1 Introduction

The continued confidentiality, integrity and availability of information systems underpin the operations of the University of Bath. A failure to secure information systems would jeopardise the ability of the University to fulfil its mission of delivering world-class research and teaching and have greater long-term impact through the consequential risk of financial or reputational loss.

This Electronic Information Systems Security policy provides the guiding principles and responsibilities of all members of the University required to safeguard its information systems. Other supporting University policies, procedures and guidelines will give greater detail on specific subject areas.

Computing Services will lead the University commitment to deliver a successful implementation of Information Security Management but this will only be possible if all members of the University community are aware of, and carry, out their own personal responsibilities.

1.1 Purpose of Policy

The intention of this policy is to:

  • Ensure that the information systems that the University manages are protected from security threats and to mitigate risks that cannot be directly countered
  • Ensure that all members of the University are aware of and able to comply with relevant UK and EU legislation
  • Ensure that all users are aware of and understand their personal responsibilities to protect the confidentiality and integrity of the data that they access
  • Ensure that all users are aware of and are able to comply with this policy and other supporting policies
  • Safeguard the reputation and business of the University by ensuring its ability to meets its legal obligations and to protect it from liability or damage through misuse of its IT facilities
  • Ensure timely review of policy and procedure in response to feedback, legislation and other factors so as to improve ongoing security.

1.2 Scope

This Information Systems Security Policy applies to all members of the University of Bath, all third parties who interact with University information, and all of the systems used to store or process it.

2 Policy

2.1 Awareness and communication

All authorised users will be informed of the policy and of supporting policies and guidelines when their account is issued. Updates to guidance will be publicised through the Computing Services website and highlighted at major points of interaction with Computing Services systems as appropriate for the change.

2.2 Definitions

University Data includes all data elements that are owned or licenced by the University or any information processed by the University on behalf of a third party.

University information systems - This includes but is not limited to all information systems owned, held, utilised or present on a University network and anyone making use of them.

Data Steward - The most senior University of Bath researcher associated with a research project is the Data Steward for that project and is ultimately responsible for research data management.

Data Custodian - Data Custodians are responsible for the safe custody, transport, storage of the data and implementation of business rules. Examples are systems administrators and developers within Computing Services.

2.3 Information Security Principles

The following principles provide a framework for the security and management of the University’s information and information systems.

  1. Information should be classified in line with the Information Classification Framework and in accordance with any other legislative, regulatory or contractual requirements that might increase the sensitivity of the information and security requirements.
  2. Data Stewards are responsible for ensuring that their data are classified and that in partnership with Data Custodians the information is treated in line with its classification level with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
  3. All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level.
  4. Information should be only available to those with a legitimate need for access.
  5. Information will be protected against unauthorised access and processing.
  6. Information will be protected against loss and corruption.
  7. Information will be disposed of securely and in a timely manner with measures appropriate for its classification.
  8. Breaches of policy must be reported by anyone aware of the breach in a timely manner.

2.4. Legal and regulatory obligations

The University of Bath and its staff/students/users/members must adhere to all current UK and EU legislation as well as regulatory and contractual requirements. A summary of the relevant legislation is included in Appendix A – Guide to legislation relevant to the Information Systems Security Policy.

2.5 Information Classification

The following provides a summary of the Information Classification levels which are part of the Information Security Principles. Detailed definitions and further guidance is available in the Information Classification Framework (ICF) from the University Secretary’s Office. The ICF includes definitions from the Data Protection Policy.

Category - Highly Restricted

Description

  • Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or
  • Seriously damage the University’s interests and reputation; and/or significantly threaten the security/safety of the University and its staff/students

Examples

  • Sensitive personal data relating to identifiable living individuals
  • Individual’s bank details
  • Large aggregates (>1000 records) of personal data such as personal contact details
  • Non-public information that facilitates protection of individuals’ safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas

Category - Restricted

Description

  • Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage the University’s commercial interests,
  • and/or have some negative impact on the University’s reputation.

Examples

  • Personal data relating to identifiable living individuals
  • Student assessment marks
  • Staff contact details
  • Research data Or information or IP with commercial value/obligation

Category - Internal Use

Description

  • Information not considered being
  • public which should be shared only
  • internally but would not cause
  • substantive damage to the University
  • and/or individuals if disclose

Examples

  • Non-confidential internal correspondence e.g. routine administration such as meeting room and catering arrangements
  • Final working group papers and minutes
  • Internal policies and procedures

2.6 Compliance and Incident notification

It is vital that all users of information systems at the University of Bath comply with the information security policy. Any breach of information security is a serious matter and could lead to the possible loss of confidentiality, integrity or availability of personal or other confidential data. Such a loss may result in criminal or civil action against the University and also the loss of business and financial penalties.

Any actual or suspected breach of this policy must be notified to the Director of Computing Services or the IT Security Manager at the earliest possible opportunity in line with the incident investigation procedure. All security incidents will be investigated and consequent actions may follow in line with this policy; the Acceptable Use Policy; University disciplinary policy; and relevant laws.

The Data Protection team will be informed of any breach found to affect personal data in keeping with the University’s Data Protection Policy. Compliance with this policy should form part of any contract with a third party that may involve access to University systems or data.

3. Responsibilities

3.1 Individuals

Individuals must adhere to the Acceptable Use Policy and follow relevant supporting procedures and guidance. An individual should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information. Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular individuals should adhere to the information security ‘dos and don'ts’ outlined in the table below:

DO DO NOT
Do use a strong password and change it if you think it may have been compromised Don’t give your password to anyone
Do report any loss or suspected loss of data Don’t reuse your University password for any other account
Do be on your guard for fake emails or phone calls requesting confidential information - report anything suspicious to the Computing Services service desk Don’t open suspicious documents or links
Do keep software up to date and use antivirus on all possible devices Don’t undermine the security of University systems
Do be mindful of risks using public Wifi or computers Don’t provide access to University information or systems
Do ensure University data is stored on University systems Don’t copy confidential University information without permission
Do password protect and encrypt your personally owned devices Don’t leave your computers or phones unlocked

3.2 Data Stewards

The responsibilities of a Data Steward

Understand the full breadth of the information they are responsible for and classify it in line information security principle 1. Comply with Research Data policy
Ensure that data custodians who maintain information systems holding or processing their data are aware of any additional requirements that may be required to safeguard data above and beyond normal user data.

3.3 Data Custodians

Data custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities 3.1 they must:

  • Ensure that the physical and network security of systems is maintained.
  • Ensure that the systems they maintain are suitably configured, maintained and developed.
  • Ensure that the data are appropriately stored and backed up.
  • Ensure that appropriate access controls are in place to meet the requirements of Data Stewards.
  • Understand and document risks, take suitable steps to mitigate and ensure that these are understood by data owners.
  • Document operational procedures and responsibilities of staff.
  • Publish procedures for users of the systems to allow secure access and usage.
  • Ensure that systems are compliant with legal and other contractual requirements.

3.4 IT Security Manager

Is responsible for the Electronic Information Systems Security Policy and will provide specialist advice to the University, in particular Data Custodians and Data Stewards. The IT Security Manager will advise on appropriate security measures for any new types of information systems that are introduced in order to aid clarity of the policy.

3.5 Computing Services

In addition to its function as a data custodian for many systems Computing Services must ensure that the provision of IT infrastructure is consistent with the demands of this policy to support other data custodians.

3.6 Internal Audit

Internal Audit will ensure that suitable reviews take place of the processes of Data Custodians and the classifications.

3.7 University Secretary

The Office of the University Secretary is responsible for information security training, the publication of the Information Classification Framework guidance, policy and compliance associated with the Data Protection Act.

4. Supporting regulations, policies and guidelines

Other policies issued by the University of Bath support and reinforce this policy statement. These include but are not limited to:

Policy review

The University will review this policy when required to ensure that it remains appropriate and up to date. Any questions or concerns should be made to the IT Security Manager.

5 Supporting documents

Document Control Information

Owner: Mark Acres IT Security Manager
Version Number: 1.0
Approval Date: April 2016
Approved By: Executive Committee
Date of Last review: July 2016