1. Introduction
1.1 The continued confidentiality, integrity and availability of University networks are essential to the operations of the University of Bath. A disruption would jeopardise the ability of the University to fulfil its mission of delivering world-class research and teaching, and have greater negative long-term impact through the consequential risk of financial or reputational loss.
1.2 This Information Security Policy provides the guiding principles for and responsibilities of all members of the University required to safeguard its University networks. Other supporting University policies, procedures and guidelines will give greater detail on specific subject areas.
1.3 The Digital, Data and Technology group will lead the University commitment to deliver a successful implementation of information security management, but this will only be possible if all members of the University community are aware of and carry out their own personal responsibilities.
1.5 Senior Management will define relevant information security objectives, and monitor and support the Digital, Data and Technology group to achieve these objectives.
1.5 Purpose of Policy
1.5.1 The intention of this policy is to:
- Protect the University networks managed by the University from security threats and mitigate risks that cannot be directly countered, ensuring the confidentiality, integrity and availability of university data;
- Ensure that all members of the University are aware of and able to comply with relevant UK legislation related to information security, data protection and privacy;
- Educate and empower all users to understand their personal responsibilities in protecting the confidentiality and integrity of the data they access, and to comply with this policy and other supporting policies;
- Safeguard the reputation and business of the University by ensuring its ability to meet its legal obligations and to protect it from liability or damage through misuse of its IT facilities, including data breaches or unauthorised access; and
- Promote a culture of continual improvement in information security by conducting timely reviews of policies and procedures in response to feedback, changes in legislation, emerging threats and other factors to enhance ongoing security measures and practices.
1.6 Scope
1.6.1 This Information Security Policy applies to:
- All members of the University of Bath, including faculty, staff, students, volunteers, contractors and any other individuals with access to University networks;
- All third parties who interact with University information, including vendors, partners, contractors, consultants and other external entities; and
- All systems used to store, process or transmit University information, including but not limited to computers, servers, laptops, mobile devices, networks, databases, Cloud services, and any other IT infrastructure owned, operated or used by the University.
1.6.2 This policy is applicable to all individuals and entities mentioned above, and compliance with this policy is mandatory to ensure the protection and security of University information and systems.
2. Policy
2.1 Awareness and communication
2.1.1 All authorised users will be provided with information about this policy and supporting policies and guidelines when their account is issued. Updates to guidance will be communicated through the University’s Department of Digital Data and Technology (DDaT) website and will be highlighted at major points of interaction with DDaT systems, as deemed appropriate for the change. This may include email notifications, system alerts or other forms of communication to ensure that users are aware of any updates or changes to the information security policies and guidelines. It is the responsibility of all users to regularly review and comply with the most current version of the policies and guidelines to maintain a secure information environment at the University of Bath.
2.2 Information Security Principles
2.2.1 The following principles provide a framework for the security and management of the University’s information and University networks:
- Information Classification: All information should be classified in accordance with the Information Classification Framework, as well as any legislative, regulatory, or contractual requirements that may increase the sensitivity of the information and its security requirements.
- Data Stewardship: Data Stewards are responsible for writing and maintaining business definitions and help develop quality checks to ensure the data is fit for purpose. For research-related work, they should ensure their data is classified and, in partnership with Data Custodians, that the information is treated in line with its classification level, with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
- Proper Handling of Information: All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level, relevant laws, regulations, and policies.
- Need-to-Know Principle: Information should only be made available to those individuals who have a legitimate need for access in order to perform their job duties or responsibilities. Access to information should be granted based on role-based permissions and least privilege principles.
- Unauthorised Access Protection: Information should be protected against unauthorised access and processing. This includes implementing appropriate technical, administrative, and physical safeguards such as strong authentication, access controls, and audit trails to prevent unauthorised access or data breaches.
- Data Loss Prevention: Measures should be in place to protect information against loss and corruption. This may include regular data backups, redundant storage, and disaster recovery plans to ensure business continuity in case of data loss or system failure.
- Secure Disposal of Information: Information should be disposed of securely and in a timely manner, in accordance with the appropriate measures based on its classification level. This may include shredding, secure deletion, or other approved methods for disposal of information in compliance with relevant data protection regulations.
- Breach Reporting: Any breaches of this policy must be reported by anyone who becomes aware of the breach in a timely manner, following the University's established incident reporting procedures. Reporting breaches promptly allows for timely investigation, containment, and mitigation of potential security incidents.
- IT security awareness training: Relevant training will be in place to assist staff in their day-to-day handling of information. All new staff must complete the University’s mandatory information security training (online) to ensure they are aware of the risks and their responsibilities in handling information. Staff will be required to complete refresher training annually reflecting any changes and updates in information governance best practice.
2.2.2 By adhering to these principles, the University aims to ensure the confidentiality, integrity and availability of its information assets and maintain a secure information environment.
2.3 Legal and Regulatory Obligations
2.3.1 The University of Bath and its staff/students/users/members must adhere to all current UK legislation as well as regulatory and contractual requirements. The University provides policy statements and guidance for staff and students in relation to compliance with relevant legislation to help prevent breaches of the University’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements.
2.3.2 Users of the University’s online or network services, or when using or processing information assets, are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.
2.3.3 A summary of the relevant legislation is included in University – Guide to legislation relevant to the Electronic University networks Security Policy.
2.4 Information Classification
2.4.1 An Information Classification framework of levels is established as part of the Information Security Principles. Detailed definitions and further guidance are available in the Information Classification Framework (ICF). The ICF includes definitions from the Data Protection Policy.
Category - Highly Restricted
Description
Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or seriously damage the University’s interests and reputation; and/or significantly threaten the security/safety of the University and its staff/students.
Examples
- Sensitive personal data relating to identifiable living individuals
- Individual’s bank details
- Large aggregates (>1000 records) of personal data such as personal contact details
- Non-public information that facilitates protection of individuals’ safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas
Category - Restricted
Description
Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage the University’s commercial interests, and/or have some negative impact on the University’s reputation.
Examples
- Personal data relating to identifiable living individuals
- Student assessment marks
- Staff contact details
- Research data or information or IP with commercial value/obligation
Category - Internal Use
Description
Information not considered to be public, which should be shared only internally but would not cause substantive damage to the University and/or individuals if disclosed.
Examples
- Non-confidential internal correspondence e.g. routine administration such as meeting room and catering arrangements
- Final working group papers and minutes
- Internal policies and procedures
Category - Public
Description
Information that may be viewed by anyone, inside or outside the organisation.
Examples
- Publications
- Press releases
- Course information
- Principal University contacts for public-facing roles, i.e. name, email address and landline telephone number
- Public events
2.5 Compliance and Incident Notification
2.5.1 Compliance with the information security policy at the University of Bath is imperative for all users of information systems. Any breach of information security is a serious matter that may result in the loss of confidentiality, integrity, or availability of personal or other confidential data. Such breaches could lead to criminal or civil action against the University, as well as potential business loss and financial penalties.
2.5.2 In the event of an actual or suspected breach of this policy, it must be immediately reported to the Chief Digital and Information Officer or designate in accordance with the incident investigation procedure. All reported security incidents will be thoroughly investigated, and appropriate actions will be taken in line with this policy, the Acceptable Use Policy, the University’s disciplinary policy, and relevant laws and regulations.
2.5.3 If the breach involves or may involve personal data, the Data Protection team must be promptly notified in accordance with the University's Data Protection Policy.
2.5.4 Compliance with this policy should also be incorporated as a contractual requirement with any third party that may have access to University systems or data.
2.5.5 By promptly reporting and addressing breaches, and ensuring compliance with this policy, the University aims to safeguard its information assets, protect against potential legal and financial risks, and maintain a secure information environment for the benefit of all users.
3. Roles and Responsibilities
3.1 Individuals
Individuals must adhere to the IT Acceptable Use Policy and follow relevant supporting procedures and guidance. They are also responsible for undertaking the information security awareness training and any refresher training that is required.
Individuals should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information.
Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular, individuals should adhere to the information security ‘dos and don’ts’ outlined in the appendix.
3.2 Data Protection Officer (DPO)
In accordance with the GDPR the University has appointed a Data Protection Officer to carry out the DPO role as defined in the legislation. The DPO is responsible for providing advice and assistance on all matters relating to data protection, including drafting data protection statements for forms and questionnaires, advising on requests for access to personal data, responding to queries on data protection issues, and overseeing the University's data protection compliance.
The DPO is also responsible for reporting any data breaches to the ICO, and for advising on Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIAs).
3.3 Information Asset Owner
Information Asset Owners are responsible for ensuring their information assets are identified, included on the University Information Asset Register and compliant with this policy and relevant data protection legislation.
3.4 Data Stewards
A Data Steward is responsible for understanding the full breadth of the information they are responsible for, classifying it in line with the information security principles, and complying with the Research Data Policy.
They must also ensure that Data Custodians who maintain University networks holding or processing their data are aware of any additional measures that may be required to safeguard that data above and beyond normal user data.
3.5 Data Custodians
Data Custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities under section 3.1, they must:
- Ensure that the physical and network security of systems is maintained;
- Ensure that the systems they maintain are suitably configured, maintained and developed;
- Ensure that the data are appropriately stored and backed up;
- Ensure that appropriate access controls are in place to meet the requirements of Data Stewards;
- Understand and document risks, take suitable steps to mitigate those risks, and ensure that these risks are understood by Information Asset Owners;
- Document operational procedures and responsibilities of staff;
- Publish procedures for users of the systems to allow secure access and usage; and
- Ensure that systems are compliant with legal and other contractual requirements.
3.6 Chief Information Security Officer (CISO)
The CISO is responsible for the Information Security Policy and will provide specialist advice to the University, in particular Data Custodians and Data Stewards. The CISO will advise on appropriate security measures for any new types of University networks that are introduced in order to aid clarity of the policy.
3.7 The Digital, Data and Technology Group
In addition to its function as a Data Custodian for many systems, DDaT must ensure that the provision of IT infrastructure is consistent with the demands of this policy, in order to support other Data Custodians.
3.8 Internal Audit
Internal Audit will ensure that suitable reviews take place of the processes of Data Custodians and the classifications.
3.9 Senior Management
Senior Management defines and approves this policy, sets measurable objectives for the information security programme, provides resources for the establishment and maintenance of the programme, monitors the progress and achievement of objectives, and takes strategic decisions.
4. Supporting Regulations, Policies and Guidelines
4.1 JANET Policies
As at the date of this policy the University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security Policies. Both of these policies are available from the JANET website.
4.2 Payment Card Industry Data Security Standard (PCI DSS)
The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards. The finance department has the ultimate responsibility for maintaining PCI DSS compliance.
5. Related Policies and Procedures
The following policies and procedures are related to the information security policy:
- Choosing a password
- University regulations
- Data Protection Policy
- Information Classification Framework
- Research Data Policy
- User accounts Policy
- IT Acceptable Use Policy
- Guide to legislation relevant to the Information Security Policy
- Protocol for Investigation of Computer Use and Monitoring Guidelines
- Guidelines for Mobile and Remote Working
- Data Security Guidelines for outsourcing and third party compliance
- Information System administrator / Data Custodian guidelines
- Acceptable use of the network | Jisc community
- Security Policy | Jisc community
6. Appendix
6.1 General Guidance
| Do | Do Not |
|---|---|
| Do use a strong password and change it if you think it may have been compromised | Don’t give your password to anyone |
| Do report any loss or suspected loss of data | Don’t reuse your University password for any other account |
| Do be on your guard for fake emails or phone calls requesting confidential information; report anything suspicious to the DDaT service desk | Don’t open suspicious documents or links |
| Do keep software up to date and use antivirus on all possible devices | Don’t undermine the security of University systems |
| Do be mindful of risks when using public Wi-Fi or computers | Don’t provide access to University information or systems |
| Do ensure University data is stored on University systems | Don’t copy confidential University information without permission |
| Do password protect and encrypt your personally owned devices | Don’t leave your computers or phones unlocked |