Information security policy

Updated on 28 April 2020

Outlines the University’s approach to information security management

Introduction

Information, in all its forms, is a primary asset and the lifeblood of the University; its effective curation and protection is critical to maintaining the University’s operational effectiveness, financial viability and reputation.

Objectives

The objectives of this policy are to:

  • safeguard the University’s information from both internal and external security threats that could have an adverse effect on its operations, financial position or reputation
  • fulfil the University’s duty of care and legislative responsibilities in relation to the information with which it has been entrusted
  • protect the confidentiality, integrity and availability of information through the pragmatic use of controls to prevent, or reduce, undesired effects
  • ensure that all users of the University’s information understand their roles and responsibilities in relation to information security

Scope

This policy is applicable to:

  • all individuals who have access to University information and technologies
  • all facilities, technologies and services that are used to process University information
  • all information processed, accessed, shared, manipulated, or stored (in any format) by the University pursuant to its operational activities
  • internal and external processes used to process University information
  • all external parties that provide information processing services to the University

The policy will be communicated to all users of University information and will be made available to interested parties as appropriate.

Policy

The University is committed to protecting the security of its information and information systems. It is also committed to a policy of education, training and awareness for information security and to ensuring the continued success of the University.

It is the University policy that the information it manages shall be appropriately secured to protect against breaches of confidentiality, failures of integrity or interruptions to the availability of that information and to ensure appropriate legal, regulatory and contractual compliance.

In order to meet this intent, the University, its staff, students and other interested parties (where applicable) will:

  • ensure that senior management (e.g. DRIC) provides sufficient management direction and support for information security that is aligned to the University’s strategic objectives and relevant laws and regulations
  • establish a management framework to initiate and control the implementation and operation of information security within the University
  • ensure that employees, students and contractors understand their responsibilities in relation to information security
  • identify information assets and define appropriate protection in accordance with their sensitivity and importance to the University
  • prevent unauthorised disclosure, modification, removal, or destruction of information
  • limit access to information (need to know) and information processing facilities
  • make users accountable for safeguarding their authentication information (e.g. passwords)
  • prevent unauthorised access to information systems and applications
  • ensure proper and effective use of cryptography to protect confidentiality, authenticity and/or integrity of information
  • prevent unauthorised physical access, damage and interference to the University’s information and information processing facilities
  • prevent loss, damage, theft or compromise of assets and interruptions to the University’s operations
  • ensure the correct and secure operations of information processing facilities
  • ensure that information and information processing facilities are protected against malware
  • back up information to protect against the loss of data
  • conduct logging and monitoring to detect anomalies and generate evidence
  • control operational software and applications to ensure the integrity of operational systems
  • carry out technical vulnerability assessments on a regular basis
  • ensure the protection of information in the University’s networks and its supporting information processing facilities
  • maintain the security of information transferred within the University and with any external entity
  • ensure that information security is an integral part of information systems throughout their lifecycle (from concept to disposal/termination)
  • ensure the protection of data used for testing
  • ensure the protection of the University’s information assets that are accessible to suppliers, and maintain agreed levels of information security and service delivery in line with supplier agreements
  • ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses
  • embed information security into the University’s business continuity management systems
  • ensure compliance with legal, statutory, regulatory or contractual obligations related to information security and any security requirements
  • ensure that all users conduct mandatory information security awareness training
  • ensure that information security is implemented and operated in accordance with this policy and other supporting policies, procedures or standards

Legal and regulatory obligations

The University of Dundee will comply with all UK and EU legislation as well as a variety of regulatory and contractual requirements.

Compliance

The University will conduct information security compliance and assurance activities, facilitated by the University's Information Security Team, to ensure information security objectives and the requirements of the policy are met. Wilful failure to comply with the policy will be treated extremely seriously by the University and may result in enforcement action on a group and/or an individual.

Responsibilities

The following bodies and individuals have specific information security responsibilities:

  • Director of IT has operational authority for information security within the University and develops policies that underpin the necessary controls. This is normally exercised by delegation to the Assistant Director of IT for Security, Infrastructure & Research Computing
  • The Data, Records and Information Committee (DRIC) has executive oversight for information security within the University. DRIC has responsibility for overseeing the management of the information security risks to the University's staff and students, its infrastructure and its information.
  • Information Security Working Group (ISWG) is the risk management group of key stakeholders who compile the cyber security risk profile and recommend activities to reduce or mitigate those risks. ISWG is a working group of DRIC
  • Information Asset Owners
  • Data Stewards
  • Users are responsible for making informed decisions to protect the information that they process. Users will familiarise themselves with the relevant policies governing the information and systems they access

Supporting policies, codes of practice, procedures, and guidelines

Supporting policies have been developed (see below) to strengthen and reinforce this policy statement. These, along with associated procedures, standards and guidelines, are published together and are available for viewing on the University of Dundee website.

All staff, users, and any third parties authorised to access the University’s network or information system facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Supporting policies

A document outlining regulations and information relevant to IT policies has also been created.

Compliance and breach of policy

The University shall conduct cyber security compliance and assurance activities, facilitated by the University’s cyber security staff, to ensure cyber security objectives and the requirements of the policy are met. Wilful failure to comply with the policy will be treated extremely seriously by the University and may result in enforcement action on a group and/or an individual. If you have any questions or concerns about this policy, please discuss them with your line manager.

Review and development

This policy, and supporting documentation, shall be reviewed and updated annually, or more frequently when best practice or the legislative/regulatory environment changes, to ensure that they:

  • remain operationally fit for purpose
  • reflect changes in technologies
  • are aligned to industry best practice
  • support continued regulatory, contractual and legal compliance

Changes to this policy will be presented to DRIC for review prior to publication.

Further information

Definitions

University
The University of Dundee is a Scottish Registered Charity, No. SC01509, with its registered office at Tower Building, Nethergate, Dundee DD1 4HN.
Staff
Staff are salaried members of the University or contracted individually by the University to provide a service.
Student
A person pursuing any course of study in the University.
Visitors
A visitor is anyone, not a member of staff or student, requiring access to University premises or services.
Information
The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programmes, software and databases.
Data
Information in raw form.
Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity
Property of accuracy and completeness.
Availability
Property of being accessible and usable upon demand by an authorized entity.

Relevant legislation

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

If you have any questions regarding this policy, please contact the University’s Help4U service.