assist customers in determining whether systems are appropriate for processing their information assets.

  • Act promptly and proportionately in response to major incidents. System owners are authorised to take immediate action on their systems to protect those systems and their users. Any action must be proportionate to the assessed risk, minimise disruption to users, and remain compliant with the Data Protection Policy and the Investigation of Computer Use Policy.

  • Immediately report any information security incident to the CISO and, where personal data is involved, report it via the Data Breach Investigation Process.

  • Manage access to systems in accordance with IMP03 User Account Management Policy and IMP08 Information Access Control Policy.

  • Systems must be logged and monitored. Logs must contain sufficient data to support security, regulatory and policy compliance as well as capacity planning. Access to logs and monitoring of system use must comply with the Investigation of Computer Use Policy. Information on what usage data is collected from users must be made available to them in the form of a system-specific privacy policy.

  • All system clocks must be synchronised to the University's official internal time servers; those internal time servers must themselves be synchronised with the official JANET time servers. Consistent time across systems is a prerequisite for correlating logs during incident investigation.

  • Ensure that appropriate backup and system recovery measures are in place. Backups must follow the grandfather-father-son rotation principle wherever it is practicable to do so. System owners are also responsible for ensuring that appropriate security measures protect the confidentiality, integrity and availability of backups of their systems. Where systems are hosted by a third party, backup provisioning must be included in the contract.
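The grandfather-father-son rotation referred to above, worked through as an added example; this is not part of the policy and not University tooling. Backups are modelled as the dates on which they were taken, one per calendar day, and the retention depths (7 daily sons, 4 weekly fathers, 12 monthly grandfathers) are illustrative assumptions rather than values the policy sets:

```python
"""Grandfather-father-son (GFS) backup retention, as an added example.

Retention depths (7 daily, 4 weekly, 12 monthly) are illustrative
assumptions, not values taken from the policy. Backups are modelled as
the dates on which they were taken, one backup per calendar day.
"""
from datetime import date, timedelta


def _latest_per_bucket(dates, key):
    """Return {bucket_key: newest date falling in that bucket}."""
    buckets = {}
    for d in dates:
        k = key(d)
        if k not in buckets or d > buckets[k]:
            buckets[k] = d
    return buckets


def gfs_retain(backup_dates, daily=7, weekly=4, monthly=12):
    """Select the backups a GFS rotation keeps.

    son:         the newest `daily` backups
    father:      the newest backup in each of the last `weekly` ISO weeks
    grandfather: the newest backup in each of the last `monthly` months
    A backup may qualify under several tiers; the union is returned.
    """
    dates = sorted(set(backup_dates), reverse=True)  # newest first
    keep = set(dates[:daily])

    # (iso_year, iso_week) buckets; keep the newest backup of the latest weeks
    by_week = _latest_per_bucket(dates, lambda d: d.isocalendar()[:2])
    for week in sorted(by_week, reverse=True)[:weekly]:
        keep.add(by_week[week])

    # (year, month) buckets; keep the newest backup of the latest months
    by_month = _latest_per_bucket(dates, lambda d: (d.year, d.month))
    for month in sorted(by_month, reverse=True)[:monthly]:
        keep.add(by_month[month])

    return keep


def gfs_prune(backup_dates, **depths):
    """Return the backups outside the retention set, oldest first."""
    keep = gfs_retain(backup_dates, **depths)
    return sorted(set(backup_dates) - keep)


def sample_backups(last_day=date(2025, 8, 31), days=400):
    """Constructed sample input: one backup per day for `days` days."""
    return [last_day - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    backups = sample_backups()
    keep = gfs_retain(backups)
    print(f"{len(backups)} backups, {len(keep)} retained, "
          f"{len(gfs_prune(backups))} eligible for deletion")
    for d in sorted(keep):
        print(d.isoformat())
```

Run against the 400-day sample, the rotation keeps 21 backups: the last seven days, the newest backup of each of the three preceding ISO weeks, and the month-end backup of each of the eleven preceding months. Because the selection is computed from the full set of backup dates rather than by deleting in place, it can be reviewed (and the candidate deletions logged) before anything is removed, which is the check a system owner should expect before a pruning job runs against the only copies of their data.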

Exceptions

Exception requests under this policy must be submitted to the CISO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Governance and Ethics Committee will be exempt, but the CISO must be notified.

This policy may affect users of assistive technology or assistive software, depending on circumstances. Such cases will be considered individually.

Compliance Monitoring

All members of the University are expected to comply with this document as part of the Information Management Policy Framework (IMPF). Where breaches of the IMPF present a significant risk, including those falling under Regulation 23 (Student Disciplinary Offences) and Regulation 31 (Information Management, Security and Records Management), they will be subject to the appropriate student or staff disciplinary procedure, or to the applicable contractual terms for contractors and staff not employed directly by the University.

It is the responsibility of all members to report any instance of non-compliance to the Information Risk and Compliance Team. This can be done via the Self Service Portal. The team monitors adherence to the IMPF using reported data and other available tools.

Where issues require escalation or further review, they will be referred to the Information Security and Data Protection Committee via the Chief Information Security Officer (CISO), involving either the Conduct and Resolution Team or the Employee Relations Team, as appropriate.

Version control

Version | Date created | Date published | Next review | Notes
1.0 | August 2025 | 26 January 2026 | January 2029 | Policy replaced IS07: Systems Management Policy
