
Information Security Policy

Find out your responsibilities for ensuring the security of information at the University.


Policy


Owner
Chief Information Security Officer (CISO)
Version
2.1
Approval date
12 Sep 2023
Approved by
University Executive Board (UEB)
Date of last review
23 Feb 2024
Date of next review
Information not provided

1. Introduction

1.1 The continued confidentiality, integrity and availability of University networks are essential to the operations of the University of Bath. A disruption would jeopardise the ability of the University to fulfil its mission of delivering world-class research and teaching, and have greater negative long-term impact through the consequential risk of financial or reputational loss.

1.2 This Information Security Policy sets out the guiding principles, and the responsibilities of all members of the University, for safeguarding University networks. Other supporting University policies, procedures and guidelines give greater detail on specific subject areas.

1.3 The Digital, Data and Technology group will lead the University's commitment to a successful implementation of information security management, but this will only be possible if all members of the University community are aware of and carry out their own personal responsibilities.

1.4 Senior Management will define relevant information security objectives, and monitor and support the Digital, Data and Technology group in achieving these objectives.

1.5 Purpose of Policy

1.5.1 The intention of this policy is to:

  • Protect the University networks from security threats and mitigate risks that cannot be directly countered, ensuring the confidentiality, integrity and availability of University data;
  • Ensure that all members of the University are aware of and able to comply with relevant UK legislation related to information security, data protection and privacy;
  • Educate and empower all users to understand their personal responsibilities in protecting the confidentiality and integrity of the data they access, and to comply with this policy and other supporting policies;
  • Safeguard the reputation and business of the University by ensuring its ability to meet its legal obligations and to protect it from liability or damage through misuse of its IT facilities, including data breaches or unauthorised access; and
  • Promote a culture of continual improvement in information security by conducting timely reviews of policies and procedures in response to feedback, changes in legislation, emerging threats and other factors to enhance ongoing security measures and practices.

1.6 Scope

1.6.1 This Information Security Policy applies to:

  • All members of the University of Bath, including faculty, staff, students, volunteers, contractors and any other individuals with access to University networks;
  • All third parties who interact with University information, including vendors, partners, contractors, consultants and other external entities; and
  • All systems used to store, process or transmit University information, including but not limited to computers, servers, laptops, mobile devices, networks, databases, Cloud services, and any other IT infrastructure owned, operated or used by the University.

1.6.2 This policy is applicable to all individuals and entities mentioned above, and compliance with this policy is mandatory to ensure the protection and security of University information and systems.

2. Policy

2.1 Awareness and communication

2.1.1 All authorised users will be provided with information about this policy and supporting policies and guidelines when their account is issued. Updates to guidance will be communicated through the University’s Digital, Data and Technology (DDaT) website and will be highlighted at major points of interaction with DDaT systems, as deemed appropriate for the change. This may include email notifications, system alerts or other forms of communication to ensure that users are aware of any updates or changes to the information security policies and guidelines. It is the responsibility of all users to regularly review and comply with the most current version of the policies and guidelines to maintain a secure information environment at the University of Bath.

2.2 Information Security Principles

2.2.1 The following principles provide a framework for the security and management of the University’s information and University networks:

  • Information Classification: All information should be classified in accordance with the Information Classification Framework, as well as any legislative, regulatory, or contractual requirements that may increase the sensitivity of the information and its security requirements.
  • Data Stewardship: Data Stewards are responsible for writing and maintaining business definitions and help develop quality checks to ensure the data is fit for purpose. For research related work, they should ensure their data is classified and, in partnership with Data Custodians, the information is treated in line with its classification level with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
  • Proper Handling of Information: All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level, relevant laws, regulations, and policies.
  • Need-to-Know Principle: Information should only be made available to those individuals who have a legitimate need for access in order to perform their job duties or responsibilities. Access to information should be granted based on role-based permissions and least privilege principles.
  • Unauthorised Access Protection: Information should be protected against unauthorised access and processing. This includes implementing appropriate technical, administrative, and physical safeguards such as strong authentication, access controls, and audit trails to prevent unauthorised access or data breaches.
  • Data Loss Prevention: Measures should be in place to protect information against loss and corruption. This may include regular data backups, redundant storage, and disaster recovery plans to ensure business continuity in case of data loss or system failure.
  • Secure Disposal of Information: Information should be disposed of securely and in a timely manner, in accordance with the appropriate measures based on its classification level. This may include shredding, secure deletion, or other approved methods for disposal of information in compliance with relevant data protection regulations.
  • Breach Reporting: Any breaches of this policy must be reported by anyone who becomes aware of the breach in a timely manner, following the University's established incident reporting procedures. Reporting breaches promptly allows for timely investigation, containment, and mitigation of potential security incidents.
  • IT security awareness training: Relevant training will be in place to assist staff in their day-to-day handling of information. All new staff must complete the University’s mandatory information security training (online) to ensure they are aware of the risks and their responsibilities in handling information. Staff will be required to complete refresher training annually reflecting any changes and updates in information governance best practice.

2.2.2 By adhering to these principles, the University aims to ensure the confidentiality, integrity and availability of its information assets and maintain a secure information environment.

2.3 Legal, Regulatory and Contractual Compliance

2.3.1 The University of Bath and its staff, students, users and members must adhere to all current UK legislation as well as regulatory and contractual requirements. The University provides policy statements and guidance for staff and students on compliance with relevant legislation to help prevent breaches of the University’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements.

2.3.2 Users of the University’s online or network services, and anyone using or processing its information assets, are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.

2.3.3 A summary of the relevant legislation is included in University – Guide to legislation relevant to the Electronic University networks Security Policy.

2.4 Information Classification

2.4.1 An Information Classification framework, with the levels set out below, is established as part of the Information Security Principles. Detailed definitions and further guidance are available in the Information Classification Framework (ICF). The ICF includes definitions from the Data Protection Policy.

Category - Highly Restricted

Description

Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or seriously damage the University’s interests and reputation; and/or significantly threaten the security/safety of the University and its staff/students.

Examples

  • Sensitive personal data relating to identifiable living individuals
  • Individual’s bank details
  • Large aggregates (>1000 records) of personal data such as personal contact details
  • Non-public information that facilitates protection of individuals’ safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas

Category - Restricted

Description

Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage the University’s commercial interests, and/or have some negative impact on the University’s reputation.

Examples

  • Personal data relating to identifiable living individuals
  • Student assessment marks
  • Staff contact details
  • Research data or information or IP with commercial value/obligation

Category - Internal Use

Description

Information not considered public, which should be shared only internally, but whose disclosure would not cause substantive damage to the University and/or individuals.

Examples

  • Non-confidential internal correspondence e.g. routine administration such as meeting room and catering arrangements
  • Final working group papers and minutes
  • Internal policies and procedures

Category - Public

Description

Information that may be viewed by anyone, inside or outside the organisation.

Examples

  • Publications
  • Press releases
  • Course information
  • Principal University contacts for public-facing roles, i.e. name, email address and landline telephone number
  • Public events

2.5 Compliance and Incident Notification

2.5.1 Compliance with the information security policy at the University of Bath is imperative for all users of information systems. Any breach of information security is a serious matter that may result in the loss of confidentiality, integrity, or availability of personal or other confidential data. Such breaches could lead to criminal or civil action against the University, as well as potential business loss and financial penalties.

2.5.2 In the event of an actual or suspected breach of this policy, it must be immediately reported to the Chief Digital and Information Officer or designate in accordance with the incident investigation procedure. All reported security incidents will be thoroughly investigated, and appropriate actions will be taken in line with this policy, the Acceptable Use Policy, the University’s disciplinary policy, and relevant laws and regulations.

2.5.3 If the breach involves or may involve personal data, the Data Protection team must be promptly notified in accordance with the University's Data Protection Policy.

2.5.4 Compliance with this policy should also be incorporated as a contractual requirement with any third party that may have access to University systems or data.

2.5.5 By promptly reporting and addressing breaches, and ensuring compliance with this policy, the University aims to safeguard its information assets, protect against potential legal and financial risks, and maintain a secure information environment for the benefit of all users.

3. Roles and Responsibilities

3.1 Individuals

Individuals must adhere to the IT Acceptable Use Policy and follow relevant supporting procedures and guidance. They are also responsible for undertaking the information security awareness training and any refresher training that is required.

Individuals should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information.

Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular, individuals should adhere to the information security ‘dos and don’ts’ outlined in the appendix.

3.2 Data Protection Officer (DPO)

In accordance with the GDPR the University has appointed a Data Protection Officer to carry out the DPO role as defined in the legislation. The DPO is responsible for providing advice and assistance on all matters relating to data protection, including drafting data protection statements for forms and questionnaires, advising on requests for access to personal data, responding to queries on data protection issues, and overseeing the University's data protection compliance.

The DPO is also responsible for reporting personal data breaches to the Information Commissioner's Office (ICO) where notification is required, and for advising on the Record of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIAs).

3.3 Information Asset Owner

Information Asset Owners are responsible for ensuring their information assets are identified, included on the University Information Asset Register and compliant with this policy and relevant data protection legislation.

3.4 Data Stewards

A Data Steward is responsible for understanding the full breadth of the information they are responsible for, classifying it in line with the Information Security Principles, and complying with the Research Data policy.

They must also ensure that Data Custodians who maintain University networks holding or processing their data are aware of any additional requirements needed to safeguard that data above and beyond those for normal user data.

3.5 Data Custodians

Data Custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities under section 3.1 they must:

  • Ensure that the physical and network security of systems is maintained;
  • Ensure that the systems they maintain are suitably configured, maintained and developed;
  • Ensure that the data are appropriately stored and backed up;
  • Ensure that appropriate access controls are in place to meet the requirements of Data Stewards;
  • Understand and document risks, take suitable steps to mitigate those risks, and ensure that these risks are understood by Information Asset Owners;
  • Document operational procedures and responsibilities of staff;
  • Publish procedures for users of the systems to allow secure access and usage; and
  • Ensure that systems are compliant with legal and other contractual requirements.

3.6 Chief Information Security Officer (CISO)

The CISO is responsible for the Information Security Policy and will provide specialist advice to the University, in particular Data Custodians and Data Stewards. The CISO will advise on appropriate security measures for any new types of University networks that are introduced in order to aid clarity of the policy.

3.7 The Digital, Data and Technology Group

In addition to its function as a Data Custodian for many systems, DDaT must ensure that the provision of IT infrastructure is consistent with the demands of this policy, so as to support other Data Custodians.

3.8 Internal Audit

Internal Audit will ensure that suitable reviews take place of Data Custodians' processes and of the classification of information.

3.9 Senior Management

Senior Management defines and approves this policy, sets measurable objectives for the information security programme, provides resources for the establishment and maintenance of the programme, monitors the progress and achievement of objectives, and takes strategic decisions.

4. Supporting Regulations, Policies and Guidelines

4.1 JANET Policies

As at the date of this policy the University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security Policies. Both of these policies are available from the JANET website.

4.2 Payment Card Industry Data Security Standard (PCI DSS)

The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards. The finance department has the ultimate responsibility for maintaining PCI DSS compliance.

5. Related Policies and Procedures

The following policies and procedures are related to the information security policy:

6. Appendix

6.1 General Guidance

Do

  • Do use a strong password and change it if you think it may have been compromised
  • Do report any loss or suspected loss of data
  • Do be on your guard for fake emails or phone calls requesting confidential information - report anything suspicious to the DDaT service desk
  • Do keep software up to date and use antivirus on all possible devices
  • Do be mindful of risks when using public Wi-Fi or computers
  • Do ensure University data is stored on University systems
  • Do password protect and encrypt your personally owned devices

Do Not

  • Don’t give your password to anyone
  • Don’t reuse your University password for any other account
  • Don’t open suspicious documents or links
  • Don’t undermine the security of University systems
  • Don’t provide access to University information or systems
  • Don’t copy confidential University information without permission
  • Don’t leave your computers or phones unlocked
