Policies, Procedures and Related Guidance
(Formally the Electronic Information Security Framework - EISF)
1. This framework covers information stored, accessed and transmitted by electronic means including, but not limited to, audio, video and other media.
2. Information Security for the purposes of this framework is defined as the protection of information to facilitate business continuity and appropriate levels of confidentiality, integrity and availability. It is recognised that the achievement of optimum levels of business continuity, confidentiality, integrity and availability depends on a wider range of measures and considerations.
3. It is a framework because, nevertheless, it includes a wide range of relevant policies, regulations, procedures, controls and guidance.
4. Some of the relevant policies, regulations, procedures, controls and guidance relate solely to electronic information but there are others which are relevant as well to paper based information and verbal delivery.
5. The framework applies to the following people although some documents are addressed to particular groups; collectively they are referred to as 'users':
- Full-time, part-time and temporary staff employed by or working for and on behalf of the University
- Students of the University
- Contractors and consultants working for or on behalf of the University
- All other individuals and groups who have been granted access to the University's IT and information systems
6. Information Security is important because of the importance of information to the success of all the University's functions. Security failures such as access to its IT systems by unauthorised users, unauthorised access to confidential data or prolonged failure of its IT systems could have a significant detrimental impact on the University, resulting in, for example, the corruption of student results, the unlawful disclosure of personal data, damaging disclosure of confidential commercial information, and the loss of reputation.
7. The purpose of the controls detailed in the framework is to minimise the risk of information security failures while not stifling innovative, efficient, effective and flexible use of the University's IT systems by the University's staff or students, or limiting unnecessarily their access to useful information.
Information Security Management and Responsibilities
8. Information Systems & Technology ( IS&T) is responsible for the development of the technical aspects of IT security and related regulations, procedures and processes. The University Secretary and Registrar's Directorate is responsible for the development of policies, regulations and procedures relating to statutory and regulatory aspects of information management. The two Directorates cooperate, and consult more widely, to develop the measures necessary to ensure sufficient levels of IT security.
9. The various policies, regulations and procedures which relate to IT security will be approved at the appropriate level for the particular document: for example, Board of Governors, University Leadership Team or appropriate senior manager.
10. The Information Strategy Executive (ISE), advised by the IS&T Senior Management Team (SMT) and the University Secretariat, have responsibility for monitoring the effectiveness of, and reviewing annually, the University's IT Security.
11. Within IS&T there is the University IT Security Officer (ITSO), who will:
- act as JANET security contact and act as liaison with JANET-CERT during investigation and resolution of security incidents
- ensure necessary action is taken by the University to respond to security incidents
Legislation, Policies, Regulations, Guidance and Standards
Detailed information is available on the following pages;