Information Security Policy
Note there is an overarching/main departmental IT policy to which all users of departmental IT systems agree to before they are given access to departmental IT services and systems.
Information on departmental computer systems is held in compliance with the University policy on Information Security and this Departmental policy on Information Security. See also the departmental pages on data protection and research using data involving humans.
Note also whilst a significant proportion of information covered by an information security policy will be held electronically and thus have a relation to IT, Information security refers to hard copy information storage too so covers material printed out from electronic sources or otherwise held in hard copy and must be appropriately stored and secured.
There is also a information security awareness module available that is well worth looking through to gain further understanding of the typical issues and scenarios faced. Completion of this module, followed by annual refresher training is compulsory for all university staff. Students and other members are also strongly encourage to complete and refresh this training.
Aims and responsibilities
- The aims of information security are to protect the availability, utility and confidentiality of information and to ensure compliance with legal requirements.
- The Head of Department is responsible for ensuring that the department complies with this policy and all other university policies and procedures relating to information security.
- The Mathematical Institute shall protect the security of its information and information systems and use a risk-based approach to decide the appropriate level of control.
- The Mathematical Institute shall ensure that all users receive appropriate training and education in information security.
Procedures and practices
- Mobile devices used to handle confidential information - laptops, tablets, smartphones, memory sticks, etc - must be appropriately secured. If they cannot be secured, they must not be used to handle confidential information.
- E-mail is not a secure form of communication. Users wishing to send confidential information should consider using more secure methods. Where no suitable alternative to e-mail exists, appropriate safeguards should be taken e.g. encryption.
- Confidential information should be stored on the departmentally managed IT systems within account home directories or managed file shares and not on local hard drives.
- Confidential information should be downloaded from secure University systems (e.g. SITS student systems, Oracle Financials system, DARS alumni system, X5 research costing and pricing system) only when strictly necessary.
- Passwords must not be shared or easy to guess.
- Home computers used to access University systems must be kept secure, in general this means through firewalls, anti-virus software and security updates. In particular remote working using the departmental remote access portal is recommended as this leaves all files on the departmental systems and only displays material back to the home computer whilst in use.
- Critical files must be backed up. The department runs a backup services for account home directories, managed shares and other official approved departmental file/data storage. The department also backs up such data to the university central backup system for further redundancy and security.
- Envelopes containing confidential documents must be sealed securely and addressed correctly and, in the case of external mail, sent by recorded delivery.
- Confidential information must be removed from redundant or surplus IT equipment or office furniture before disposal.
- Appropriate physical measures must be taken to prevent the theft, loss or inadvertent exposure of confidential data e.g. lock computer screens when not at your desk, lock away hard copy confidential documents, do not read confidential information in a public place where it can be viewed by others.
- Any security incidents must be reported promptly.
INFORMATION SECURITY POLICY
This policy is divided into two parts.
- Part 1 deals with the broad objectives of information security and the division of responsibility between different groups within the department.
- Part 2 sets out the detailed procedures and practices that need to be followed by all end-users in order to implement the policy's objectives.
Part 1 - OBJECTIVES AND ORGANISATION OF INFORMATION SECURITY
The Mathematical Institute is committed to protecting the security of its information and information systems.
The information it manages shall be appropriately secured to prevent breaches of confidentiality, failures of integrity or interruptions to the availability of that information, as well as to ensure appropriate compliance.
The Mathematical Institute shall provide education and training in information security and raise awareness of its importance. To determine the appropriate level of security control that should be applied to information systems, a process of risk assessment shall be carried out in order to define security requirements and identify the probability and impact of security breaches. Specialist advice on information security shall be made available throughout the Director of IT and Physical Resources and advice can be sought via the University's Information Security Team and/or OxCERT.
Importance of information security
The Mathematical Institute's computer and information systems underpin almost all departmental activities, and are essential to the research, teaching and administrative process of the department. The department recognises the need for its staff, students, visitors and contractors to have access to the information they require in order to carry out their work and recognises the role of information security in enabling this. Security of information is essential to maintaining the continuity of departmental activities and to its compliance with University regulations and policies.
In July 2012, Council approved an information security policy that provides a general framework for the management of information security throughout the University. However, in order to accommodate local differences in security requirements, each department or unit is required to formulate its own information security policy.
This policy supplements the University's overarching policy and defines the framework within which information security will be managed across the Mathematical Institute. Together with the main departmental IT policy it is the primary departmental policy under which all other technical and security related polices reside.
This policy is applicable to and will be communicated to all departmental members and other relevant parties who use departmental IT systems and services (e.g. visitors, academic conference guest, contractors etc). It covers, but is not limited to, any systems or data attached to the department's computer or telephone networks, any systems supplied by the department, any communications sent to or from the department and any data - which is owned either by the University or the Mathematical Institute - held on systems external to the department's network.
Roles and responsibilities
The Head of Department is ultimately responsible for the maintenance of this policy and for its implementation within the Mathematical Institute. This policy is approved and reviewed annually by Executive/Departmental Committee and forms part of departmental policies and procedures. The department will provide clear direction, visible support and promote information security through appropriate commitment and adequate resourcing.
The Director of IT and Physical Resources is responsible for the management of information security and, specifically, to provide advice and guidance on the implementation of this policy.
It is the responsibility of all line managers within the department to ensure that all staff for which they are responsible are 1) made fully aware of the policy; and 2) given appropriate support and resources to comply.
It is the responsibility of each user to comply with this policy, and with all other policies and procedures relating to information security. If a user is uncertain whether a particular activity is permissible under this or related policies, they should consult their line manager and/or the Director of IT and Physical Resources (who in turn may seek further advice and guidance as required).
Part 2 - DETAILED PROCEDURES AND PRACTICES
This part is directed at end-users and sets out the procedures and practices you need to follow in order to implement the objectives identified in Part 1, particularly in relation to the protection of confidential information. The appropriateness of some procedures or practices will depend on the results of the department's risk assessment.
Definition of confidential information
For this purpose, confidential information is any information that is not intended to be publicly available. If the loss or unauthorised disclosure of information could have adverse consequences for the University or individuals, it is confidential. Given the potentially serious consequences of breaching the Data Protection Act (DPA), you should assume that all personal data is confidential. (Personal data is any data that identifies a living individual e.g. a CV, email address, reference, job or course application, home contact details, etc.)
For further information see the departmental pages on data protection.
Use of mobile devices
The use of mobile devices (laptops, USB/memory sticks, smart phones, tablets, etc) is an area of high risk, because they can be easily lost or stolen. It is essential that such devices be appropriately secured, and where available a remote wipe facility enabled to be used in the event of loss.
You must apply an appropriate password (e.g. at least a 4 digit pin or 12 character password/phrase). Adjusting the default settings allows you to apply a more advanced password.
You must run an operating system that is still under vendor support, and apply the latest security patches (for the OS and applications) in a timely fashion (e.g. typically enabling auto-updating).
When using your device on an unsecured public Wi-Fi network you must ensure a secure connection to the department or University via the departmental remote access portal, an SSH or VPN (departmental or University service) connection (or similar). Information about appropriate mechanisms to remotely access departmental and university services is available here.
Encryption of laptops and USB/memory sticks
Any laptop or USB/memory stick containing confidential data must be encrypted, using AES 128 bit encryption or stronger. Note such measures, for some users, should rarely be required since in general such data is not expected to be stored on such devices. Details of mobile device encryption methods are available.
Other devices (Tablets, Smartphones, Blackberrys)
There are a range of ways to secure other devices and if the device is to be used to handle confidential information, it must be appropriately secured, in accordance with the principles stated in the IS toolkit. If this cannot be done, you must not use the device to hold or transmit confidential data.
Information Exchange (including Email and Cloud Services)
E-mail is not a secure form of communication, and ideally, you should not use it to send confidential information or at least minimise the amount you send in this way.
You should first consider communicating confidential information by a more secure method than e-mail. If a suitable alternative is not available, you should consider encrypting the message and/or attachment. Further information is available here.
You must ensure that emails containing confidential data are sent to the correct address and not rely solely on any 'autocomplete' function. You should take particular care when selecting an address from a directory.
If you receive confidential information inadvertently via e-mail, you should delete it as soon as possible.
Confidential information should not be stored in e-mail folders, as it is not secure. If an e-mail or e-mail attachment contains information that needs to be kept, you should save it to a secure area of the network.
You must obtain explicit authorisation from the Director of IT and Physical Resources for the storing, exchanging or synching of confidential information in order to ensure that any such activity is secure. The department and University provide their own cloud services and these should be considered ahead of public services. For further information please talk to the departmental IT Team who in turn will keep the Director of IT and Physical Resources informed to ensure consistent and appropriate advice is given.
When sending confidential data by fax, you must ensure you use the correct number and that the recipient is near to the machine at the other end ready to collect the information immediately it is printed.
When sending confidential documents by post, whether internal or external post, you must ensure that the envelope is sealed securely, marked 'Private and confidential', and addressed correctly. Recorded delivery must be used for confidential documents sent by external post.
When printing to hard copy confidential documents you should not solely reply on autocompletes or default printers being correctly set and always explicitly ensure the destination printer is correctly selected.
Confidential data should be stored on the departmentally managed IT systems within account home directories or managed file shares and not on local hard drives.
Whilst there is access control on those storage systems you may also wish to consider whether to further password protected or encrypted the stored data depending on its nature. Please seek advice from the IT Team and the Director of IT and Physical Resources if unsure.
Having access to a shared drive does not imply that you have permission to view all the folders/files on that drive. You should view only the information you need to carry out your work. Access to such shares is generally granted on a role basis and by line manager request.
You must not under any circumstances share your password with others or allow others to use your account to access the department's network or other resources.
Passwords should not be easy to guess and departmental systems impose the selection of appropriate passwords.
Only trusted machines, not public kiosk machines, should be used to connect to the University network remotely.
Home computers used for remote access must be appropriately protected, typically this means by a firewall, anti-virus software and by the installation of security updates. In particular remote working using the departmental remote access portal is recommended as this leaves all files on the departmental systems and only displays material back to the home computer whilst in use.
Copying and working off-site
To avoid the risks of taking copies of confidential information off-site, you should as far as possible use remote access facilities to look at confidential information held on University systems. Details of appropriate ways to remotely access departmental and university services are listed here and in particular include the departmental remote access portal which facilitates secure remote working whilst leaving all data/files on departmental systems.
Confidential data should be downloaded from a secure system (e.g. SITS student systems, Oracle Financials system, DARS alumni system, X5 research costing and pricing system) only when strictly necessary.
You should ensure that any copies you make of confidential data are the minimum required and that they are deleted or destroyed when no longer needed.
Any critical files must be backed up. The department runs a backup services for account home directories, managed shares and other official approved departmental file/data storage. The department also backs up such data to the university central backup system for further redundancy and security. No further backups of such files should normally be taken. See the main IT policy for further details of the backup procedures.
Before confidential data is encrypted, you must ensure that any critical data is securely backed-up.
You must ensure that mobile devices containing back-up copies of critical data are securely stored (see the section below on physical security).
When disposing of surplus or obsolete mobile devices containing confidential data, you must ensure that any confidential data is removed permanently from the device (deleting the visible files is not sufficient).
You must remove any files or papers before disposing of old office furniture.
Confidential documents must be shredded when no longer needed.
See the main IT policy for details of network security and connection.
You must lock your workstation, laptop or tablet when leaving your desk. Whilst you may leave such devices logged in and locked overnight you should strongly consider logging out instead if you are working on or have access to confidential information.
Confidential data must be stored in a locked cupboard, cabinet or drawer. If this is not possible, you must lock the room when it is unoccupied for any significant length of time.
Keys to cupboards, drawers or cabinets must not be left on open display when the room is unoccupied.
When travelling with a mobile device, you must take reasonable care to reduce the risk of loss or theft.
You should not read confidential data in areas where it can be easily viewed by others.
No users may have administrative access to departmentally managed machines and as such cannot install software that requires such access. For further information on software installation see the relevant section of the main IT policy.
Suspected or actual security incidents e.g. the theft or loss of a mobile device, a virus attack, should be reported immediately to the IT Team by emailing @email. Such incidents will then be tracked by the ticketing system and investigated as appropriate.
The department will follow the University's advice for the escalation and reporting of such incidents. Incidents involving personal data shall be reported to the University's Data Protection Team.
Any failure to comply with this policy may result in disciplinary action.