
Information security awareness policy

Updated on 18 December 2023

Outlines the University’s approach to information security awareness


Purpose

This policy states the University’s approach to information security awareness. It describes the guiding principles and the responsibilities needed to meet the University’s information security awareness objectives.

Scope

This policy applies to:

  • All members of staff who have access to University information and technologies.
  • All facilities, technologies and services that are used to process University information.
  • All information processed, accessed, or stored by the University pursuant to its operational activities.
  • Internal and external parties, and the processes they perform on University information.

The policy will be communicated to users and relevant external parties by publication on the University website.

Objectives

The University’s objectives for this policy are to:

  • Protect the confidentiality, integrity and availability of information.
  • Safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation.
  • Instil a culture which actively encourages the knowledge and effective use of cyber and information security best practices amongst staff.
  • Ensure that all staff understand and comply with the information security practices required of them by the University.

Policy

The University will provide information security awareness training to all staff, so that staff understand information and cyber security principles and apply best practices in their day-to-day work.

Information Security Awareness Training is important to mitigate risks arising from human error and potential mishandling of sensitive information. Training helps reduce the risk of staff falling victim to phishing attacks and helps ensure staff are aware of legal and regulatory obligations.

Information Security Awareness Training is compulsory for staff and must be completed to a satisfactory level. Training will be provided continuously to ensure staff remain aware of new and emerging threats.

Training will include Simulated Phishing exercises to assess effectiveness of awareness training and identify areas where further specific training may be helpful.

Training shall be administered by the University’s Digital and Technology Services’ Cyber Security Team who will keep records of who has completed the training.

New staff will complete training within one month of joining the University.

Legal and regulatory obligations

The University of Dundee has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

Responsibilities

The following bodies and individuals have specific information security responsibilities:

  • The University Digital Committee has executive responsibility for information security within the University, and oversees the management of information security risks to the University's information assets.
  • The Director, DTS is responsible for establishing and maintaining the University's cyber security management framework to ensure the availability, integrity and confidentiality of the University's information.
  • The University’s Digital and Technology Services (DTS) is accountable for the effective implementation of this policy and supporting information security rules and standards.
    • The DTS Cyber Security Team are responsible for the provision of appropriate Information Security Awareness Training content.
    • The DTS Cyber Security Team are responsible for reporting on uptake and engagement with Information Security Awareness Training.
  • University Staff are responsible for making informed decisions to protect the information that they process. Staff users of information systems will familiarise themselves with the relevant policies and procedures governing the information and systems they access.
    • Line Managers are responsible for ensuring that staff under their supervision complete Information Security Awareness Training.
    • All University Staff are responsible for undertaking Information Security Awareness Training.

Supporting policies, codes of practice, procedures, and guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines are published together and are available for viewing on the University of Dundee website.

All staff users and any third parties authorised to access the University's network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Compliance and breach of policy

The University shall conduct cyber security compliance and assurance activities, facilitated by the University's cyber security staff, to ensure that cyber security objectives and the requirements of this policy are met. Failure to follow the policy will be treated seriously by the University and may result in enforcement action. If you have any questions or concerns about this policy, please discuss them with your line manager.

Enforcement actions may include:

  • Restrictions on access to University digital resources, including email and Office365.
  • Requirement to complete or repeat training.
  • Restrictions on ability to apply for promotion.
  • Escalation to University management.

Review and development

This policy and its supporting documentation shall be reviewed, and updated when best practice or the legislative/regulatory environment changes, to ensure that they:

  • remain operationally fit for purpose
  • reflect changes in technologies
  • are aligned to industry best practice
  • support continued regulatory, contractual and legal compliance

Changes to this policy will follow Digital Committee procedure.

Further information

Definitions

Availability

Property of being accessible and usable upon demand by an authorized entity.

Confidentiality

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Data

Information in raw form.

Information

The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programmes, software, and databases.

Integrity

Property of accuracy and completeness.

Sensitive information

All information classified as private, confidential or highly confidential.

Staff

Staff are salaried members of the University or contracted individually by the University to provide a service.

Student

A person matriculated to pursue any course of study in the University.

University

The University of Dundee is a Scottish Registered Charity, No. SC01509 with its registered office at Tower Building, Nethergate, Dundee DD1 4H.

Relevant legislation

A statement of regulations with relevance to this policy can be found at IT policies - relevant legislation.

If you have any questions regarding this policy, please contact the University's Help4U service.
