1. Introduction
1.1 The continued confidentiality, integrity and availability of University information systems is essential to the operation of the University of Bath.
1.2 The Information Security Policy provides the guiding principles for and responsibilities of all members of the University required to safeguard our information and that of our partners.
1.3 The Digital, Data and Technology group (DDaT) leads the University commitment to deliver a successful implementation of information security management, but this requires all members of the University community to be aware of and carry out their individual responsibilities.
1.5 Senior Management will define relevant information security objectives, and monitor and support the Digital, Data and Technology group to achieve these objectives.
1.5 Purpose of Policy
1.5.1 The intention of this policy is to:
- Protect the networks managed by the University from security threats and mitigate risks that cannot be directly countered, ensuring the confidentiality, integrity and availability of University data;
- Ensure that all members of the University are aware of and able to comply with relevant UK legislation related to information security, data protection and privacy;
- Educate and empower all users to understand their personal responsibilities in protecting the confidentiality and integrity of the data they access, and to comply with this policy and other supporting policies;
- Safeguard the reputation and business of the University by ensuring its ability to meet its legal obligations and to protect it from liability or damage through deliberate or accidental misuse of its IT facilities; and
- Promote a culture of continual improvement in information security (IS) by conducting timely reviews of the IS Management System (ISMS) to reflect feedback, changes in legislation, emerging threats and other factors in order to enhance risk controls.
1.6 Scope
1.6.1 This Information Security Policy applies to:
- All members of the University of Bath, including faculty, staff, students, volunteers, contractors and any other individuals with access to University networks;
- All third parties who interact with University information, including vendors, partners, contractors, consultants and other external entities; and
- All systems used to store, process or transmit University information, including but not limited to computers, servers, laptops, mobile devices, networks, databases, Cloud services, and any other IT infrastructure owned, operated or used by the University.
1.6.2 This policy is applicable to all individuals and entities mentioned above, and compliance with this policy is mandatory to ensure the protection and security of University information and systems.
2. Policy
2.1 Awareness and communication
2.1.1 All users of Bath systems and information will be provided with access to this policy and any other supporting materials and guidelines on joining the University and when their account is issued. It is the responsibility of all users to regularly review and comply with the most current version of the policy to maintain a secure information environment at the University of Bath.
2.2 Information Security Principles
2.2.1 The following principles provide a framework for the security and management of the University’s information and systems:
- Information Classification: All information should be classified in accordance with the Information Classification, Labelling and Handling Policy and handled in line with any legislative, regulatory, or contractual requirements that may increase the sensitivity of the information and its security requirements. Classification is risk-based, and particular controls need to be applied to information which is either internal or confidential – collectively classed as ‘sensitive’.
- Data Stewardship: Data Stewards are responsible for writing and maintaining business definitions and help develop quality checks to ensure the data is fit for purpose. For research-related work, they should ensure their data is classified and, in partnership with Data Custodians, that the information is treated in line with its classification level, with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
- Vulnerability Management: those responsible for university systems (inside and outside DDaT) are required to ensure that all systems are maintained in accordance with the Vulnerability Management technical standards, with risk-based prioritisation of patches to minimise exposure to threats.
- Proper Handling of Information: information must be handled appropriately in accordance with its classification, relevant laws, regulations, and policies.
- Need-to-Know Principle: sensitive information should only be made available to those individuals who have a legitimate need for access in order to perform their job duties or responsibilities; access to such information should be granted based on role-based permissions and least privilege principles.
- Unauthorised Access Protection: Information should be protected against unauthorised access and processing. This includes implementing appropriate technical, administrative, and physical safeguards such as strong authentication, access controls, and audit trails to prevent unauthorised access or data breaches.
- Back-ups and Data Loss Prevention: Measures should be in place to protect information against loss and corruption; key measures require timely data backups provided for business systems, provision of immutable storage, and business continuity recovery plans to ensure the persistence of confidentiality, integrity and availability in the event of primary loss or systems failure.
- Secure Disposal of Information: sensitive information should be disposed of securely and in a timely manner and in accordance with the classification level. This may include shredding, secure deletion, or other approved methods for disposal of information in compliance with relevant data protection regulations.
- Breach Reporting: Any breaches of this policy must be reported by anyone who becomes aware of the breach in a timely manner, following the University's established incident reporting procedures. Reporting breaches promptly allows for timely investigation, containment, and mitigation of potential security incidents.
- IT security awareness training: All new staff must complete the University’s mandatory information security training (online) to ensure they are aware of the risks and their responsibilities to protect information. Staff will be given refresher training periodically to reflect changes and updates in information security best practice.
- Clear Screen and Desk: all staff should ensure that desks in common areas or unsecured locations are clear and screens locked when unattended, while papers and any removable storage media containing sensitive information should be secured; management and team leaders are required to enforce appropriate supervision within areas where sensitive information processing occurs to reduce the risks of unauthorised access, loss of and damage to information during and outside normal working hours.
- Remote working: staff should ensure that information security policy and guidelines are followed at all times when working outside the University premises, including “teleworking”, “telecommuting”, “flexible”, and “virtual work environments”; additional security measures may need to be implemented when personnel are working remotely, with guidance provided for working in high-risk information locations - contact IT-Security@bath.ac.uk for guidance.
2.2.2 By adhering to these principles, the University aims to ensure the confidentiality, integrity and availability of its information assets and maintain a secure information environment.
2.3 Legal and Regulatory Obligations
2.3.1 The University of Bath and its staff/students/users/members must adhere to all relevant legislation as well as regulatory and contractual requirements. The University Secretariat may from time to time provide guidance for staff and students in relation to compliance with relevant legislation to help prevent breaches of the University’s legal obligations, including those associated with intellectual property.
2.3.2 Users of the University’s services, systems and network are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.
2.3.3 All Information security principles apply equally to Cloud/SaaS services used by the University; the procurement, adoption, and deployment processes will require IS Assurance review, and appropriate Information Security technical and Security Operations oversight.
2.4 Information Classification
2.4.1 Information Classification levels are part of the ISMS, and definitions and further guidance are available in the Information Classification, Labelling and Handling Policy.
2.4.2 Guidelines and training on appropriate classification, labelling, handling, storage and deletion are provided to all staff; note that additional care should be taken when using removable storage (such as USB devices), with any copies of data requiring the same security as the original classification, while such storage devices should be securely wiped by DDaT when no longer required.
2.5 Compliance and Incident Notification
2.5.1 Compliance with the information security policy at the University of Bath is imperative for all users of information systems, and users must be aware that breaches may lead to criminal or civil action against the University, as well as potential business loss and financial penalties.
2.5.2 In the event of an actual or suspected breach of this policy, users must notify the IS team via IT-Security@bath.ac.uk or escalate through line management to the Chief Digital Officer or Chief Information Security Officer. All reported security incidents will be assessed and investigated as required, with appropriate actions taken – including the potential to invoke the University’s disciplinary policy.
2.5.3 If the breach may involve personal data, the Data Protection team must be promptly notified in accordance with the University's Data Protection Policy.
2.5.4 Compliance with this policy is a contractual requirement for any third party that may have access to University systems or sensitive data.
3. Roles and Responsibilities
3.1 Individuals
Individuals must adhere to the IT Acceptable Use Policy and follow relevant supporting procedures and guidance. They should also be responsible for undertaking the information security awareness training and any refresher training that is required.
Individuals should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information.
Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular, individuals should adhere to the information security ‘dos and don’ts’ outlined in the appendix.
3.2 Data Protection Officer (DPO)
In accordance with the GDPR the University has appointed a Data Protection Officer to carry out the DPO role as defined in the legislation. The DPO is responsible for providing advice and assistance on all matters relating to data protection, including drafting data protection statements for forms and questionnaires, advising on requests for access to personal data, responding to queries on data protection issues, and overseeing the University's data protection compliance.
The DPO should also report any data breaches to the ICO, and advise on Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIAs).
3.3 Information Asset Owner
Information Asset Owners are responsible for ensuring their information assets are identified, included on the University Information Asset Register and compliant with this policy and relevant data protection legislation.
3.4 Data Stewards
The responsibilities of a Data Steward are to understand the full breadth of the information they are responsible for, classify it in line with the information security principles, and comply with the Research Data Policy.
They must also ensure that Data Custodians who maintain University networks holding or processing their data are aware of any additional requirements that may be required to safeguard data above and beyond normal user data.
3.5 Data Custodians
Data Custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities (section 3.1), they must:
- Ensure that the physical and network security of systems is maintained;
- Ensure that the systems they maintain are suitably configured, maintained and developed;
- Ensure that the data are appropriately stored and backed up;
- Ensure that appropriate access controls are in place to meet the requirements of Data Stewards;
- Understand and document risks, take suitable steps to mitigate those risks, and ensure that these risks are understood by Information Asset Owners;
- Document operational procedures and responsibilities of staff;
- Publish procedures for users of the systems to allow secure access and usage; and
- Ensure that systems are compliant with legal and other contractual requirements.
3.6 Chief Information Security Officer (CISO)
The CISO is responsible for the Information Security Policy and will provide specialist advice to the University, in particular Data Custodians and Data Stewards. The CISO will advise on appropriate security measures for any new types of University networks that are introduced in order to aid clarity of the policy.
3.7 The Digital, Data and Technology Group
In addition to its function as a Data Custodian for many systems, DDaT must ensure that the provision of IT infrastructure is consistent with the demands of this policy, to support other Data Custodians.
3.8 Internal Audit
Internal Audit will ensure that suitable reviews take place of the processes of Data Custodians and the classifications.
3.9 Senior Management
Senior Management defines and approves this policy, sets measurable objectives for the information security programme, provides resources for the establishment and maintenance of the programme, monitors the progress and achievement of objectives, and takes strategic decisions.
4. Supporting Regulations, Policies and Guidelines
4.1 JANET Policies
As at the date of this policy the University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security Policies. Both of these policies are available from the JANET website.
4.2 Payment Card Industry Data Security Standard (PCI DSS)
The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards. The finance department has the ultimate responsibility for maintaining PCI DSS compliance.
5. Related Documents
The following documents are related to the information security policy:
- Guidance on creating a strong password
- Data Protection Policy
- Information Classification, Labelling and Handling Policy
- Research Data Policy
- IT Acceptable Use Policy
- Protocol for Investigation of Computer Use and Monitoring Guidelines
- IT Equipment Policy
- Data Security Guidelines for outsourcing and third party compliance
- Information System administrator / Data Custodian guidelines
- Acceptable use of the network | Jisc community
- Security Policy | Jisc community
6. Appendix
6.1 General Guidance
| Do | Do Not |
|---|---|
| Do use a strong password and change it if you think it may have been compromised | Don’t give your password to anyone |
| Do report any loss or suspected loss of data to IT-Security@bath.ac.uk | Don’t reuse your University password for any other account |
| Do be on your guard for fake emails or phone calls requesting confidential information - report anything suspicious to the DDaT service desk | Don’t open suspicious documents or links |
| Do keep software up to date and use antivirus on all possible devices | Don’t undermine the security of University systems |
| Do be mindful of risks using public Wi-Fi or computers | Don’t provide access to University information or systems |
| Do ensure University data is stored on University systems | Don’t copy confidential University information without permission |
| Do password protect and encrypt your personally owned devices | Don’t leave your computers or phones unlocked |