University of Brighton School and Departmental Information Security Policy

Academic year: 2021


This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

University of Brighton

School and Departmental

Information Security

Policy

This Policy establishes and states the minimum standards expected. These policies define the University of Brighton business objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information systems as well as compliance with the requirements imposed.

Last updated Q North

16th June 2015

Contents

1. Summary ... 4

2. Scope ... 4

3. Roles and Responsibilities ... 4

4. Information Security Programme ... 5

4.1. Risk Management ... 5

4.2. Internal Audits ... 6

4.2.1 Audit Programme Support ... 6

4.2.2. Corrective Action ... 6

5. Information Security Controls ... 7

5.1 Human Resources Security ... 7

5.1.1. Prior to employment ... 7

5.1.2. During employment ... 7

5.1.3. Termination of Employment ... 7

5.2. Asset Management ... 7

5.2.1. Asset Register ... 7

5.3. Physical Security ... 8

5.3.1. Policy ... 8

5.3.2. Building Security ... 8

5.3.3. Secure Areas ... 9

5.3.4. Visitors ... 9

5.3.5. Data Centre and Server Room Environments ... 9

5.3.6 Disposal of Equipment ...10

5.4. System/Application Access Control ...10

5.4.1. Policy ...10

5.4.2. Controls ...10

5.5. Protecting Information ...10

5.5.1. Policy ...10

5.5.2. Controls ...11

5.5. Supplier Relationships ...11

5.5.1. Policy ...11

5.5.2. Controls ...11

5.6. Incident and Weakness Management ...12

5.6.1 Policy ...12

5.6.2 Controls ...12

5.7. Business Continuity Management ... 12

5.7.1. Policy ... 12

5.7.2. Controls ... 12

Document Details

Author: Andy Whillance
Approver: Quentin North
Creation Date: 16 June 2015
Version: 1.0

Version History

0.1 Draft prepared by Andy Whillance (ECSC Ltd)
0.2 Amended after review by Lucy Sharp (ECSC Ltd)
0.3 Aligned to UoB by Quentin North
1.0 Final issue by Quentin North

1. Summary

This policy gives guidance on the minimum standards expected for Information Security within schools and central departments. These policies define the University of Brighton business objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information as well as compliance with the requirements imposed.

2. Scope

This policy, and the Information Security Management System, applies to all departments, schools and functional areas of the University. Whenever the term “department” is used in this document it should be interpreted as applying to a school, central department or functional area such as a campus or college.

3. Roles and Responsibilities

Each department is expected to assign the following roles. One person may hold more than one role, and the duties of a single role may be split across multiple people.

Department Information Security Representatives are responsible for monitoring the University's implemented security programmes. Within the department they will ensure that all University information security policies are understood and applied, will be the main information security point of contact, and will assist in keeping departmental risk registers up to date. Where policy is not met, they will report this to the University information security management representative.

Information Asset Owners are assigned for each key system, application or data store. They are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of information technology resources and data they own. They are also responsible for periodically reviewing that only those who require access to perform their job responsibilities have access to the data they own. This must be done at least annually.

University of Brighton School and Departmental Information Security Policy

Printed Thursday, 06 August 2015 Page | 5

Departmental IT security practitioners

Where departments, schools or functions have their own IT function, this role must be assigned. These persons must be aware of the University technical policies and procedures, and must be aware of the UoB Application Standards. They should be expected to provide technical input into any departmental risk management processes.

4. Information Security Programme

Departments must support the wider University security programme through pro-active adherence to the approved policies and procedures, and pro-active understanding of the potential issues that could be faced. Two practices in particular must be addressed at a departmental level; these are Risk Assessments and Internal Audits.

4.1. Risk Management

The University of Brighton is committed to understanding where the organisation might be at risk to loss of confidentiality, integrity or availability of any of its information assets. This will be done by identifying potential threats to the assets held, where assets can be physical, electronic, informational or people.

Each department will be asked to complete and maintain a Risk Register. A suitable methodology that can be used is documented in the UoB Information Security Risk Assessment Methodology document.

On at least an annual basis, all current open risks on departmental registers will be discussed with the departmental senior management and where appropriate reported upwards to the Risk Management Steering Group as part of the annual University risk assessment process.

Where risk is thought to be unacceptable, treatment should be identified. Where risk can be treated at a departmental level, a responsible person and action date must be assigned for any treatment action. If a department is unable to take action itself, the school/department will raise the risk at a Senior Management Team level.

4.2. Internal Audits

4.2.1 Audit Programme Support

Each department must support the Internal Audit programme that operates across the University. Departments must make resources available for the auditor when audits are scheduled. A representative from senior management within the department should be available for opening and closing meetings.

4.2.2. Corrective Action

For any actions arising from the audit, senior management within the department shall ensure that an action plan is agreed, resources are assigned to completing the agreed action and supporting evidence is sent to the auditor to allow closure of the identified shortcoming.


5. Information Security Controls

5.1 Human Resources Security

5.1.1. Prior to employment

It is important that all employees and relevant contractors receive appropriate checks and vetting prior to employment, depending on the level of access to information they will have, and the sensitivity of the role to be filled.

The screening ensures that employees are checked for their eligibility to work in the UK, their suitability for the role, and any potential concerns are addressed prior to them taking up a permanent or temporary role.

For this reason, all departments are required to follow the University recruitment procedures, as described on the HR SharePoint site.

5.1.2. During employment

All employees will be provided with Information Security e-learning soon after joining the organisation, reinforcing the content of the contract and UoB IT Regulations. Departmental managers should reinforce this message, with

appropriate guidance and training given to new starters on any department specific requirements.

5.1.3. Termination of Employment

On termination or change of employment, the HR and IT functions must be informed in a timely manner that employees, contractors or third parties are leaving so that all physical and logical access is revoked, and all assets are returned.

5.2. Asset Management

5.2.1. Asset Register

Where physical assets are given out by the department, a register should be maintained. Items to be recorded include:

• User Devices (Laptops, Desktops, Phones, USB keys)

• IT Assets (Servers, Networking Equipment, Supporting Utilities)

• Authentication/Entry controls (keys, key-codes, access cards etc.)

The format of asset registers can take many forms, from a simple spreadsheet to a comprehensive software application. The most appropriate method should be chosen to allow control of the items recorded.

The minimum information that should be kept includes:

• Owner / user

• A unique identifier for each item

• A description or other identifier (e.g. Make and model)

• Location or main user

• Status (e.g. Active, spare, disposed)

Information on assets that have been disposed of should not be removed from the register, but the asset should be identified as no longer held. Unique identifiers should not be reused.

The Department Information Security Representative should review the register periodically. Asset disposal should follow the appropriate IS, Finance and Estates procedures.

Note: Only assets directly under the control of the department need to be recorded.

If items are issued and controlled by a central function, that function will maintain the register. Examples include IT equipment issued through the IS Computer Store and Service Desk. However, if you then pass an asset on to a third party, you should keep a record of that asset.

5.3. Physical Security

5.3.1. Policy

Physical security controls and secure areas are used to minimise unauthorised access, damage, and interference to information and information systems. Physical Security includes providing environmental safeguards for controlling physical access to equipment and data in order to protect information technology resources from unauthorised use, in terms of both physical hardware and information perspectives.

5.3.2. Building Security

Because of the open nature of the University buildings, it is not possible to implement a great deal of perimeter security at the building level. However, the following minimum standards should be applied:

• External doors should only be open for as long as necessary to allow normal daytime usage. Normal hours vary by building and time of year, but are not less than 8.30 to 5pm.

• Outside of normal operating hours, access through external doors shall be provided via the Unicard system.

• CCTV shall cover all entrances/exits to the building. CCTV shall cover any room with servers hosting protected information.

• Where offices contain protected information (as defined in the UoB IT Regulations document), those rooms must be restricted to those needing to enter for work purposes.

• A record of people authorised to access rooms containing protected information should be maintained. This shall be reviewed periodically.

• There shall be an access control system in place to ensure that only authorised individuals may access locations where protected information is handled. The Unicard system is preferred.

• Buildings should be protected by fire and intruder alarms, linked either to emergency services or to the Estates and Facilities Management functions.

5.3.3. Secure Areas

Within the University of Brighton offices, all computers containing protected information (as defined in the UoB IT Regulations document) and all important network equipment should be situated in an area restricted only to authorised personnel (e.g. IT security practitioners). No other personnel should be permitted access unless explicit authorisation has been given or they are accompanied by someone authorised to be in that area.

Any sensitive information in physical format, for example material such as exam scripts, should be kept in a secure area (this could be a lockable room, a safe, a locked cabinet).

Any secure areas must be locked when not occupied or in use, either by physical key or Unicard. If the authentication system retains a record of accesses, these should be reviewed as appropriate to identify any unauthorised accesses.

5.3.4. Visitors

The following principles have been adopted to ensure that risks from visitors are controlled:

• Access badges, key codes or other access will only be provided to any visitor if their identity and the purpose of their visit is known by the issuing person.

• A record will be kept of which card, key etc. was provided to any visitor or third party. This register will be retained for not less than six months.

• Visitor access will be set to expire at the end of the last day of their visit. If this is not known, passes shall expire at the end of the day.

• Unallocated visitor or contractor passes providing access to protected information, or to secure areas, shall be de-activated until the time that they are required.

• All visitors accessing any secure area, or accessing any sensitive information, will be accompanied for the duration of their visit.

5.3.5. Data Centre and Server Room Environments

In order to preserve the availability of important information, it is vital that sufficient redundancy is in place, and that supporting utilities are in place to ensure that systems and applications can continue to function properly.

The preferred solution is to base all operational servers supporting important applications in the two dedicated data centres (Watts Building and Mithras House Annexe). This ensures the following:

• N+1 configuration for all important plant equipment

• Fully operated and maintained planned maintenance schedule

• Resilient data networking to all University sites.

Key systems, as defined in the UoB Applications Standards document, should reside in the main datacentres and should not be held in individual departmental areas.

5.3.6 Disposal of Equipment

The University of Brighton recognises the need to ensure that all data and licensed software has been removed from data storage devices prior to disposal. To ensure that this is done you must use the service available from Estates and Facilities Management, which will provide you with a certificate of destruction.

The following controls must apply when undertaking disposal:

• A list of equipment being disposed of must be compiled prior to pick-up

• A destruction certificate must be obtained from the disposal contractor

• This list of equipment must be reconciled against the destruction certificate to account for all devices taken.

5.4. System/Application Access Control

5.4.1. Policy

Authorisation and control of access to facilities and information systems is a crucial tool in ensuring Information security. The protection of information assets from unauthorised access is an important business requirement. It is the policy of the University of Brighton that only authorised personnel have access to facilities and information systems and that such access is limited dependent on the role of the individual concerned. For this reason, it is expected that all key applications must have been assessed against the UoB Application Standards document.

5.4.2. Controls

In order to ensure that the risks associated with any applications are recorded and assessed, the following process must be followed:

• Departments should identify important key applications as defined in the UoB Application Standards. These should be included on the departmental Asset Register.

• Each application must be assessed against the standards documented in the UoB Applications Standards.

• Any deviation from the guidelines must be added to the Departmental Risk Register.

• All new applications implemented should meet the minimum standards documented in the UoB Applications Standards.

5.5. Protecting Information

5.5.1. Policy

The University of Brighton has standards for protecting information to ensure that sensitive information is not unintentionally disclosed. These are documented both in the UoB IT Regulations document for data movement, and in the UoB Application Standards for the guidelines for protection in applications, databases or systems. Suitably strong protection measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage.

5.5.2. Controls

A summary of the protection standards is that the following principles have been adopted:

• It is a fundamental policy of the University of Brighton that all sensitive information will be protected while passing over public networks.

• Encryption is only permitted when authorised, using permitted technologies and methods. No unauthorised encrypted containers are permitted on the University of Brighton network.

• Systems that contain sensitive client, personnel and financial data will only be available for off-site remote access through a centrally managed secure access method that provides encryption and secure authentication.

Departments should review data transfer within their control, and ensure that the required controls have been met.

5.5. Supplier Relationships

5.5.1. Policy

The University of Brighton requires that the services provided by external suppliers meet expectations, both in terms of Information Security and agreed service levels. The risk posed by suppliers will be understood, and controls implemented to ensure that all parties are satisfied that security will be maintained. This is particularly important for any third party who holds, or has unaccompanied access to, protected information as defined in the UoB IT Regulations document.

5.5.2. Controls

The following controls must be implemented:

• As part of a Risk Assessment, suppliers, contractors and other third parties must have been considered and recorded in the Departmental Risk Register where there is thought to be a potential risk, and reviewed periodically.

• The right to audit suppliers on aspects of information security will be considered and applied in contracts where practical and where thought necessary.

• Where applicable, suppliers will be required to demonstrate that their security controls are aligned with those of the University of Brighton, either by completing questionnaires, supplying certificates or by allowing University of Brighton staff or representatives to audit systems or premises.

• Appropriate non-disclosure or confidentiality agreements may be drawn up and signed by suppliers and the University of Brighton.

• Access to premises will be carefully controlled, as described in the Physical Security section of this document.

• Any access to systems by third parties will be provided only after authorisation from information asset owners and IT Security Practitioners. Appropriate technical means will be implemented to ensure access is restricted to the minimum possible level. Accounts must be disabled when not in use.

• Where the supplier provides a service, the service provided will be monitored, reviewed and audited as necessary.

5.6. Incident and Weakness Management

5.6.1 Policy

While the Information Security Management System (ISMS) has been planned and implemented in order to minimise the likelihood that an incident will occur, it is recognised that there may be occasions where policies and procedures are not followed, either by staff, contractors, visitors, suppliers or any other third party. The University of Brighton is committed to responding to any breach of confidentiality, integrity or availability of any assets either of the organisation or of its clients.

5.6.2 Controls

The following controls have been implemented to ensure that any incidents arising are quickly reported, receive an appropriate response, and are used to improve the information security management system.

• Incident management procedures have been written and are communicated to all members of the University in the UoB IT Regulations document.

• All staff will receive training which includes specific instruction on the requirement to report any incidents or potential incidents that are noted. Departmental Information Security Representatives must ensure that they are known as the local point of contact.

• Departmental Information Security Representatives will report on how many events, incidents or weaknesses have been reported (even if this is a nil return) as part of the annual departmental risk review.

5.7. Business Continuity Management

5.7.1. Policy

The University of Brighton provides a safe, secure IT environment to serve its requirements in order to ensure stability and continuity of the business. It is recognised that incidents can occur which can interrupt normal business practices. The University of Brighton is committed to minimising the impact of any such incident that might affect the organisation’s premises, staff or equipment.

5.7.2. Controls

Each department must maintain either a plan or a set of plans that describe how it will react to an incident that affects normal business operations. The plans should address the following aspects:

• Notification of an incident, and plan invocation

• Internal communications (to staff, students etc.)

• External communications (to Estates, SMT, customers and suppliers)

• Recovery of important operations to a 'stable' state.

The following scenarios should be covered in the plan or plans:

• The unavailability of a building (with no damage)

• The loss of a building

• The unavailability of a key application, system or IT

• The loss of key resources (e.g. staff, a key supplier)

2. A scenario-based walk-through of the plan or plans should take place at least once per year, taking into account one or more of the scenarios listed above.

3. A summary of the test shall be retained, and any actions arising from the test shall be tracked and closed as appropriate.

4. Other activities (communications cascade, testing involving other departments) should be considered to support the activities stated above.
