The University's information security policies are intended to highlight, address, and mitigate risks associated with information loss, theft or corruption. Some policies set out the approach to handling risks, whereas other policies serve to expose risks.
Aims and objectives
The General Information Security Policy has been developed to address security concerns regarding all electronic information within the University. Information Security is considered to comprise the following three aspects:
Confidentiality: To ensure that information assets and services are only accessed by authorised parties.
Integrity: To ensure that information assets can only be modified by authorised parties and only in authorised ways. The definition of ‘modified’ includes being created, written to, changed, having its status changed, and deleted.
Availability: To ensure that information assets and services are accessible to authorised parties at appropriate times.
As part of the implementation of this Policy with respect to all assets and services, an assessment is to be carried out to ensure that the above objectives are considered during the design, creation, development, deployment, modification, maintenance and disposal of assets and services.
The General Information Security Policy is a collection of statements addressing the aims and aspirations for information security at the University. Where an implemented solution or service is unable to achieve the standard set in these policies, a risk assessment should be conducted to confirm that the risk is acceptable and, if so, the non-compliance should be recorded as a risk against that service. GISP1 describes the policy on risk assessment and management.
The General Information Security Policy comprises the following twenty-four sections:
GISP1. Risk assessment and risk management
GISP2. Conditions of Computer Use
GISP3. Physical and environmental security
GISP4. Identification, authentication and authorisation
GISP5. Use of passwords
GISP6. Use of email
GISP7. Onsite access control
GISP8. Offsite access control
GISP9. Change management
GISP10. Protection against malicious software
GISP11. Information classification
GISP12. Secure areas
GISP13. Business continuity and disaster recovery
GISP14. Incident reporting and handling
GISP15. Network monitoring
GISP16. Legal and regulatory compliance
GISP17. IT and information asset management
GISP18. Encryption use and key material handling
GISP19. Personnel security
GISP20. Personally-owned equipment terms and conditions
GISP21. Liability of own systems and content brought to University
GISP22. Working with third parties
GISP23. Mobile devices
GISP24. Systems management and development
All twenty-four sections are also available for download in a single document.