Policy on Information Access and Security
This policy is currently under review (2014/15) by the Information Access and Security Group.
1. Definition of Terms
- This document refers primarily to computer based information, or information derived from management information systems. Guidelines and procedures relating to other forms of information have been developed in conjunction with this policy statement, and are outlined in an accompanying Code of Practice.
- Management information systems include all centralised multi-user computer systems, departmental centralised systems provided for data manipulation and management reporting purposes, and multi-user and single-user departmental desktop computer systems used for administrative purposes, throughout the University.
- In the context of this Policy statement the University distinguishes between information and raw data. Information is made available as appropriate through the interpretation of raw data. Information requirements will be specified by the requester in discussion with the member of staff responsible for the integrity of the raw data on which it will be based (e.g. by a Data Steward defined in 4i below).
2. Policy Statement
The University recognises that all staff must have access to appropriate information in order to fulfil their job responsibilities.
Procedures will be put in place to enable members of staff to obtain authorised access to the information they need, in a manner which enables them to carry out their work effectively and efficiently.
Access to information must be provided in a secure manner which aims to protect the confidentiality and integrity of that information and without compromise to associated information or raw data. Published guidelines will define the levels of confidentiality which apply to different types of information.
A University Code of Practice for Information Security and Access defines procedures for information processing and storage which protect the University's interests. The Code of Practice refers the reader to other relevant guidelines and procedures wherever appropriate.
Business Continuity plans will be put in place to protect critical business processes from major failure or disaster.
The University will comply with all applicable laws, including the Data Protection Act, the Copyright, Designs and Patents Act and the Computer Misuse Act.
- The Information Strategy Sub Committee (ISSC, of the Planning and Resources Committee) is responsible for formulating policy and overseeing implementation of the Information Access and Security Policy.
- An Information Access and Security Working Group has been formed, reporting to ISSC. This has responsibility for developing and monitoring University procedures. The Registrar and Secretary, as Chairperson, is responsible for recording reports of security breaches or incidents, and taking appropriate action.
- It is the responsibility of each Head of Department to ensure that the procedures within their remit are implemented and monitored. It is also their responsibility, accountable to the Vice-Chancellor, to ensure that staff are made aware of relevant access and security procedures.
- University staff who are authorised to access information must comply with all aspects of the information access and security policy and code of practice, or will face disciplinary action in accordance with existing University contracts of employment.
- Each individual who has authorised access to information has a responsibility to report any breach or suspected breach of security via the appropriate channels.
Each computer application will have a designated person (called a Data Steward) responsible for its information.
Heads of Department will identify requirements for information access and these will be registered by the appropriate Data Steward.
The Data Steward will authorise access to specific information. In the event of access being refused by the Data Steward, there will be a right of appeal to the Data Steward's line manager and ultimately to the Information Strategy Sub Committee.
A formal record will be kept by the Data Steward of staff authorised to access information, and this will be periodically reviewed. A procedure will be developed to take account of staff changes and transfer of responsibilities.
Staff within a department may only obtain access to information by this route. It is not acceptable for information to be passed on to other staff (secondary access) without reference to, and authority from, the appropriate Data Steward.
ii. Security Strategy for Management Information Systems
A University Code of Practice for Information Security and Access will be made available to all staff. It will define the required procedures and processes in a manner which is easy to understand and uses clear English.
Audit checks on at least an annual basis will be made for compliance, initiated by the Information Access and Security Working Group.
Information will only be accessible by staff who have obtained prior authorisation, and continue to have current authorisation for access to the information.
The University will work towards a computer network strategy which enables access to information where appropriate, from any part of the University campus (or beyond) when electronic access is required.
Computer application security will be controlled by a number of independent security levels, including network traffic controls, operating systems, database systems, and levels of access within an application.
There will be continuous monitoring of access to Management Information Systems. Audit trails will be kept of all changes to information identifying the user who has made that change along with the date and time.
Regular backups of information stored electronically will be taken, and stored securely off site in order to resume business in the event of failure or disaster. The backup procedures will be tested periodically in conjunction with internal audit.
Security measures will be reviewed as appropriate via a change control procedure. The group responsible for the change control mechanism will be the Information Access and Security Working Group. Change control will be effected whenever a new application, or significant change to an existing system, or weakness is identified. Change control procedures will be developed and monitored in conjunction with internal audit.
Failure to Comply
In the event of a security breach, appropriate action will be taken including instigation, if necessary, of the University disciplinary procedures as set out in the standard terms and conditions of employment, and University Ordinances and Regulations.
This document will be reviewed on an annual basis.