Aims
Information is vital to the operation and administration of the college, and the security of this information, and of the assets associated with it, is fundamental to its continuing success.
There are three key aspects to information security:
- Confidentiality: information is available only to those authorised to have access
- Integrity: information is reliable, as it is accurate and complete
- Availability: information is accessible whenever and wherever required
The aim of this policy is to summarize and bring together the current sources of policy, regulations, procedures and guidelines relating to information security. The intention is to make it easier for members of the college to understand their obligations.
Principles
The following are the guiding principles for Information Security:
- The college will comply with relevant legislation related to information security.
- The college's approach is based on published best practice and guidance from the Joint Information Services Committee (JISC) and standards such as ISO27001, although it is not intended to seek formal certification to any standard at this time.
- All members of the college are responsible for information security and must conform to all college policies and procedures, and take into account the agreed guidelines.
- The college seeks to build a culture of information security awareness among members of the college.
- The college will constantly seek to review and improve information security.
- The approach will be to implement information security by policy and education rather than technology enforcement, imposing solutions or systems to enforce best practice only where necessary.
- Information security should not hinder the legitimate work of the college.
- User rights and access to information will at all times be based on a person's role and need rather than their status.
- Information will only be used for legitimate academic and administrative purposes.
Supporting Documents
This policy gives the high-level statement of Information Security strategy at the college. To support this, there will be the following documents:
Standards and Guidelines for All Users of College Computing and Network Facilities | The formal regulations governing computer use, and local acceptable use policy. Includes a statement on user access to systems and how that will be managed, and responsibilities of users. Also linked is the JANET AUP with which all members must also comply. |
This is a more detailed set of guidelines, covering all aspects of Information Security, based on JISC guidance and ISO27001. | |
Staff and student policies on wireless use on campus | |
Policy on desktop computers. | |
Staff and student policies on email use. | |
Policy on user access to the Internet, and any monitoring and blocking of sites | |
Policy governing what will be done to recover from any significant incident, as well as policy on how system owners and users should plan to continue to deliver business function when systems are unavailable. | |
| Formalising the process under which authorised staff will investigate suspected or reported breaches of security. |
Internet AUP | |
Social Networks AUP |