Security of Information

Policy on Security of Information - version: 4 December 2008 (2.2 amended 24.06.09)

1. Policy Statement

1.1 The University's computer and information systems underpin all the University's activities, and are essential to its research, teaching and administrative functions. The University's Policy on Security of Information recognises the need for members, employees and visitors to have access to the information they need to carry out their work, and also recognises that security of information must be an integral part of its ICT structure. To achieve these goals it is necessary for all persons using the University's ICT systems to be aware of and comply with the University's security procedures and also with legal requirements.

1.2 The objectives of this policy are:
  • to ensure that members of the collegiate University have access to all information that is necessary for them to carry out their work, study or research;
  • to ensure that information is secure from unauthorised access, both from within and outside the collegiate University;
  • to establish procedures to ensure that data is accurate, complete and necessary for the purpose for which it is held, and that it complies with all relevant legislation.

1.3 This policy applies to all persons given access to University computing systems, including senior and junior members, employees, visitors and contractors. It covers all University-owned computer and network systems, and also any privately or college-owned systems that may be used to hold any information, data, programs, etc that belong to the University or are used in the work of its members or employees. Also, as far as can be applicable, it covers University data when held on outside ICT systems, e.g. those providing outsourced services to the University. Throughout this document 'data' is used to include any form of information that is held on an ICT system.

2. Responsibilities for Implementation

2.1 The collegiate University operates a devolved ICT structure, and responsibility for security of data within departments, colleges and other units rests with the Heads of Department, college or Unit. This applies to all units, including those responsible for provision of central and University-wide services. They must ensure that for all systems under their control:
  • data is held and processed in accordance with this policy and relevant legislation;
  • adequate security procedures are in place;
  • proper procedures exist to determine who should be authorised to use those systems;
  • all persons using the systems are aware of and comply with this policy.

2.2 Responsibility for management and security of the backbone computer network, and provision of central support and advice rests with the Head of Department, OUCS.

2.3 Statutory obligations on all members of the collegiate University are defined in the "Regulations Relating to the use of Information Technology Facilities" as approved by Council. This includes definition of the circumstances under which the University may monitor use of its ICT systems, and the levels of authorisation required for this to be done.

2.4 Ownership of this policy rests with the PRAC ICT subcommittee (PICT). PICT is responsible for reviewing this policy on an annual basis, having regard to changes in legislation that may affect the policy; for ensuring that all members of the collegiate University are aware of the policy; for monitoring compliance within all units of the University; and for receiving reports on breaches of security, etc.

2.5 Recommendations and guidance for technical standards, methods and levels of cryptographic control appropriate to various classes of data, and other aspects of implementation of this policy will be issued under the authority of PICT, and will be revised and updated as necessary to ensure the adoption of best practice and compliance with legal requirements.

3. Responsibilities of Divisions, Departments, Colleges and other Units within the University

3.1 The Head of Department, college, administrative unit, etc must set up a structure to ensure that this policy is implemented. This will normally consist of a departmental/college IT Committee or equivalent, chaired by a senior member of the department/college. For smaller departments this may be subsumed within a structure organised at a divisional or faculty level, although final responsibility for ensuring that policy is enforced will remain with the Head of Department or unit. Where responsibility for any part of the ICT provision is delegated to a third party, e.g. the University's ICT Support Team, the responsibilities of each party for compliance with this policy must be defined by appropriate Service Level Agreements.

3.2 The Head of Department, college or unit must ensure that there are sufficient IT staff, with adequate levels of training and competence, to ensure that systems are, as far as possible, secure from failure, unauthorised access and compromise from both within and outside the collegiate University.

3.3 A risk assessment process must be carried out as part of the business case for any new ICT system that may be used to provide shared services, or to hold confidential or critical data. This must be repeated periodically on existing systems. This risk assessment must include:
  • assessment of the business value of the data held on that system;
  • identification of confidential or critical data, which could potentially cause damage or loss to the collegiate University or to individuals if disclosed, and for which special security precautions will be required;
  • the impact on the department and/or the collegiate University of loss of the data;
  • the impact of unauthorised access to the data;
  • procedures necessary to ensure security and integrity of the data;
  • the effect of any changes to University policy or to legislation;

3.4 Adequate procedures must be in place to ensure that data can only be accessed by persons authorised to do so, and, if deemed necessary by the risk assessment, systems must be monitored to ensure that access is only for authorised purposes. If any multi-user system is used to hold confidential or critical data, details of all persons accessing the system should be logged, and that information retained for a period appropriate to the service. Further logging, including details of data accessed or amended, may be necessary: this should be determined as part of the risk assessment of the system. There must be robust procedures in place to ensure that if an authorised person leaves the department or college or otherwise becomes ineligible, authorisation is withdrawn and access barred without delay.

3.5 Data identified by the risk assessment as being confidential or critical should, wherever possible, be protected by appropriate encryption techniques, and should not be transferred or transmitted, by email or otherwise, without encryption being maintained throughout the transaction.

3.6 All systems must be maintained adequately, backed-up, kept at an up-to-date patch level, and run anti-virus software as appropriate.

3.7 Contingency plans must be in place to deal with systems failure, loss of data, or unauthorised access to data. These plans should be appropriate to the outcome of the risk assessment.

3.8 Any breach of security, unauthorised access to data, etc, must be reported to appropriate bodies in the University. The central computing services will maintain a register of security incidents relating to the network, which will be available for audit and will be summarised in regular reports to PICT.

3.9 It is the responsibility of the department or college to ensure that before any equipment is sold on, transferred or scrapped, it is cleared of all data (including any software licensed to the University). If this is handled by an outside contractor, adequate contractual safeguards must be enforced.

3.10 All new staff, students, contractors and others with access to the department/college or its network or computer systems or data must be given a copy of this policy, and of any associated departmental/college policies and procedures, and be reminded of these on a regular basis. Compliance with this policy must form part of any contract with a third-party that may involve access to network or computer systems or data.

4. Services Provided by Central Units

4.1 Oxford University Computing Services (OUCS) are responsible for particular aspects of the security of the University's networks, and for providing services, advice and support to other units. These responsibilities include:
  • maintaining the external firewall;
  • monitoring the network for evidence of compromise or misuse;
  • advising departments and colleges on known exploits and methods of compromise;
  • suspending network access to units or individual systems that appear to be compromised;
  • maintaining a register of breaches and compromises that affect the security of the University's network and the systems connected to it;
  • reporting to PICT on a termly basis.

5. Offsite Access and Transfer of Data

5.1 Data that is not for public dissemination and is to be accessed from outside the collegiate University should be protected by authorisation procedures that require identification specific to each user and are at a level commensurate with the identified risk.

5.2 Wherever possible, data that is of a confidential or critical nature will be kept on on-site systems, and users who need to access it from outside the collegiate University will do so by secured network access. Exceptions may be made for data required for tasks such as preparation of examination questions and assessment of students, which members would normally expect to do on their own off-site computers, but this must be subject to a risk assessment and safeguards as in section 5.3. University authorities responsible for regulations regarding classes of data (e.g. the Proctors) should undertake this risk assessment and issue guidelines on behalf of all units.

5.3 If users are allowed to transfer data to systems or storage media that are to be taken outside the collegiate University, a risk assessment must be carried out. Any data of a confidential or critical nature, or for which unauthorised access would have a deleterious effect on the collegiate University (financial, reputational or otherwise), or on any individual, must be encrypted at all times.

5.4 Before any data is transferred to a third-party, or held on a third-party system as part of an outsourcing contract, a risk assessment must be carried out, and permission obtained from the University Data Protection Office. Contractual arrangements must be in place to ensure the safety and integrity of the data while in the hands of the third-party. In particular it must be noted that if data is to be transferred outside the European Economic Area, special attention must be paid to the provisions of the Data Protection Act 1998.

5.5 Wherever possible any data transfer should be made by network connection (with all data that is confidential or critical encrypted), rather than by downloading to a CD, etc. If this is not possible, the data should be encrypted, with the key to that encryption sent separately from the data.

6. Physical Security

6.1 The risks of unauthorised access are not limited to breaches of computer or network security. All users should ensure that systems are not left open to access by intruders to buildings, or by unauthorised colleagues. Data not open for public access should not be accessed in public areas; offices housing systems containing non-public data should be kept locked. C omputers should be 'screen-locked' while unattended. Wherever possible non-public data should only be kept in encrypted form. Any printed records of passwords, etc must similarly be protected from unauthorised access.

7. Compliance with Legislation

7. 1 The collegiate University must abide by all UK legislation and relevant legislation of the European Community. This includes, but is not limited to:
  • the Computer Misuse Act (1990),
  • the Data Protection Act (1998),
  • the Regulation of Investigatory Powers Act (2000),
  • the Freedom of Information Act (2000),
  • the Special Educational Needs and Disability Act (2001).

7.2 The requirement for compliance devolves to all users, who may be held individually responsible for any breach of law.

Authors: Paul Jeffreys and Alan Gay