1 Introduction
The continued confidentiality, integrity and availability of information systems underpin the operations of the University of Bath. A failure to secure information systems would jeopardise the ability of the University to fulfil its mission of delivering world-class research and teaching and have greater long-term impact through the consequential risk of financial or reputational loss.
This Information Security Policy provides the guiding principles and responsibilities of all members of the University required to safeguard its information systems. Other supporting University policies, procedures and guidelines will give greater detail on specific subject areas.
The Digital, Data and Technology Group will lead the University commitment to deliver a successful implementation of information security management, but this will only be possible if all members of the University community are aware of and carry out their own personal responsibilities.
1.1 Purpose of Policy
The intention of this policy is to:
- Protect the information systems managed by the University from security threats and mitigate risks that cannot be directly countered, ensuring the confidentiality, integrity, and availability of University data.
- Ensure that all members of the University are aware of and able to comply with relevant UK and EU legislation related to information security, data protection, and privacy.
- Educate and empower all users to understand their personal responsibilities in protecting the confidentiality and integrity of the data they access, and to comply with this policy and other supporting policies.
- Safeguard the reputation and business of the University by ensuring its ability to meet its legal obligations and to protect it from liability or damage through misuse of its IT facilities, including data breaches or unauthorised access.
- Promote a culture of continuous improvement in information security by conducting timely reviews of policies and procedures in response to feedback, changes in legislation, emerging threats, and other factors, in order to enhance ongoing security measures and practices.
1.2 Scope
This Information Security Policy applies to:
- All members of the University of Bath, including faculty, staff, students, volunteers, contractors, and any other individuals with access to university information systems.
- All third parties who interact with university information, including vendors, partners, contractors, consultants, and other external entities.
- All systems used to store, process, or transmit University information, including but not limited to computers, servers, laptops, mobile devices, networks, databases, cloud services, and any other IT infrastructure owned, operated, or used by the University.
This policy is applicable to all individuals and entities mentioned above, and compliance with this policy is mandatory to ensure the protection and security of University information and systems.
2 Policy
2.1 Awareness and communication
All authorised users will be provided with information about this policy and supporting policies and guidelines when their account is issued. Updates to guidance will be communicated through the University's DDaT (Digital, Data and Technology) website and will be highlighted at major points of interaction with DDaT systems, as deemed appropriate for the change. This may include email notifications, system alerts, or other forms of communication to ensure that users are aware of any updates or changes to the information security policies and guidelines. It is the responsibility of all users to regularly review and comply with the most current version of the policies and guidelines to maintain a secure information environment at the University of Bath.
2.2 Definitions
- University - University of Bath.
- Staff – Staff, whether academic, administrative, technical, or other, currently employed by the University, or engaged on a contract of service.
- Student – An individual currently enrolled or registered with the University, or undertaking study of any kind provided by, at, or under the auspices of, the University.
- Visitor – An individual, other than Staff or Students, who uses the University IT Systems in any way.
- University IT Systems – any of the University’s IT facilities, including email, connection from the campus to the Internet and other networks, and all computers, laptops, other mobile devices, and any other related software and hardware.
- DDaT/DD&T - Digital, Data and Technology Group
- Information Asset Owner - These will be individuals in the University who hold the responsibility for ensuring that IT assets in their particular area are processed and shared in line with the Information Management Policy Framework.
- Data Steward - Subject matter experts who are responsible for business definitions and the quality of data sets within a data domain (e.g. defining terms such as “applicant,” or “course” in the student registry domain). For research related work, the most senior University of Bath researcher associated with a research project is the Data Steward for that project and is ultimately responsible for research data management.
- Data Custodian - Data Custodians are responsible for the safe custody, transport and storage of the data and for the implementation of business rules. Examples are systems administrators and developers within DDaT.
2.3 Information Security Principles
The following principles provide a framework for the security and management of the University’s information and information systems.
- Information Classification: All information should be classified in accordance with the Information Classification Framework, as well as any legislative, regulatory, or contractual requirements that may increase the sensitivity of the information and its security requirements.
- Data Stewardship: Data Stewards are responsible for writing and maintaining business definitions and help develop quality checks to ensure the data is fit for purpose. For research related work, they should ensure their data is classified and, in partnership with Data Custodians, the information is treated in line with its classification level with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
- Proper Handling of Information: All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level, relevant laws, regulations, and policies.
- Need-to-Know Principle: Information should only be made available to those individuals who have a legitimate need for access in order to perform their job duties or responsibilities. Access to information should be granted based on role-based permissions and least privilege principles.
- Unauthorised Access Protection: Information should be protected against unauthorised access and processing. This includes implementing appropriate technical, administrative, and physical safeguards such as strong authentication, access controls, and audit trails to prevent unauthorised access or data breaches.
- Data Loss Prevention: Measures should be in place to protect information against loss and corruption. This may include regular data backups, redundant storage, and disaster recovery plans to ensure business continuity in case of data loss or system failure.
- Secure Disposal of Information: Information should be disposed of securely and in a timely manner, in accordance with the appropriate measures based on its classification level. This may include shredding, secure deletion, or other approved methods for disposal of information in compliance with relevant data protection regulations.
- Breach Reporting: Any breaches of this policy must be reported by anyone who becomes aware of the breach in a timely manner, following the University's established incident reporting procedures. Reporting breaches promptly allows for timely investigation, containment, and mitigation of potential security incidents.
- IT security awareness training: Relevant training will be in place to assist staff in their day-to-day handling of information. All new staff must complete the University’s mandatory information security training (online) to ensure they are aware of the risks and their responsibilities in handling information. Staff will be required to complete refresher training annually reflecting any changes and updates in information governance best practice.
By adhering to these principles, the University aims to ensure the confidentiality, integrity, and availability of its information assets and maintain a secure information environment.
2.4 Legal and regulatory obligations
The University of Bath and its staff/students/users/members must adhere to all current UK legislation as well as regulatory and contractual requirements. The University provides policy statements and guidance for staff and students in relation to compliance with relevant legislation to help prevent breaches of the University’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements.
Users of the University’s online or network services, or when using or processing Information Assets, are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.
A summary of the relevant legislation is included in Appendix – Guide to legislation relevant to the Information Systems Security Policy.
2.5 Information Classification
An Information Classification framework, which defines the classification levels set out below, is established as part of the Information Security Principles. Detailed definitions and further guidance are available in the Information Classification Framework (ICF) from the University Secretary’s Office. The ICF includes definitions from the Data Protection Policy.
Category - Highly Restricted
Description: Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or seriously damage the University’s interests and reputation; and/or significantly threaten the security/safety of the University and its staff/students.
Examples:
- Sensitive personal data relating to identifiable living individuals
- Individual’s bank details
- Large aggregates (>1000 records) of personal data such as personal contact details
- Non-public information that facilitates protection of individuals’ safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas
Category - Restricted
Description: Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage the University’s commercial interests, and/or have some negative impact on the University’s reputation.
Examples:
- Personal data relating to identifiable living individuals
- Student assessment marks
- Staff contact details
- Research data or information or IP with commercial value/obligation
Category - Internal Use
Description: Information not considered public, which should be shared only internally, but whose disclosure would not cause substantive damage to the University and/or individuals.
Examples:
- Non-confidential internal correspondence e.g. routine administration such as meeting room and catering arrangements
- Final working group papers and minutes
- Internal policies and procedures
2.6 Compliance and Incident notification
Compliance with the information security policy at the University of Bath is imperative for all users of information systems. Any breach of information security is a serious matter that may result in the loss of confidentiality, integrity, or availability of personal or other confidential data. Such breaches could lead to criminal or civil action against the University, as well as potential business loss and financial penalties.
In the event of an actual or suspected breach of this policy, it must be immediately reported to the Chief Digital and Information Officer or the IT Security Manager in accordance with the incident investigation procedure. All reported security incidents will be thoroughly investigated, and appropriate actions will be taken in line with this policy, the Acceptable Use Policy, University disciplinary policy, and relevant laws and regulations.
If the breach involves personal data, the Data Protection team must be promptly notified in accordance with the University's Data Protection Policy.
Compliance with this policy should also be incorporated as a contractual requirement with any third party that may have access to University systems or data.
By promptly reporting and addressing breaches, and ensuring compliance with this policy, the University aims to safeguard its information assets, protect against potential legal and financial risks, and maintain a secure information environment for the benefit of all users.
3 Responsibilities
3.1 Individuals
Individuals must adhere to the Acceptable Use Policy and follow relevant supporting procedures and guidance. An individual should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information. Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular, individuals should adhere to the information security ‘dos and don'ts’ outlined in the table below.
Do | Do Not |
---|---|
Do use a strong password and change it if you think it may have been compromised | Don’t give your password to anyone |
Do report any loss or suspected loss of data | Don’t reuse your University password for any other account |
Do be on your guard for fake emails or phone calls requesting confidential information - report anything suspicious to the DD&T service desk | Don’t open suspicious documents or links |
Do keep software up to date and use antivirus on all possible devices | Don’t undermine the security of University systems |
Do be mindful of risks using public Wi-Fi or computers | Don’t give others access to University information or systems |
Do ensure University data is stored on University systems | Don’t copy confidential University information without permission |
Do password protect and encrypt your personally owned devices | Don’t leave your computers or phones unlocked |
3.2 Data Protection Officer (DPO)
In accordance with the GDPR, the University has appointed a Data Protection Officer to carry out the DPO role as defined in the legislation. The DPO is responsible for providing advice and assistance on all matters relating to data protection, including drafting data protection statements for forms and questionnaires, advising on requests for access to personal data, responding to queries on data protection issues, and overseeing the University's data protection compliance.
3.3 Information Asset Owner
Information Asset Owners are responsible for ensuring their information assets are identified, included on the University Information Asset Register and compliant with this policy and relevant data protection legislation.
3.4 Data Stewards
Data Stewards are responsible for the following:
- Understand the full breadth of the information they are responsible for, classify it in line with the Information Security Principles, and comply with the Research Data Policy.
- Ensure that the Data Custodians who maintain information systems holding or processing their data are aware of any additional requirements needed to safeguard that data above and beyond normal user data.
3.5 Data Custodians
Data Custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities (section 3.1), they must:
- Ensure that the physical and network security of systems is maintained.
- Ensure that the systems they maintain are suitably configured, maintained and developed.
- Ensure that the data are appropriately stored and backed up.
- Ensure that appropriate access controls are in place to meet the requirements of Data Stewards.
- Understand and document risks, take suitable steps to mitigate them, and ensure that these risks are understood by Information Asset Owners.
- Document operational procedures and responsibilities of staff.
- Publish procedures for users of the systems to allow secure access and usage.
- Ensure that systems are compliant with legal and other contractual requirements.
3.6 Chief Information Security Officer (CISO)
The CISO is responsible for the Information Security Policy and will provide specialist advice to the University, in particular to Data Custodians and Data Stewards. The CISO will advise on appropriate security measures for any new types of information systems that are introduced, in order to aid clarity of the policy.
3.7 The Digital, Data and Technology Group
In addition to its function as a Data Custodian for many systems, DDaT must ensure that the provision of IT infrastructure is consistent with the demands of this policy, so as to support other Data Custodians.
3.8 Internal Audit
Internal Audit will ensure that suitable reviews of Data Custodians' processes and of information classifications take place.
4 Supporting Regulations, Policies and Guidelines
Other policies issued by the University of Bath support and reinforce this policy statement. These include, but are not limited to, the following policies and procedures:
- Choosing a password
- University regulations
- Data Protection Policy
- Information Classification Framework
- Research Data Policy
- User accounts Policy
- IT Acceptable Use Policy
4.1 Joint Academic NETwork (JANET) policies
As at the date of this policy the University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security Policies. Both of these policies are available from the JANET website.
4.2 Payment Card Industry Data Security Standard (PCI DSS)
The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards.
5 Policy Review
The University will review this policy when required to ensure that it remains appropriate and up to date. Any questions or concerns should be raised with the IT Security Team.
6 Supporting documents
- Guide to legislation relevant to the Information Security Policy
- Protocol for Investigation of Computer Use and Monitoring Guidelines
- Guidelines for Mobile and Remote Working
- Data Security Guidelines for outsourcing and third party compliance
- Information System administrator / Data Custodian guidelines
Document Control Information
Owner: Chief Information Security Officer (CISO)
Version Number: 2.0
Approval Date: May 2023
Approved By: Executive Committee
Date of Last review: May 2023